
Data Security Center: General database authorization

Last Updated: Nov 24, 2025

After you purchase a Data Security Center (DSC) instance, you must authorize the asset instance. This authorization is required before you can use DSC to detect sensitive data or audit database activities in Alibaba Cloud services, such as RDS and PolarDB.

Databases that this topic applies to

DSC provides data security services only for database assets on Alibaba Cloud. For more information about the supported database types, see Supported data asset types.

This topic uses an RDS database as an example to describe the complete authorization and onboarding process. You can follow the instructions in this topic to onboard the following database types to DSC: RDS, PolarDB, PolarDB-X, PolarDB-X 2.0, Tair (Redis OSS-compatible), MongoDB, OceanBase, TableStore, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL. For information about how to authorize other types of databases, see the following topics:

Prerequisites

Step 1: Authorize the asset instance

  1. Log on to the Data Security Center console.

  2. In the navigation pane on the left, select Overview.

  3. On the Overview page, click Asset Authorization.

  4. On the Asset Authorization Management page, select a data type from the product navigation pane on the left, and then click Asset synchronization.

    Note

    After you purchase a DSC instance, a sync task for your cloud assets runs automatically the first time you log on to the console. You do not need to perform this operation manually. DSC automatically scans and syncs the asset list daily at midnight. You can also go to the Asset Center in the navigation pane on the left to manually perform an Asset synchronization.

  5. In the Actions column of the target asset, click Authorization.

    To authorize assets in a batch, select the target assets and click Batch Authorize.

    Important

    After you authorize a structured data asset, DSC calls the API of Database Autonomy Service (DAS) and enables the audit service of DAS. As a result, the DAS Basic Edition for the asset is automatically upgraded to the Enterprise Edition (which supports only the SQL Audit feature). This upgrade does not incur extra fees.

Step 2: Connect to the database

Database connection methods

DSC provides features such as data classification, data auditing, and security posture monitoring by collecting and analyzing data from and activities on your databases. To use these features, DSC must connect to your databases. DSC supports two connection methods: one-click connection and credential-based connection.

Connection type: One-click connection

  Description: Connect to the database with a single click in the console. During the connection process, DSC automatically creates a read-only account in the target data asset. The account name starts with sddp_auto. DSC uses this account to connect to the target database for data detection tasks. Because this account has only read-only permissions, a database connected using the one-click connection method cannot be the destination database for data masking tasks.

  Supported data asset types:

  • RDS:

    • MySQL

    • SQL Server (not supported for read-only instances)

    • MariaDB (not supported for read-only instances)

  • PolarDB:

    • MySQL

  • PolarDB-X 1.0 (DRDS)

  • PolarDB-X 2.0 (not supported for read-only instances)

  • OSS

  • TableStore

  • MaxCompute

  • SLS

Connection type: Credential-based connection

  Description: Connect to the database by manually entering the database account and password.

  • If you connect to the database using a read-only account, you can perform sensitive data detection, data masking, and audit tasks on the database. The database can be the source database of a data masking task but cannot be its destination database.

  • If you connect to the database using an account that has read and write permissions, the database can also be the destination database of data masking tasks, where DSC stores the masked data.

  Supported data asset types:

  • Structured data: RDS, PolarDB, PolarDB-X (formerly DRDS), PolarDB-X 2.0, MongoDB, OceanBase, and self-managed databases

  • Big data: AnalyticDB for MySQL and AnalyticDB for PostgreSQL (also known as AnalyticDB for PG)

Select a connection method based on the methods supported by your database and your data security requirements.

  • If your database supports one-click connection and you do not need to use it as a destination database for data masking tasks, use the one-click connection method.

  • To use the database as a destination database for data masking tasks, you must use the credential-based connection method and connect to the database using an account that has read and write permissions.

The following sections use an RDS instance as an example to describe how to use the one-click connection and credential-based connection methods.

One-click connection

After you use the one-click connection method, DSC automatically creates and immediately runs a default detection task. This detection task reads data from the database and can affect read performance. We recommend that you perform this operation during off-peak hours.

  1. On the Authorization Management tab, find the target asset instance and click Connect in the Actions column.

    • The first time you connect to a database in the asset instance, DSC adds a whitelist named ali_sddp_group to the asset. This allows DSC to retrieve information about the databases in the instance. The whitelist contains the IP address of the DSC server. The IP address varies by region.


    • After you perform the one-click connection, DSC automatically creates an account that has read-only permissions on the database. The account name starts with sddp_auto.

  2. Click the expand icon to the left of the database instance to view the connection status and feature status of the database.

Credential-based connection

When you use the credential-based connection method, follow the principle of least privilege. Use a dedicated database account and password (credential). Do not use a business account or a privileged account.

  1. On the Authorization Management tab, find the target asset instance and click Account Logon in the Actions column.

  2. In the Account Logon panel, find the target database and click Add Credential in the Actions column.

  3. In the Add Credential dialog box, select a credential. Select or clear Scan assets and identify sensitive data now, and then click OK.

    • For more information about how to manage credentials, see Credential management.

    • If you connect to the database during off-peak hours, select Scan assets and identify sensitive data now. Otherwise, clear this option. If you clear the option, DSC still creates a default detection task but runs it the next day at midnight.

    The first time you connect to a database in the instance using the Account Logon method, DSC adds a whitelist named ali_sddp_group to the asset. This allows DSC to retrieve information about the databases in the instance. The whitelist contains the IP address of the DSC server. The IP address varies by region.


  4. Click the expand icon to the left of the database instance to view the connection status and feature status of the database.
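The following MySQL statements are an added illustration for an RDS for MySQL instance; they are not part of this topic and are not DSC product code. They show two things a practitioner wants at this point: how to verify what the one-click connection left behind (the sddp_auto read-only account) and how to create the dedicated least-privilege accounts that the credential-based connection calls for, one read-only account for detection and audit and a separate read/write account for a masking destination. The account names dsc_detect and dsc_mask_target, the schema names crm and crm_masked, and the passwords are placeholders. The ali_sddp_group whitelist is an RDS instance-level setting, not a database object, so it is reviewed on the instance's whitelist page in the RDS console rather than from SQL.

```sql
-- Added example (not from the DSC documentation or product). MySQL dialect,
-- run as a privileged administrative account on the RDS for MySQL instance.
-- Account names, schema names and passwords are placeholders: replace them.

-- 1. Verify what one-click connection created. DSC's read-only account name
--    starts with sddp_auto; it is created by DSC, never create it yourself.
SELECT user, host
FROM mysql.user
WHERE user LIKE 'sddp_auto%';

-- For each row returned, inspect the grants (substitute the user/host you got back):
-- SHOW GRANTS FOR 'sddp_auto_example'@'%';
-- Expected shape: GRANT SELECT ... only, with no INSERT/UPDATE/DELETE or DDL.

-- 2. Dedicated read-only credential for detection and audit tasks
--    (credential-based connection). Least privilege: SELECT only, scoped to
--    the schema DSC must scan, not *.*. The host can be narrowed from '%' to
--    the DSC server address shown in the ali_sddp_group whitelist if you
--    want the account usable only from DSC.
CREATE USER 'dsc_detect'@'%' IDENTIFIED BY 'replace-with-a-generated-secret';
GRANT SELECT ON `crm`.* TO 'dsc_detect'@'%';

-- 3. Separate read/write credential for a masking destination schema.
--    DML only, scoped to the destination schema; keep it off production data.
CREATE USER 'dsc_mask_target'@'%' IDENTIFIED BY 'replace-with-a-different-secret';
GRANT SELECT, INSERT, UPDATE, DELETE ON `crm_masked`.* TO 'dsc_mask_target'@'%';
-- Add DDL only if the masking task must create its own destination tables:
-- GRANT CREATE, ALTER ON `crm_masked`.* TO 'dsc_mask_target'@'%';

-- 4. Review. Both accounts must carry schema-scoped grants only.
SHOW GRANTS FOR 'dsc_detect'@'%';
SHOW GRANTS FOR 'dsc_mask_target'@'%';

-- Global privileges live in mysql.user; schema-scoped grants set these
-- columns to 'N' and record the grant in mysql.db instead. Expected: no rows.
SELECT user, host
FROM mysql.user
WHERE user IN ('dsc_detect', 'dsc_mask_target')
  AND (Super_priv = 'Y' OR Create_user_priv = 'Y' OR Grant_priv = 'Y'
       OR Select_priv = 'Y' OR Insert_priv = 'Y' OR Update_priv = 'Y'
       OR Delete_priv = 'Y' OR Drop_priv = 'Y');
```

The same two accounts can be created from the RDS instance's Accounts page in the console instead of SQL; the point is the split: one read-only identity for detection and audit, one write-capable identity limited to the destination schema, and neither reused from an application or administrative account, which is what the least-privilege note above asks for.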

What to do next

After you successfully connect to the database, DSC automatically creates a default task.

  • If you selected Scan assets and identify sensitive data now when you connected the database, the default task runs immediately.

  • If you did not select Scan assets and identify sensitive data now when you connected the database, go to the Identification Tasks tab on the Classification and Grading > Tasks page. In the Default Tasks list, click Rescan to manually run the default task.

    You can customize the rescan time and scan cycle of the default task. For more information, see Adjust the scan settings of a default task.

The default task uses the primary detection template (by default, the Internet industry classification and categorization template and the general detection template) to scan the onboarded data assets. You can check the status of the detection task to determine its completion time.

Note

The primary detection template can be a built-in detection template or a custom detection template. For more information, see Set a primary detection template.

If the primary detection template is a built-in detection template, the General Detection Template (which complies with personal information security specifications) is also used. If the primary detection template is a custom detection template, the General Detection Template is not used.

  1. Check the completion time of the default task. For more information, see View a default task.

  2. View the results of data classification and detection. For more information, see View the results of sensitive data detection.

References

  • For an example of how to authorize a data asset and onboard it to DSC for sensitive data classification, see Quickly classify sensitive data.

  • For more information about custom sensitive data detection tasks, see Add a custom detection task.

  • You can use data domains to classify and manage data assets based on dimensions such as business properties, organizational structures, and data features. For more information, see Manage assets using data domains.

FAQ

For frequently asked questions about data asset authorization and their solutions, see Data authorization.