All Products
Search

This Product

    DataWorks:Security risks

    Document Center

    DataWorks:Security risks

    Last Updated:Apr 10, 2025

    The security risk feature provides various built-in expert risk detection items designed to help organizations proactively identify potential security threats and violations through preset risk identification rules. This feature supports visual risk management, improving the efficiency of risk monitoring and response. Additionally, it allows you to customize risk identification rules based on specific business scenarios, helping you flexibly configure and adjust these rules to meet different security policies and business requirements. This topic provides detailed information about the security risk feature to help you better understand and use it.

    Limits

    • Supported versions: Users who have newly activated DataWorks Standard Edition, Professional Edition, or Enterprise Edition.

    • Supported regions: China (Shanghai)

    • Supported compute engines: MaxCompute

    Prerequisites

    • You log on to DataWorks with an account that meets one of the following conditions:

      • An account with the AliyunDataWorksFullAccess permission.

      • An account with the DataWorks tenant security administrator role.

      • An account with the DataWorks tenant administrator role.

    • You have completed the new user guide.

    Access the security risk page

    1. Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

    2. In the left-side navigation pane of the Security Center page, you can select Security Posture > Security Risks to access the Security Risks page.

    3. On the Security Risks page, you can switch between tabs to view security Risk Events and Risk Detection Items.

    Configure risk detection items

    Risk detection items

    DataWorks has built-in common risk detection items. You can customize risk detection items based on your data security needs. The operations supported by built-in detection items and user-defined detection items are shown in the following table:

    Source

    Enable/Disable

    Delete

    System built-in

    Supported

    Not supported

    User-defined

    Supported

    Supported

    The system built-in risk detection items are as follows:

    Policy

    Risk type

    Risk level

    Determination condition

    Batch query of sensitive data

    Behavior risk

    Low

    Single query of sensitive data ≥ 10,000 records

    Batch update of sensitive data

    Behavior risk

    Medium

    Single update of sensitive data ≥ 10,000 records

    Batch deletion of sensitive data

    Behavior risk

    High

    Single deletion of sensitive data ≥ 10,000 records

    Operation of sensitive data during non-working hours

    Behavior risk

    Medium

    Query/update/delete sensitive data during non-working hours

    Frequent query of sensitive data

    Behavior risk

    Low

    Query sensitive data ≥ 5 times within 5 minutes

    Frequent update of sensitive data

    Behavior risk

    Medium

    Update sensitive data ≥ 5 times within 5 minutes

    Frequent deletion of sensitive data

    Behavior risk

    High

    Delete sensitive data ≥ 5 times within 5 minutes

    Delete table containing sensitive data

    Behavior risk

    High

    Delete table containing sensitive data

    Empty table containing sensitive data

    Behavior risk

    High

    Empty table containing sensitive data

    Custom detection items

    On the Security Risks page, click the Risk Detection Items tab to enter the risk detection item list page, and click the Add Detection Item button to customize detection items. The configuration details can be found in the following table:

    Configuration item

    Description

    Custom Policy Name

    The name of the custom detection item.

    Risk Type

    Default is behavior abnormality.

    Risk Level

    • Low-risk

    • Medium-risk

    • High-risk

    You can adjust the risk level according to the actual situation.

    Detection Scope

    • By location: Currently only supports data under MaxCompute.

    • By classification: Supports detection based on classifications in data classification and grading, and multiple classifications can be selected for detection.

    • By grade: Supports detection based on grades in data classification and grading, with a maximum of 10 levels configurable.

    Note

    When selecting the detection scope, you can select multiple options for location, classification, and grade according to your needs to determine the detection scope.

    Operation Time

    The execution time of the security detection item within a week.

    User/User Group

    The operators of this detection item.

    Data Operation

    The operation methods on table data, mainly including SQL operations such as SELECT, UPDATE, INSERT, DELETE, ALTER, DROP, and TRUNCATE.

    Single Data Volume Exceeds

    The data volume detected when risk monitoring is clicked.

    Frequency Exceeds

    The frequency of alert pushes after the risk monitoring item is triggered.

    Note

    A count of 1 means that an alert will be triggered each time there is a hit.

    Enable/disable risk detection items

    After creating detection items, you can enable or disable risk items in the Risk Detection Items tab.

    • Enabled: DataWorks will identify events that match the rules of this detection item and mark them as risk events.

    • Disabled: DataWorks will still retain previously marked risk events but will no longer identify new events.

    Note

    When performing risk detection item activation, you can either Enable or Disable individually, or select multiple risk items for Batch Enable or Batch Disable.

    Edit/delete risk monitoring items

    After creating monitoring items, if you need to edit or delete risk detection items, you can do so in the Risk Detection Items tab.

    • Edit: Reconfigure the information of the risk monitoring item. Except for the Custom Policy Name which cannot be edited, all other configuration information can be reconfigured.

    • Delete: Delete the configured risk monitoring information.

    Note

    When Editing or Deleting risk detection items, you can individually Edit or Delete risk monitoring items through the operation column, or select multiple risk monitoring items for Batch Deletion.

    Handle risk events

    View risk events

    After enabling risk monitoring items, you can view risk events in the Risk Detection Items tab on the Security Risks page after the risk items are executed.

    Field

    Description

    Occurrence Time

    The date and time when the operator triggered the event.

    Risk Type

    The corresponding risk type after the event is identified as a risk item.

    Risk Item

    Which security risk the event is identified as.

    Operator

    The account that triggered the event. This is usually the login account or the default access identity of the data source.

    Risk Level

    Evaluates the possible consequences and impacts of the risk, with impacts ranging from small to large as follows: low-risk, medium-risk, high-risk, critical.

    Processing Status

    Used to mark the handling result of the risk: Processed, Unprocessed.

    Related events

    Describes the execution sequence of a series of events, helping security administrators assess the actual impact of the event.

    SQL

    The SQL statement when the operator triggered the event. You can click copy to obtain the complete SQL statement.

    Handle risk events

    On the Security Risks page, you can view risk events in the Risk Detection Items tab and handle risk events. Click the Operation column and click the Process Now button to mark the processing status of the risk event.