Enable sensitive data protection

This topic describes how to enable the sensitive data protection feature, create an instance scan task, and view identification results.

Prerequisites

  • You must be an administrator, DBA, or security administrator.

    Note

    To view your role, hover over the profile picture icon in the upper-right corner of the console.

  • Supported databases

    • Relational databases:

      • MySQL: ApsaraDB RDS for MySQL, PolarDB for MySQL, and MySQL databases from other sources

      • SQL Server: ApsaraDB RDS for SQL Server and SQL Server databases from other sources

      • PostgreSQL: ApsaraDB RDS for PostgreSQL, PolarDB for PostgreSQL, and PostgreSQL databases from other sources

      • MariaDB: ApsaraDB RDS for MariaDB and MariaDB databases from other sources

      • PolarDB for PostgreSQL (Compatible with Oracle)

      • PolarDB for Xscale (PolarDB-X)

      • OceanBase

      • Oracle

      • Db2

      • Dameng (DM)

      • Lindorm: Lindorm_CQL and Lindorm_SQL

      • openGauss

    • Data warehouses

      • AnalyticDB for MySQL

      • AnalyticDB for PostgreSQL

      • Data Lake Analytics (DLA)

      • ClickHouse

      • MaxCompute

      • Hologres

      • Hive

  • You must have purchased the sensitive data protection feature. For more information, see Purchase DMS services.

    Note

    In the upper-right corner of the console, choose the sales icon > DMS Order Management to check your remaining instance quota for sensitive data protection.

Enable sensitive data protection

You can enable the sensitive data protection feature for an instance by editing it or using the Sensitive Data page.

Edit an instance

  1. Log on to the DMS 5.0 console.

  2. In the database instance list on the left, right-click the target instance.

  3. Click Edit.

  4. In the Basic Information section, select the Sensitive Data Protection checkbox, and then select a classification and grading template. The system uses this template to scan and identify sensitive data in the database.

    For example, you can select DMS Built-in Classification and Grading Template - Simplified from the Classification and Grading Template drop-down list.

  5. Click Save.

Use the Sensitive Data page

  1. Log on to the DMS 5.0 console.

  2. In the top navigation bar, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

  3. In the Instance List section, click the Not Enabled tab.

  4. Find the target instance and click Enable Now in the Operation column.

    Note

    This page lists only instances that do not have sensitive data protection enabled.

  5. In the Enable Sensitive Data Protection dialog box, choose whether to configure a scan task immediately.

    • To configure the task later, turn off the Configure Scan Task switch. You can then go to the Sensitive Data Assets page and configure the scan task on the Instance List > Enabled tab.

    • If necessary, configure the required parameters for the scan task, such as scan method, scope, and effective time of the scan results. For more information, see Configure a scan task.

  6. Click OK.

Configure a scan task

  1. In the Configure Scan Task dialog box, set the following parameters.

    Note

    When a scan task runs, the system scans the metadata and a small random sample of data (100–200 rows) from the target database. The system uses this data only for sensitive data analysis during the scan and does not store it.

    Parameters and descriptions:

    • Scan Method

      • Immediate Task: The system immediately scans the target database and marks sensitive fields after the configuration is complete.

      • Scheduled Task: Set a future date and time. The system will automatically scan the target database and mark sensitive fields at the specified time.

      • Periodic Task: Configure a schedule and time. The system will automatically scan the target database and mark sensitive fields at each scheduled interval.

    • Scope

      Scan All Databases or Specific Databases (multiple selections allowed) in the selected instance.

    • Apply scan results immediately?

      This setting determines whether to immediately apply classification and grading labels to the fields identified in the scan results.

      • Yes: The results are applied immediately.

      • No: The results are not applied. You must go to the Identification Result page to apply them manually.

  2. Click OK.

  3. You must authorize the instance to enable automatic sensitive data identification and configure scan tasks.

    Note

    If the instance is in Security Collaboration mode, the system authorizes it automatically. You can skip this step.

    1. In the Operation column, click Account Authorization.

    2. Enter the database account and database password for the target instance.

    3. Click OK.
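
The note in step 1 says a scan reads metadata plus a random sample of 100–200 rows. The following added example (not DMS code; the regex rules, column-name hints, 50% hit threshold, and sample table are assumptions constructed for illustration) shows what sample-based identification marks and why a column that only occasionally holds sensitive values can go unmarked, which is the case to review manually in the identification results.

```python
import random
import re

# Hypothetical detection rules (assumptions, not the DMS built-in template).
RULES = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$"),
    "phone": re.compile(r"^\+?\d{10,13}$"),
}
NAME_HINTS = {"email": ("email", "mail"), "phone": ("phone", "mobile", "tel")}


def scan_table(columns, rows, sample_size=200, min_ratio=0.5, seed=0):
    """Label columns using metadata (column names) plus a random row sample.

    Returns {column: label}. The sample lives only inside this call.
    """
    rng = random.Random(seed)
    sample = rng.sample(rows, min(sample_size, len(rows)))
    result = {}
    for idx, col in enumerate(columns):
        values = [str(r[idx]) for r in sample if r[idx] not in (None, "")]
        for label, pattern in RULES.items():
            name_hit = any(h in col.lower() for h in NAME_HINTS[label])
            hits = sum(1 for v in values if pattern.match(v))
            ratio = hits / len(values) if values else 0.0
            if name_hit or ratio >= min_ratio:
                result[col] = label
                break
    return result


def build_rows(n=10_000, sparse_every=2_000):
    """Constructed data: the free-text 'note' column rarely contains an e-mail."""
    rows = []
    for i in range(n):
        note = f"user{i}@example.com" if i % sparse_every == 0 else "ok"
        rows.append((i, f"user{i}@example.com", f"1380000{i:04d}", note))
    return rows


COLUMNS = ["id", "contact", "c3", "note"]

if __name__ == "__main__":
    # 'contact' and 'c3' are marked from sampled values; 'note' is not,
    # although 5 of its 10,000 rows hold an e-mail address.
    print(scan_table(COLUMNS, build_rows()))
```
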

View identification results

  1. View the identification results.

    In the Data Overview section, click the number under Scan Succeeded to open the Identification Task Logs page. Then, find the target scan task and click the number in the Execution Result column to view the results in the Identification Result panel. The Task Information section on the Data Overview page displays the execution status of scan tasks, including the number of successful, ongoing, and failed tasks.

    Note

    Alternatively, in the Instance List section, find the target instance and click Task Details in the Operation column to view the scan task details and results.

  2. Manually apply the identification results. If you chose to apply scan results immediately during task configuration, the system has already applied them, and you can skip this step.

    1. Go to the Identification Task Logs page.

    2. Click the number in the Execution Result column for the target scan task.

    3. In the Identification Result panel, click Apply in the Operation column to manually apply the results.

  3. Optional: To view the sensitivity levels and distribution of sensitive data for the instance, click Sensitive Data List in the Operation column, and then click the Field Control tab. On this tab, you can manage sensitive fields by adjusting sensitivity levels, changing data masking rules, and authorizing users. For more information, see Manage sensitive data.

To disable this feature, see Disable sensitive data protection.