
Data Management: Enable the sensitive data protection feature

Last Updated: Mar 28, 2026

The sensitive data protection feature scans your database instances to detect and classify sensitive fields—such as personally identifiable information (PII) or financial records—and tags each field with the appropriate data category and security level. After scanning, you can apply masking rules and manage access permissions directly from the scan results.

This topic covers three tasks:

  1. Enable the feature for a database instance

  2. Configure a scan task to detect sensitive fields

  3. View and apply identification results

Prerequisites

Before you begin, ensure that you have:

  • The DMS administrator, database administrator (DBA), or security administrator role

    To check your role, move the pointer over the profile icon in the upper-right corner of the DMS console.
  • Purchased the sensitive data protection feature. To purchase it, move the pointer over the order icon in the upper-right corner and select DMS Order Management. In the dialog box that appears, check the number of available instances for which the feature can be enabled. For more information, see Purchase the DMS service.

  • A supported database instance. The following database types are supported:

    Data warehouses

    • AnalyticDB for MySQL

    • AnalyticDB for PostgreSQL

    • Data Lake Analytics (DLA)

    • ClickHouse

    • MaxCompute

    • Hologres

    • Hive

    Relational databases

    | Engine | Supported variants |
    | --- | --- |
    | MySQL | ApsaraDB RDS for MySQL, PolarDB for MySQL, MySQL databases from other sources |
    | SQL Server | ApsaraDB RDS for SQL Server, SQL Server databases from other sources |
    | PostgreSQL | ApsaraDB RDS for PostgreSQL, PolarDB for PostgreSQL, PostgreSQL databases from other sources |
    | MariaDB | ApsaraDB RDS for MariaDB, MariaDB databases from other sources |
    | PolarDB for PostgreSQL (Compatible with Oracle) | |
    | PolarDB for Xscale (PolarDB-X) | |
    | OceanBase | |
    | Oracle | |
    | Db2 | |
    | Dameng (DM) | |
    | Lindorm | Lindorm_CQL, Lindorm_SQL |
    | openGauss | |

Enable the sensitive data protection feature

Two paths are available:

  • Sensitive Data module: enables the feature and optionally sets up a scan task in one flow. Use this path when enabling the feature for one or more instances.

  • Edit dialog box: enables the feature for a single instance without immediately configuring a scan. Use this path when you only need to activate the feature quickly.

Enable via the Sensitive Data module

  1. Log on to the DMS console V5.0.

  2. In the top navigation bar, choose Security and Specifications > Sensitive Data > Sensitive Data Assets.

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Sensitive Data > Sensitive Data Assets.
  3. On the Sensitive Data Assets tab, click the Not opened tab in the Instance List section.

    Only instances with the feature disabled appear on this tab.
  4. Find the instance and click Enable Now in the Operation column.

  5. In the Enable Sensitive Data Protection dialog box, choose whether to configure a scan task immediately:

    • To skip the scan task for now, turn off Configure Scan Task. After enabling, go to the Enabled tab to configure a scan task later.

    • To configure a scan task immediately, select the scan method and scope, and specify whether to apply results automatically. For parameter details, see Configure a scan task.

  6. Click OK.

Enable via the Edit dialog box

  1. Log on to the DMS console V5.0.

  2. In the left-side database instance list on the Home tab, right-click the instance and select Edit.

  3. In the Basic Information section, select Sensitive Data Protection for the Advanced Feature Pack parameter, then select a template from the Classification template drop-down list. The template determines how sensitive data is categorized and graded during scanning.


  4. Click Save.

Configure a scan task

During a scan, DMS scans the metadata of the specified database and randomly samples 100 to 200 data entries. The sampled data is used only for sensitive data analysis and is not stored for any other purpose.

  1. On the Sensitive Data Assets tab, click the Enabled tab in the Instance List section.

  2. Find the instance and click Configure Scan Task in the Operation column.

  3. Configure the scan task parameters:

    | Parameter | Options | Description |
    | --- | --- | --- |
    | Scan method | Immediate Task (Task Immediately Run Only Once) | Starts scanning immediately after you click OK. |
    | Scan method | Scheduled Task (Task Run at Specified Time Only Once) | Runs once at a date and time you specify. |
    | Scan method | Periodic Task | Runs on a recurring schedule that you configure. |
    | Scope | All Databases | Scans every database in the instance. |
    | Scope | Specific Databases | Scans only the databases you select. Multiple selection is allowed. |
    | Apply scan results immediately? | Yes | Automatically tags fields with data categories and security levels after scanning. |
    | Apply scan results immediately? | No (Go to the identification result to apply it manually.) | Saves results to the Identification Result panel for manual review before applying. |
  4. Click OK.

  5. Grant access to the instance so DMS can automatically detect sensitive data.

    1. On the Enabled tab, find the instance and click Account Authorization in the Operation column.

    2. In the Account Authorization dialog box, enter the database account and password.

    3. Click OK.

    If the instance is managed in Security Collaboration mode, DMS grants access automatically. Skip this step.
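
To make the scan model described at the start of this section concrete (metadata inspection plus a bounded random sample of rows), the following added example classifies the columns of a constructed SQLite table. It is not DMS code and does not reproduce DMS detection rules; the detector names, levels, patterns, and the 0.8 match threshold are assumptions chosen for illustration.

```python
import re
import sqlite3

SAMPLE_ROWS = 200   # upper end of the 100-200 sampled entries the page mentions
MATCH_RATIO = 0.8   # assumed share of sampled values that must match a pattern

# Hypothetical detectors: (category, level, column-name hint, value pattern)
DETECTORS = [
    ("email", "medium", re.compile(r"e?mail", re.I),
     re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("phone", "medium", re.compile(r"phone|mobile", re.I),
     re.compile(r"^\+?\d[\d -]{7,14}\d$")),
    ("national_id", "high", re.compile(r"id_?card|passport|ssn", re.I), None),
]

def scan_table(conn, table):
    """Return {column: (category, level, evidence)} for flagged columns."""
    # Metadata pass: column names only, no row data is read.
    columns = [r[0] for r in
               conn.execute("SELECT name FROM pragma_table_info(?)", (table,))]
    # Sampling pass: a bounded random sample instead of a full table read.
    quoted = '"' + table.replace('"', '""') + '"'
    rows = conn.execute(
        f"SELECT * FROM {quoted} ORDER BY RANDOM() LIMIT ?", (SAMPLE_ROWS,)
    ).fetchall()
    findings = {}
    for idx, col in enumerate(columns):
        values = [str(r[idx]) for r in rows if r[idx] is not None]
        for category, level, name_hint, pattern in DETECTORS:
            hits = sum(1 for v in values if pattern and pattern.match(v))
            if values and hits / len(values) >= MATCH_RATIO:
                findings[col] = (category, level, "sampled values")
            elif name_hint.search(col):
                findings.setdefault(col, (category, level, "column name"))
    return findings  # sampled rows go out of scope here and are not stored

def demo():
    """Scan a constructed in-memory table (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, contact TEXT, "
                 "reach TEXT, id_card_no TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
        [(i, f"user{i}@example.com", f"+1 555 0100 {i:04d}", None, "ok")
         for i in range(1000)])
    return scan_table(conn, "customers")

if __name__ == "__main__":
    print(demo())
```

In this sketch a column where only a few rows hold sensitive values stays below the threshold and is not flagged; with sample-based scanning, that is the case to look for when reviewing results manually.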

View identification results

View results

In the Overview section, click the number below Scanned to open the Identification Task Log page. Find the scan task and click the number in the Execution History column to open the Identification Result panel.

Alternatively, go to the Instance List section, find the instance, and click Task details in the Operations column.

Apply results

If you set Apply scan results immediately? to Yes when configuring the scan task, DMS applies the results automatically—no further action is needed.

If you set it to No, apply results manually:

  1. Go to the Identification Task Log page.

  2. Find the scan task and click the number in the Execution History column.

  3. In the Identification Result panel, click Take Effect in the Actions column.

What's next

After applying identification results, manage sensitive fields on the Field Control tab:

  • Adjust sensitivity levels of fields

  • Change data masking rules for fields

  • Grant permissions on fields

To open Field Control, click Sensitive Data List in the Operation column on the Enabled tab, then click the Field Control tab. For details, see Manage sensitive data.

To disable the feature for an instance, see Disable the sensitive data protection feature.