Data Security Center (DSC) must be authorized to access specific data assets before it can detect sensitive data in the data assets. Supported data assets include Object Storage Service (OSS) buckets, ApsaraDB RDS databases, ApsaraDB RDS for PPAS databases, Distributed Relational Database Service (PolarDB-X) databases, PolarDB databases, Tablestore instances, self-managed databases hosted on Elastic Compute Service (ECS) instances, MaxCompute projects, AnalyticDB for PostgreSQL databases, AnalyticDB for MySQL databases, ApsaraDB for MongoDB databases, ApsaraDB for OceanBase databases, and ApsaraDB for Redis databases. This topic describes how to authorize DSC to access specific data assets.

Prerequisites

DSC is activated. DSC is authorized to access Alibaba Cloud resources. For more information, see Authorize DSC to access Alibaba Cloud resources.

Background information

You can authorize DSC to access specific data assets in Alibaba Cloud services. If you do not authorize DSC to access the data assets, DSC cannot detect sensitive data in Alibaba Cloud services or de-identify the sensitive data.

Authorize DSC to access OSS buckets

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the OSS tab, click Unauthorized.
  4. Select the OSS buckets that you want to authorize DSC to access and click Batch operation.
    You can also click Authorization in the Open protection column for a single OSS bucket to authorize DSC to access the OSS bucket.
  5. In the Batch processing for selected assets dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  6. Click Ok.
    After the authorization is complete, DSC scans authorized OSS buckets for sensitive data. When DSC accesses an OSS bucket for the first time, DSC automatically scans all the data in the OSS bucket, and you are charged for the full scan. For more information, see the "How long does it take to scan data in my data asset after I authorize DSC to access the data asset?" section of the Sensitive data scan and detection topic.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. After you cancel the authorization for an OSS bucket, DSC no longer scans the OSS bucket.

    Note DSC scans only authorized OSS buckets and analyzes risks of sensitive data detected in these OSS buckets.

Authorize DSC to access ApsaraDB RDS databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the RDS tab.
  4. On the RDS tab, click Not authorized.
  5. Find the data assets that you want to authorize DSC to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import the logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Important Invalid usernames or passwords cause an authorization failure. Make sure that you enter valid usernames and passwords.
  6. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.

      SDDP allows you to collect audit logs that cover the generation, update, and use of your data assets. The log information includes the audit rule that is hit for a data asset, the type of the data asset, the type of the operation that hits the audit rule, and the operator account.

      Note After you enable the audit log feature for an ApsaraDB RDS database, SQL Explorer is automatically enabled, and you are charged for using SQL Explorer. You are charged an hourly fee of USD 0.0018 per GB for using SQL Explorer of the non-trial edition. The fee is listed in your bill of ApsaraDB RDS. For more information about how to view the fee, see View your bills. For more information about SQL Explorer, see Use the SQL Explorer feature on an ApsaraDB RDS for MySQL instance.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for an ApsaraDB RDS database, you can modify only the username and password for accessing the database. After you cancel the authorization, DSC no longer scans the database.

Authorize DSC to access ApsaraDB RDS for PPAS databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the RDS-PPAS tab.
  4. On the RDS-PPAS tab, click Add data assets.
  5. In the Add data assets dialog box, set the parameters as required and click Ok.
    The following table describes the parameters for adding an ApsaraDB RDS for PPAS database to DSC.
    Parameter | Description
    Region | The region where the ApsaraDB RDS for PPAS database that you want to authorize DSC to access resides.
    Instance Name | The name of the ECS instance on which the ApsaraDB RDS for PPAS database that you want to authorize DSC to access is hosted.
    Database Name | The name of the ApsaraDB RDS for PPAS database that you want to authorize DSC to access.
    User name, Password | The username and password of a valid user of the ApsaraDB RDS for PPAS database.
  6. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  7. Click OK.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

Authorize DSC to access PolarDB-X databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the PolarDB-X tab.
  4. On the PolarDB-X tab, click Not authorized.
  5. Find the data assets that you want to authorize DSC to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import the logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Important Invalid usernames or passwords cause an authorization failure. Make sure that you enter valid usernames and passwords.
  6. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for a PolarDB-X database, you can modify only the username and password for accessing the database. After you cancel the authorization, DSC no longer scans the database.

Authorize DSC to access PolarDB databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the PolarDB tab.
  4. On the PolarDB tab, click Unauthorized.
  5. Find the data assets that you want to authorize DSC to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import the logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Important Invalid usernames or passwords cause an authorization failure. Make sure that you enter valid usernames and passwords.
  6. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for a PolarDB database, you can modify only the username and password for accessing the database. After you cancel the authorization, DSC no longer scans the database.

Authorize DSC to access Tablestore instances

OTS refers to Tablestore.

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the OTS tab.
  4. On the OTS tab, click Unauthorized.
  5. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  6. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  7. Click OK.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

Authorize DSC to access self-managed databases hosted on ECS instances

A self-managed database hosted on an ECS instance must meet the following requirements before DSC can scan the database:
  • The ECS instance on which the self-managed database is hosted resides in a virtual private cloud (VPC) so that DSC can scan the database.
  • The self-managed database hosted on the ECS instance is a MySQL, an SQL Server, or an Oracle database.
  • The account that you use to connect to the self-managed database hosted on the ECS instance is granted the permissions to remotely access the self-managed database from specified CIDR blocks. You must log on to the self-managed database to complete this authorization before you authorize DSC to access the self-managed database.
  1. Log on to the self-managed database hosted on the ECS instance. Grant the account that you use to connect to the self-managed database the permissions to remotely access the self-managed database from specified CIDR blocks.
    For example, run the following command to grant the remote access permissions if the self-managed database hosted on the ECS instance is a MySQL database. If the self-managed database hosted on the ECS instance is of another database type, run the authorization command based on the syntax of the specific database type.
    GRANT ALL PRIVILEGES ON *.* TO 'Username'@'CIDR blocks' IDENTIFIED BY 'Password';
    Parameter description:
    • Username: the username of the account that you use to connect to the self-managed database hosted on the ECS instance.
    • CIDR blocks: the CIDR blocks from which the self-managed database hosted on the ECS instance can be accessed.

      You must specify the CIDR blocks in the authorization command based on the region where the data assets reside and the network type of the data assets.

      For more information about the CIDR blocks, see Table 1. In the authorization command, you must specify at least two CIDR blocks of the corresponding region. The IP address range that you specify can be larger than the range covered by the two CIDR blocks of the corresponding region.
    • Password: the password of the account that you use to connect to the self-managed database hosted on the ECS instance.
    Table 1. CIDR blocks
    Region | CIDR block
    China (Shanghai) | 100.104.238.64/26, 100.104.198.192/26
    China (Beijing) | 100.104.250.0/26, 100.104.51.192/26
    China (Hangzhou) | 100.104.207.192/26, 100.104.232.64/26
    China (Shenzhen) | 100.104.247.0/26, 100.104.150.64/26
    China (Zhangjiakou) | 100.104.37.128/26, 100.104.191.64/26
    China (Hohhot) | 100.104.234.192/26, 100.104.26.128/26
    China (Hong Kong) | 100.104.153.64/26, 100.104.65.192/26
    Singapore (Singapore) | 100.104.158.192/26, 100.104.218.128/26
    Malaysia (Kuala Lumpur) | 100.104.240.128/26, 100.104.127.0/26
    Indonesia (Jakarta) | 100.104.127.0/26, 100.104.182.128/26
  2. Log on to the DSC console.
  3. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  4. On the Cloud hosting page, click the ECS self-built database tab.
  5. On the ECS self-built database tab, click Add data assets.
  6. In the Asset authorization dialog box, set the parameters as required and click Next.
    The following table describes the parameters for adding a self-managed database hosted on an ECS instance to DSC.
    Parameter | Description
    Region | The region where the self-managed database that you want to authorize DSC to access resides.
    ECS instance ID | The ID of the ECS instance on which the self-managed database that you want to authorize DSC to access is hosted.
    Database type | The type of the self-managed database that you want to authorize DSC to access. DSC supports the following types of self-managed databases hosted on ECS instances: MySQL, SQL Server, and Oracle.
    Library name | The name of the self-managed database that you want to authorize DSC to access. Note: To authorize DSC to access other self-managed databases hosted on the ECS instance, click Add Database to add the databases.
    Port | The port number that is used to access the self-managed database hosted on the ECS instance.
    User name, Password | The username and password of a valid user of the self-managed database hosted on the ECS instance.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click OK.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.
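
An added example (not part of the original page or of Alibaba Cloud's tooling) for step 1 of this procedure: it expands the GRANT command into one statement per Table 1 CIDR block of a region and checks whether a connecting address falls inside those blocks. It assumes a MySQL server; the function names and the `dsc_scan` account are hypothetical, and whether DSC works with a narrower grant than the page's `ALL PRIVILEGES ON *.*` is not stated on this page.

```python
import ipaddress

# Table 1 on this page: the two DSC CIDR blocks for each region.
DSC_CIDRS = {
    "China (Shanghai)": ("100.104.238.64/26", "100.104.198.192/26"),
    "China (Beijing)": ("100.104.250.0/26", "100.104.51.192/26"),
    "China (Hangzhou)": ("100.104.207.192/26", "100.104.232.64/26"),
    "China (Shenzhen)": ("100.104.247.0/26", "100.104.150.64/26"),
    "China (Zhangjiakou)": ("100.104.37.128/26", "100.104.191.64/26"),
    "China (Hohhot)": ("100.104.234.192/26", "100.104.26.128/26"),
    "China (Hong Kong)": ("100.104.153.64/26", "100.104.65.192/26"),
    "Singapore (Singapore)": ("100.104.158.192/26", "100.104.218.128/26"),
    "Malaysia (Kuala Lumpur)": ("100.104.240.128/26", "100.104.127.0/26"),
    "Indonesia (Jakarta)": ("100.104.127.0/26", "100.104.182.128/26"),
}


def mysql_host(cidr, cidr_hosts=False):
    """Return the host part of a MySQL account name for one CIDR block.

    MySQL accepts CIDR notation in account names only from 8.0.23 on;
    older servers need base-address/netmask notation instead.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects blocks with host bits set
    return net.with_prefixlen if cidr_hosts else net.with_netmask


def sql_quote(value):
    """Quote a string literal for MySQL (default sql_mode, backslash escapes on)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def grant_statements(region, username, password, *, privileges="ALL PRIVILEGES",
                     scope="*.*", mysql8=False, cidr_hosts=False):
    """Build the statements that allow `username` to connect from a region's DSC blocks.

    privileges/scope default to the command shown on this page; they are
    inserted as-is, so pass only trusted, operator-chosen values.
    mysql8=True emits CREATE USER + GRANT, because MySQL 8.0 no longer
    accepts GRANT ... IDENTIFIED BY.
    """
    statements = []
    for cidr in DSC_CIDRS[region]:
        account = "{}@{}".format(sql_quote(username),
                                 sql_quote(mysql_host(cidr, cidr_hosts)))
        if mysql8:
            statements.append("CREATE USER IF NOT EXISTS {} IDENTIFIED BY {};".format(
                account, sql_quote(password)))
            statements.append("GRANT {} ON {} TO {};".format(privileges, scope, account))
        else:
            statements.append("GRANT {} ON {} TO {} IDENTIFIED BY {};".format(
                privileges, scope, account, sql_quote(password)))
    return statements


def is_dsc_source(region, ip):
    """True if `ip` (for example from a connection log) lies in the region's DSC blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in DSC_CIDRS[region])


if __name__ == "__main__":
    # Constructed sample values; replace the password before use.
    for stmt in grant_statements("China (Shanghai)", "dsc_scan", "<Password>"):
        print(stmt)
```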

Authorize DSC to access a MaxCompute project

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the MaxCompute tab.
  4. On the MaxCompute tab, click Add data assets.
  5. In the Add data assets dialog box, set the parameters as required. The following table describes the parameters for adding a MaxCompute project to DSC.
    Parameter | Description
    Region | The region where the MaxCompute project that you want to authorize DSC to access resides.
    Project Name | The name of the MaxCompute project.
    Note Fuzzy search is not supported. You must enter the exact name of the project.
  6. Run the following commands on the MaxCompute client to add the DSC account yundun_sddp to the MaxCompute project. DSC uses this account to access the MaxCompute project.
    add user aliyun$yundun_sddp;
    
    grant admin to aliyun$yundun_sddp;

    Perform one of the following operations based on the returned result:

    • If no error message is returned after the preceding commands are run, go to Step 8.
    • If an error message is returned after the preceding commands are run, go to Step 7.
  7. Optional: Run the following command to add the service IP addresses of DSC to the IP address whitelist of the MaxCompute project:
    
    setproject odps.security.ip.whitelist=11.193.236.0/24,11.193.64.0/24,11.193.58.0/24 odps.security.vpc.whitelist=<VPC ID>;
    // 11.193.236.0/24, 11.193.64.0/24, and 11.193.58.0/24 are the CIDR blocks used by DSC on the classic network. They must be added to the IP address whitelist.
    // Replace the VPC ID with that of the region where your MaxCompute project resides. The following table describes the VPC IDs of the supported regions. 

    If the IP address whitelist feature is enabled for your MaxCompute project, you must add the service IP addresses of DSC to the IP address whitelist of the MaxCompute project. This prevents authorization failures. You can run the setproject; command to check whether the IP address whitelist feature is enabled for your MaxCompute project. If the value of the odps.security.vpc.whitelist parameter is empty, the IP address whitelist feature is not enabled. In this case, you can skip this step.

    Region | Region ID | VPC ID
    China (Zhangjiakou) | cn-zhangjiakou | cn-zhangjiakou_399229
    China (Beijing) | cn-beijing | cn-beijing_691047
    China (Shenzhen) | cn-shenzhen | cn-shenzhen_515895
    China (Shanghai) | cn-shanghai | cn-shanghai_28803
    China (Hangzhou) | cn-hangzhou | cn-hangzhou_551733
    Note After you configure the IP address whitelist, wait for 5 minutes before you go to the next step.
  8. Click Ok.
    Note If the authorization fails, check whether the authorization parameters are correctly set and whether the DSC account is added to the MaxCompute project.
    After the authorization is complete, DSC scans the authorized MaxCompute project for sensitive data.

    In the list of authorized MaxCompute projects, you can cancel the authorization for a MaxCompute project. After you cancel the authorization, DSC no longer scans the project.
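
An added example (not part of the original page) for step 7: given the two whitelist values reported by `setproject;`, it decides whether the step can be skipped and otherwise builds a `setproject` command that keeps the existing entries and appends the DSC ones. It assumes that `setproject` replaces a property's whole value and that both properties are comma-separated lists; the function names and the sample whitelist values are constructed for illustration.

```python
import ipaddress

# From this page: DSC CIDR blocks on the classic network and per-region VPC IDs.
DSC_CLASSIC_CIDRS = ("11.193.236.0/24", "11.193.64.0/24", "11.193.58.0/24")
DSC_VPC_IDS = {
    "cn-zhangjiakou": "cn-zhangjiakou_399229",
    "cn-beijing": "cn-beijing_691047",
    "cn-shenzhen": "cn-shenzhen_515895",
    "cn-shanghai": "cn-shanghai_28803",
    "cn-hangzhou": "cn-hangzhou_551733",
}


def _entries(value):
    """Split a comma-separated property value, dropping blanks."""
    return [e.strip() for e in value.split(",") if e.strip()]


def _covers(entry, cidr):
    """True if an existing whitelist entry (IP or CIDR) contains all of `cidr`."""
    try:
        return ipaddress.ip_network(cidr).subnet_of(
            ipaddress.ip_network(entry, strict=False))
    except (ValueError, TypeError):
        # Entry in a form this script does not interpret (for example a range):
        # it is preserved verbatim but not counted as covering the DSC block.
        return False


def plan_whitelist(ip_whitelist, vpc_whitelist, region_id):
    """Return the setproject command to run, or None if step 7 can be skipped.

    ip_whitelist / vpc_whitelist are the current values of
    odps.security.ip.whitelist and odps.security.vpc.whitelist.
    """
    if not vpc_whitelist.strip():
        # Per this page: an empty odps.security.vpc.whitelist means the
        # IP address whitelist feature is not enabled.
        return None
    ips, vpcs = _entries(ip_whitelist), _entries(vpc_whitelist)
    add_ips = [c for c in DSC_CLASSIC_CIDRS
               if not any(_covers(e, c) for e in ips)]
    vpc_id = DSC_VPC_IDS[region_id]
    add_vpcs = [] if vpc_id in vpcs else [vpc_id]
    if not add_ips and not add_vpcs:
        return None  # DSC entries are already present
    return ("setproject odps.security.ip.whitelist={} "
            "odps.security.vpc.whitelist={};").format(
                ",".join(ips + add_ips), ",".join(vpcs + add_vpcs))


if __name__ == "__main__":
    # Constructed current values for a project in China (Beijing).
    print(plan_whitelist("10.0.0.0/8", "cn-beijing_12345", "cn-beijing"))
```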

Authorize DSC to access AnalyticDB for PostgreSQL databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the ADB-PG tab.
  4. On the ADB-PG tab, click Add data assets.
  5. In the Add data assets dialog box, set the parameters as required and click Ok.
    The following table describes the parameters for adding an AnalyticDB for PostgreSQL database to DSC.
    Parameter | Description
    Region | The region where the AnalyticDB for PostgreSQL database that you want to authorize DSC to access resides.
    Instance Name | The name of the ECS instance on which the AnalyticDB for PostgreSQL database that you want to authorize DSC to access is hosted.
    Database Name | The name of the AnalyticDB for PostgreSQL database that you want to authorize DSC to access.
    User name, Password | The username and password of a valid user of the AnalyticDB for PostgreSQL database.
  6. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  7. Click OK.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

Authorize DSC to access AnalyticDB for MySQL databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the ADB-MYSQL tab.
  4. On the ADB-MYSQL tab, click Unauthorized.
  5. Find the data assets that you want to authorize DSC to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import the logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Important Invalid usernames or passwords cause an authorization failure. Make sure that you enter valid usernames and passwords.
  6. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for an AnalyticDB for MySQL database, you can modify only the username and password for accessing the database. After you cancel the authorization, DSC no longer scans the database.

Authorize DSC to access ApsaraDB for MongoDB databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the MongoDB tab.
  4. On the MongoDB tab, click Add data assets.
  5. In the Add data assets dialog box, set the parameters as required and click Ok.
    The following table describes the parameters for adding an ApsaraDB for MongoDB database to DSC.
    Parameter | Description
    Region | The region where the ApsaraDB for MongoDB database that you want to authorize DSC to access resides.
    Instance Name | The name of the ECS instance on which the ApsaraDB for MongoDB database that you want to authorize DSC to access is hosted.
    Database Name | The name of the ApsaraDB for MongoDB database that you want to authorize DSC to access.
    User name, Password | The username and password of a valid user of the ApsaraDB for MongoDB database.
  6. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  7. Click OK.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

Authorize DSC to access ApsaraDB for OceanBase databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the OceanBase tab.
  4. On the OceanBase tab, click Unauthorized.
  5. Find the data assets that you want to authorize DSC to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import the logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Important Invalid usernames or passwords cause an authorization failure. Make sure that you enter valid usernames and passwords.
  6. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click OK.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for an ApsaraDB for OceanBase database, you can modify only the username and password for accessing the database. After you cancel the authorization, DSC no longer scans the database.

Authorize DSC to access ApsaraDB for Redis databases

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click the Redis tab.
  4. On the Redis tab, click Unauthorized.
  5. Find the data assets that you want to authorize DSC to access and enter the username and password that are used to access each data asset in the Username and Password fields.

    You can also click Batch password import to import the logon information for multiple data assets at a time. For more information, see Import logon information for multiple data assets at a time.

    Important Invalid usernames or passwords cause an authorization failure. Make sure that you enter valid usernames and passwords.
  6. Select the data assets that you want to authorize DSC to access and click Batch operation.
    You can also click One-click authorization or Account Password Authorization in the Actions column for a single data asset to authorize DSC to access the data asset.
  7. In the Batch operation dialog box, turn on or off the switches to configure the detection, audit, and de-identification permissions for DSC and set the remaining parameters as required.
    Set the following switches and parameters:
    • Identify permissions: specifies whether to grant DSC the sensitive data detection permissions on the selected data assets.
    • Audit permissions: specifies whether to grant DSC the audit permissions on the selected data assets.
    • Desensitization permissions: specifies whether to grant DSC the sensitive data de-identification permissions on the selected data assets.
    • Display number of sampling: the number of samples that DSC collects from the selected data assets. DSC collects samples when it detects sensitive data in the data assets. You can use the sensitive data samples to further analyze the sensitive data. Valid values:
      • 0
      • 5
      • 10
    • Audit log archiving: the number of days for which audit logs are retained for the selected data assets. Valid values:
      • 30 days
      • 90 days
      • 180 days
      Note You do not need to activate Log Service to archive audit logs that are generated by DSC.
  8. Click Ok.
    Note If the authorization fails, check whether the usernames and passwords are correct.
    After the authorization is complete, DSC scans authorized data assets for sensitive data.

    In the list of authorized data assets, you can modify the authorization configuration for a data asset or cancel the authorization for a data asset. When you modify the authorization configuration for an ApsaraDB for Redis database, you can modify only the username and password for accessing the database. After you cancel the authorization, DSC no longer scans the database.

Import logon information for multiple data assets at a time

DSC allows you to upload an Excel file to import logon information for multiple data assets at a time. This way, you can authorize DSC to access multiple data assets at a time. The data assets include ApsaraDB RDS databases, PolarDB-X databases, and PolarDB databases. To import logon information for multiple data assets at a time, perform the following steps:

  1. Log on to the DSC console.
  2. In the left-side navigation pane, choose Data asset authorization > Data asset authorization.
  3. On the Cloud hosting page, click Batch password import in the upper-right corner.
  4. In the Batch password import dialog box, click DSC Authorization File Template.xlsx.
  5. Open the downloaded template file, enter the username and password used to access each data asset in the user name and password columns, and then save the template file.
    If you modify the existing usernames and passwords in the template file and upload the file to the DSC console, the usernames and passwords saved in the DSC console are updated.
  6. In the Batch password import dialog box, click File Upload to upload the template file that you have edited.
  7. Click OK.
    The Excel file is uploaded. Then, DSC synchronizes the usernames and passwords that you entered in the file to the Username and Password columns for the related databases on the RDS, PolarDB-X, and PolarDB tabs. You can authorize DSC to access these databases on the Cloud hosting page without the need to manually enter the usernames and passwords for accessing the databases.

Troubleshoot an authorization failure

An authorization failure may occur when you authorize DSC to access your data assets. You can troubleshoot an authorization failure based on the following possible causes:
  • Possible causes of an authorization failure for ApsaraDB RDS
    • The username or password for accessing the ApsaraDB RDS database is invalid.
    • The service IP addresses of DSC are deleted from the whitelist of the ApsaraDB RDS database.
    • The ApsaraDB RDS database resides on the classic network, but the public endpoint of the ApsaraDB RDS database is inaccessible due to access control.
  • Possible causes of an authorization failure for MaxCompute
    • The name of the MaxCompute project is invalid.
    • The DSC account fails to be added to the MaxCompute project.
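
The whitelist cause listed for ApsaraDB RDS above can be checked offline before you retry the authorization. The following Python sketch is an added example, not code from DSC or Alibaba Cloud: it assumes the database whitelist is available as a comma-separated string of IP addresses and CIDR blocks, and the DSC service addresses shown are constructed placeholders. It reports which required addresses are no longer covered and flags allow-all entries, so that the fix restores only the DSC addresses rather than opening the database to every source.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges). Replace them with
# the DSC service IP addresses that apply to your region.
DSC_SERVICE_IPS = ["192.0.2.10", "198.51.100.0/24"]


def parse_whitelist(raw):
    """Parse a comma-separated whitelist string into collapsed networks.

    Raises ValueError if an entry is not a valid IP address or CIDR block.
    """
    nets = [ipaddress.ip_network(entry.strip(), strict=False)
            for entry in raw.split(",") if entry.strip()]
    collapsed = []
    # collapse_addresses() merges adjacent and nested blocks, but only
    # accepts one IP version at a time.
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return collapsed


def audit_whitelist(raw, required=DSC_SERVICE_IPS):
    """Return required addresses that are not covered, and allow-all entries."""
    nets = parse_whitelist(raw)
    missing = []
    for item in required:
        need = ipaddress.ip_network(item, strict=False)
        covered = any(n.version == need.version and need.subnet_of(n)
                      for n in nets)
        if not covered:
            missing.append(item)
    # A prefix length of 0 (for example 0.0.0.0/0) admits every source address.
    open_to_all = [str(n) for n in nets if n.prefixlen == 0]
    return {"missing": missing, "open_to_all": open_to_all}


if __name__ == "__main__":
    # Constructed sample: one DSC address removed, one range only half covered.
    sample = "10.0.0.0/8,198.51.100.0/25"
    print(audit_whitelist(sample))
```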