DataWorks provides multiple built-in level-1 masking scenarios. If these scenarios do not meet your specific masking requirements, you can create custom level-2 scenarios from a level-1 scenario. This topic describes how to create a data masking scenario.
Masking scenarios
DataWorks supports two types of data masking: static masking and dynamic masking.
-
Dynamic masking: Displays masked data on the query page when you query sensitive data. Scenarios include Data Studio/Data Map display masking, Data Analysis display masking, MaxCompute engine-layer masking, and Hologres engine-layer masking.
-
Static masking: Masks data and then stores the masked data in a specified database location. This includes the Data Integration static masking scenario.
The dynamic masking scenarios provided by DataWorks, such as Data Studio/Data Map display masking, Data Analysis display masking, MaxCompute engine-layer masking, and Hologres engine-layer masking, and the static masking scenario Data Integration static masking, are all level-1 scenarios. These are fixed scenarios and cannot be created, edited, or deleted. For each level-1 scenario, DataWorks provides a default level-2 scenario that you can edit. You can also create new level-2 scenarios based on your business needs. For more information, see the following table.
-
Operations may vary based on the level-2 scenario. For more information, see the page in the DataWorks console.
-
A masking scenario can have a maximum of two levels.
|
Level-1 scenario |
Level-2 scenario |
Description |
|
Data Studio/Data Map display masking |
|
Note
|
|
Data Analysis display masking |
Note
|
|
|
MaxCompute engine-layer masking |
Note
|
|
|
Hologres engine-layer masking |
|
Note Hologres engine-layer masking does not currently support pseudonymization or masking allowlists. If you configure pseudonymization, data is masked as "***" in this scenario. |
|
Data Integration static masking |
Editing or configuring level-2 scenarios is not supported. |
This scenario is typically used to mask batch synchronization data in Data Integration. In this scenario, sensitive data is identified and masked based on the configured masking rules during the storage process. The masked data is then stored in the specified database location. |
Access control
-
Create, edit, or delete masking scenarios:
-
Tenant Administrator and Tenant Security Administrator can select data from all projects under the tenant.
-
Workspace Administrator and Workspace Security Administrator can only select data from projects to which they have access.
-
-
View masking scenarios: Only users with the Tenant Administrator, Tenant Security Administrator, Workspace Administrator, or Workspace Security Administrator role can view masking scenarios.
To perform the related operations, you must be granted the corresponding role. For more information about authorization, see Manage permissions on workspace-level services and Permission control for global services.
Entry point for masking scenario configuration
Log on to the DataWorks console. In the target region, click in the left-side navigation pane. On the page that appears, click Go to Security Center.
In the left-side navigation pane, click and then click Try Now to access Data Security Guard.
NoteIf your Alibaba Cloud account is already authorized, you are directed to the Data Security Guard homepage.
If your Alibaba Cloud account is not authorized, you are redirected to the Data Security Guard authorization page. To use Data Security Guard features for the first time, go to , select Data Security Guard in the pop-up dialog, and then complete the authorization.
-
In the left-side navigation pane, click to go to the Data Masking Management page.
-
In the left-side Masking Scenarios section, click New Scenario.
Configure a masking scenario
In the New Masking Scenario dialog, configure the scenario information:
-
Select and create a masking scenario.
Select a level-1 scenario and enter a name for the level-2 scenario. The name can contain any characters and must be 1 to 30 characters in length.
-
Select a data scope.
Select the project data to which the masking scenario applies. After the selection, the masking scenario takes effect only on data in the selected projects.
-
(Optional) Select a user group scope.
If you want to apply the masking scenario only to specific users, you can create a user group for those users and select the user group here. For more information about configuring user groups, see Configure user groups.
NoteIf left empty, the configured masking scenario applies to all users under the current tenant.
-
Click Confirm to complete the masking scenario configuration.
Next step
After the masking scenario is configured, you can create data masking rules based on the scenario. For more information, see Create a data masking rule.