Configure identification templates - Data Security Center

Data Security Center (DSC) uses a three-level hierarchy — identification features, identification models, and identification templates — to scan your assets for sensitive data. Built-in templates cover common industries including financial services, cloud security, electricity, Internet of Vehicles (IoV), and the Internet industry. If none fit your requirements, create a custom template from scratch or by copying a built-in one.

Key concepts

Identification template hierarchy

An identification template contains one or more identification models, and each identification model contains one or more identification features.

Term	Description
Identification feature	The base detection unit. Features support content identification, metadata identification, and dictionary identification, using operators such as regular expressions, Contains, and Does Not Contain. Combine multiple rules with AND or OR to build complex detection logic. DSC provides built-in identification features and supports custom identification features.
Identification model	Built from one or more identification features and generates the final identification result. A model can be scoped to specific asset types — database instances, tables, OSS buckets, Simple Log Service Logstores, and file directories. DSC provides built-in identification models and supports custom identification models.
Identification template	A collection of identification models tailored to an industry or compliance standard. DSC provides built-in identification templates and supports custom identification templates (up to 10).

Template types

Template type	Description
Built-in identification template	Industry-specific templates provided by DSC: the data classification template for the financial industry, internal security template for cloud security, data classification template for the electricity industry, data classification template for the Internet of Vehicles (IoV) industry, and data classification template for the Internet industry. Built-in templates can only be enabled or disabled — sensitivity levels, identification features, and identification models cannot be customized.
Custom identification template	Create your own template when built-in templates don't meet your needs. Configure custom identification features and models. The maximum number of custom identification templates is 10.

Template type

Description

Built-in identification template

Industry-specific templates provided by DSC: the data classification template for the financial industry, internal security template for cloud security, data classification template for the electricity industry, data classification template for the Internet of Vehicles (IoV) industry, and data classification template for the Internet industry. Built-in templates can only be enabled or disabled — sensitivity levels, identification features, and identification models cannot be customized.

Custom identification template

Create your own template when built-in templates don't meet your needs. Configure custom identification features and models. The maximum number of custom identification templates is 10.

Template roles in identification tasks

DSC assigns each enabled template one of three roles:

Role	Description
Main identification template	Used by default identification tasks. Only one main template is allowed, and it cannot be disabled. The default main template is the data classification template for the Internet industry. The DSC console displays identification results based on the main template on the Asset Insight page under Classification and Grading.
Active identification template	Enabled built-in or custom templates available for selection in custom identification tasks. Up to two active identification templates can be enabled at a time.
Common identification template	Automatically applied alongside built-in templates to protect personal information in compliance with GB/T 35273-2020 (Information security technology — Personal information security specification). The common identification template cannot be manually selected in an identification task.

When creating a custom identification task, select the main identification template and active identification templates. Up to two templates total can be selected. For details, see Create a custom identification task.

Sensitivity levels

DSC classifies sensitive data on a scale from S1 (lowest) to S10 (highest). The sensitivity levels available for an identification model are determined by its associated template.

Level	Description
N/A	No sensitive data matching the current template was detected.
S1	Non-sensitive data. Disclosure typically causes no harm. Examples: provinces, cities, product names.
S2	Moderately sensitive data. Disclosure causes low-level harm. Examples: names, addresses.
S3	Highly sensitive data. Disclosure of even small amounts causes serious harm. Examples: identity documents, account passwords, database information.
S4	Core confidential data. Must not be disclosed under any circumstances. Examples: genes, fingerprints, iris information.

View built-in identification models and features

View built-in identification models

Log on to the Data Security Center console.
In the left navigation pane, choose Classification and Grading > Config.
On the Identification Models tab, select Built-in from the All Sources drop-down list. Enter a model name in the search box and click the icon to find a specific model.
In the Actions column, click Details to view the identification rules and thresholds for a model. To view a specific identification feature, copy the feature name and search for it on the Identification Features tab.

View built-in identification features

Log on to the Data Security Center console.
In the left navigation pane, choose Classification and Grading > Config.
On the Identification Features tab, select Built-in from the Sources drop-down list. Enter a keyword in the search box and click the icon to find a specific feature.

Create custom identification models and features

Create a custom identification model

Create a model directly

On the Identification Models tab, click Create.

In the Create panel, configure the following parameters and click OK.

Basic information

Parameter	Description
Model Name	The name of the custom identification model.
Model Description	(Optional) A description of the model.
Tag	(Optional) Select Personal sensitive information, Personal information, or General information.
Data Category	(Optional) Associate the model with a custom identification template, sensitive data category, and sensitivity level. Only custom identification templates can be selected.

Model rule

Parameter	Description
Identification Features	Select one or more built-in or custom identification features. Multiple features are evaluated with the OR logical operator.
Identification Scope	(Optional) Select the asset types the model applies to. Multiple asset types are evaluated with the OR logical operator.
Advanced Settings	(Optional) Define a more precise identification scope by asset type and condition groups. Select an asset type, choose AND or OR between conditions, and click Add Condition or Create Group to build compound conditions.

Identification threshold

Parameter	Description
Minimum Hits (Unstructured Data)	Minimum number of feature hits required in a single OSS object for it to be classified as sensitive. For example, a threshold of 1 means a file is identified as sensitive if it matches at least one feature in the model.
Hit Ratio (Structured Data)	Minimum hit percentage across 200 data samples for structured data such as ApsaraDB RDS. For example, at 50%, a column is identified as sensitive if at least 100 of the 200 samples match the model.

Create a submodel from an existing model

A submodel inherits the parent model's identification features, so it is useful when you need slight variations without changing the original.

