Data Management: Manage sensitive data

Last Updated: Mar 28, 2026

DMS enforces field-level access control on sensitive data by combining sensitivity levels with data masking. As a DMS administrator, database administrator (DBA), or security administrator, you can adjust the sensitivity level of individual fields, grant or revoke user permissions on those fields, and control whether users see plaintext, masked, or encrypted values.

Prerequisites

Before you begin, make sure that you have:

  • The DMS administrator, DBA, or security administrator role

    To check your role, move the pointer over the Profile picture icon in the upper-right corner of the DMS console.
  • An instance with the sensitive data protection feature enabled. See Enable the sensitive data protection feature.

  • A supported database:

    Category | Supported databases
    Relational databases | MySQL, SQL Server, PostgreSQL, MariaDB, Oracle, Dameng (DM), PolarDB for PostgreSQL (Compatible with Oracle), PolarDB for Xscale, ApsaraDB for OceanBase, DB2, Lindorm_CQL, Lindorm_SQL, OpenGauss
    Data warehouses | AnalyticDB for MySQL, AnalyticDB for PostgreSQL, Data Lake Analytics (DLA), ClickHouse, MaxCompute, Hologres, Hive

How it works

Each sensitive field has two controls:

  • Security level — classifies the field's sensitivity. The level determines which default masking rules apply.

  • User permissions — grants named users the right to query, export, or change data in the field, and specifies what they see: plaintext or a masked value.

Users without explicit permissions see field values encrypted. The Field Control tab on the Sensitive Data List page is the central place to manage both controls.

Adjust the security level of a field

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.

  3. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Sensitive Data > Sensitive Data Assets.

    In normal mode, choose Security and Specifications (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.
  4. In the upper-right corner of the Sensitive Data Assets page, click Global Sensitive Data to open the Sensitive Data List page.

  5. On the Field Control tab, find the field whose sensitivity level you want to change and click Change Security Level in the Operation column.

    To change the security level of multiple fields at once, select the fields and click Change Security Level in the upper-left corner of the Field Control tab.
  6. In the Security Level Adjustment dialog box, select a sensitivity level and click Confirm.

Grant permissions on sensitive fields

Users who need to query or export plaintext values in fully masked or partially masked fields must be explicitly granted access. Permissions can only be granted for instances with security hosting enabled. See the "Enable security hosting" section of Security hosting.

  1. On the Field Control tab of the Sensitive Data List page, select the fields on which you want to grant permissions.

  2. Click Authorize User in the upper-left corner of the Field Control tab.

  3. In the Authorize User dialog box, select one or more users from the drop-down list in the Add User section.

  4. In the Permission Configuration section, set the following parameters. Users without granted permissions see field values encrypted.

    Parameter | Description
    Permission | The permission types to grant. Select one or more: Query (run SQL statements on the SQL Console tab), Export (submit tickets to export data), or Change (submit tickets to change or import data).
    Data Masking Policy | What the user sees: Semi-sensitization (applies the configured masking algorithm if one exists; otherwise encrypts the value) or Plain Text (displays the raw value).
    Expire Date | How long the permissions are valid: one month, three months, six months, one year, two years, three years, or a custom range. To set a validity period by day or hour, select Others and specify the range.
  5. Click OK.
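
The visibility rules from "How it works" and the Permission Configuration table, modeled as an added Python example (not DMS code and not a DMS API), with a review helper that lists long-lived Plain Text grants. The users, field names, and the rule that an expired grant or a missing permission type falls back to encrypted are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Grant:
    user: str
    field: str              # constructed "table.column" name
    permissions: frozenset  # subset of {"Query", "Export", "Change"}
    policy: str             # "Semi-sensitization" or "Plain Text"
    expires: datetime

def effective_view(grants, user, field, action, now, masked_fields):
    """Return 'plaintext', 'masked' or 'encrypted' for one user, field and action.

    masked_fields is the set of fields that have a masking algorithm configured.
    Assumes at most one grant per (user, field) pair.
    """
    for g in grants:
        if (g.user, g.field) != (user, field):
            continue
        if action not in g.permissions or g.expires <= now:
            continue  # assumption: expired or wrong-type grants count as no grant
        if g.policy == "Plain Text":
            return "plaintext"
        # Semi-sensitization: masked if an algorithm exists, otherwise encrypted
        return "masked" if field in masked_fields else "encrypted"
    return "encrypted"  # no explicit permission

def plaintext_grants_over(grants, now, max_days):
    """Review aid: Plain Text grants that stay valid for more than max_days."""
    limit = now + timedelta(days=max_days)
    return [g for g in grants if g.policy == "Plain Text" and g.expires > limit]

# Constructed sample data, not exported from DMS.
NOW = datetime(2026, 3, 28)
GRANTS = [
    Grant("alice", "crm.phone", frozenset({"Query"}), "Semi-sensitization", NOW + timedelta(days=30)),
    Grant("bob", "crm.phone", frozenset({"Query", "Export"}), "Plain Text", NOW + timedelta(days=1095)),
    Grant("carol", "crm.id_no", frozenset({"Query"}), "Semi-sensitization", NOW + timedelta(days=30)),
    Grant("dave", "crm.phone", frozenset({"Query"}), "Plain Text", NOW - timedelta(days=1)),
]
MASKED_FIELDS = {"crm.phone"}  # fields with a configured masking algorithm

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave", "erin"):
        field = "crm.id_no" if user == "carol" else "crm.phone"
        print(user, field, effective_view(GRANTS, user, field, "Query", NOW, MASKED_FIELDS))
    print([g.user for g in plaintext_grants_over(GRANTS, NOW, 365)])
```
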

Revoke permissions on sensitive fields

  1. On the Field Control tab of the Sensitive Data List page, find the sensitive field and click Manage Permissions in the Operation column.

  2. On the Manage Permissions page, click Column Permissions.

  3. Find the permission entry to remove and click Recycle Permission in the Actions column.

To review the full authorization details for a field before revoking, click View Details in the Actions column. You can also grant or revoke other database-level permissions on the Manage Permissions page.

FAQ

Why can't I configure sensitive fields?

Check the following in order:

  1. Sensitive data protection is not enabled. Go to the instance settings and enable it. See Enable the sensitive data protection feature.


  2. You are not authorized to access the instance. Ask an administrator to grant you permissions on the sensitive fields. See Grant permissions on sensitive fields.


  3. A ticket is already in progress. If you previously submitted a ticket to configure sensitive fields and it has not been closed, complete or close it before making new changes.
