How to configure watermark retention period and risk alert receiving address in Data Security Guard - DataWorks

In the system configuration settings for Data Security Guard, you can set the retention period for data watermark files, choose whether to display the risk level of MaxCompute data, configure recipient addresses for alert information, and enable or disable real-time detection of sensitive data.

Go to the System configuration page

Go to Data Security Guard.
1. Go to the DataStudio page.
  Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Development and O&M > Data Development. On the page that appears, select the desired workspace from the drop-down list and click Go to Data Development.
2. Click the icon in the upper-left corner. Then, choose All Products > Data Governance > Data Security Guard. On the page that appears, click Try Now to go to the Data Security Guard page.
  Note
  - If your Alibaba Cloud account is granted the required permissions, you can directly access the homepage of Data Security Guard.
  - If your Alibaba Cloud account is not granted the required permissions, you are redirected to the authorization page of Data Security Guard. You can use the features of Data Security Guard only after your Alibaba Cloud account is granted the required permissions.
In the navigation pane on the left, click System Configuration to open the System configuration page.
On this page, you can perform the following operations:
- Watermark-based tracing: Set the retention period for data watermark files.
- Tagging configuration: Set whether to display the security level of MaxCompute data.
- Alert settings: Set the email and webhook addresses for receiving alert information.
- Desensitization settings: Set whether to enable real-time detection of sensitive data.

Watermark-based tracing

On the System Configuration > Watermark-based Tracing tab, you can set the retention period for data watermark files to one, two, or three years. For example, if you set the tracing period to two years and a data breach occurs, you can trace operations from the last two years to determine the cause of the breach.

Note

Data Security Guard helps you identify the owner who may have leaked the data and trace the cause of the data breach by extracting watermark information from the leaked file. For more information, see Data traceability.

Tagging configuration

On the System Configuration > Tagging Configuration tab, you can choose whether to apply labels based on the classification results of MaxCompute data. If you enable this feature, the data's classification level is added as a sensitivity level label to the corresponding column in the MaxCompute table. This label is displayed in the Field Information > Security Level column of the table details page in DataWorks Data Map. For more information, see View table details.

Note

If you enable labeling but still cannot see the column-level security levels in Data Map, confirm that the column-level access control switch is turned on. For more information, see Label-based access control.
After you enable labeling, the column classification results in the MaxCompute project affect access control. You must confirm the field level on the View and manually correct sensitive data detection results page. If the access permission level label configured in MaxCompute is lower than the security level of a field, you cannot access that field. To set access permission level labels, see Label-based access control.

Alert settings

On the System Configuration > Alert Settings tab, you can set the email or webhook addresses to receive alert information. When sensitive data is detected, an alert is sent to notify relevant personnel to assess and handle the risk promptly.

Email recipient address
Configure the mailbox to receive alert information. When a data risk is detected, the platform sends an alert to this mailbox. To add a new alert contact, see View and set alert contacts.
Webhook recipient address
DataWorks supports webhook URLs for DingTalk groups, WeCom, and Lark. When a data risk is detected, the platform sends an alert to the specified group based on your configuration.
Note
Only DataWorks Enterprise Edition supports pushing alert information to WeCom or Lark.

Desensitization settings

On the System Configuration > Desensitization Settings tab, you can enable or disable real-time detection of sensitive data. When you query or display data (provided that you have configured both sensitive data detection rules and data masking rules), the platform performs the following logical check:

If real-time detection is enabled: The platform first checks whether the data is sensitive based on existing detection results. Then, it performs an action based on the result:
- If the data is sensitive, it is masked before it is displayed.
- If the data is not sensitive, the platform starts a real-time detection task to re-evaluate it. If the data is then identified as sensitive, the data masking rule takes effect immediately, and the data is masked before it is displayed.
Note
The real-time detection of sensitive data feature is enabled by default to ensure the platform detects all sensitive data, such as sensitive data in new entries.
If real-time detection is disabled: Only data that has already been identified as sensitive is masked according to the data masking rule.