Security Center allows an administrator to register risk identification capabilities to DataWorks as extensions and use the extensions as risk identification rules to identify risks in user operations. If a user performs an operation for which a risk identification rule is defined in a DataWorks service, the risk identification rule is triggered to determine whether the operation is risky. If the operation is risky, a response is made based on the configured response policy. An operation is determined risky if the related extension returns Failed or Warning. This topic describes how to configure a risk identification rule and a response to the identified risky operation.
Background information
Security Center provides risk identification and response capabilities based on extensions. You can directly use the default extensions provided by DataWorks to manage high-risk operations. You can also use DataWorks Open Platform to develop and deploy an extension as a risk identification rule to identify risks in more complex scenarios. This extends the capabilities of your internal risk management platform to DataWorks.
Limits
You can configure a risk response only for an extension whose extension point type is pre-event for data download (file generation) and whose status is Published. For information about the list of extension point events supported by an extension and the extension states, see List of supported extension point events and Publish and manage extensions.
You can set the risk response policy only to Approval or Blocking.
Only RAM users to which the AliyunDataWorksFullAccess policy is attached and workspace members that are assigned the tenant administrator or tenant security administrator role can create and manage risk identification rules. For more information, see View the permissions of a RAM user and Grant permissions to a RAM user.
Supported operation events
Pre-event for data download (file generation)
Pre-event for data upload
Go to the Risk identification rules page
Go to the Security Center page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
In the left-side navigation pane, choose
.
Configure a risk identification rule
On the Risk identification rules page, all extensions that are used to process a specific type of event are displayed below the name of the related operation in the Extension Name column. The Extension Name column displays a default extension that is provided by Security Center to process a specific type of event. If the default extension cannot meet your business requirements, you can develop an extension based on your risk management requirements and register the extension to DataWorks on the Extensions page in the DataWorks console. If the extension is developed to process events that are supported by risk identification rules in Security Center, which indicates that the type of extension point event is pre-event for data download (file generation), the developed extension is automatically added to Security Center as a risk identification rule.
Description of a default risk identification rule
The pre-event for data download (file generation), which is supported by Security Center, is used as an example. If a default extension that is used to trigger request processing is enabled in Security Center, the risk response policy Approval is applied to the data download operation in all workspaces.
Default extensions in Security Center support only request processing policies that take effect in all workspaces. This indicates that you must select global as the effective scope of a request processing policy that you configure for a default extension. For more information, see Create a request processing policy.
Develop a custom risk identification rule
Click Create Extensions. The Extensions page of Open Platform appears.
Develop an extension on the Extensions page of Open Platform. For more information, see Procedure.
You can register existing risk identification logic on your on-premises machine as a risk identification rule in DataWorks Security Center. You can also develop risk identification logic on your on-premises machine based on actual scenarios and register the risk identification logic as a DataWorks extension.
NoteOnly an extension whose extension point type is pre-event for data download (file generation) can be automatically added as a risk identification rule in Security Center. This indicates that you must select the pre-event for data download (file generation) for the extension point type when you register an extension.
Configure a risk response
Find the desired extension and click Configure Response in the Operation column.
Configure a risk response.
Two types of response policies are supported: Blocking and Approval:
Blocking: If the custom extension returns Not Passed, a blocking operation is performed by default. This indicates that if the extension is triggered to identify risky operations and Not Passed is returned, the risky operation performed by the current user is directly blocked. For example, User A downloads data and the extension that is used to check for data download operations is triggered. If the extension returns Not Passed, the data download operation performed by User A is terminated.
Approval: If the extension returns Warning and you added a request processing response policy, the request processing procedure that is associated with the extension is automatically triggered.
NoteA default extension of Security Center returns a warning state by default. In this case, you can configure a request processing response policy for the related event.
Configure a request processing policy.
On the View and configure risk response page, click the icon to add an existing request processing policy. If the existing request processing policies do not meet your business requirements, you can click Create an approval policy to create a request processing policy. For more information, see Request processing policies for extensions.
For an extension, if Risk Response is set to Approval and the check result of the event that triggers the extension is Warning, the request processing policy that is configured in the related workspace is triggered.
A global extension takes effect in all workspaces after the extension is enabled. If no response policy is configured for a global extension in a specified workspace, the related event directly passes the check by default and the related process is not blocked. The extension that is used to check for the operation related to the pre-event for data download (file generation) is used as an example. If the extension is enabled, the data download operation in all workspaces is blocked until the extension returns a result. Follow-up procedure if the extension returns a warning state:
If a request processing policy is configured for the workspace in which a data download operation is identified, the request processing procedure is automatically triggered.
If no request processing policy is configured for the workspace in which a data download operation is identified, the data can be downloaded as expected.
NoteA smaller priority value of the request processing policy indicates a higher priority.
If an operation hits multiple request processing policies, the request processing policy with a higher priority is used.
References
Example of responding to a risky operation identified based on a risk identification rule