Security Center allows an administrator to register risk identification capabilities to DataWorks as extensions and use the extensions as risk identification rules to identify risks in user operations. If a user performs an operation for which a risk identification rule is defined in a DataWorks service, the risk identification rule is triggered to determine whether the operation is risky. If the operation is risky, a response is made based on the configured response policy. An operation is determined risky if the related extension returns Failed or Warning. This topic describes how to configure a risk identification rule and a response to the identified risky operation.
Background information
Security Center provides risk identification and response capabilities based on extensions. You can directly use the default extensions provided by DataWorks to manage high-risk operations. You can also use DataWorks Open Platform to develop and deploy an extension as a risk identification rule to identify risks in more complex scenarios. This extends the capabilities of your internal risk management platform to DataWorks.
Limits
You can configure a risk response only for an extension whose extension point type is pre-event for data download (file generation) and whose status is Published. For information about the list of extension point events supported by an extension and the extension states, see List of supported extension point events and Publish and manage extensions.
You can set the risk response policy only to Approval or Blocking.
Only RAM users to which the AliyunDataWorksFullAccess policy is attached and workspace members that are assigned the tenant administrator or tenant security administrator role can create and manage risk identification rules. For more information, see View the permissions of a RAM user and Grant permissions to a RAM user.
Supported operation events
Pre-event for data download (file generation)
Pre-event for data upload
Go to the Risk identification rules page
Log on to the DataWorks console.
In the left-side navigation pane, choose Data Governance > Security Center. On the Security Center page, click Go to Security Center.
In the top navigation bar, click Security policy. In the left-side navigation pane, click Risk identification rules.
Configure a risk identification rule
On the Risk identification rules page, all extensions that are used to process a specific type of event are displayed below the name of the related operation in the Extension Name column. The Extension Name column also displays a default extension that is provided by Security Center to process that type of event. If the default extension cannot meet your business requirements, you can develop an extension based on your risk management requirements and register the extension to DataWorks on the Extensions page in the DataWorks console. If the extension is developed to process events that are supported by risk identification rules in Security Center, that is, its extension point event type is pre-event for data download (file generation), the developed extension is automatically added to Security Center as a risk identification rule.
Description of a default risk identification rule
The pre-event for data download (file generation), which is supported by Security Center, is used as an example. If a default extension that is used to trigger request processing is enabled in Security Center, the risk response policy Approval is applied to the data download operation in all workspaces.
Default extensions in Security Center support only request processing policies that take effect in all workspaces. This indicates that you must select global as the effective scope of a request processing policy that you configure for a default extension. For more information, see Create a request processing policy.
Develop a custom risk identification rule
Click Create Extensions. The Extensions page of Open Platform appears.
Develop an extension on the Extensions page of Open Platform. For more information, see Procedure.
You can register existing risk identification logic on your on-premises machine as a risk identification rule in DataWorks Security Center. You can also develop risk identification logic on your on-premises machine based on actual scenarios and register the risk identification logic as a DataWorks extension.
Note: Only an extension whose extension point type is pre-event for data download (file generation) can be automatically added as a risk identification rule in Security Center. This means that you must select pre-event for data download (file generation) as the extension point type when you register an extension.
Configure a risk response
Find the desired extension and click Configure Response in the Operation column.
Configure a risk response.
Two types of response policies are supported: Blocking and Approval:
Blocking: If the custom extension returns Not Passed, a blocking operation is performed by default. This means that if the extension is triggered to identify risky operations and returns Not Passed, the risky operation performed by the current user is directly blocked. For example, User A downloads data and the extension that checks data download operations is triggered. If the extension returns Not Passed, the data download operation performed by User A is terminated.
Approval: If the extension returns Warning and you added a request processing response policy, the request processing procedure that is associated with the extension is automatically triggered.
Note: A default extension of Security Center returns a warning state by default. In this case, you can configure a request processing response policy for the related event.
Configure a request processing policy.
On the View and configure risk response page, click the icon to add an existing request processing policy. If the existing request processing policies do not meet your business requirements, you can click Create an approval policy to create a request processing policy. For more information, see Request processing policies for extensions.
For an extension, if Risk Response is set to Approval and the check result of the event that triggers the extension is Warning, the request processing policy that is configured in the related workspace is triggered.
A global extension takes effect in all workspaces after the extension is enabled. If no response policy is configured for a global extension in a specified workspace, the related event directly passes the check by default and the related process is not blocked. The extension that is used to check for the operation related to the pre-event for data download (file generation) is used as an example. If the extension is enabled, the data download operation in all workspaces is blocked until the extension returns a result. Follow-up procedure if the extension returns a warning state:
If a request processing policy is configured for the workspace in which a data download operation is identified, the request processing procedure is automatically triggered.
If no request processing policy is configured for the workspace in which a data download operation is identified, the data can be downloaded as expected.
Note: A smaller priority value of the request processing policy indicates a higher priority.
If an operation hits multiple request processing policies, the request processing policy with a higher priority is used.
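The decision flow described above (Blocking on Not Passed, Approval on Warning routed to the highest-priority request processing policy, pass-through when no policy exists in the workspace) can be modelled in a few lines. This is an added illustration, not DataWorks code; the dataclasses, the "global" scope marker and the outcome strings are assumptions based on this page's wording.

```python
"""Model of the Security Center risk response decision described on this page.
Added example, not DataWorks code; names are assumptions modelled on the text."""
from dataclasses import dataclass, field
from typing import Optional

# Extension check results named on this page.
PASSED, WARNING, NOT_PASSED = "Passed", "Warning", "Not Passed"
# Risk response policies the page allows.
BLOCKING, APPROVAL = "Blocking", "Approval"


@dataclass
class RequestProcessingPolicy:
    name: str
    workspace: str   # "global" (assumed marker) applies to all workspaces
    priority: int    # smaller value = higher priority (per the page's note)


@dataclass
class Extension:
    response: str                          # BLOCKING or APPROVAL
    policies: list = field(default_factory=list)


def matching_policy(ext: Extension, workspace: str) -> Optional[RequestProcessingPolicy]:
    """Highest-priority policy that applies to the workspace (lowest value wins)."""
    candidates = [p for p in ext.policies if p.workspace in ("global", workspace)]
    return min(candidates, key=lambda p: p.priority, default=None)


def decide(ext: Extension, workspace: str, result: str) -> str:
    """Outcome of one pre-event check: 'pass', 'block', 'approval:<policy>',
    or 'unspecified' for combinations this page does not describe."""
    if result == PASSED:
        return "pass"
    if ext.response == BLOCKING and result == NOT_PASSED:
        return "block"                     # operation terminated directly
    if ext.response == APPROVAL and result == WARNING:
        policy = matching_policy(ext, workspace)
        # No policy configured for this workspace: the event passes by default.
        return f"approval:{policy.name}" if policy else "pass"
    # e.g. Blocking with Warning: behaviour is not documented on this page.
    return "unspecified"
```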
References
Example of responding to a risky operation identified based on a risk identification rule