Data Security Center: Authorize DSC to access MaxCompute

Last Updated: Sep 09, 2024

If you purchase Data Security Center (DSC) and you want to use DSC to detect sensitive data or monitor unusual operations in MaxCompute tables, you must authorize DSC to access MaxCompute.

Prerequisites

DSC is purchased and authorized to access cloud services. For more information, see Purchase DSC and Authorize DSC to access Alibaba Cloud resources.

Step 1: Add an account that is used by DSC to the destination MaxCompute project

Before you authorize DSC to access MaxCompute, you must add an account that is used by DSC to the destination MaxCompute project and grant the admin permission to the account to allow DSC to access data in the project.

  1. Run the following commands on the MaxCompute client by using an account that has the permissions of the Super_Administrator role to add the yundun_sddp account to the destination MaxCompute project and grant the admin permission to the account. This allows DSC to access and read data from the destination MaxCompute project.

    For more information about the permissions of the Super_Administrator role, see Role planning and RAM permissions. For more information about how to grant permissions to an Alibaba Cloud account, see ACL-based access control. For more information about how to connect to the MaxCompute client, see Select a connection tool.

    Replace project_name in the following commands with the name of the destination MaxCompute project.

    use project_name;
    add user aliyun$1165435448077224;
    grant admin to aliyun$1165435448077224;

    If OK is displayed in the command output, the operation is successful. The configuration requires a specific amount of time to take effect.

  2. If you already configured an IP address whitelist for MaxCompute, run the following command to add the IP address used by DSC to the IP address whitelist. If you did not configure an IP address whitelist, skip this step.

    You can run the setproject; command to check whether the IP address whitelist feature is enabled. If the value of the odps.security.vpc.whitelist parameter is empty, the IP address whitelist feature is disabled. In this case, you can skip this step.

    setproject odps.security.ip.whitelist=11.193.236.0/24,11.193.64.0/24,<CIDR blocks> odps.security.vpc.whitelist=<VPC ID>;
    // 11.193.236.0/24,11.193.64.0/24,<CIDR blocks> are CIDR blocks used by DSC in the classic network.
    // Replace VPC ID with the virtual private cloud (VPC) ID for the region where the MaxCompute project resides. The following table describes the mappings between regions, VPC IDs, and CIDR blocks.

    Region                   Region ID              VPC ID                     CIDR block
    -----------------------  ---------------------  -------------------------  ----------------
    China (Zhangjiakou)      cn-zhangjiakou         vpc-8vbvzdb5egltk0yexldhs  47.92.198.0/24
    China (Beijing)          cn-beijing             vpc-2zess7v6iegn01fy432e4  47.94.162.0/24
    China (Shenzhen)         cn-shenzhen            vpc-wz995reiv7uropgo6bd8f  47.107.126.0/24
    China (Shanghai)         cn-shanghai            vpc-uf6r63271gabvtahlh6w7  101.132.115.0/24
    China (Hangzhou)         cn-hangzhou            vpc-bp1h80dnzbway3nckavj4  118.31.7.0/24
    China (Chengdu)          cn-chengdu             vpc-2vcjetax6t3tfrb3zwzhv  47.109.105.0/24
    China (Qingdao)          cn-qingdao             vpc-m5ec3lpwkxfydz19ynh3s  47.104.137.0/24
    China (Hohhot)           cn-huhehaote           vpc-hp3gpc5pckssp3h4ptqhe  39.104.60.0/24
    China (Hong Kong)        cn-hongkong            vpc-j6cem0kl1zs9wz5tjkpez  47.244.246.0/24
    Singapore                ap-southeast-1         vpc-t4nabu5ninmsubrbxn51z  47.241.177.0/24
    Indonesia (Jakarta)      ap-southeast-5         vpc-k1a2u6xg9kd1l9wlr3hdi  147.139.163.0/24
    Malaysia (Kuala Lumpur)  ap-southeast-3         vpc-8ps2eulwxhwd93txl87gj  47.254.216.0/24
    China East 2 Finance     cn-shanghai-finance-1  vpc-zm0cph8eb5lj8ulbjd5fg  139.224.122.0/24
    China South 1 Finance    cn-shenzhen-finance-1  vpc-j5enthk830u0uo0djwf5q  112.74.241.0/24
    China East 1 Finance     cn-hangzhou-finance    vpc-bp1h80dnzbway3nckavj4  118.31.7.0/24
                                                    vpc-bp1w4mgfezh2zjrix02cv  47.96.56.0/24
    China North 2 Ali Gov 1  cn-north-2-gov-1       vpc-9dpf9bp63v1imf4kdx77i  39.107.178.0/24

    After you configure the IP address whitelist, wait for 5 minutes before you proceed to the next step.
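The whitelist update in step 2, as an added example that is not part of the original page or of Alibaba Cloud's tooling: it checks whether the entries you already have cover the DSC ranges and builds a setproject command that keeps the existing entries and appends only what is missing. Assumptions: setproject sets each property to exactly the value given, existing entries may be single IP addresses, CIDR blocks, or first-last ranges, and several VPC IDs are joined with commas; the function names and the sample office range are hypothetical, and only three rows of the region table are embedded.

```python
import ipaddress

# Classic-network CIDR blocks used by DSC (from the page's setproject command).
DSC_CLASSIC = ["11.193.236.0/24", "11.193.64.0/24"]
# Three rows copied from the page's region table: region ID -> (VPC IDs, CIDRs).
DSC_REGIONS = {
    "cn-beijing": (["vpc-2zess7v6iegn01fy432e4"], ["47.94.162.0/24"]),
    "ap-southeast-1": (["vpc-t4nabu5ninmsubrbxn51z"], ["47.241.177.0/24"]),
    "cn-hangzhou-finance": (
        ["vpc-bp1h80dnzbway3nckavj4", "vpc-bp1w4mgfezh2zjrix02cv"],
        ["118.31.7.0/24", "47.96.56.0/24"],
    ),
}

def to_networks(entry):
    """Parse one entry: single IP, CIDR, or first-last range (assumed forms)."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def missing_entries(current, required):
    """Return the required CIDRs that no entry of the current whitelist covers."""
    have = [n for e in current if e.strip() for n in to_networks(e)]
    return [r for r in required
            if not any(ipaddress.ip_network(r).subnet_of(h) for h in have)]

def build_setproject(region_id, current_ip, current_vpc):
    """Return a setproject command that keeps existing entries and appends
    DSC's, or None when the step can be skipped."""
    if not current_ip and not current_vpc:
        return None  # no whitelist configured: the page says to skip this step
    vpcs, cidrs = DSC_REGIONS[region_id]
    add_ip = missing_entries(current_ip, DSC_CLASSIC + cidrs)
    add_vpc = [v for v in vpcs if v not in current_vpc]
    if not add_ip and not add_vpc:
        return None  # DSC ranges and VPC are already allowed
    # Assumption: setproject replaces the whole value, so existing entries are kept.
    ip_list = ",".join(list(current_ip) + add_ip)
    vpc_list = ",".join(list(current_vpc) + add_vpc)
    return (f"setproject odps.security.ip.whitelist={ip_list} "
            f"odps.security.vpc.whitelist={vpc_list};")

if __name__ == "__main__":
    # Constructed sample: a project that already allows one office range.
    print(build_setproject("cn-beijing", ["10.32.180.0/23"], []))
```

Pass the values shown by the setproject; command as current_ip and current_vpc, and review the generated command before you run it on the MaxCompute client.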

Step 2: Authorize DSC to access MaxCompute

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Asset Center > Authorization Management.

  3. In the left-side pane of the Authorization Management tab, click MaxCompute.

  4. Click Asset Authorization Management.

  5. Optional. In the Asset Authorization Management panel, click Asset synchronization.

    The first time you log on to DSC, DSC automatically synchronizes assets in the cloud, so you do not need to synchronize assets manually. DSC scans for new assets at 00:00 every day and automatically synchronizes the assets to the lists of unauthorized assets. If you want to authorize DSC to access assets that are created on the current day, you must manually synchronize the assets.

  6. On the Not authorized tab, find the asset on which you want to grant permissions and click Authorization in the Actions column.

    You can also select multiple assets and click Batch Authorize.

    Important

    If you want to authorize DSC to access multiple MaxCompute projects at a time, make sure that the account used by DSC is added to each of the MaxCompute projects, as described in Step 1.

Step 3: Connect MaxCompute to DSC

  1. Return to the Authorization Management tab, find the MaxCompute project that you want to connect to DSC, and then click Connect in the Actions column.

  2. Optional. In the Connect dialog box, select Immediately scan database assets and identify data..

  3. In the Connect dialog box, click OK.

    If Connected is displayed in the Connection Status column, the MaxCompute project is connected. In this case, the "identification supported" and "de-identification supported" icons are displayed in the Feature Status column, which indicates that the sensitive data identification feature and the data de-identification feature are enabled. You can click Modify to disable the sensitive data identification or data de-identification feature.

What to do next

After you connect DSC to a MaxCompute project, DSC automatically creates a default data identification task.

  • If you click Connect on the Authorization Management tab and select Immediately scan database assets and identify data., DSC immediately runs the default data identification task.

  • If you click Connect on the Authorization Management tab and do not select Immediately scan database assets and identify data., you must manually run the default data identification task. To run the task, choose Data Insights > Tasks. On the Identification Tasks tab, click Default Tasks, find the task, and then click Rescan.

    Important

    Only DSC Enterprise supports the rescan operation. DSC Basic does not support the rescan operation.

    You can configure a custom rescan time and a custom scan cycle for a default data identification task. For more information, see Modify the scan settings of the default data identification task.

The system automatically uses the main identification template and the common identification template to scan the connected MaxCompute assets. By default, the main template is the Internet industry classification template. You can check the status of a data identification task to confirm the completion time of the task.

  1. View the completion time of the default data identification task. For more information, see View the default data identification task.

  2. View data identification results. For more information, see View sensitive data identification results.