
Data Security Center: Authorize DSC to access MaxCompute

Last Updated: Dec 13, 2024

If you purchase Data Security Center (DSC) and you want to use DSC to detect sensitive data or monitor unusual operations in MaxCompute tables, you must authorize DSC to access MaxCompute.

Prerequisites

Step 1: Authorize DSC to access ApsaraDB RDS

  1. Log on to the DSC console.

  2. In the left-side navigation pane, click Asset Center.

  3. In the left-side pane of the Authorization Management tab, click MaxCompute.

  4. Click Asset Authorization Management.

  5. Optional. In the Asset Authorization Management panel, click Asset synchronization.

    The first time you log on to DSC, DSC automatically synchronizes assets in the cloud. You do not need to synchronize assets. DSC scans for new assets at 00:00 every day and automatically synchronizes the assets to the lists of unauthorized assets. If you want to authorize DSC to access the assets that are created on the current day, you must manually synchronize the assets.

  6. On the Not authorized tab, find the asset on which you want to grant permissions and click Authorization in the Actions column.

    You can also select multiple assets and click Batch Authorize.

Step 2: Connect MaxCompute to DSC

  1. Return to the Authorization Management tab, find the MaxCompute project that you want to connect to DSC, and then click Connect in the Actions column.

  2. Optional. In the Connect dialog box, select Immediately scan database assets and identify data.

  3. In the Connect dialog box, click OK.

    • After you use the one-click connection mode to connect DSC to the MaxCompute project, DSC creates an account named yundun_sddp and grants the admin permission to the account. This way, DSC can access and read data from the MaxCompute project.

    • The first time you connect DSC to a MaxCompute project for which the whitelist feature is enabled, MaxCompute adds the public CIDR block used by DSC and the virtual private cloud (VPC) ID of the region in which DSC resides to the whitelist to allow DSC to access data in the MaxCompute project. The CIDR block and VPC ID vary based on the region.

      Note

      If the whitelist feature is disabled for the MaxCompute project, no whitelist is configured.

      The following table describes the mappings between regions, VPC IDs, and CIDR blocks.

      | Region | Region ID | VPC ID | CIDR block |
      |---|---|---|---|
      | China (Zhangjiakou) | cn-zhangjiakou | vpc-8vbvzdb5egltk0yexldhs | 47.92.198.0/24 |
      | China (Beijing) | cn-beijing | vpc-2zess7v6iegn01fy432e4 | 47.94.162.0/24 |
      | China (Shenzhen) | cn-shenzhen | vpc-wz995reiv7uropgo6bd8f | 47.107.126.0/24 |
      | China (Shanghai) | cn-shanghai | vpc-uf6r63271gabvtahlh6w7 | 101.132.115.0/24 |
      | China (Hangzhou) | cn-hangzhou | vpc-bp1h80dnzbway3nckavj4 | 118.31.7.0/24 |
      | China (Chengdu) | cn-chengdu | vpc-2vcjetax6t3tfrb3zwzhv | 47.109.105.0/24 |
      | China (Qingdao) | cn-qingdao | vpc-m5ec3lpwkxfydz19ynh3s | 47.104.137.0/24 |
      | China (Hohhot) | cn-huhehaote | vpc-hp3gpc5pckssp3h4ptqhe | 39.104.60.0/24 |
      | China (Hong Kong) | cn-hongkong | vpc-j6cem0kl1zs9wz5tjkpez | 47.244.246.0/24 |
      | Singapore | ap-southeast-1 | vpc-t4nabu5ninmsubrbxn51z | 47.241.177.0/24 |
      | Indonesia (Jakarta) | ap-southeast-5 | vpc-k1a2u6xg9kd1l9wlr3hdi | 147.139.163.0/24 |
      | Malaysia (Kuala Lumpur) | ap-southeast-3 | vpc-8ps2eulwxhwd93txl87gj | 47.254.216.0/24 |
      | Germany (Frankfurt) | eu-central-1 | vpc-gw84wgtfbbssiln9sqcgi | 47.254.143.0/24 |
      | China East 2 Finance | cn-shanghai-finance-1 | vpc-zm0cph8eb5lj8ulbjd5fg | 139.224.122.0/24 |
      | China South 1 Finance | cn-shenzhen-finance-1 | vpc-j5enthk830u0uo0djwf5q | 112.74.241.0/24 |
      | China East 1 Finance | cn-hangzhou-finance | vpc-bp1h80dnzbway3nckavj4, vpc-bp1w4mgfezh2zjrix02cv | 118.31.7.0/24, 47.96.56.0/24 |
      | China North 2 Ali Gov 1 | cn-north-2-gov-1 | vpc-9dpf9bp63v1imf4kdx77i | 39.107.178.0/24 |

      For example, the whitelist feature is enabled for a MaxCompute project.

      odps.security.ip.whitelist=10.232.1.18
      odps.security.vpc.whitelist=vpc-rhs****

      After you use the one-click connection mode to connect DSC in the China (Zhangjiakou) region to the MaxCompute project, the whitelist is updated.

      odps.security.ip.whitelist=10.232.1.18,47.92.198.0/24
      odps.security.vpc.whitelist=vpc-rhs****,vpc-8vbvzdb5egltk0yexldhs

    If Connected is displayed in the Connection Status column, the MaxCompute project is connected. In this case, the Identification Supported and Masking Supported icons are displayed in the Feature Status column. The sensitive data identification feature and the data masking feature are enabled. You can click Modify to disable the sensitive data identification or data masking feature.
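The whitelist change that the one-click connection makes can be verified afterwards. The following Python is an added example, not Alibaba Cloud code: it diffs the whitelist settings before and after the connection against the region table above and reports entries that are missing, unexpected, or removed. The function names and the `DSC_REGION` mapping are illustrative, and the code assumes that IP whitelist entries are single addresses or CIDR blocks.

```python
import ipaddress

IP_KEY = "odps.security.ip.whitelist"
VPC_KEY = "odps.security.vpc.whitelist"

# Two rows copied from the region table on this page: region ID -> (VPC IDs, CIDR blocks).
DSC_REGION = {
    "cn-zhangjiakou": ({"vpc-8vbvzdb5egltk0yexldhs"}, {"47.92.198.0/24"}),
    "cn-hangzhou-finance": ({"vpc-bp1h80dnzbway3nckavj4", "vpc-bp1w4mgfezh2zjrix02cv"},
                            {"118.31.7.0/24", "47.96.56.0/24"}),
}

def parse_whitelist(text):
    """Parse 'key=v1,v2' lines into {key: set(values)}; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key.strip()] = {v.strip() for v in value.split(",") if v.strip()}
    return settings

def _net(entry):
    # Assumption: a bare address such as 10.232.1.18 is treated as a /32 network.
    return ipaddress.ip_network(entry, strict=False)

def audit_connect(before, after, region_id):
    """Diff the whitelist around a one-click connect and classify each change."""
    vpcs, cidrs = DSC_REGION[region_id]
    old, new = parse_whitelist(before), parse_whitelist(after)
    report = {"missing": [], "unexpected": [], "removed": []}
    for key, expected in ((IP_KEY, cidrs), (VPC_KEY, vpcs)):
        was, now = old.get(key, set()), new.get(key, set())
        report["removed"] += sorted(was - now)
        if key == IP_KEY:
            # An expected DSC block is present if any whitelist entry contains it.
            report["missing"] += sorted(c for c in expected
                                        if not any(_net(c).subnet_of(_net(n)) for n in now))
            # An added entry is expected only if it lies inside a DSC block.
            report["unexpected"] += sorted(n for n in now - was
                                           if not any(_net(n).subnet_of(_net(c)) for c in expected))
        else:
            report["missing"] += sorted(expected - now)
            report["unexpected"] += sorted((now - was) - expected)
    return report

# Constructed sample input: the before/after settings shown on this page.
BEFORE = "odps.security.ip.whitelist=10.232.1.18\nodps.security.vpc.whitelist=vpc-rhs****"
AFTER = ("odps.security.ip.whitelist=10.232.1.18,47.92.198.0/24\n"
         "odps.security.vpc.whitelist=vpc-rhs****,vpc-8vbvzdb5egltk0yexldhs")

if __name__ == "__main__":
    print(audit_connect(BEFORE, AFTER, "cn-zhangjiakou"))
```

An empty report means that the only additions are the DSC CIDR block and VPC ID documented for the region; any entry under `unexpected` or `removed` is a whitelist change that the one-click connection does not account for.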


What to do next

After you connect DSC to a MaxCompute project, DSC automatically creates a default data identification task.

  • If you click Connect on the Authorization Management tab and select Immediately scan database assets and identify data, DSC immediately runs the default data identification task.

  • If you click Connect on the Authorization Management tab and do not select Immediately scan database assets and identify data, you must manually run the default data identification task. To run the task, choose Data Insights > Tasks. On the Identification Tasks tab, click Default Tasks, find the task, and then click Rescan.

    Important

    Only DSC Enterprise supports the rescan operation. DSC Basic does not support the rescan operation.

    You can configure a custom rescan time and a custom scan cycle for a default data identification task. For more information, see Modify the scan settings of the default data identification task.

The system automatically uses the main identification template and the common identification template to scan the connected MaxCompute assets. By default, the main template is the Internet industry classification template. You can check the status of a data identification task to confirm the completion time of the task.

  1. View the completion time of the default data identification task. For more information, see View default identification task.

  2. View data identification results. For more information, see View sensitive data identification results.