Data Security Guard is a data security management product that provides features such as data discovery, data masking, watermarking, risk detection, and data tracing. It helps you quickly identify and securely manage sensitive data to ensure data security. This topic provides an example of using a built-in rule to mask the xc_dpe_e2_dev project's phone data and setting up an export risk audit to demonstrate the basic usage workflow of Data Security Guard.
Go to Data Security Guard
Log on to the DataWorks console. In the target region, click in the left-side navigation pane. On the page that appears, click Go to Security Center.
In the left-side navigation pane, click and then click Try Now to access Data Security Guard.
NoteIf your Alibaba Cloud account is already authorized, you are directed to the Data Security Guard homepage.
If your Alibaba Cloud account is not authorized, you are redirected to the Data Security Guard authorization page. To use Data Security Guard features for the first time, go to , select Data Security Guard in the pop-up dialog, and then complete the authorization.
Procedure
-
Step 1: Configure data classification and grading
Classify your data by sensitivity level based on its value, content sensitivity, scope of impact, and scope of distribution. Different sensitivity levels have different governance principles and data development requirements.
-
Step 2: Configure sensitive data detection rules
Define data categories and configure sensitive field types based on the data source and purpose to identify sensitive data within your workspace. DataWorks provides built-in data categories and detection rules. You can also create custom data categories and sensitive data detection rules.
-
Step 3: Configure data masking rules
Configure data masking rules for identified sensitive data. Data masking controls vary based on the sensitivity level and business requirements.
-
Step 4: Configure risk detection rules
Use intelligent analysis and risk detection rules to detect risky operations and trigger alerts. This helps you effectively identify and mitigate risks.
-
After you complete the configuration, you can view the results in the relevant modules of Data Security Guard.
Step 1: Configure data classification and grading
Classify your data assets by sensitivity level based on their value, content sensitivity, scope of impact, and scope of distribution. Different sensitivity levels have different governance principles and data development requirements. DataWorks provides built-in templates for data classification and grading. You can also edit the classification and grading settings based on your business needs. On the Data Security Guard page, in the left-side navigation pane, choose . This example uses the default data grades provided by DataWorks. For more information, see Configure data classification and grading.
Step 2: Configure sensitive data detection rules
DataWorks allows you to define sensitive field types based on their sensitivity level and category to help you identify sensitive data in your workspace. You can use built-in or custom rules to configure sensitive field types. For more information, see Configure data detection rules and run detection tasks.
This article provides an example of how to configure the phone sensitive field type. In this example, a built-in identification rule is used to define phone numbers as sensitive data and identify them in the xc_dpe_e2_dev workspace.
-
On the Data Security Guard page, choose in the left-side navigation pane to go to the Sensitive Data Detection page.
-
Configure data classification and grading.
In the Data classification configuration area, default data classifications are provided. You can also create new classifications as needed. This example uses the default classification
Basic Information. -
Configure a sensitive field type.
-
Click + Sensitive Field Type to create a sensitive field type.
-
Configure the basic information for the sensitive field type.
The following table describes the key parameters.
Parameter
Description
Sensitive field type
Customize the name of the sensitive field type based on your business requirements. In this example, the name is set to
phone.Data category
The data category to which the sensitive field type belongs. You can define data categories in the classification and grading configuration section.
The example configuration in this topic is for the default
Basic Informationcategory in DataWorks.Sensitivity level
The sensitivity level to which the sensitive field type belongs. You can define sensitivity levels in Step 1: Configure data classification and grading.
In this example, the configuration level is set to
3. -
Click Next Step.
-
Configure the rule for the sensitive field type.
This topic uses the rule configuration shown in the following figure.

The following table describes the parameters.
Parameter
Description
Hit criteria
Defines the matching logic for the detection rule. Valid values:
-
Satisfy any rule: A match occurs if any of the configured conditions (data content, field comment, or field name) are met.
-
Match all rules: A match occurs only if all configured conditions are met.
NoteThis topic describes only how to configure a Data Content Identification rule. For more information about rule configurations, see Configure data detection rules and run detection tasks.
This example uses Satisfy any rule.
Data Content Identification
Defines the content pattern that is used to match sensitive data. The pattern is based on the selected rule type.
In this example, the rule type is set to Built-in Rule, and the content to identify is Mobile Phone Number. Data is identified as sensitive if its content matches the characteristics of a phone number.
Hit ratio configuration
The minimum percentage of non-empty values in a column that must match the conditions to trigger a hit. If the percentage exceeds the threshold, the column is classified as this sensitive field type.
In this example, the threshold is set to 50%. This means that if more than 50% of the data in a column meets the specified conditions, the column is identified as sensitive data.
-
-
After the configuration is complete, click Publish to activate the rule.
The start time of a sensitive data detection task varies by task type.
Note-
A real-time task starts immediately.
-
A scheduled task starts at the configured scan time after you enable it. At the specified time, the platform performs sensitive data detection based on the task configuration.
-
A new detection task starts immediately after it is created, and its status is displayed as a progress bar. The task is complete when the progress reaches 100%. The progress is calculated by using the following formula: (Number of tables scanned in the current task / Total number of tables to be scanned in the current task) × 100%.
-
-
Step 3: Configure data masking rules
Configure data masking rules for the sensitive data that you have identified. Data masking controls vary based on the sensitivity level and your business requirements. DataWorks currently supports dynamic data masking and static data masking. For more information, see Create a data masking rule.
This topic provides an example of configuring a phone data masking rule for the sensitive data that is identified by the phone rule in Step 2.
-
On the Data Security Guard page, choose in the left-side navigation pane to go to the Data Masking Management page.
-
Configure a data masking rule.
-
Click the
icon to create a masking rule. -
Configure the rule information.
This topic uses the rule configuration shown in the following figure.

