You can use data domains to classify and manage assets from different dimensions, such as business attributes, organizational structures, and data characteristics. You can add assets that have the same attributes to a single data domain to manage the assets and sensitive data in the assets in an efficient manner. This topic describes how to use the data domain feature to classify and manage assets.
Scenarios
A large number of assets belong to different departments. The assets need to be allocated by department for efficient management.
Assets need to be allocated to different data administrators. Data administrators can manage only assets within the scope of their permissions to implement asset permission management.
Prerequisites
Data Security Center (DSC) is authorized to access assets. For more information, see Asset authorization.
If you use a Resource Access Management (RAM) user, the AliyunYundunSDDPFullAccess policy is attached to the RAM user. For more information, see Authorize a RAM user to access DSC.
Background information
DSC provides the default data domain that contains all authorized assets. By default, an Alibaba Cloud account or a RAM user to which the AliyunYundunSDDPFullAccess policy is attached can manage all data domains and assets. To classify assets and specify data administrators, you can perform the following operations:
Create custom data domains, classify and add assets to the custom data domains, and then view the sensitive data identification results of the assets by data domain. For more information, see View sensitive data identification results.
Allow a RAM user to manage only specific custom data domains and assets in the data domains. This way, different types of assets can be managed in a fine-grained manner.
Limits
An asset can be added to only one data domain.
Assets that are not added to custom data domains belong to the default data domain.
Create a custom data domain to classify and manage assets
Before you create custom data domains, we recommend that you plan the names and hierarchical relationships of the data domains based on business units or organizational structures. You can create up to three levels of data domains. Then, you can follow the instructions in this section to create custom data domains, configure hierarchical relationships, and classify assets.
Choose one of the following methods based on the number of data domains and assets that you need to manage.
Manage a single data domain and add assets to the data domain
Step 1: Create a data domain
Log on to the DSC console.
In the left-side navigation pane, open the Data Domain Configuration page. Click Add next to Custom Data Domain.
In the Add Data Domain dialog box, enter a name and description for the data domain, and click OK.
Use one of the following methods to create multiple data domains and configure the hierarchical relationships.
Repeat the preceding steps to create multiple data domains. Then, drag the data domains to change their positions and configure the hierarchical relationships of the data domains.
Move the pointer over the number of assets next to the data domain that is created, click the icon, and then perform one of the following operations:
Click Add Child Node to create a child data domain for the current data domain. You can create up to three levels of data domains.
Click Add Sibling Node to create a same-level data domain.
Step 2: Add assets to the data domain
To add assets to a custom data domain, refer to the operations in this section.
Add assets to a custom data domain
You can select only assets in the default data domain.
In the left-side data domain list, click the name of the data domain to which you want to add assets.
Click Add Asset.
In the Add data assets panel, select the assets that you want to add and click OK.
Move assets from other data domains to the destination data domain
In the left-side data domain list, click the name of the data domain whose assets you want to move.
In the asset list, find the asset that you want to move and click Move in the Actions column.
You can select multiple assets and click Batch Move below the list.
In the dialog box that appears, select the destination data domain from the drop-down list and click OK.
What to do next
To modify or delete a data domain, perform the following steps:
In the left-side navigation pane, open the Data Domain Configuration page. Move the pointer over the number of assets next to the data domain that you want to manage, click the icon, and then perform the following operations based on your business requirements:
Click Modify Data Domain to modify the name and description of the data domain.
Click Delete to delete the current data domain. To delete a data domain that has a child data domain, you must delete the child data domain first. After you delete a data domain, the assets in the data domain are automatically moved to the default data domain.
Batch manage data domains and add assets
You can download and modify a data domain template file named DSC Data Domain Template.xlsx to manage data domains and assets in the data domains.
Description of data domain file parsing
After the data domain template file is uploaded, DSC parses the data domain and asset information in the file from top to bottom. If rows conflict, the configuration at the bottom of the file overrides the configuration at the top.
During the parsing process, the system follows the principle that an asset can belong to only one data domain.
If several assets are listed under the same data domain, all of them are added to that data domain.
If the same asset is listed under different data domains, the asset is added to the data domain that appears closest to the bottom of the file.
If an asset is not included in the file, the asset remains in its original data domain.
Examples:
A custom data domain is created at the top of the file and an asset is added to it, but the same asset is also listed under the default data domain at the bottom of the file. In this case, the custom data domain is created, but the asset is added to the default data domain.
You delete the rows of an existing custom data domain and its assets from the top of the file, but you do not list those assets under the default data domain at the bottom of the file. In this case, the custom data domain and its assets remain unchanged and are not deleted, because assets that are absent from the file keep their original data domain.
Upload the data domain template file
Log on to the DSC console.
In the left-side navigation pane, open the Data Management page. In the upper-right corner of the page, click Batch Manage.
In the Batch Manage dialog box, click DSC Data Domain Template.xlsx to download the template.
The following figure shows the template. The template contains the following columns: First Data Domain, Second Data Domain, Third Data Domain, Instance Name, Instance Type, and Instance Region. The template also contains information about existing data domains and assets in the data domains. If custom data domains exist, their rows are located at the top of the file and the rows of the default data domain are located at the bottom of the file. If an existing data domain contains no assets, the data domain is not included in the file.
Modify the information about data domains and assets in the data domains based on Description of data domain file parsing. Then, save the modifications.
Examples:
Create a data domain: Find the row of the asset that you want to manage and change the value in the First Data Domain column to a custom data domain name. You can also specify values in the Second Data Domain and Third Data Domain columns based on your business requirements. For example, you can change Default Data Domain in the First Data Domain column to a custom data domain name.
Delete a first-level custom data domain: Find the row of the data domain that you want to delete and change the value in the First Data Domain column to Default Data Domain. If the data domain contains child data domains, you must also delete the values in the Second Data Domain and Third Data Domain columns.
In the Batch Manage dialog box, click Import Local Files, import the modified template file, and then click OK.
After you create a custom data domain and add assets to the data domain, the number next to the data domain indicates the total number of assets in the data domain and its child data domains.
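The following Python script is an added example, not DSC's own code: it simulates the parsing rules described under Description of data domain file parsing and applies them to rows that use the template columns listed above. The sample assets, the helper names, and the rule that a custom domain survives only if the file mentions it or it still holds an asset (derived from the page's three examples) are assumptions made for this demonstration.

```python
# Constructed simulation of the DSC Data Domain Template.xlsx parsing rules (not DSC's own code).
DEFAULT_DOMAIN = "Default Data Domain"
LEVEL_COLUMNS = ("First Data Domain", "Second Data Domain", "Third Data Domain")
ASSET_COLUMNS = ("Instance Name", "Instance Type", "Instance Region")

def domain_path(row):
    """Domain path of one template row as a tuple, e.g. ('Finance', 'Billing')."""
    levels = [(row.get(col) or "").strip() for col in LEVEL_COLUMNS]
    while levels and not levels[-1]:
        levels.pop()  # drop trailing empty level columns
    if not levels or "" in levels:
        raise ValueError("levels must be filled in order from First Data Domain")
    return tuple(levels)

def prefixes(path):
    """Custom domain levels a path implies (a child exists only with its parents)."""
    return set() if path[0] == DEFAULT_DOMAIN else {path[:d] for d in range(1, len(path) + 1)}

def apply_template(rows, current):
    """Apply rows top to bottom to the current {asset_key: domain_path} mapping.
    Later rows override earlier ones, an asset has exactly one domain, and assets not in the
    file keep their domain. A custom domain exists afterwards if the file mentions it or it
    still holds an asset, so a domain whose assets were all moved to the default domain is gone."""
    assignments = dict(current)
    mentioned = set()
    for row in rows:
        path = domain_path(row)
        assignments[tuple(row[col] for col in ASSET_COLUMNS)] = path
        mentioned |= prefixes(path)
    in_use = set().union(*(prefixes(p) for p in assignments.values()))
    return mentioned | in_use, assignments

def row(first, second, third, name, kind="RDS", region="cn-hangzhou"):
    return {"First Data Domain": first, "Second Data Domain": second, "Third Data Domain": third,
            "Instance Name": name, "Instance Type": kind, "Instance Region": region}

def example_conflicting_rows():
    """Page example 1: Finance is created, but rds-1 ends up in the default domain (bottom row wins)."""
    current = {("rds-1", "RDS", "cn-hangzhou"): (DEFAULT_DOMAIN,)}
    return apply_template([row("Finance", "", "", "rds-1"), row(DEFAULT_DOMAIN, "", "", "rds-1")], current)

def example_rows_removed():
    """Page example 2: an existing domain's rows are dropped from the file; domain and assets stay."""
    current = {("rds-2", "RDS", "cn-hangzhou"): ("Finance", "Billing")}
    return apply_template([row("HR", "", "", "rds-3")], current)

def example_delete_domain():
    """Delete procedure: the domain's assets are re-listed under the default domain."""
    current = {("rds-2", "RDS", "cn-hangzhou"): ("Finance", "Billing")}
    return apply_template([row(DEFAULT_DOMAIN, "", "", "rds-2")], current)
```

Before uploading a real template, a dry run like this over the exported rows shows which assets will change domain and which custom domains would be removed.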
Authorize a RAM user to manage only specific custom data domains
The following table describes data domain-related policies.
| Policy | Description |
| --- | --- |
| AliyunYundunSDDPFullAccess | All permissions on DSC, including the permissions to manage data domains. RAM users who have these permissions can perform all operations supported by data domains. |
| AliyunYundunSDDPReadOnlyAccess | Read-only permissions on DSC. RAM users who have these permissions can view all data domains but cannot perform other operations on data domains, such as modifying data domains, deleting data domains, and moving assets. |
| AliyunYundunSDDPDataManager | The permissions to manage data domains in DSC. RAM users who have these permissions are synchronized to the DSC console. After you specify the scope of data domains that a RAM user can manage, the RAM user can view and manage the data domains within the scope and the assets in those data domains. For example, the RAM user can modify data domains, add assets to data domains, and move assets between data domains within the scope. |
An Alibaba Cloud account can create multiple RAM users. You can attach the AliyunYundunSDDPDataManager policy to a specific RAM user and synchronize the RAM user to the DSC console to use the RAM user as a data administrator. Then, you can specify the scope of data domains that the RAM user can manage and allow the RAM user to view and manage the data domains within the scope and the assets in those data domains. For example, you can allow the RAM user to modify data domains, add assets to data domains, and move assets to other data domains within the scope.
The AliyunYundunSDDPDataManager policy and the data domain scope configured for a RAM user restrict only the data domain feature. RAM users to which the AliyunYundunSDDPFullAccess policy is attached can still view all assets when they use other DSC features, such as data insights, data auditing, and data masking.
You can attach the AliyunYundunSDDPDataManager policy to a RAM user to allow the RAM user to view and manage specific custom data domains and the assets in those data domains. You cannot restrict a RAM user to viewing, but not managing, specific custom data domains and their assets. If you attach the AliyunYundunSDDPReadOnlyAccess policy to a RAM user, the RAM user can view all data domains.
Step 1: Synchronize RAM user information
The AliyunYundunSDDPFullAccess policy must be attached to the RAM user that you want to synchronize.
On the Data Management page, synchronized RAM users can manage only the custom data domains that are authorized to them and the assets within those data domains.
On the Data Management page, click the Data Administrator tab.
If existing RAM users do not meet your business requirements or you require more RAM users, click Create User to create RAM users.
In the Create User panel, click RAM Console.
On the Create User page in the RAM console, enter user information and click OK. For more information about how to create a RAM user, see Create a RAM user.
Go back to the DSC console. In the Create User panel, click Created.
Grant the RAM user the permissions to manage the data domains of DSC.
On the Users page of the RAM console, find the RAM user and click Add Permissions in the Actions column.
In the Grant Permission panel, grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.
You must select the AliyunYundunSDDPDataManager system policy. If the AliyunYundunSDDPFullAccess policy is not attached to the RAM user, you must also select AliyunYundunSDDPFullAccess.
Go back to the Data Administrator tab of the Data Management page in the DSC console and click Synchronize User. DSC synchronizes all RAM users within the current Alibaba Cloud account to which the AliyunYundunSDDPDataManager policy is attached to the data administrator list.
Step 2: Configure data domains for the RAM user
After you synchronize RAM users, you must configure the scope of custom data domains that each RAM user can manage.
On the Data Management tab, find the RAM user that you want to manage and click Edit Manageable Data Domain in the Actions column.
In the Modify Manageable Data Domain panel, select data domains for the RAM user and click OK.
References
For more information about RAM users and how to grant permissions to RAM users, see Create a RAM user and grant permissions to the RAM user.
You can view identified sensitive data and sensitivity levels by data domain. For more information, see View sensitive data identification results.
When you configure an identification task, you can set the scan scope to data domains. For more information, see Identification tasks.