You can use classification and grading templates to automatically classify and grade data. After a template is associated with an instance, Data Management (DMS) scans the fields of databases and tables in the instance based on the identification rules in the template. If DMS detects sensitive fields that meet the rule conditions, DMS tags the sensitive fields with data categories and security levels. The sensitive fields are displayed in the identification results. DMS also protects the fields with a high sensitivity level, such as configuring access control for sensitive fields and masking sensitive fields when the fields are used. This topic describes how to create and edit a classification and grading template.
Usage notes
Different templates can be associated with different instances. However, an instance can be associated with only one classification and grading template. For more information about how to associate an instance with a classification and grading template, see the Associate a classification and grading template with an instance section of this topic.
If the sensitive data protection feature is enabled for the instance, DMS automatically associates the instance with a built-in classification and grading template. For more information about the sensitive data protection feature, see Enable the sensitive data protection feature.
A classification and grading template can be associated with multiple instances.
Built-in templates can only be viewed and cannot be edited.
Create a classification and grading template
- Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose
.NoteIf you use the DMS console in normal mode, choose
in the top navigation bar.Go to the Template Management tab.
Create a classification and grading template.
You can use one of the following methods to create a classification and grading template:
Copy a template
NoteYou can click Copy of a template displayed on the Template Management tab to copy an existing built-in or custom template. Alternatively, you can perform the following steps.
In the Custom Template section, click the icon.
Select Copy Existing Template from the drop-down list that appears and select an existing template.
In the Copy Template dialog box, use the default value of the Template Name parameter or change the value of the Template Name parameter based on your business requirements. Then, click OK.
The copied template is displayed in the Custom Template section.
Create a template
In the Custom Template section, click the icon.
Select Create Empty Template from the drop-down list that appears.
In the Add Template dialog box, configure the Template Name parameter and click OK.
The created template is displayed in the Custom Template section.
Edit a classification and grading template
- Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose
.NoteIf you use the DMS console in normal mode, choose
in the top navigation bar.Find the template that you want to manage and click the name or Edit of the template to go to the Template Rule Details page.
Perform one of the following operations based on your business requirements:
Set the security level
Click Security level settings. In the panel that appears, click Add Grade and configure the Security level parameter. You can specify whether to use ciphertext and the security level. The security level can be low sensitivity, moderate sensitivity, and high sensitivity.
Add a data category
In the Data Category section of the Template Rule Details page, click the icon and select Add Category.
In the Add Category dialog box, configure the Category Name and Parent Node parameters. If you do not specify a parent node, the category will be created on the root node.
Click OK.
NoteTo add a child category for an existing category, you can also perform the following operations: In the Data Category section, find the category for which you want to add a child category, move the pointer over the icon next to the category name, and then select Add Category. Enter a category name and click the icon.
Create a rule
In the Data Category section, click the icon.
NoteYou can also find the category for which you want to create a rule in the Data Category section, and move the pointer over the icon next to the category name.
Select Create Rule from the drop-down list that appears.
In the Add Custom Identification Rule panel, configure the Rule Name, Data Category, Security Level, Identification Model, and Identification Scope parameters. You can select one or more identification models.
NoteIf both built-in and custom identification models are added to the classification and grading template, the built-in and custom identification models do not overwrite each other. For more information about identification models, see Manage detection models.
Click Submit.
View the details of a rule
Find the rule that you want to view and click View in the Operation column to view the basic information and identification scope of the rule.
Delete a rule
Find the rule that you want to delete and click Delete in the Operation column. In the Delete message, click OK.
NoteTo delete multiple rules at a time, you can select the rules that you want to delete and click Batch delete.
Modify a rule
Find the rule that you want to modify and click Modify in the Operation column. After you modify the parameters, click Submit.
Modify a category name
In the Data Category section, find the category that you want to modify, move the pointer over the icon next to the category name, and then select Change. After you modify the name, click the icon.
Delete a category
In the Data Category section, find the category that you want to delete, move the pointer over the icon next to the category name, and then select Delete. In the message that appears, click OK.
