On the System Configuration page of Data Security Guard, you can specify the retention period of watermarked files, whether to display the identified risk level of MaxCompute data, the address for receiving alert notifications, and whether to enable real-time identification of sensitive data. You can configure the parameters on the System Configuration page based on your business requirements.
Go to the System Configuration page
Go to the DataStudio page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, select the desired workspace from the drop-down list and click Go to Data Development.
Click the icon in the upper-left corner, choose
, and then click Try now.
Note: If your Alibaba Cloud account is granted the required permissions, you can directly access the homepage of Data Security Guard.
If your Alibaba Cloud account is not granted the required permissions, you are redirected to the authorization page of Data Security Guard. You can use the features of Data Security Guard only after your Alibaba Cloud account is granted the required permissions.
In the left-side navigation pane, click System Configuration.
On this page, you can perform the following operations:
Watermark-based Tracing: On this tab, you can specify the retention period of watermarked files.
Tagging Configuration: On this tab, you can specify whether to display the sensitivity level of MaxCompute data.
Alert Settings: On this tab, you can specify the email address and webhook URL for receiving alert notifications.
Desensitization Settings: On this tab, you can specify whether to enable real-time identification of sensitive data.
Watermark-based Tracing
On the Watermark-based Tracing tab of the System Configuration page, specify the retention period of watermarked files. You can set the Watermark-based Tracing Time parameter to One Year, Two Years, or Three Years. For example, if you set the Watermark-based Tracing Time parameter to Two Years, you can trace risky operations that were performed on data in the past two years when a data leak occurs.
Data Security Guard allows you to obtain watermark information from a leaked data file. This helps you identify users who may be involved in the data leaks and determine the cause. For more information, see Trace sensitive data.
Tagging Configuration
On the Tagging Configuration tab of the System Configuration page, specify whether to enable sensitivity level labeling of MaxCompute data. If you enable labeling, the sensitivity level of data in a MaxCompute table of a project is used as the sensitivity-level label for the corresponding column in the MaxCompute table. On the Field Information subtab of the Details tab for the table in Data Map, you can view the sensitivity levels of the columns. For more information, see View the details of a table.
If you enable labeling but the sensitivity levels for MaxCompute table columns are not displayed in Data Map, you can check whether the column-level access control feature is enabled in the MaxCompute console. For more information about how to enable the column-level access control feature, see Label-based access control.
After you enable labeling, the sensitivity levels of the columns in a MaxCompute table of a project affect your permissions on the table columns. You can check the sensitivity level of each column on the Manual Data Correction tab of the Sensitive Data Identification page in the DataWorks console. If the access level that is configured for your account in MaxCompute is lower than the sensitivity level of a column, you cannot access the column. For information about how to configure access-level labels for users, see Label-based access control.
Alert Settings
On the Alert Settings tab of the System Configuration page, specify the email address and webhook URL for receiving alert notifications. After sensitive data is identified, alert notifications are sent to inform the relevant personnel to assess and handle risks at the earliest opportunity.
Email address for receiving alert notifications
Configure the email address for receiving alert notifications. When data risks are identified, the platform sends an alert notification to the email address. For information about how to add alert contacts, see Configure and view alert contacts.
Webhook URL for receiving alert notifications
DataWorks supports the webhook URLs of DingTalk, WeCom, and Lark. When data risks are identified, the platform sends an alert notification to the specified group based on your configurations.
Note: Only DataWorks Enterprise Edition or a more advanced edition allows users to use WeCom or Lark to receive an alert notification.
Desensitization Settings
On the Desensitization Settings tab of the System Configuration page, specify whether to enable real-time identification of sensitive data. The platform uses the following logic for data queries or data display based on the sensitive data identification rule and data masking rule that you configure:
If real-time identification is enabled, the platform first checks whether the current data is sensitive based on the existing sensitive data identification results. Then, the platform performs an operation based on the check result:
If the data is sensitive, the platform masks the data and displays the masked data.
If the data is insensitive, the platform initiates a sensitive data identification task in real time to re-evaluate the data. If the data is sensitive, the data masking rule takes effect in real time to mask the current data and the platform displays the masked data.
Note: By default, real-time identification of sensitive data is enabled to prevent the platform from missing sensitive data. For example, sensitive data in newly added data may be missed.
If real-time identification is disabled, only identified sensitive data can be masked based on the data masking rule.
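The masking decision described above, modeled as an added example (this is not DataWorks code and not part of the original documentation). The e-mail identification rule, the masking rule, and all names and sample data are assumptions constructed for illustration; the example shows how a column added after the last identification scan is displayed unmasked when real-time identification is disabled.

```python
import re

# Hypothetical identification rule: values that look like e-mail addresses.
EMAIL_RULE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def identify(values):
    """Identification task: a column is sensitive if every value matches the rule."""
    return bool(values) and all(EMAIL_RULE.match(v) for v in values)

def mask(value):
    """Hypothetical masking rule: keep the first character and the domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain

def display(table, results, realtime):
    """Return {column: values} as shown to the user; results holds prior scan output."""
    shown = {}
    for column, values in table.items():
        # Columns added after the last scan are absent from the existing results.
        sensitive = results.get(column, False)
        if not sensitive and realtime:
            # Not known to be sensitive: re-evaluate now and record the result.
            sensitive = identify(values)
            results[column] = sensitive
        shown[column] = [mask(v) for v in values] if sensitive else list(values)
    return shown

# Constructed sample: "contact" was added after the last identification scan.
TABLE = {
    "owner": ["alice@example.com", "bob@example.com"],
    "contact": ["carol@example.com", "dave@example.com"],
    "city": ["Hangzhou", "Singapore"],
}
RESULTS = {"owner": True, "city": False}

if __name__ == "__main__":
    for realtime in (True, False):
        print("real-time enabled:", realtime, display(TABLE, dict(RESULTS), realtime))
```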