Data Security Center: View and configure identification templates

Last Updated: Nov 29, 2024

Data Security Center (DSC) provides built-in identification templates that identify sensitive data for different industries, such as the financial, energy, and automotive industries. You can use a built-in identification template to identify sensitive data in your assets, or configure a custom identification template based on a built-in one. This topic describes the concepts of identification templates and how to manage them.

Identification template description

Identification templates are tailored to meet industry-specific standards for sensitive data classification. You can use identification templates to check whether sensitive data meets security compliance requirements.

Identification template definition

An identification template contains one or more identification models, and an identification model contains one or more identification features.

| Term | Description |
| --- | --- |
| identification feature | Identification features support content identification, metadata identification, and dictionary identification. The features use operators, such as regular expressions, Contains, and Does Not Contain, to identify sensitive data and create identification rules. You can associate multiple identification rules by using the AND and OR logical operators to create complex identification rules. This allows you to identify sensitive data in a more flexible manner. DSC provides built-in identification features for common sensitive data categories and supports custom identification features. |
| identification model | An identification model is defined based on one or more identification features and generates final identification results. You can configure the scope of an identification model. For example, you can configure an identification model to support only specific data assets, such as database instances, tables, OSS buckets, Simple Log Service Logstores, and file directories. DSC provides built-in identification models for common sensitive data categories and supports custom identification models. |

For more information about how to use identification models and identification features, see View and configure identification models and identification features.

Identification template types

DSC provides built-in identification templates for common industries and supports custom identification templates. This helps you quickly configure data identification tasks. For more information, see Create a custom identification template.

| Template type | Description |
| --- | --- |
| Built-in identification template | DSC provides the data classification template for the financial industry, internal security template for cloud security, data classification template for the electricity industry, data classification template for the Internet of Vehicles (IoV) industry, and data classification template for the Internet industry. You can select a built-in identification template based on your business scenarios. Identification models included in built-in identification templates are known as built-in identification models. You can only enable or disable built-in identification templates and built-in identification models. You cannot configure custom sensitivity levels, identification features, or identification models for built-in identification templates. For more information, see View the details of a built-in identification template. |
| Custom identification template | If built-in identification templates cannot meet your business requirements, you can create custom identification templates. You can configure identification features and identification models to create a custom identification template that meets your business requirements. The number of custom identification templates that you create cannot exceed 10. For more information, see Create a custom identification template. |

Sensitivity levels of an identification template

DSC uses S1 to S10 to classify sensitive data. A higher number indicates a higher sensitivity level. The range of sensitivity levels available for an identification model is based on the associated identification template. For more information, see Configure the sensitivity levels of an identification template.

Use an identification template

An identification task scans the data of the connected assets, identifies sensitive data, classifies sensitive data, and then generates scan results based on the identification models in the required identification template.

You must use enabled identification templates for an identification task. Enabled identification templates are classified into main identification templates, active identification templates, and common identification templates.

When you create a custom identification task, you can select the main identification template and active identification templates. You can select up to two identification templates. For more information, see Create a custom identification task.

| Template type | Description |
| --- | --- |
| Main identification template | The identification template that default identification tasks use. The default main identification template of DSC is the data classification template for the Internet industry. You cannot disable the main identification template. You can specify only one main identification template. You can use an active identification template as the main identification template. For more information, see Enable an identification template and Specify a main identification template. The DSC console displays the identification results based on the main identification template on pages such as the Asset Insight and Data Directory pages under Data Insights. |
| Active identification template | You can enable built-in identification templates or custom identification templates as active identification templates. You can enable up to two active identification templates. |
| Common identification template | The identification template that is used by default. You do not need to configure the common identification template in built-in identification tasks and custom identification tasks. A common identification template is used to protect personal information security and privacy rights in accordance with GB/T 35273-2020 Information security technology - Personal information security specification issued by the Standardization Administration of China. The common identification template can help organizations implement personal information management and risk control in an efficient manner. |

For more information about how to use an identification template, see Use an identification template.

View and configure identification models and identification features

View built-in identification models and identification features

Built-in identification models

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Insights > Config.

  3. Click the Identification Models tab and select Built-in from the All Sources drop-down list to view the built-in identification models provided by DSC.

    You can enter the name of the identification model that you want to view in the search box and click the image icon to view information about the identification model.

  4. Find the required identification model and click Details in the Actions column to view the identification rules and identification thresholds of the identification model.

    You can copy an identification feature and go to the Identification Features tab to view information about the identification feature. For more information, see Built-in identification features.

Built-in identification features

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Insights > Config.

  3. Click the Identification Features tab and select Built-in from the Sources drop-down list to view the built-in identification features provided by DSC.

    You can enter the keyword of the identification feature that you want to view in the search box and click the image icon to view information about the identification feature.

Create a custom identification model and an identification feature

Custom identification models

Directly create a custom identification model

  1. On the Identification Models tab, click Create.

  2. In the Create panel, configure the parameters and click OK.

    | Category | Parameter | Description |
    | --- | --- | --- |
    | Basic Information | Model Name | Enter a name for the custom identification model. |
    | Basic Information | Model Description | This parameter is optional. Enter a description for the custom identification model. |
    | Basic Information | Tag | This parameter is optional. Select the tag that you want to add to the custom identification model. You can add the Personal sensitive information, Personal information, or General information tag to the custom identification model. |
    | Basic Information | Data Category | This parameter is optional. Select an identification template, sensitive data category, and sensitivity level from the drop-down lists for the custom identification model. You can select only custom identification templates. |
    | Model Rule | Identification Features | Select the identification features that you want to use in the custom identification model from the drop-down list. You can select built-in identification features or custom identification features. You can select multiple identification features. The features are evaluated by using the OR logical operator. |
    | Model Rule | Identification Scope | This parameter is optional. Select the asset types for which you want the custom identification model to take effect from the drop-down list. By default, you can select the asset types that DSC is authorized to access and that can be connected. You can select multiple asset types. The asset types are evaluated by using the OR logical operator. |
    | Model Rule | Advanced Settings | This parameter is optional. To configure a more precise scope for sensitive data identification, you can configure advanced settings. Procedure: (1) Select an asset type from the drop-down list. You can select only the asset types that you selected for the Identification Scope parameter. To configure multiple asset types, click the image icon. (2) Select a logical operator for different conditions. Valid values: AND and OR. To configure multiple condition groups, click Create Group. The added condition group is a subset of the first condition group. (3) Configure identification conditions. To add multiple identification conditions, click Add Condition. |
    | Identification Threshold | Minimum Hits (Unstructured Data) | Specify the minimum number of identification features that must be hit for a single object in OSS. If the minimum threshold is reached, the object is considered to contain the sensitive data defined by the model. For example, if the minimum threshold is 1 and a file hits one feature in the identification model, the file is identified as sensitive data of the specified type and sensitivity level. |
    | Identification Threshold | Hit Ratio (Structured Data) | Specify the hit ratio for structured data, such as ApsaraDB RDS. If the percentage of hits among 200 data samples meets the hit ratio, the data is classified as sensitive. For example, if the hit ratio is 50% and 100 data entries in a column meet the identification model, the column is identified as sensitive data of the specified type and sensitivity level. |

Create a custom identification model by creating a submodel

  1. On the Identification Models tab, find the built-in or custom identification model that you want to manage and click Create Submodel in the Actions column.

  2. In the Create Submodel panel, configure the parameters and click OK.

    The Model and Identification Features parameters cannot be modified. You can add a complementary feature. For more information about other parameters, see Directly create a custom identification model.

    Note

    If the selected custom identification model is a submodel, the Model and Identification Features parameters of the custom identification model remain unchanged.

Custom identification features

  1. On the Identification Models tab, click Add Feature.

  2. In the Add Feature panel, configure the parameters and click OK.

    | Parameter | Description |
    | --- | --- |
    | Feature Name | The name of the custom identification feature. |
    | Match Item | The following match types are supported. • Rule Match: Configure feature rules. You can click Add Rule to add multiple feature rules. The feature rules can be evaluated by using the AND or OR logical operator. If you select Exception Rule, you can click Add Rule to add multiple exception rules. The exception rules can be evaluated by using the AND or OR logical operator. The identification feature detects data that meets the feature rules but does not meet the exception rules. • Dictionary Match: Enter a keyword and press Enter. A keyword can be 1 to 128 characters in length. You can configure multiple keywords. A keyword cannot contain commas (,). Otherwise, the keyword is considered as two or more keywords separated by commas (,). Fuzzy match is supported. |
    | Data Type | The type of data that you want to identify. Valid values: Structured Data and Unstructured Data. |
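
The following sketch shows how the feature rules, exception rules, OR-combined features, and the two identification thresholds described above interact. It is an added illustration, not DSC code: the `Feature` and `Model` classes, the regular expressions, the sample column, and the choice of taking the first 200 values as the data samples are all assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Sequence

SAMPLE_SIZE = 200  # the page computes the hit ratio over 200 data samples
Rule = Callable[[str], bool]

def regex(pattern: str) -> Rule:
    compiled = re.compile(pattern)
    return lambda value: compiled.search(value) is not None

def contains(text: str) -> Rule:
    return lambda value: text in value

def _combine(rules: Sequence[Rule], op: str, value: str) -> bool:
    results = (rule(value) for rule in rules)
    return all(results) if op == "AND" else any(results)

@dataclass
class Feature:
    """Rule Match feature: data must meet the rules and not the exceptions."""
    name: str
    rules: List[Rule]
    rule_op: str = "AND"
    exceptions: List[Rule] = field(default_factory=list)
    exception_op: str = "OR"

    def hits(self, value: str) -> bool:
        if not self.rules or not _combine(self.rules, self.rule_op, value):
            return False
        # An empty exception list excludes nothing.
        return not (self.exceptions and
                    _combine(self.exceptions, self.exception_op, value))

@dataclass
class Model:
    """Identification model: features are OR-ed, then a threshold applies."""
    name: str
    features: List[Feature]
    min_hits: int = 1        # Minimum Hits (Unstructured Data)
    hit_ratio: float = 0.5   # Hit Ratio (Structured Data)

    def feature_hits(self, text: str) -> int:
        return sum(1 for f in self.features if f.hits(text))

    def matches_object(self, text: str) -> bool:
        return self.feature_hits(text) >= self.min_hits

    def column_ratio(self, values: Sequence[str]) -> float:
        # Assumption: the first 200 values stand in for the 200 samples.
        sample = list(values)[:SAMPLE_SIZE]
        if not sample:
            return 0.0
        return sum(1 for v in sample if self.feature_hits(v) > 0) / len(sample)

    def matches_column(self, values: Sequence[str]) -> bool:
        return self.column_ratio(values) >= self.hit_ratio

# Constructed features and data, not DSC built-ins.
EMAIL = Feature("email", [regex(r"[\w.%+-]+@[\w.-]+\.[A-Za-z]{2,}")],
                exceptions=[contains("@example.com")])  # test addresses
PHONE = Feature("phone", rules=[regex(r"\b1[3-9]\d{9}\b")])
MODEL = Model("contact-info", [EMAIL, PHONE])

def demo_column() -> List[str]:
    return ([f"user{i}@corp.test" for i in range(100)]
            + [f"qa{i}@example.com" for i in range(40)]
            + [f"order-{i}" for i in range(60)])
```

In the constructed column, the exception rule keeps the 40 test addresses from counting as hits, so the column lands exactly on the 50% hit ratio; without the exception rule the same column would score 70%.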

Enable or disable an identification model

To ensure that an identification template takes effect in the required identification task, you must enable identification models in the identification template. By default, the built-in identification models in a built-in identification template are enabled. You can enable or disable identification models based on your business requirements.

On the Identification Models tab, find the built-in or custom identification model that you want to enable or disable, and click the image or image icon in the Status column.

Important

Ongoing identification tasks are not affected. The status change takes effect on the next run of identification tasks.

View the details of a built-in identification template

  1. Log on to the DSC console.

  2. In the left-side navigation pane, choose Data Insights > Config.

  3. On the Template Management tab, click Configure Template and find the identification template whose Type is Built-in in the template list.

  4. Click View in the Actions column. You can view all sensitive data categories and identification models in the template.

    You can copy the name of an identification model and go to the Identification Models tab to view the identification features and identification thresholds for the identification model. For more information, see View built-in identification models and identification features.

Create a custom identification template

Directly create a custom identification template

  1. Click Configure Template on the Template Management tab and then click New template.

  2. On the New template page, configure Basic Information and click Next. The basic information includes the template name and template description.

  3. Complete the Configure Template step and click OK.

    1. Create sensitive data categories.

      1. In the Configure Template Node section, click Create Category. In the Create Category dialog box, configure the Category parameter and click OK.

      2. Click the image icon next to the category and then click Add Same-level Category or Add Subcategory to create a sensitive data category.

        You can repeat this operation to create multiple sensitive data categories.

    2. Add an identification model for a sensitive data category. You can repeat the following steps to add multiple identification models.

      1. Click the image icon next to a sensitive data category and click Create.

      2. In the Create dialog box, select the check box next to the identification model that you want to add, turn on image in the Status column, and then click OK.

        You can filter identification models by data tag, model type, and model name. You can select built-in identification models or custom identification models.

        Important

        After an identification model in an identification template is enabled, identification rules take effect in the identification tasks that use the identification template.

Create a custom identification template by copying an identification template

  1. Click Configure Template on the Template Management tab, find the built-in identification template that you want to copy, and then click Copy in the Actions column. Alternatively, find a custom identification template that you want to copy and choose image > Copy in the Actions column.

  2. In the Copy Template dialog box, the default value of the Template name parameter is <Original template name> + copy. You can change the template name and click OK.

  3. Find the template and click Edit in the Actions column. Then, configure the template name, sensitive data categories, and identification models and click OK. You can change the name of a sensitive data category, create a sensitive data category, and delete a sensitive data category. You can add or remove an identification model.

Other operations

  • Delete an identification template: You can delete only custom identification templates. You cannot delete built-in identification templates. To delete a template, click Configure Template, find the template that you want to delete, click the image icon in the Actions column, and then click Delete. After you delete a template, the custom identification models that belong to the template are also deleted.

  • Manage sensitive data categories:

    You can configure only the sensitive data categories of custom identification templates. You cannot modify the sensitive data categories of built-in identification templates. To manage sensitive data categories, click Configure Template, find the template that you want to manage, and then click Edit in the Actions column. Then, click Next. In the Configure Template Node section, perform the following operations:

    • Create a sensitive data category: Click the image icon next to an existing sensitive data category and then click Add Same-level Category to create a sensitive data category.

    • Change the name of a sensitive data category: Click the input box to change the name of a sensitive data category.

    • Delete a sensitive data category: Click the image icon next to an existing sensitive data category and then click Delete to delete the sensitive data category.

  • Manage the identification models of an identification template:

    You can only enable or disable identification models in built-in identification templates. For custom identification templates, you can perform the following operations in the Configure Template Node section:

    • Add an identification model: Click the image icon next to an existing sensitive data category and then click Create to add an identification model.

    • Remove an identification model: Click the image icon next to an existing sensitive data category, find the identification model that you want to remove, and then click the image icon.

Configure the sensitivity levels of an identification template

  • For built-in identification templates, you cannot create or delete sensitivity levels. You can only modify the description of a sensitivity level.

  • For custom identification templates, you can create, modify, and delete sensitivity levels.

    • By default, 10 sensitivity levels are configured for custom identification templates that are directly created. You can delete only the sensitivity level of S10.

    • For custom identification templates that are created by copying an identification template, the default sensitivity levels are the same as those of the copied identification template. You cannot delete default sensitivity levels.

    • In a custom identification template, you can configure up to 10 sensitivity levels.

On the Sensitivity Level Configuration tab of the Template Management tab, configure the Templates Being Modified parameter. You can perform the following operations:

  • Delete a sensitivity level: Find the sensitivity level that you want to delete and click Delete in the Actions column.

  • Create a sensitivity level: Click Configure Custom Sensitivity Level to create a sensitivity level.

  • Modify a sensitivity level: Find the sensitivity level that you want to modify and then click Edit in the Actions column.

Use an identification template

Enable an identification template

If no identification templates are configured, the built-in data classification template for the Internet industry is enabled and used as the main template. If you want to use another identification template in an identification task, perform the following steps to enable a built-in or custom identification template.

Important

You can enable up to two identification templates. Enabled templates are displayed in the Enabled Templates section.

  1. Click Configure Template on the Template Management tab. In the template list, find the built-in or custom identification template that you want to enable.

  2. Click the image icon in the Status column to enable the identification template. Make sure that the status changes to image.

Configure the main identification template

Important

Only an enabled identification template can be configured as the main identification template. Before you can change the main identification template, make sure that all identification tasks that are associated with the main identification template are terminated. For more information, see Terminate an identification task.

If you want to use another identification template in a default identification task, you can change the main identification template.

  1. Click Configure Template on the Template Management tab. In the Enabled Templates section, find the identification template that you want to use as the main identification template and click Main Template.

  2. In the message that appears, click Continue.

    After the change is successful, the identification template is marked as Main Template and dimmed.

What to do next

When you create an identification task, you can use an enabled identification template to scan sensitive data in the assets that DSC can access. For more information, see Use identification tasks to scan sensitive data.