DSC monitors authorized data assets for risky activities and generates audit alerts when built-in or custom rules are triggered. If specific IP addresses or database accounts consistently perform safe, expected operations — such as a monitoring agent scanning tables, or an internal service account running bulk queries — add them to the system whitelist. DSC skips alert generation for whitelisted sources, so your team can focus on genuine threats instead of filtering recurring noise.
Prerequisites
Before you begin, ensure that you have authorized the data assets you want to whitelist:
RDS, PolarDB, PolarDB-X, OceanBase, Tablestore, AnalyticDB for MySQL, and AnalyticDB for PostgreSQL — see Authorize generic databases
MaxCompute — see Authorize MaxCompute
How whitelist rules work
DSC enables audit alert detection for all authorized data assets by default, using five categories of built-in audit alert rules: abnormal operation rules, data breach rules, vulnerability attack rules, SQL injection rules, and risky operation rules. You can also add custom audit rules. For details, see Configure and enable audit alert rules.
When a whitelist rule matches an incoming activity, DSC does not generate an audit alert for that database or OSS operation. Whitelist changes — adding, editing, or deleting a rule — take effect for all audit alerts within one minute.
Whitelist rule constraints
Each whitelist rule has the following constraints:
Only one asset type per rule
At least one account, IP address, or IP range is required
Up to 10 IP addresses or IP ranges
Up to 10 accounts
When a rule contains items from multiple categories (for example, instances and accounts), a logical AND applies between categories and a logical OR applies within the same category. For example, a rule with Instance A, Instance B, Account A, and Account B matches activities from (Instance A OR Instance B) AND (Account A OR Account B).
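The constraints and the AND/OR matching described above can be checked offline before a rule is created in the console. The following is an added example, not DSC code or an SDK call: the `WhitelistRule` model, the `validate` and `suppresses` helpers, the event field names, CIDR notation for IP ranges, and the treatment of an empty category as "no restriction" are all assumptions of this sketch.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_IPS = MAX_ACCOUNTS = 10  # per-rule limits stated on this page

@dataclass
class WhitelistRule:  # hypothetical local model, not a DSC SDK type
    asset_type: str                               # only one asset type per rule
    instances: set = field(default_factory=set)
    accounts: set = field(default_factory=set)
    ips: list = field(default_factory=list)       # single IPs or CIDR ranges (assumed format)
    operations: set = field(default_factory=set)  # empty = all operation types

def validate(rule):
    """Return the list of constraint violations; an empty list means the rule is valid."""
    errors = []
    if not rule.accounts and not rule.ips:
        errors.append("needs at least one account, IP address, or IP range")
    if len(rule.ips) > MAX_IPS:
        errors.append("more than 10 IP addresses or IP ranges")
    if len(rule.accounts) > MAX_ACCOUNTS:
        errors.append("more than 10 accounts")
    for entry in rule.ips:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"unparseable IP entry: {entry}")
    return errors

def suppresses(rule, event):
    """True if the rule would exempt this activity from audit alerting."""
    if validate(rule) or event["asset_type"] != rule.asset_type:
        return False  # a rule that breaks the constraints is not enforced
    src = ipaddress.ip_address(event["ip"])
    categories = [
        (rule.instances, lambda: event["instance"] in rule.instances),
        (rule.accounts, lambda: event["account"] in rule.accounts),
        (rule.ips, lambda: any(src in ipaddress.ip_network(n, strict=False) for n in rule.ips)),
        (rule.operations, lambda: event["operation"] in rule.operations),
    ]
    # OR inside each category, AND across the categories the rule populates
    return all(matches() for populated, matches in categories if populated)

# Constructed sample mirroring the Instance A/B, Account A/B example above
rule = WhitelistRule("RDS", {"instance-a", "instance-b"}, {"account-a", "account-b"})
event = {"asset_type": "RDS", "instance": "instance-b", "account": "account-a",
         "ip": "192.0.2.10", "operation": "SELECT"}
print(suppresses(rule, event))                        # whitelisted instance AND account
print(suppresses(rule, dict(event, account="root")))  # account not in the rule
```

Running candidate rules against a sample of recent audit events this way shows how much activity a rule would silence before it takes effect.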
Add a whitelist rule
Add specific IP addresses, IP ranges, or data assets to the system whitelist to exempt their activities from audit alert detection.
Log on to the Data Security Center console.
In the navigation pane on the left, select System Settings > Whitelist.
On the Whitelist page, click Add Entry.
In the Add Entry dialog box, configure the parameters and click OK.

| Parameter | Description |
| --- | --- |
| Rule Name | A custom name for the rule. Use a name that is easy to identify. Maximum 100 characters. |
| IP | The IP addresses or IP ranges to whitelist. Enter up to 10 entries, separated by line breaks or commas. |
| Data Asset | The asset type and corresponding assets. Select an asset type, then select the instance, database, table name, and account as prompted. Multiple instances and accounts are supported. To add custom accounts, click the Account drop-down list and select Add Account at the end of the list. |
| Operation Type | The operation types to whitelist. Defaults to all operation types. Select one or more specific types if needed. |

After the rule is created, search and view it in the whitelist rule list. Filter by asset type, rule name, or other criteria.

Add a whitelist rule from an audit alert
When handling an audit alert, you can add the source directly to the whitelist without navigating to the Whitelist page. DSC pre-populates the rule name in the format <alert time> <audit alert rule name> — for example, 2024-05-21 20:58:09 OSS rule test. For instructions on handling alerts, see View and handle audit alerts.
Edit or delete a whitelist rule
To re-enable audit alert detection for a previously whitelisted source, edit the whitelist rule to remove the source, or delete the rule entirely.
You cannot change the asset type when editing an existing whitelist rule.
Log on to the Data Security Center console.
In the navigation pane on the left, select System Settings > Whitelist.
Find the target rule and click Modify or Delete in the Actions column.
FAQ
Can I add custom accounts to a whitelist rule?
Yes. Click the Account drop-down list in the Add Entry dialog box and select Add Account to enter custom account names. A single whitelist rule supports up to 10 accounts.
Why can't I select databases or tables when configuring a whitelist rule?
The data assets haven't finished scanning yet. Wait for the identification task to complete, then try again. For more information, see Scan for sensitive data using an identification task.
Why are audit alerts still generated for an instance I've whitelisted?
The whitelist rule is likely invalid. A rule requires at least one account, IP address, or IP range — rules without any of these are not enforced. Edit the rule to add the missing items.
API reference
Use the Alibaba Cloud SDK to call the following API operations to query authorized data assets. For supported languages and installation instructions, see Data Security Center SDK and Alibaba Cloud SDK.
Query the list of authorized assets: DescribeParentInstance
Query the list of authorized instances, databases, and buckets: DescribeDataLimits
Query the list of authorized instances, databases, or buckets for a specific product: DescribeDataLimitSet