After you purchase a Data Security Center (DSC) instance, you must authorize DSC to access your database instances before you can use DSC to detect sensitive data in cloud services such as ApsaraDB RDS and PolarDB or audit database activities.
Supported databases
DSC provides data security services only for databases on Alibaba Cloud. For more information about the supported database types, see Supported data asset types.
This topic describes how to authorize DSC to access and connect to an ApsaraDB RDS database. You can follow the same procedure to authorize DSC to access and connect to the following types of databases: ApsaraDB RDS, PolarDB, PolarDB-X, PolarDB-X 2.0, Tair (Redis OSS-compatible), ApsaraDB for MongoDB, ApsaraDB for OceanBase, Tablestore, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL. For more information about the other types of databases, see the following topics:
Prerequisites
You have activated the Free Edition of Data Security Center or purchased a paid edition of Data Security Center. For more information, see Free Edition of Data Security Center or Purchase Data Security Center.
You have authorized Data Security Center to access cloud services. For more information, see Authorize DSC to access cloud resources.
Step 1: Asset instance authorization
Log on to the Data Security Center console.
In the left-side navigation pane, select Overview.
On the Overview page, click Asset Authorization.
On the Asset Authorization Management tab, select the type of data that you want to authorize DSC to access from the product list in the navigation pane on the left, and click Asset synchronization.
Note: After you purchase a DSC instance, the system automatically synchronizes the list of cloud assets the first time you log on to the DSC console. DSC automatically scans and synchronizes the asset list at 00:00 every day. You can also manually synchronize assets by clicking Asset synchronization in the Asset Center in the navigation pane on the left.
Click Authorization in the Actions column of the target asset.
To authorize DSC to access multiple assets at a time, select the target assets and click Batch Authorize.
Important: After you authorize DSC to access a structured data asset, DSC calls the API operations of Database Autonomy Service (DAS) and enables the audit service of DAS. Therefore, the DAS Basic Edition service that is activated for the asset is automatically upgraded to Enterprise Edition (SQL audit feature only). This upgrade does not incur additional fees.
Step 2: Connect to databases
Connection modes
DSC collects and analyzes data stored in databases and database activities to provide data classification, data audit, security posture monitoring, and data de-identification capabilities. To provide these capabilities, DSC must connect to databases. DSC supports one-click connection and account-based connection modes.
| Connection mode | Description | Supported data asset types |
| --- | --- | --- |
| One-click connection | You can connect to the database with a single click using the console button. If you click Connect for a database on the Authorization Management tab, DSC creates a read-only account for the database and uses the read-only account to connect to the database to run data identification tasks. Because the account is read-only, you cannot store de-identified data in the database. | |
| Account-based connection | You can connect to the database by manually entering the username and password. | |
You can select a connection mode based on the preceding table and data security requirements.
If a database supports one-click connection and you do not need to use the database as the destination database of a de-identification task, we recommend that you use the one-click connection mode.
If you want to use a database as the destination database of a de-identification task, use the account-based connection mode and use an account that has read and write permissions to connect to the database.
The following section uses an ApsaraDB RDS instance as an example to describe the one-click connection and account-based connection modes.
One-click connection
After you connect DSC to a database using the one-click connection mode, DSC creates and immediately runs a default data identification task. The task reads data from the database, which lowers the read performance of the database while the task runs. We recommend that you perform one-click connection operations during off-peak hours.
On the Authorization Management tab, click Connect in the Actions column of the target instance.
The first time you connect to a database on an instance, DSC creates a whitelist named ali_sddp_group for the instance. This way, DSC can obtain information about the databases on the instance. The whitelist contains IP addresses that are used by DSC. The IP addresses vary based on the region.
DSC creates a read-only account for the database on the instance. The account prefix is sddp_auto.
Click the icon to the left of the database instance to view the connection status and feature status of the database.
Account-based connection
We recommend that you use an independent database account based on the principle of least privilege. Do not use a business account or an account that has the highest permissions.
On the Authorization Management tab, click Account Logon in the Operation column of the target instance.
In the Account Logon panel, click Add Credential in the Operation column of the target database.
In the Add Credential dialog box, select a credential, select or clear Scan assets and identify sensitive data now., and then click OK.
For more information about credential management, see Credential management.
If you connect DSC to a database during off-peak hours, you can select the Immediately scan database assets and identify data check box. Otherwise, clear the check box. If you clear the check box, DSC creates a default data identification task and runs the task at 00:00 the next day.
The first time you connect to a database on an instance using the Account-based Connection mode, DSC creates a whitelist named ali_sddp_group for the instance. This way, DSC can obtain information about the databases on the instance. The whitelist contains IP addresses that are used by DSC. The IP addresses vary based on the region.
Click the icon to the left of the database instance to view the connection status and feature status of the database.
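After either connection mode, a defender will want to confirm that the instance ended up in the state this topic describes: the ali_sddp_group whitelist exists and contains no catch-all entry, and any sddp_auto account holds nothing beyond ReadOnly. The following check is an added example, not code from the Alibaba Cloud documentation or the DSC product; it assumes the JSON shapes of the RDS DescribeDBInstanceIPArrayList and DescribeAccounts responses, and the payloads are constructed samples, not captured from a real instance.

```python
"""Post-connection least-privilege check for a DSC-connected RDS instance."""
import ipaddress
import json

DSC_WHITELIST = "ali_sddp_group"   # whitelist name DSC creates (from this topic)
DSC_ACCOUNT_PREFIX = "sddp_auto"   # prefix of the read-only account DSC creates

# Constructed sample shaped like a DescribeDBInstanceIPArrayList response (assumption).
SAMPLE_IP_ARRAYS = json.loads("""{"Items": {"DBInstanceIPArray": [
  {"DBInstanceIPArrayName": "default", "SecurityIPList": "10.0.0.0/8"},
  {"DBInstanceIPArrayName": "ali_sddp_group",
   "SecurityIPList": "192.0.2.10,192.0.2.11"}
]}}""")

# Constructed sample shaped like a DescribeAccounts response (assumption).
SAMPLE_ACCOUNTS = json.loads("""{"Accounts": {"DBInstanceAccount": [
  {"AccountName": "app_user", "AccountType": "Normal", "DatabasePrivileges":
   {"DatabasePrivilege": [{"DBName": "orders", "AccountPrivilege": "ReadWrite"}]}},
  {"AccountName": "sddp_auto_example", "AccountType": "Normal", "DatabasePrivileges":
   {"DatabasePrivilege": [{"DBName": "orders", "AccountPrivilege": "ReadOnly"}]}}
]}}""")


def dsc_whitelist_entries(ip_arrays):
    """Networks listed in the DSC whitelist, or None when the whitelist is absent."""
    for group in ip_arrays["Items"]["DBInstanceIPArray"]:
        if group["DBInstanceIPArrayName"] == DSC_WHITELIST:
            raw = [s.strip() for s in group["SecurityIPList"].split(",")]
            return [ipaddress.ip_network(s) for s in raw if s]
    return None


def whitelist_is_tight(ip_arrays):
    """True when the DSC whitelist exists and has no catch-all entry (e.g. 0.0.0.0/0)."""
    entries = dsc_whitelist_entries(ip_arrays)
    return bool(entries) and all(net.prefixlen > 0 for net in entries)


def account_privileges(accounts, account_name):
    """Set of per-database privileges granted to one account (empty if not found)."""
    for acct in accounts["Accounts"]["DBInstanceAccount"]:
        if acct["AccountName"] == account_name:
            privs = acct["DatabasePrivileges"]["DatabasePrivilege"]
            return {p["AccountPrivilege"] for p in privs}
    return set()


def dsc_accounts_not_read_only(accounts):
    """Names of sddp_auto* accounts that are privileged or hold more than ReadOnly."""
    names = [a["AccountName"] for a in accounts["Accounts"]["DBInstanceAccount"]
             if a["AccountName"].startswith(DSC_ACCOUNT_PREFIX)]
    return [n for n in names
            if account_privileges(accounts, n) - {"ReadOnly"}
            or any(a["AccountType"] != "Normal"
                   for a in accounts["Accounts"]["DBInstanceAccount"]
                   if a["AccountName"] == n)]
```

Run the same two checks against a real response before relying on the credential you supply for account-based connection: the account you enter should pass account_privileges with only the privileges the task needs.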
What to do next
After you connect DSC to a database, DSC automatically creates a default data identification task.
If you select Immediately Scan Database Assets And Identify Data when you use the One-click Connection mode, the default data identification task is immediately run.
If you clear Immediately Scan Database Assets And Identify Data when you use the One-click Connection mode, you can go to the Identification Tasks tab on the page. On the Default Tasks tab, click Rescan to manually run the default data identification task. You can customize the scan time and scan cycle for a default data identification task. For more information, see Modify scan settings for default data identification tasks.
Default data identification tasks use the primary identification template (the default template is Internet industry classification template + general identification template) to scan the connected data assets. You can check the status of a data identification task to confirm the completion time of the data identification task.
You can set the primary identification template to a built-in identification template or a custom identification template. For more information, see Set a primary identification template.
If the primary identification template is a built-in identification template, the general identification template (compliant with the personal information security specification) is also used. If the primary identification template is a custom identification template, the general identification template is not used.
View the completion time of a default data identification task. For more information, see View default data identification tasks.
View data classification results. For more information, see View data identification results.
References
For examples of authorizing DSC to access data assets for data classification, see Classify sensitive data.
For more information about custom data identification tasks, see Create a custom data identification task.
You can use data domains to classify and manage data assets based on business attributes, organizational structures, and data features. For more information, see Manage assets using data domains.
FAQ
For more information about the common issues and solutions for data asset authorization, see Data authorization.