Create a data masking scenario

更新时间:
复制 MD 格式

DataWorks provides multiple built-in level-1 masking scenarios. If these scenarios do not meet your specific masking requirements, you can create custom level-2 scenarios from a level-1 scenario. This topic describes how to create a data masking scenario.

Masking scenarios

DataWorks supports two types of data masking: static masking and dynamic masking.

  • Dynamic masking: Displays masked data on the query page when you query sensitive data. Scenarios include Data Studio/Data Map display masking, Data Analysis display masking, MaxCompute engine-layer masking, and Hologres engine-layer masking.

  • Static masking: Masks data and then stores the masked data in a specified database location. This includes the Data Integration static masking scenario.

The dynamic masking scenarios provided by DataWorks, such as Data Studio/Data Map display masking, Data Analysis display masking, MaxCompute engine-layer masking, and Hologres engine-layer masking, and the static masking scenario Data Integration static masking, are all level-1 scenarios. These are fixed scenarios and cannot be created, edited, or deleted. For each level-1 scenario, DataWorks provides a default level-2 scenario that you can edit. You can also create new level-2 scenarios based on your business needs. For more information, see the following table.

Note
  • Operations may vary based on the level-2 scenario. For more information, see the page in the DataWorks console.

  • A masking scenario can have a maximum of two levels.

Level-1 scenario

Level-2 scenario

Description

Data Studio/Data Map display masking

  • Number of scenarios: You can configure a maximum of 30 scenarios.

  • Scenario operations: You can customize a level-2 scenario. The name can contain any characters and must be 1 to 30 characters in length.

  • Masks data queried in Data Studio and Data Map based on the configured data masking rules.

  • Data scope: Supports OPS and EMR data engines.

  • When you query data using the SQL Query feature in DataAnalysis, sensitive data in the query results is masked based on the configured data masking rules.

Note
  • The masking rules for sensitive data in the Data Studio/Data Map scenario take effect only after workspace masking is enabled.

  • The EMR engine - Data Map scenario is not subject to workspace masking settings. Masking rules take effect as long as they are configured.

  • The Data Studio/Data Map and Data Analysis scenarios share unified workspace management. Changing the workspace masking setting of one scenario automatically changes the setting of the other.

  • The Hologres engine does not currently support Data Studio/Data Map display masking.

Data Analysis display masking

  • When you query data using SQL Notes in Data Analysis, sensitive data in the query results is masked based on the configured data masking rules.

  • Data scope: Supports OPS data engines.

Note
  • The masking rules for sensitive data in the Data Analysis scenario take effect only after workspace masking is enabled.

  • The Data Studio/Data Map and Data Analysis scenarios share unified workspace management. Changing the workspace masking setting of one scenario automatically changes the setting of the other.

MaxCompute engine-layer masking

  • Data queried through the MaxCompute CLI/client (odpscmd) or Logview entry is masked at the display layer based on the configured masking rules. This method does not change the data in the storage layer of the data engine.

  • Data scope: Supports OPS data engines.

  • Project and user group scope: Select from the drop-down list. Multiple selections are supported.

  • For best practices on using the MaxCompute dynamic masking feature, see Example: Masking MaxCompute data.

Note
  • The new MaxCompute underlying masking and the upper-layer scenario masking are complementary. To enable this underlying masking scenario, you must also configure the corresponding column masking rules. Otherwise, the upper-layer masking takes effect.

Hologres engine-layer masking

  • Number of scenarios: Only one scenario can be configured.

  • Scenario operations: You can only edit the default level-2 scenario. Creating new level-2 scenarios is not supported.

  • When you query Hologres data in Data Studio, sensitive data is masked based on the configured masking rules.

  • Data scope: Supports HOLO data engines.

Note

Hologres engine-layer masking does not currently support pseudonymization or masking allowlists. If you configure pseudonymization, data is masked as "***" in this scenario.

Data Integration static masking

Editing or configuring level-2 scenarios is not supported.

This scenario is typically used to mask batch synchronization data in Data Integration. In this scenario, sensitive data is identified and masked based on the configured masking rules during the storage process. The masked data is then stored in the specified database location.

Access control

  • Create, edit, or delete masking scenarios:

    • Tenant Administrator and Tenant Security Administrator can select data from all projects under the tenant.

    • Workspace Administrator and Workspace Security Administrator can only select data from projects to which they have access.

  • View masking scenarios: Only users with the Tenant Administrator, Tenant Security Administrator, Workspace Administrator, or Workspace Security Administrator role can view masking scenarios.

To perform the related operations, you must be granted the corresponding role. For more information about authorization, see Manage permissions on workspace-level services and Permission control for global services.

Entry point for masking scenario configuration

  1. Log on to the DataWorks console. In the target region, click Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, click Data Security > Sensitive Data Management and then click Try Now to access Data Security Guard.

    Note
    • If your Alibaba Cloud account is already authorized, you are directed to the Data Security Guard homepage.

    • If your Alibaba Cloud account is not authorized, you are redirected to the Data Security Guard authorization page. To use Data Security Guard features for the first time, go to Data Security > Sensitive Data Management, select Data Security Guard in the pop-up dialog, and then complete the authorization.

  1. In the left-side navigation pane, click Rule Setting > Data Masking Management to go to the Data Masking Management page.

  2. In the left-side Masking Scenarios section, click New Scenario.

Configure a masking scenario

In the New Masking Scenario dialog, configure the scenario information:

  1. Select and create a masking scenario.

    Select a level-1 scenario and enter a name for the level-2 scenario. The name can contain any characters and must be 1 to 30 characters in length.

  2. Select a data scope.

    Select the project data to which the masking scenario applies. After the selection, the masking scenario takes effect only on data in the selected projects.

  3. (Optional) Select a user group scope.

    If you want to apply the masking scenario only to specific users, you can create a user group for those users and select the user group here. For more information about configuring user groups, see Configure user groups.

    Note

    If left empty, the configured masking scenario applies to all users under the current tenant.

  4. Click Confirm to complete the masking scenario configuration.

Next step

After the masking scenario is configured, you can create data masking rules based on the scenario. For more information, see Create a data masking rule.