Data Management (DMS) uses a two-layer scanning architecture to detect and protect sensitive database fields. The first layer identifies which data category a field belongs to. The second layer applies classification rules to assign security levels and configure data masking automatically. This document explains how each layer works and how they interact.
How it works
DMS runs the two layers sequentially and independently:
Identification model-based scanning — DMS scans table fields and data to identify their data categories (for example, ID card, mobile number, or email address).
Classification and grading-based scanning — DMS applies classification rules against the identification results to assign security levels and configure data masking automatically.
Because the two layers are independent of each other, changes to one layer do not affect the other.
Identification model-based scanning
An _identification model_ is a set of criteria that determines which data category a field belongs to. DMS supports two identification methods.
Data content identification (regular expression match)
DMS examines the content of each field using the regular expression defined in the identification model. To balance speed and accuracy, DMS randomly samples a subset of rows from the field rather than scanning every row. If the proportion of sampled rows that match the pattern exceeds the configured threshold, DMS tags the field with the corresponding data category.
For example, if an identification model named ID Card is configured and a field meets the conditions of the ID card algorithm, DMS tags the field with the data category ID card.
Metadata identification
DMS classifies fields based on the field name rather than the field content. For example, the built-in ID Card identification model recognizes a field named id_card in a table and tags it with the data category ID card.
Identification results
A single field can match multiple identification models. For example, a field containing mobile numbers may be identified by both the built-in Mobile Number model and a custom model whose rule is "11 consecutive digits." DMS stores up to three identification results per field.
DMS provides a set of built-in identification models. You can also create custom identification models. Custom identification models support data content identification only; metadata identification is not available for custom models.
To control which models participate in scanning, enable or disable identification models as needed. Models are enabled by default after creation. Only enabled models are used in scanning.
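The identification pass described above can be sketched as follows. This is an added example, not DMS code: the `Model` class, the `identify` function, the 0.8 threshold, the sample size, and the rule for choosing which three results to keep are assumptions made for illustration.

```python
import random
import re
from dataclasses import dataclass

MAX_RESULTS = 3  # the page states DMS stores up to three results per field


@dataclass
class Model:
    name: str                 # data category the model tags, e.g. "Mobile number"
    content_regex: str = ""   # data content identification
    field_names: tuple = ()   # metadata identification (built-in models only)
    threshold: float = 0.8    # assumed value; the page only says "configured threshold"
    enabled: bool = True      # models are enabled by default after creation


def identify(field_name, rows, models, sample_size=100, seed=0):
    """Return up to MAX_RESULTS (category, match_ratio) pairs for one field."""
    rng = random.Random(seed)  # fixed seed so the sample is reproducible
    values = [r for r in rows if r is not None]
    sample = rng.sample(values, min(sample_size, len(values)))
    results = []
    for m in models:
        if not m.enabled:      # only enabled models take part in scanning
            continue
        if field_name.lower() in m.field_names:
            results.append((m.name, 1.0))   # matched on metadata alone
            continue
        if m.content_regex and sample:
            hits = sum(1 for v in sample if re.fullmatch(m.content_regex, str(v)))
            ratio = hits / len(sample)
            if ratio > m.threshold:         # must exceed, not merely reach
                results.append((m.name, ratio))
    # Assumption: keep the strongest matches when more than three models hit.
    results.sort(key=lambda r: r[1], reverse=True)
    return results[:MAX_RESULTS]


# Constructed sample data: 95 mobile-like values plus 5 junk values.
ROWS = ["138%08d" % i for i in range(95)] + ["n/a"] * 5
MODELS = [
    Model("Mobile number", content_regex=r"1[3-9]\d{9}"),
    Model("11 consecutive digits", content_regex=r"\d{11}"),
    Model("Email address", content_regex=r"[^@\s]+@[^@\s]+\.[^@\s]+"),
    Model("ID card", field_names=("id_card",)),
    Model("Disabled model", content_regex=r".*", enabled=False),
]
```

Because tagging depends on the sampled match ratio exceeding the threshold, a column in which only a minority of rows hold sensitive values is not tagged by content identification.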
Classification and grading-based scanning
A _classification rule_ maps identification results to a data category, a security level, and a data masking algorithm. A _classification and grading template_ groups multiple classification rules and is associated with instances.
How rules are evaluated
DMS filters all enabled classification rules in the associated template, then evaluates each rule against a field in three steps:
Step 1: Check identification model overlap
DMS checks whether the classification rule includes at least one identification model that also matched the field during identification model-based scanning.
For example, if a field was identified by models A and B, and a classification rule specifies models B and C, the intersection is model B. Because the intersection is non-empty, DMS continues to step 2. If there is no intersection, the rule does not apply to this field, and DMS moves to the next rule.
Step 2: Check identification scope
DMS checks whether the field's metadata falls within the scope defined for the classification rule. Metadata includes the database name, table name, field name, and field description.
The scope condition uses either AND (all scope criteria must match) or OR (at least one scope criterion must match). If the field's metadata satisfies the scope condition, DMS records the rule's data category as a candidate result and moves to the next rule.
Step 3: Assign the data category
After evaluating all classification rules, DMS assigns the field's data category:
If only one rule matched, the field is tagged with that rule's data category.
If multiple rules matched, DMS sorts them by security level in ascending order and tags the field with the data category of the rule that has the highest security level.
The following diagram illustrates how a single field is evaluated:
Classification rule parameters
When creating a custom classification rule for a template, configure the following parameters:

| Parameter | Description |
|---|---|
| Security level | The sensitivity level of fields matched by this rule. A higher security level indicates that the field is more sensitive. For details, see Field security level. |
| Identification model | The identification models to include in this rule. Select one or more models. The logical relationship among selected models is OR: a field is detected if it matches any one of the selected models. |
| Identification scope | Metadata filters for this rule. Set to AND to require all scope criteria to match, or OR to require at least one criterion to match. |
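
The three evaluation steps and the rule parameters above, worked through in code. This is an added example, not DMS code: the `Rule` class, the `classify` function, numeric security levels, substring matching for scope criteria, and the treatment of an empty scope as unrestricted are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Rule:
    category: str
    security_level: int            # higher means more sensitive
    models: set                    # OR among the selected identification models
    scope: dict = field(default_factory=dict)  # metadata key -> required substring
    scope_op: str = "AND"          # "AND" or "OR" across scope criteria
    enabled: bool = True


def scope_matches(rule, meta):
    # Assumption: a criterion is a case-insensitive substring test, and an
    # empty scope places no restriction on the field.
    if not rule.scope:
        return True
    checks = [want.lower() in meta.get(key, "").lower() for key, want in rule.scope.items()]
    return all(checks) if rule.scope_op == "AND" else any(checks)


def classify(identified, meta, rules):
    """Return (category, security_level) for one field, or None if no rule applies."""
    candidates = []
    for rule in rules:
        if not rule.enabled:
            continue
        if not (rule.models & set(identified)):   # step 1: model overlap
            continue
        if scope_matches(rule, meta):             # step 2: identification scope
            candidates.append(rule)
    if not candidates:
        return None
    # Step 3: sort ascending by security level and take the last (highest) rule.
    top = sorted(candidates, key=lambda r: r.security_level)[-1]
    return top.category, top.security_level


# Constructed template and field for illustration.
RULES = [
    Rule("Contact info", 2, {"B", "C"}),
    Rule("Customer PII", 3, {"B"}, {"database": "crm", "table": "customer"}, "AND"),
    Rule("Payment data", 4, {"B"}, {"database": "billing", "table": "card"}, "AND"),
    Rule("Unrelated", 4, {"D"}),
]
FIELD_META = {"database": "crm_prod", "table": "customer", "field": "phone", "description": ""}
```

With the constructed data, a field identified by models A and B resolves to "Customer PII" at level 3: the level-4 rules are excluded by scope or by model overlap, so a higher level alone does not win.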