Enable the sensitive data protection feature and create a scan task for a database instance - Data Management

This topic describes how to enable the sensitive data protection feature, create a scan task for a database instance, and view the scan result.

Prerequisites

You are a Data Management (DMS) administrator, a database administrator (DBA), or a security administrator.
Note
To view the role of your account, move the pointer over the icon in the upper-right corner of the DMS console.
Supported databases
- Relational databases:
  - MySQL: ApsaraDB RDS for MySQL, PolarDB for MySQL, and MySQL databases from other sources
  - SQL Server: ApsaraDB RDS for SQL Server and SQL Server databases from other sources
  - PostgreSQL: ApsaraDB RDS for PostgreSQL, PolarDB for PostgreSQL, and PostgreSQL databases from other sources
  - MariaDB: ApsaraDB RDS for MariaDB and MariaDB databases from other sources
  - PolarDB for PostgreSQL (Compatible with Oracle)
  - PolarDB for Xscale (PolarDB-X)
  - OceanBase
  - Oracle
  - Db2
  - Dameng (DM)
  - Lindorm: Lindorm_CQL and Lindorm_SQL
  - openGauss
- Data warehouses
  - AnalyticDB for MySQL
  - AnalyticDB for PostgreSQL
  - Data Lake Analytics (DLA)
  - ClickHouse
  - MaxCompute
  - Hologres
  - Hive
The sensitive data protection feature is purchased. For more information, see Purchase the DMS service.
Note
To purchase the feature, move the pointer over the icon in the upper-right corner of the DMS console and select DMS Order Management. In the dialog box that appears, view the available number of instances for which the sensitive data protection feature can be enabled.

Enable the sensitive data protection feature

You can enable the sensitive data protection feature for an instance in the Edit dialog box of the instance or in the Sensitive Data module.

Enable the sensitive data protection feature in the Edit dialog box

Log on to the
DMS console V5.0.
In the left-side database instance list of the Home tab, find the database instance that you want to manage and right-click the database instance.
Select Edit.
In the Basic Information section of the Edit dialog box, select Sensitive Data Protection for the Advanced Feature Pack parameter and select a classification and grading template from the Classification template drop-down list. The classification and grading template is used to scan and identify sensitive data in the database instance.
Click Save.

Enable the feature in the Sensitive Data module

Log on to the
DMS console V5.0.
In the top navigation bar, choose Security and Specifications > Sensitive Data > Sensitive Data Assets.
Note
If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Sensitive Data > Sensitive Data Assets.
On the Sensitive Data Assets tab, click the Not opened tab in the Instance List section.
Find the database instance that you want to manage and click Enable Now in the Operation column.
Note
Only instances for which the sensitive data protection feature is disabled appear on this tab.
In the Enable Sensitive Data Protection dialog box, specify whether you want to immediately configure a scan task.
- If you do not want to immediately configure a scan task, turn off Configure Scan Task. After you enable the feature, you can go to the Sensitive Data Assets tab, click the Enabled tab in the Instance List section, and configure a scan task.
- If you want to immediately configure a scan task, select the scan method and scope, and specify whether to immediately apply scan results. For more information, see the Configure a scan task section of this topic.
Click OK.

Configure a scan task

On the Sensitive Data Assets tab, click the Enabled tab in the Instance List section. Find the database instance that you want to manage and click Configure Scan Task in the Operation column.

Note

When DMS runs a scan task for a database instance, DMS scans the metadata of the specified database and randomly scans 100 to 200 data entries in the database. The data is used only for sensitive data analysis in the scan task and is not saved for other purposes.

Parameter	Description
Scan Method	If you select Immediate Task (Task Immediately Run Only Once), DMS immediately scans the specified database and marks sensitive data after the task is configured. If you select Scheduled Task (Task Run at Specified Time Only Once), you must select a date and point in time. DMS automatically scans the specified database and marks sensitive data as scheduled. If you select Periodic Task, you must configure the scheduling cycle and specific point in time. DMS automatically scans the specified database and marks sensitive data on a regular basis.
Scope	The scan scope. Valid values: All Databases and Specific Databases. If you select Specific Databases, you can select multiple databases.
Apply scan results immediately?	Specifies whether to immediately add tags to the fields in the identification results with data categories and security levels. Valid values: Yes No (Go to the identification result to apply it manually.) You must go to the Identification Result panel to manually apply the identification results.

Click OK.
Grant access to the instance. After you grant access to an instance, sensitive data in the instance can be automatically detected. You must grant access to an instance before you configure a scan task for the instance.
Note
If the database instance is managed in Security Collaboration mode, the system automatically grants access to the instance. In this case, skip this step.
1. On the Enabled tab, find the database instance to which you want to grant access and click Account Authorization in the Operation column.
2. In the Account Authorization dialog box, enter the database account and database password of the database instance.
3. Click OK.

View identification results

View the identification results.
In the Overview section, click the number below Scanned to go to the Identification Task Log page. Find the scan task whose identification results you want to view and click the number in the Execution History column. In the Identification Result panel, you can view the identification results.
Note
Alternatively, go to the Instance List section, find the instance whose scan task and identification results you want to view and click Task details in the Operations column.
Manually apply the identification results. If you set the Apply scan results immediately? parameter to Yes when you configure the scan task, the system automatically applies the identification results. In this case, skip the following steps.
1. Go to the Identification Task Log page.
2. Find the scan task whose identification results you want to view and click the number in the Execution History column.
3. In the Identification Result panel, click Take Effect in the Actions column to manually apply the identification results.
Optional. To view the distribution and sensitivity levels of the sensitive data in the database instance, click Sensitive Data List in the Operation column. On the page that appears, click the Field Control tab. You can also manage sensitive fields on the Field Control tab. For example, you can adjust the sensitivity levels of fields, change the data masking rules for fields, and grant permissions on fields. For more information, see Manage sensitive data.

For information about how to disable the sensitive data protection feature, see Disable the sensitive data protection feature.