If a database contains sensitive data, you can enable the sensitive data protection feature for the database. This way, Data Management (DMS) can scan the database, and detect, mask, and manage the sensitive data. This topic describes how to enable the sensitive data protection feature and how to create a scan task for an instance.

Prerequisites

  • You are a DMS administrator, a database administrator (DBA), or a security administrator.
    Note To view the role of your account, move the pointer over the Profile picture icon in the upper-right corner of the DMS console.
  • The database is supported by the sensitive data protection feature. The following types of databases are supported:
    • Relational databases: MySQL, SQL Server, PostgreSQL, MariaDB, Oracle, Dameng (DM), PolarDB for PostgreSQL (Compatible with Oracle), PolarDB for Xscale, OceanBase, Db2, Lindorm CQL, Lindorm SQL, and OpenGauss.
    • Data warehouses: AnalyticDB for MySQL, AnalyticDB for PostgreSQL, Data Lake Analytics (DLA), ClickHouse, MaxCompute, Hologres, and Hive.
  • The quota on the number of instances for which sensitive data protection can be enabled is purchased and not used up.
    Note To view the number of available instances for which sensitive data protection can be enabled, move the pointer over the Purchase icon and select DMS Order Management.

Procedure

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose Security and Specifications > Sensitive Data > Sensitive Data Assets.
  3. On the Sensitive Data Assets tab, click the Not opened tab in the Instance List section.
  4. Find the instance for which you want to enable the sensitive data protection feature and click Enable Now in the Operation column.
    Note Only instances for which the sensitive data protection feature is disabled appear on this tab.
  5. In the Enable Sensitive Data Protection dialog box, configure the parameters as required. The following table describes the parameters.
    • Configure Scan Task (Required: No): By default, Configure Scan Task is turned on. If Configure Scan Task is turned on, all databases in the instance are scanned.
    • Select a scan template (Required: Yes): Select a scan template or create a new template. For more information about how to create a template, see Create a classification and grading template.
    • Scan Method (Required: No): The execution method of the scan task.
      Note If you turn on Configure Scan Task, you must select a scan method.
      • If you select Immediate Task (Task Immediately Run Only Once), DMS immediately scans the specified database and marks sensitive data after the task is configured.
      • If you select Scheduled Task (Task Run at Specified Time Only Once), you must select a date and time. DMS automatically scans the specified database and marks sensitive data at the scheduled time.
      • If you select Periodic Task, you must configure the scheduling cycle and the specific point in time. DMS automatically scans the specified database and marks sensitive data on a regular basis.
  6. Click OK.
  7. Grant access to the instance. After you grant access to an instance, sensitive data in the instance can be automatically detected. You must grant access to an instance before you configure a scan task for the instance.
    Note If the instance is managed in Security Collaboration mode, the system automatically grants access to the instance. In this case, skip this step.
    1. On the Enabled tab in the Instance List section, find the instance to which you want to grant access and click Account Authorization in the Operation column.
    2. In the Account Authorization dialog box, enter the database account and database password of the destination instance.
    3. Click OK.
  8. Configure and run a scan task if you have not configured a scan task when you enable the sensitive data protection feature.
    Note When DMS runs a scan task for an instance, DMS scans the metadata of the specified database and randomly scans 100 to 200 data entries in the database. The data is used only for sensitive data analysis in the scan task and is not saved for other purposes.
    1. On the Enabled tab, find the instance for which you want to configure a scan task and click Configure Scan Task in the Operation column.
    2. In the Configure Scan Task dialog box, configure the parameters as required. The following table describes the parameters.
      • Scan Method: The execution method of the scan task. This parameter specifies when to start the scan task. Valid values:
        • Immediate Task (Task Immediately Run Only Once): starts the scan task immediately to scan the databases that belong to the selected instance.
        • Scheduled Task (Task Run at Specified Time Only Once): starts the scan task at a specific point in time to scan the databases that belong to the selected instance.
        • Periodic Task: schedules the scan task by hour, day, week, or month to scan the databases that belong to the selected instance.
      • Scope: The scan scope. Valid values: All Databases and Specific Databases. If you select Specific Databases, you can select multiple databases.
      • Apply scan results immediately?: Specifies whether to tag the fields in the identification results with data categories and security levels immediately. Valid values:
        • Yes: tags the fields immediately.
        • No (Go to the identification result to apply it manually.): does not tag the fields immediately. You must go to the Identification Result panel to manually apply the identification results.
    3. Click OK.
    4. View the identification results.
      In the Overview section, click the number below Scanned to go to the Identification Task Log page. Find the scan task whose identification results you want to view and click the number in the Execution History column. In the Identification Result panel, you can view the identification results.
      Note Alternatively, go to the Instance List section, find the instance whose scan task and identification results you want to view and click Task details in the Operations column.
    5. Manually apply the identification results. If you set the Apply scan results immediately? parameter to Yes when you configure the scan task, the system automatically applies the identification results. In this case, skip the following steps.
      1. Go to the Identification Task Log page.
      2. Find the scan task whose identification results you want to view and click the number in the Execution History column.
      3. In the Identification Result panel, click Take Effect in the Actions column to manually apply the identification results.
    6. Optional: To view sensitive data and the sensitivity levels of the sensitive data in the specified instance, click Sensitive Data List in the Operation column, and click the Field Control tab. You can also manage sensitive fields on the Field Control tab. For example, you can adjust the sensitivity levels of fields, change the masking rules for fields, and grant permissions on fields. For more information, see Manage sensitive data.
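The following script is an added illustration of what a scan task of the kind described in step 8 does: it reads column metadata, samples a bounded number of random rows rather than the whole table (the page states that DMS samples 100 to 200 entries per database), classifies each column with pattern detectors, and either applies the resulting category and security-level tags at once or leaves them pending for manual application, mirroring the Apply scan results immediately? parameter. It is not DMS code and does not reproduce DMS's detectors or scoring; the two regex detectors, the category and level names (Email, Mobile Phone, L2, L3), the 80% match threshold, and the SQLite customer table are all constructed for this example.

```python
"""Illustrative model of a sensitive data scan task (added example, not DMS code).

Assumptions: DMS's real detectors, categories and levels are not public. The
detectors, level names, threshold and sample data below are constructed.
"""
import re
import sqlite3

# Constructed detectors: (category, security level, pattern). Hypothetical values.
DETECTORS = [
    ("Email", "L2", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I)),
    ("Mobile Phone", "L3", re.compile(r"^\+?\d{11}$")),
]
SAMPLE_SIZE = 200       # the page says DMS samples 100 to 200 rows per scan
MATCH_THRESHOLD = 0.8   # share of sampled non-null values that must match


def build_demo_db():
    """Create an in-memory SQLite database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, "
        "email TEXT, mobile TEXT, note TEXT)"
    )
    rows = [
        (i, f"user{i}", f"user{i}@example.com", f"138{i:08d}", "free text")
        for i in range(500)
    ]
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def list_columns(conn, table):
    """Metadata step: column names come from the catalog, not from row data.
    The table name is a trusted constant here; a real scanner must validate it."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def sample_rows(conn, table, n=SAMPLE_SIZE):
    """Sampling step: read at most n random rows instead of the full table."""
    return conn.execute(
        f"SELECT * FROM {table} ORDER BY RANDOM() LIMIT ?", (n,)
    ).fetchall()


def classify_column(values):
    """Return (category, level) when enough sampled values match one detector."""
    vals = [str(v) for v in values if v is not None]
    if not vals:
        return None
    for category, level, pattern in DETECTORS:
        hits = sum(1 for v in vals if pattern.match(v))
        if hits / len(vals) >= MATCH_THRESHOLD:
            return (category, level)
    return None


def scan_table(conn, table):
    """Identification result: {column: (category, level)} for detected columns."""
    cols = list_columns(conn, table)
    rows = sample_rows(conn, table)
    result = {}
    for idx, col in enumerate(cols):
        hit = classify_column([row[idx] for row in rows])
        if hit is not None:
            result[col] = hit
    return result


def apply_results(tags, identification, apply_immediately):
    """Model 'Apply scan results immediately?': with True the tags take effect
    now and nothing is left pending; with False the result is returned as a
    pending set to be applied manually (the 'Take Effect' action)."""
    if apply_immediately:
        tags.update(identification)
        return {}
    return dict(identification)


if __name__ == "__main__":
    db = build_demo_db()
    found = scan_table(db, "customer")
    effective = {}
    pending = apply_results(effective, found, apply_immediately=False)
    print("identification result:", found)
    print("pending manual application:", pending)
```

The point worth noting for a practitioner is the last function: when the scan is configured with Apply scan results immediately? set to No, detected columns exist only as an identification result and carry no tags, so masking and permission controls that depend on those tags are not yet in force until someone clicks Take Effect.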