ImportantIf you delete a category, all rules are recursively deleted. If you need to delete only a category without the need to delete the rules in the category, migrate the rules to another category before you delete the category.
Migrate multiple rules at a time
Select the rules that you want to migrate and click Batch Migrate. In the Batch Move dialog box, select the category to which you want to migrate the rules and click OK.
Perform other operations
View the details of a template: Click Preview of a template to view the security level, classification, and grading.
Delete a template: Find the custom template that you want to delete, click the icon, and then select Delete. In the Delete Template message, click OK.
Modify the name of a template: Find the custom template that you want to modify, click the icon, and then select Modify. In the Modify a template dialog box, modify the Template Name parameter and then click OK.
Associate a classification and grading template with an instance
You can manually associate a classification and grading template with an instance by using one of the following methods:
Method 1: Associate a template with an instance by editing the instance
- Log on to the DMS console V5.0.
In the left-side navigation pane, find the instance that you want to manage and right-click the instance.
Select Edit.
In the Edit dialog box, select a template from the Classification template drop-down list.
NoteTo select a classification and grading template, you must enable the sensitive data protection feature for the instance. For more information about the sensitive data protection feature, see Enable the sensitive data protection feature.
Click Submit.
In the Prompt message that reminds you to confirm whether to perform a full scan on metadata, click Scan Now.
NoteIf you click Cancel, the existing sensitive data may not match the template rules because a full scan is not performed. To resolve this issue, choose Configure a scan task for the instance section of this topic.
in the top navigation bar to manually configure the scan task. For more information, see theView the status and execution results of the scan task.
In the top navigation bar, choose
. In the Overview section, you can view the number of scan tasks in each state. Click the number below Scanned to view the number of detected sensitive fields.
Method 2: Associate a template with an instance by using the top navigation bar in the DMS console
- Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose
.NoteIf you use the DMS console in normal mode, choose
in the top navigation bar.In the Instance List section, click the Enabled tab.
Associate a classification and grading template with an instance.
Select the instance with which you want to associate a template and click Configure Identification Template above the instance list.
In the Configure Identification Template dialog box, select a template from the Classification template drop-down list.
Click OK.
Configure a scan task for the instance.
Select the instance for which you want to configure a scan task and click Configure Scan Task above the instance list.
In the Configure Scan Task dialog box, configure the parameters based on your business requirements. The following table describes the parameters.
Parameter
Description
Scan Method
The execution method of the scan task. This parameter specifies when to start the scan task. Valid values:
Immediate Task (Task Immediately Run Only Once): starts the scan task immediately to scan the databases that belong to the selected instance.
Scheduled Task (Task Run at Specified Time Only Once): starts the scan task at a specific point in time to scan the databases that belong to the selected instance.
Periodic Task: schedules the scan task by hour, day, week, or month to scan the databases that belong to the selected instance.
Scope
The scan scope. Valid values: All Databases and Specific Databases. If you select Specific Databases, you can select multiple databases.
Apply scan results immediately?
Specifies whether to tag the fields in the identification results with data categories and security levels immediately. Valid values:
Yes: tags the fields immediately.
No (Go to the identification result to apply it manually.): does not tag the fields immediately. You must go to the Identification Result panel to manually apply the identification results.
Click OK.
View the identification results.
In the Overview section, click the number below Scanned to go to the Identification Task Log page. Find the scan task whose identification results you want to view and click the number in the Execution History column. In the Identification Result panel, you can view the identification results.
NoteAlternatively, go to the Instance List section, find the instance whose scan task and identification results you want to view and click Task details in the Operations column.
Manually apply the identification results. If you set the Apply scan results immediately? parameter to Yes when you configure the scan task, the system automatically applies the identification results. In this case, skip the following steps.
Go to the Identification Task Log page.
Find the scan task whose identification results you want to view and click the number in the Execution History column.
In the Identification Result panel, click Take Effect in the Actions column to manually apply the identification results.