On the Identification Models tab, find the model you want to extend and click Create Submodel in the Actions column.
In the Create Submodel panel, configure the parameters and click OK. The Model and Identification Features parameters are inherited from the parent model and cannot be modified. Add a Complementary Feature to extend detection coverage. All other parameters follow the same configuration as direct model creation.
If the selected model is itself a submodel, its Model and Identification Features remain unchanged.

Create a custom identification feature

On the Identification Models tab, click Add Feature.

In the Add Feature panel, configure the following parameters and click OK.

Parameter	Description
Feature Name	The name of the custom identification feature.
Match Item	Rule Match: Build feature rules using Add Rule. Rules can use AND or OR logic. Enable Exception Rule to define patterns that should be excluded — data matching exception rules is not flagged even if it matches the feature rules. Dictionary Match: Enter keywords and press Enter. Each keyword is 1–128 characters. Keywords cannot contain commas (a comma is treated as a separator between keywords). Fuzzy match is supported.
Data Type	The type of data to identify: Structured Data or Unstructured Data.

Enable or disable an identification model

Identification models must be enabled for an identification template to take effect. Built-in models in built-in templates are enabled by default.

On the Identification Models tab, find the model and click the or icon in the Status column to toggle its state.

Important

Status changes do not affect ongoing identification tasks. The new status takes effect on the next run.

View the details of a built-in identification template

Log on to the Data Security Center console.
In the left navigation pane, choose Classification and Grading > Config.
On the Template Management tab, click Configure Template and find the template with Type set to Built-in.
Click View in the Actions column to see all sensitive data categories and identification models in the template. To inspect a model's identification features and thresholds, copy the model name and search for it on the Identification Models tab.

Create a custom identification template

Create a template directly

On the Template Management tab, click Configure Template and then click New template.
On the New template page, enter the template name and description in the Basic Information section and click Next.
In the Configure Template step, set up sensitive data categories and identification models, then click OK.
Set up sensitive data categories:
1. In the Configure Template Node section, click Create Category. Enter a category name and click OK.
2. Click the icon next to a category and choose Add Same-level Category or Add Subcategory to build out the category hierarchy.
Repeat as needed to create multiple categories.
Add identification models to a category:
1. Click the icon next to a category and click Create.
2. In the Create dialog box, select the identification models to add, turn on in the Status column, and click OK.
Filter models by data tag, model type, or model name. Both built-in and custom identification models can be selected.
Important
Enabling a model in a template activates its identification rules for all tasks using that template.

Create a template by copying an existing one

Copying is faster when an existing template is close to what you need.

On the Template Management tab, click Configure Template.
- To copy a built-in template: find the template and click Copy in the Actions column.
- To copy a custom template: find the template, click in the Actions column, and select Copy.
In the Copy Template dialog box, the default name is <Original template name>+copy. Update the name as needed and click OK.
Find the new template and click Edit in the Actions column. Adjust the template name, sensitive data categories, and identification models, then click OK.

More operations

Delete a template

Only custom identification templates can be deleted. To delete a template, click Configure Template, find the template, click the icon in the Actions column, and select Delete. Deleting a template also deletes all custom identification models that belong to it.

Manage sensitive data categories

Sensitive data categories can only be configured for custom identification templates. On the Template Management tab, click Configure Template, find the template, click Edit in the Actions column, and then click Next. In the Configure Template Node section:

Add a category: Click the icon next to an existing category and select Add Same-level Category.
Rename a category: Click the category's input box and edit the name.
Delete a category: Click the icon next to the category and select Delete.

Manage identification models in a template

For built-in templates, you can only enable or disable models. For custom templates, in the Configure Template Node section:

Add a model: Click the icon next to a category and select Create.
Remove a model: Click the icon next to the category, find the model, and click the icon.

Configure sensitivity levels

Sensitivity level configuration differs by template type:

Built-in templates: Modify the description of a sensitivity level only. Creating and deleting levels is not supported.
Custom templates (created directly): 10 sensitivity levels are configured by default. Only S10 can be deleted. Up to 10 levels are supported.
Custom templates (created by copying): Default levels match the copied template. Default levels cannot be deleted.

On the Template Management tab, click the Sensitivity Level Configuration tab and set Templates Being Modified to the target template. Then:

Delete a level: Find the level and click Delete in the Actions column.
Create a level: Click Configure Custom Sensitivity Level.
Edit a level: Find the level and click Edit in the Actions column.

Enable identification templates and set the main template

Enable an identification template

If no templates are configured, the built-in New National Standard Template is enabled and set as the main template by default. To use a different template in an identification task, enable it first.

Important

Up to two identification templates can be enabled at a time. Enabled templates appear in the Enabled Templates section.

On the Template Management tab, click Configure Template.
Find the template you want to enable and click the icon in the Status column. Confirm the status changes to .

Set the main identification template

The main template is used by default identification tasks. Change it when you want default tasks to scan against a different template.

Important

Only an enabled template can be set as the main template. Before changing the main template, terminate all identification tasks currently associated with it. For details, see Terminate an identification task.

On the Template Management tab, click Configure Template. In the Enabled Templates section, find the template you want to set as the main template and click Main Template.
In the confirmation message, click Continue. The template is marked as Main Template and dimmed after the change.

Limits

Resource	Limit
Custom identification templates per account	10
Identification templates that can be enabled at a time	2
Sensitivity levels per custom identification template	10
Keyword length for dictionary match	1–128 characters
Data samples used for structured data hit ratio	200

What's next

Use an enabled identification template to scan for sensitive data across your assets. For details, see Use identification tasks to scan sensitive data.