Data Management: Enable the sensitive data protection feature

Last Updated: May 24, 2024

This topic describes how to enable the sensitive data protection feature, create a scan task for a database instance, and view the scan result.

Prerequisites

  • You are a Data Management (DMS) administrator, a database administrator (DBA), or a security administrator.

    Note

    To view the role of your account, move the pointer over the profile picture icon in the upper-right corner of the DMS console.

  • Supported databases

    • Relational databases:

      • MySQL: ApsaraDB RDS for MySQL, PolarDB for MySQL, and MySQL databases from other sources

      • SQL Server: ApsaraDB RDS for SQL Server and SQL Server databases from other sources

      • PostgreSQL: ApsaraDB RDS for PostgreSQL, PolarDB for PostgreSQL, and PostgreSQL databases from other sources

      • MariaDB: ApsaraDB RDS for MariaDB and MariaDB databases from other sources

      • PolarDB for PostgreSQL (Compatible with Oracle)

      • PolarDB for Xscale (PolarDB-X)

      • OceanBase

      • Oracle

      • Db2

      • Dameng (DM)

      • Lindorm: Lindorm_CQL and Lindorm_SQL

      • openGauss

    • Data warehouses:

      • AnalyticDB for MySQL

      • AnalyticDB for PostgreSQL

      • Data Lake Analytics (DLA)

      • ClickHouse

      • MaxCompute

      • Hologres

      • Hive

  • The sensitive data protection feature is purchased. For more information, see Purchase the DMS service.

    Note

    To purchase the feature, move the pointer over the sales icon in the upper-right corner of the DMS console and select DMS Order Management. In the dialog box that appears, view the available number of instances for which the sensitive data protection feature can be enabled.

Enable the sensitive data protection feature

You can enable the sensitive data protection feature for an instance in the Edit dialog box of the instance or in the Sensitive Data module.

Enable the sensitive data protection feature in the Edit dialog box

  1. Log on to the DMS console V5.0.

  2. In the left-side database instance list of the Home tab, find the database instance that you want to manage and right-click the database instance.

  3. Select Edit.

  4. In the Basic Information section of the Edit dialog box, select Sensitive Data Protection for the Advanced Feature Pack parameter and select a classification and grading template from the Classification template drop-down list. The classification and grading template is used to scan and identify sensitive data in the database instance.

  5. Click Save.

Enable the feature in the Sensitive Data module

  1. Log on to the DMS console V5.0.

  2. In the top navigation bar, choose Security and Specifications > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Sensitive Data > Sensitive Data Assets.

  3. On the Sensitive Data Assets tab, click the Not opened tab in the Instance List section.

  4. Find the database instance that you want to manage and click Enable Now in the Operation column.

    Note

    Only instances for which the sensitive data protection feature is disabled appear on this tab.

  5. In the Enable Sensitive Data Protection dialog box, specify whether you want to immediately configure a scan task.

    • If you do not want to immediately configure a scan task, turn off Configure Scan Task. After you enable the feature, you can go to the Sensitive Data Assets tab, click the Enabled tab in the Instance List section, and configure a scan task.

    • If you want to immediately configure a scan task, select the scan method and scope, and specify whether to immediately apply scan results. For more information, see the Configure a scan task section of this topic.

  6. Click OK.

Configure a scan task

  1. On the Sensitive Data Assets tab, click the Enabled tab in the Instance List section. Find the database instance that you want to manage and click Configure Scan Task in the Operation column.

    Note

    When DMS runs a scan task for a database instance, DMS scans the metadata of the specified database and randomly scans 100 to 200 data entries in the database. The data is used only for sensitive data analysis in the scan task and is not saved for other purposes.

    The following list describes the parameters.

    • Scan Method

      • If you select Immediate Task (Task Immediately Run Only Once), DMS immediately scans the specified database and marks sensitive data after the task is configured.

      • If you select Scheduled Task (Task Run at Specified Time Only Once), you must select a date and point in time. DMS automatically scans the specified database and marks sensitive data as scheduled.

      • If you select Periodic Task, you must configure the scheduling cycle and specific point in time. DMS automatically scans the specified database and marks sensitive data on a regular basis.

    • Scope

      The scan scope. Valid values: All Databases and Specific Databases. If you select Specific Databases, you can select multiple databases.

    • Apply scan results immediately?

      Specifies whether to immediately add tags to the fields in the identification results with data categories and security levels. Valid values:

      • Yes

      • No (Go to the identification result to apply it manually.): You must go to the Identification Result panel to manually apply the identification results.

  2. Click OK.

  3. Grant access to the instance. After you grant access to an instance, sensitive data in the instance can be automatically detected. You must grant access to an instance before you configure a scan task for the instance.

    Note

    If the database instance is managed in Security Collaboration mode, the system automatically grants access to the instance. In this case, skip this step.

    1. On the Enabled tab, find the database instance to which you want to grant access and click Account Authorization in the Operation column.

    2. In the Account Authorization dialog box, enter the database account and database password of the database instance.

    3. Click OK.

View identification results

  1. View the identification results.

    In the Overview section, click the number below Scanned to go to the Identification Task Log page. Find the scan task whose identification results you want to view and click the number in the Execution History column. In the Identification Result panel, you can view the identification results.

    Note

    Alternatively, go to the Instance List section, find the instance whose scan task and identification results you want to view and click Task details in the Operations column.

  2. Manually apply the identification results. If you set the Apply scan results immediately? parameter to Yes when you configure the scan task, the system automatically applies the identification results. In this case, skip the following steps.

    1. Go to the Identification Task Log page.

    2. Find the scan task whose identification results you want to view and click the number in the Execution History column.

    3. In the Identification Result panel, click Take Effect in the Actions column to manually apply the identification results.

  3. Optional. To view the distribution and sensitivity levels of the sensitive data in the database instance, click Sensitive Data List in the Operation column. On the page that appears, click the Field Control tab. You can also manage sensitive fields on the Field Control tab. For example, you can adjust the sensitivity levels of fields, change the data masking rules for fields, and grant permissions on fields. For more information, see Manage sensitive data.

For information about how to disable the sensitive data protection feature, see Disable the sensitive data protection feature.