If you purchase Data Security Center (DSC) and you want to use DSC to detect sensitive data or monitor unusual operations in a self-managed database hosted on an Elastic Compute Service (ECS) instance, you must authorize DSC to access the database.
Limits
The self-managed database hosted on an ECS instance must reside in a virtual private cloud (VPC).
Database types of MySQL, SQL Server, and Oracle are supported.
Prerequisites
DSC is purchased and authorized to access cloud services. For more information, see Purchase DSC and Authorize DSC to access Alibaba Cloud resources.
Step 1: Authorize DSC to access a self-managed database
Log on to the database that you want to manage and run the following command to authorize DSC to access the database as a specific database user. In the following example, a self-managed MySQL database hosted on an ECS instance is used. For databases of other types hosted on ECS instances, run the relevant authorization commands.
GRANT SELECT ON *.* TO 'Username'@'CIDR block' IDENTIFIED BY 'Password';
Command description:
Username: the username of the self-managed database.
CIDR block: the CIDR block varies based on the region. For example, the CIDR blocks of the China (Qingdao) region are 100.104.69.0/26 and 100.104.48.128/26. For more information about CIDR blocks, see CIDR blocks.
Password: the password of the self-managed database.
If you want to configure data de-identification for the database, you must also grant INSERT, that is, add ,INSERT after SELECT in the preceding command (GRANT SELECT,INSERT ON *.* ...).
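The following is an added worked example, not part of the original page, of what the authorization in Step 1 looks like when it is written out with least privilege in mind. It assumes MySQL 8.0.23 or later (the version from which MySQL accepts CIDR notation in the host part of an account name; the dotted-netmask form shown in the comments works on earlier releases), the China (Qingdao) CIDR blocks quoted above, and placeholder credentials dsc_scanner / <strong-password>. It uses CREATE USER followed by GRANT rather than the page's single GRANT ... IDENTIFIED BY statement, because MySQL 8.0 removed the IDENTIFIED BY clause from GRANT; on MySQL 5.7 and earlier the page's one-line form works as written. One account entry is created per CIDR block, because MySQL matches the host part of an account name against a single address range.

```sql
-- Added example (not from the original page): least-privilege DSC account for a
-- self-managed MySQL database on ECS, one account entry per DSC source CIDR block.
-- Assumptions: MySQL 8.0.23+ (CIDR host notation), the China (Qingdao) CIDR blocks
-- from the page, placeholder user 'dsc_scanner' and password '<strong-password>'.

-- Restricting the host part to the DSC CIDR blocks means the password alone is not
-- enough to connect: the client must also originate from DSC's address range.
-- A host of '%' would accept the credentials from anywhere.
CREATE USER 'dsc_scanner'@'100.104.69.0/26'   IDENTIFIED BY '<strong-password>';
CREATE USER 'dsc_scanner'@'100.104.48.128/26' IDENTIFIED BY '<strong-password>';
-- Equivalent host patterns for MySQL releases before 8.0.23 (netmask form, /26 = 255.255.255.192):
--   'dsc_scanner'@'100.104.69.0/255.255.255.192'
--   'dsc_scanner'@'100.104.48.128/255.255.255.192'

-- Sensitive-data detection and auditing only need read access.
GRANT SELECT ON *.* TO 'dsc_scanner'@'100.104.69.0/26';
GRANT SELECT ON *.* TO 'dsc_scanner'@'100.104.48.128/26';

-- Only if data de-identification is configured: the page says to add INSERT.
-- GRANT SELECT, INSERT ON *.* TO 'dsc_scanner'@'100.104.69.0/26';
-- GRANT SELECT, INSERT ON *.* TO 'dsc_scanner'@'100.104.48.128/26';

-- Check: the account should exist only for the two DSC host ranges, with SELECT
-- (and INSERT when de-identification is enabled) and nothing else.
SELECT user, host FROM mysql.user WHERE user = 'dsc_scanner';
SHOW GRANTS FOR 'dsc_scanner'@'100.104.69.0/26';
SHOW GRANTS FOR 'dsc_scanner'@'100.104.48.128/26';

-- Rollback when the asset is removed from DSC, so no dormant account remains:
-- DROP USER 'dsc_scanner'@'100.104.69.0/26', 'dsc_scanner'@'100.104.48.128/26';
```

Run the statements as an administrative user on the database itself. The SHOW GRANTS output is the check worth keeping in a change record: if it lists anything beyond SELECT (or SELECT, INSERT) ON *.*, or a host other than the DSC CIDR blocks for the region, the grant is broader than DSC needs.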
Step 2: Authorize DSC to access an ECS instance
Log on to the DSC console.
In the left-side navigation pane, choose . On the Authorization Management tab, click Asset Authorization Management.
In the left-side pane of the Asset Authorization Management panel, click ECS self-built database.
Click Add Asset. In the Add Asset dialog box, configure the parameters and click OK or Add and Configure Permissions.
Parameter | Description
Database Engine Type | Select the database engine and version from the drop-down list.
Server Type | The default value is ECS Instance and cannot be changed.
Region | Select the region where the database is deployed. The region must be the same as the region of the IP address in Step 1: Authorize DSC to access a self-managed database.
Instance ID | Select the ECS instance where the database is deployed from the drop-down list.
Port | Enter the port that is used to connect to the database.
Permission Configuration Item | You must select at least one permission configuration item. Data Identification: select this item if you want to use DSC to detect sensitive data in the database and perform classification or de-identification on the sensitive data. Audit: select this item if you want to use DSC to audit database activities. For more information about the audit configuration, see Configure the audit mode.
In the Configure Permissions dialog box, click Add Account, enter a database name, select the permissions of the database user, enter the database username and password, and then click OK.
Return to the Authorization Management page to view the connection status of the self-managed database.
What to do next
After you connect DSC to a database, DSC automatically creates a default data identification task.
If you click Connect on the Authorization Management tab and select Immediately scan database assets and identify data, the system immediately runs the default data identification task.
If you click Connect on the Authorization Management tab and do not select Immediately scan database assets and identify data, you must manually run the default data identification task. To run the task, choose . On the Identification Tasks tab, click Default Tasks, find the task, and then click Rescan.
Note: Only DSC Enterprise supports the rescan operation. DSC Basic does not support the rescan operation.
You can configure a custom rescan time and a custom scan cycle for the default data identification task. For more information, see Modify the scan settings of the default identification task.
The system automatically uses the main identification template and the common identification template to scan the connected assets. By default, the main template is the Internet industry classification template. You can check the status of a default data identification task to confirm the completion time of the task.
View the completion time of a default data identification task. For more information, see View the default identification task.
View data identification results. For more information, see View sensitive data identification results.
CIDR blocks
Region | CIDR block
China (Qingdao) | 100.104.69.0/26, 100.104.48.128/26
China (Beijing) |
China (Zhangjiakou) |
China (Hohhot) |
China (Hangzhou) |
China (Shanghai) |
China (Shenzhen) |
China (Hong Kong) |
Alibaba Gov Cloud |
China East 2 Finance |
China East 1 Finance |
China (Chengdu) |