The sensitive data access feature records every access to sensitive data in DataWorks, capturing the operation time, account, and operation content for each event. Security administrators use these records to maintain a comprehensive audit trail and verify that data access complies with your organization's security policies.
Limitations
| Dimension | Details |
|---|---|
| Applicable editions | DataWorks Standard, Professional, or Enterprise Edition with the new data security features enabled in Security Center |
| Supported regions | China (Hangzhou), China (Shanghai), China (Beijing), China (Shenzhen), China (Chengdu) |
| Supported compute engine | MaxCompute |
Prerequisites
Before you begin, ensure that you have:
- An Alibaba Cloud account or RAM user with one of the following permissions:
  - The AliyunDataWorksFullAccess policy attached
  - The tenant security administrator role of DataWorks assigned
  - The tenant administrator role of DataWorks assigned
- Completed the New user guide
View sensitive data access records
Sensitive data refers to the results that are identified by detection tasks in Sensitive Data Protection > Data classification grading. Access records are subject to a one-day delay.
1. Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Governance > Security Center, then click Go to Security Center.
2. In the left navigation pane, choose Audit > Sensitive Data Access.
3. Select the MaxCompute or Hologres tab to view the corresponding records.
4. Click Details to view the full details of a specific access event.
5. Filter records by Involving data types and Operation time, then click Export Tasks to export the results.
The following fields appear in the access records table.
The Type of behavior field distinguishes between actions triggered by the system and actions performed by users. Data sampling run by a sensitive data detection task is recorded as System Behavior.
| Field | Description |
|---|---|
| Time | The date and time when the sensitive data was accessed. |
| Operator | The account that performed the operation. This can be the logon account, or the RAM user or Alibaba Cloud account set as the default access identity for the data source. |
| Operation Type | The type of operation performed on the sensitive data. |
| Involving data types | The categories of sensitive data included in the access event. |
| Type of behavior | Whether the access was initiated by the system or a user. Valid values: System Behavior and User Behavior. |
| Operation | The SQL statement executed during the event. |
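
The following added example (not part of the DataWorks documentation or tooling) shows one way to triage an exported record set offline using the fields above: it sets aside System Behavior rows and flags User Behavior events that touch data types outside an operator's approval or whose recorded SQL has no WHERE or LIMIT. It assumes the export is a CSV whose headers match the console field names and that multiple data types are comma-separated; the sample rows, operator names, and the `APPROVED` policy are constructed for illustration.

```python
import csv
import io

# Constructed sample export. Assumption: the export is a CSV file whose
# headers match the console field names; all values below are made up.
SAMPLE_EXPORT = """\
Time,Operator,Operation Type,Involving data types,Type of behavior,Operation
2024-05-06 02:14:09,detection_task,SELECT,Phone number,System Behavior,SELECT phone FROM crm.users LIMIT 100
2024-05-06 09:31:42,alice,SELECT,Phone number,User Behavior,SELECT phone FROM crm.users WHERE id = 42
2024-05-06 23:50:03,bob,SELECT,"ID card number,Phone number",User Behavior,SELECT * FROM crm.users
2024-05-07 10:05:17,bob,SELECT,ID card number,User Behavior,SELECT id_card FROM crm.users WHERE id = 7
"""

# Hypothetical policy: data types each operator is approved to read.
APPROVED = {"alice": {"Phone number"}, "bob": {"Phone number"}}

def load_user_events(text):
    """Parse the export and drop System Behavior rows (detection-task sampling)."""
    rows = csv.DictReader(io.StringIO(text))
    return [r for r in rows if r["Type of behavior"].strip() == "User Behavior"]

def review(events, approved):
    """Return (time, operator, reason) findings for events that need follow-up."""
    findings = []
    for e in events:
        types = {t.strip() for t in e["Involving data types"].split(",") if t.strip()}
        extra = types - approved.get(e["Operator"], set())
        if extra:
            findings.append((e["Time"], e["Operator"],
                             "unapproved data types: " + ", ".join(sorted(extra))))
        # Crude text check on the recorded SQL: no WHERE and no LIMIT keyword.
        words = e["Operation"].upper().split()
        if "WHERE" not in words and "LIMIT" not in words:
            findings.append((e["Time"], e["Operator"], "query has no WHERE or LIMIT"))
    return findings

if __name__ == "__main__":
    for finding in review(load_user_events(SAMPLE_EXPORT), APPROVED):
        print(" | ".join(finding))
```

Because records are subject to a one-day delay, a scheduled review of this kind covers the previous day's activity at the earliest.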