Parameter
Description
Sensitive field type
Select the sensitive field type to desensitize. In this example, select the
phonesensitive field type that you configured in Step 2.Masking Rule Name
Specify a name for the data masking rule. This topic uses
phoneas an example.Data masking scenario
Select the scenarios where this masking rule applies. By default, the scenario selected in Step 1 is used. You can also change the scenario or add multiple scenarios as required.
Masking Method
The method used to mask the data. This example uses . For a phone number, this method shows the first three and last two digits, and replaces all other digits with asterisks (*).
For more information about masking rule configuration, see Create a data masking rule.
-
-
Enable data masking for the workspace.
After configuring a masking rule, ensure that query result masking is enabled for the target workspace. The rule takes effect only after it is enabled.
-
Go to DataStudio.
-
In the lower-left corner, click the
icon to open the settings page. -
On the Security Settings and Others tab, in the Data Security section, enable data masking for page query content.
-
-
Verify that the data masking rule is in effect.
In DataStudio, create an ad hoc query to query the relevant phone number data and verify the masking effect in the query results. The specific table data and query statements depend on your business configuration. The following figure shows an example of the masking effect.

Step 4: Configure risk detection rules
Risk detection management uses advanced analytics to identify high-risk operations and trigger alerts, providing centralized and visual auditing. DataWorks provides built-in risk detection rules for various scenarios, and you can also create custom rules based on your business scenarios. For more information, see Risk detection management.
This topic provides an example of creating a custom rule to perform risk detection on sensitive data that is identified by the phone rule configured in Step 2. If the number of data exports that match the phone rule from the xc_dpe_e2_dev project is greater than or equal to 10 within 10 minutes, the export operation is identified as a high-risk operation.
-
On the Data Security Guard page, choose in the left-side navigation pane to go to the Risk Detection Management page.
-
Configure a risk detection rule.
-
Click the
icon to create a risk detection rule. -
Configure the rule information.
This topic uses the rule configuration shown in the following figure.
The following table describes the parameters.Section
Parameter
Description
Basic Information
Rule Name
Specify a custom rule name. In this example, the name is set to
Phone Data Export Risk.Rule Type
The type of data risk, such as data access, data export, or data operation.
This example selects data export risk, meaning any export of phone data is considered a risky operation.
Rule Level
The risk level of the operation. In this example, the export of phone data is defined as a high risk.
Rule Definition
Conditions
Defines the conditions for the risk detection rule. You can configure rules based on conditions such as data location, data properties, user information, and operation time.
In this example, a data attribute is selected to configure a rule that is triggered if sensitive data of the
phonetype in Step 2 is exported 10 or more times within 10 minutes.Alert settings
Alert Notification Method
You can choose to send alerts by email or webhook.
This example uses a webhook. For information about how to configure a DingTalk robot webhook, see Send alert messages to a DingTalk group.
For more information about risk detection configurations, see Risk detection management.
-
-
Enable the rule.
Because a custom rule is disabled by default after creation, you must go to the risk detection management page, find the
phone data export riskrule, and click Re-enable to manually enable it.
Step 5: View data
After you configure sensitive data and risk detection rules, you can view the resulting risk data in the various modules of Data Security Guard. Risk data is generated on the next day (T+1).
|
Module |
Description |
|
This page visualizes your data assets from different dimensions, such as workspace and sensitivity level. It shows the total number and proportion of fields and tables that hit detection rules, as well as the distribution and inventory of fields by sensitivity level and project. |
|
|
Displays the access volume, access trends, export volume, and export details for sensitive data identified by your rules. This helps you monitor every access to sensitive data. |
|
|
Presents risk events identified by your rules from multiple dimensions. This module helps you understand risk distribution, trends over time, and project risk rankings to identify high-risk periods and projects. You can also view details of a risk event, such as the user, time, and operation, allowing for timely identification and remediation. |
|
|
Extracts watermark information from leaked data files to trace the source of a data leak. |
The following table describes the parameters.