Enterprise administrators can use data domains to classify and manage data assets based on dimensions such as business attributes, organizational structures, and data characteristics. By grouping data assets with common attributes into the same data domain, you can efficiently manage the data assets and the sensitive data they contain. This topic explains how to use data domains to classify and manage your data assets.
Use cases
- Your enterprise has a large number of data assets that belong to different departments. You need to partition the data assets by department so data administrators can manage them efficiently.
- You need to assign data assets to different data administrators. Each data administrator can manage only the data assets within their permission scope, which limits the permissions for data asset management.
Prerequisites
- You have completed asset authorization. For more information, see asset authorization.
- If you are a RAM user, you must have the AliyunYundunSDDPFullAccess policy attached. For more information about how to grant permissions, see Authorize a RAM user to access DSC.
Background information
Data Security Center (DSC) provides a default data domain that includes all authorized data assets. By default, Alibaba Cloud accounts and RAM users with the AliyunYundunSDDPFullAccess policy can manage all data domains and data assets. If you need to partition data assets and assign corresponding data administrators, you can do the following:
- Create custom data domains, classify data assets, and add them to the custom data domains. You can then view the sensitive data detection results for data assets by data domain. For more information, see View sensitive data detection results.
- Authorize a RAM user to manage only specific custom data domains and their data assets. This allows you to implement fine-grained management of different types of data assets.
Limits
- A data asset can be assigned to only one data domain.
- Data assets that are not added to any custom data domain belong to the default data domain.
Add data domains and classify assets
Before you add data domains, we recommend that you plan the names and hierarchical relationships of the data domains based on your business units or organizational structure. You can create up to three levels of data domains. Then, follow these steps to add custom data domains, set their hierarchical relationships, and classify data assets.
You can manage data domains and their assets individually or in bulk.
Individual management
Step 1: Add a data domain
- Log on to the DSC console.
- To the right of Custom Data Domain, click Add.
- In the Add Data Domain dialog box, enter a name and description for the data domain and click OK.
- Add multiple data domains and adjust their hierarchical relationships by using one of the following methods:
  - Repeat the preceding steps to add multiple data domains. Then, drag the data domains to change their positions and adjust their hierarchical relationships.
  - Hover the pointer over the asset count to the right of an existing data domain, click the manage icon, and select one of the following operations:
    - Add Child Node: Creates a child data domain under the current data domain. You can create up to three levels of data domains.
    - Add Sibling Node: Adds a data domain at the same level as the current data domain.
- In the navigation pane on the left, select .
Step 2: Add data assets
Follow these steps to add data assets to a custom data domain.
Add data assets directly
You can select only data assets that are in the default data domain.
- In the data domain list on the left, click the name of the data domain to which you want to add data assets.
- Click Add Asset.
- In the Add data assets panel, select the data assets that you want to add and click OK.
Move data assets
- In the data domain list on the left, click the name of the source data domain that contains the data assets you want to move.
- In the asset list, find the data asset that you want to move and click Move in the Actions column.
  You can also select multiple data assets to move and click Batch Move below the list.
- In the dialog box, select the target data domain from the drop-down list and click OK.
More operations
To modify or delete a data domain, follow these steps.
- On the Data Domain Configuration page, hover the pointer over the asset count to the right of the target data domain, click the manage icon, and select one of the following operations:
  - Modify Data Domain: Modifies the name and description of the data domain.
  - Delete: Deletes the current data domain. If a data domain has child data domains, you must delete the child data domains before you can delete the parent data domain. After you delete a data domain, the data assets in the data domain are automatically moved to the default data domain.
- In the navigation pane on the left, select .
Bulk management
You can download and modify the Data Security Center Data Domain Template.xlsx file to quickly manage data domains and their data assets.
File parsing rules
After you upload the data domain template file, DSC parses the data domain and asset information from top to bottom. Configurations in lower rows of the file overwrite those in higher rows.
The following rule is applied: a data asset can belong to only one data domain.
- If different asset instances are listed under the same data domain, the asset instances are all added to that data domain.
- If the same asset instance is listed under different data domains, DSC moves the asset instance to the data domain that is listed lower in the file.
- If you omit an asset instance when you modify the file, it remains in its current data domain.
For example:
- You add a custom data domain and its corresponding asset instances at the top of the file. If the same asset instances appear in the default data domain lower in the file, only the custom data domain is added after you upload the file. The corresponding asset instances remain in the default data domain.
- You delete an existing custom data domain and its asset instances from the top of the file but do not add the corresponding asset instances to the default data domain lower in the file. After you upload the file, the custom data domain and its asset instances remain unchanged and are not deleted.
Upload the template
- Log on to the DSC console.
- In the navigation pane on the left, select .
- On the Data Management page, click Batch Manage in the upper-right corner.
- In the Batch Manage dialog box, click Data Security Center Data Domain Template.xlsx to download the template.
  The template contains the following columns: First-level data domain, Second-level data domain, Third-level data domain, Instance name, Instance type, and Instance region. The template also includes the current data domain and asset information. If custom data domains already exist, the custom data domain information appears at the top and the default data domain information appears at the bottom. If a data domain contains no data assets, it is not included in the file.
- Modify the data domain and asset information as described in File parsing rules, and then save the file.
  For example:
  - To add a data asset to a new data domain, change its value in the First-level data domain column to the new domain name, and if necessary, enter child domain names in the Second-level data domain and Third-level data domain columns.
  - To delete a first-level custom data domain, change the value in the First-level data domain column to Default data domain in the row that contains the data assets of the domain. If the data domain contains child data domains, you must also delete the values in the Second-level data domain and Third-level data domain columns.
- In the Batch Manage dialog box, click Import Local Files, import the modified template file, and then click OK.
After you add custom data domains and their data assets, the number to the right of a data domain name indicates the total number of data assets in that data domain and its child data domains.
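The parsing rules above (top-to-bottom resolution, last row wins, omitted assets keep their domain) and the two template-editing examples are easy to get wrong in a large spreadsheet, so a dry run before uploading is worthwhile. The following is an added example written for this page, not DSC's own code: it models the rules on rows read from the template's six columns and reports where every asset would end up and which custom domains would exist afterwards. The asset names, the `template_row` helper, the `load_rows_from_xlsx` reader (which needs the openpyxl library) and the removal of a pre-existing custom domain that is left with no rows and no assets are all assumptions; the last one is inferred from the two examples in the text rather than stated as a rule.

```python
# Added example, not DSC code: a model of the data domain template parsing rules.
from __future__ import annotations

DEFAULT_DOMAIN = "Default data domain"

# Column headers as listed in the template description.
LEVEL_COLS = ("First-level data domain", "Second-level data domain", "Third-level data domain")
ASSET_COLS = ("Instance name", "Instance type", "Instance region")


def load_rows_from_xlsx(path: str) -> list[dict[str, str]]:
    """Read a downloaded template (first sheet, header row first) into dicts keyed by column name."""
    import openpyxl  # optional dependency; only needed for a real .xlsx file

    sheet = openpyxl.load_workbook(path, read_only=True).active
    rows = sheet.iter_rows(values_only=True)
    header = [str(h or "").strip() for h in next(rows)]
    return [dict(zip(header, [str(v or "").strip() for v in r])) for r in rows]


def asset_key(row: dict[str, str]) -> tuple[str, str, str]:
    """An asset instance is identified by its name, type and region."""
    name, kind, region = (row.get(c, "").strip() for c in ASSET_COLS)
    if not (name and kind and region):
        raise ValueError(f"incomplete asset instance in row: {row}")
    return name, kind, region


def domain_path(row: dict[str, str]) -> tuple[str, ...]:
    """Read the up-to-three domain levels of a row as a path such as ('Finance', 'Payroll')."""
    levels = [row.get(c, "").strip() for c in LEVEL_COLS]
    path: list[str] = []
    for level in levels:
        if not level:
            break
        path.append(level)
    if not path:
        raise ValueError(f"First-level data domain is required: {row}")
    if any(levels[len(path):]):  # e.g. a third level with an empty second level
        raise ValueError(f"domain levels must be contiguous: {levels}")
    if path[0] == DEFAULT_DOMAIN and len(path) > 1:
        raise ValueError("the default data domain has no child domains")
    return tuple(path)


def is_valid_row(row: dict[str, str]) -> bool:
    """True when the row carries a complete asset key and a well-formed domain path."""
    try:
        asset_key(row)
        domain_path(row)
    except ValueError:
        return False
    return True


def ancestors(path: tuple[str, ...]) -> set[tuple[str, ...]]:
    """All prefixes of a path: a third-level domain implies its first- and second-level parents."""
    return {path[:i] for i in range(1, len(path) + 1)}


def apply_template(current: dict, rows: list[dict[str, str]]) -> tuple[dict, set]:
    """Resolve the file top to bottom and return (assignment, custom_domains).

    assignment maps every asset key to its domain path after the upload; custom_domains is the set
    of custom domain paths that exist afterwards. A pre-existing custom domain absent from both is
    treated as deleted (assumption drawn from the examples in the text, not a documented rule).
    """
    assignment = dict(current)  # assets omitted from the file keep their current domain
    listed: set[tuple[str, ...]] = set()
    for row in rows:  # lower rows overwrite higher rows
        path = domain_path(row)
        if path[0] != DEFAULT_DOMAIN:
            listed |= ancestors(path)  # a custom domain is created even if its asset is moved again lower down
        assignment[asset_key(row)] = path  # one asset, one domain: the last row wins
    custom_domains = set(listed)
    for path in assignment.values():
        if path[0] != DEFAULT_DOMAIN:
            custom_domains |= ancestors(path)
    return assignment, custom_domains


def template_row(first, second="", third="", name="orders-db", kind="RDS", region="cn-hangzhou"):
    """Build a constructed template row (sample values, not real assets)."""
    return {LEVEL_COLS[0]: first, LEVEL_COLS[1]: second, LEVEL_COLS[2]: third,
            ASSET_COLS[0]: name, ASSET_COLS[1]: kind, ASSET_COLS[2]: region}


ORDERS = ("orders-db", "RDS", "cn-hangzhou")  # constructed asset key used in the examples below

if __name__ == "__main__":
    # First example from the text: custom domain on top, the same asset under the default domain lower.
    assignment, domains = apply_template({ORDERS: (DEFAULT_DOMAIN,)},
                                         [template_row("Sales"), template_row(DEFAULT_DOMAIN)])
    print(assignment[ORDERS], ("Sales",) in domains)  # ('Default data domain',) True
    # Second example: the domain's rows are removed without reassigning the asset to the default domain.
    assignment, domains = apply_template({ORDERS: ("Finance",)}, [])
    print(assignment[ORDERS], ("Finance",) in domains)  # ('Finance',) True
```

Running `apply_template` on the rows of an edited template, with `current` built from the unmodified download, shows the net effect of the upload before any asset is actually moved, which is the check to make when a move would take an asset out of a domain that a data administrator is authorized for.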
Authorize RAM users for specific data domains
The following table describes the policies related to data domains.
| Policy | Description |
| --- | --- |
| AliyunYundunSDDPFullAccess | Grants full permissions on DSC. RAM users with this policy can perform all operations supported by data domains. |
| AliyunYundunSDDPReadOnlyAccess | Grants read-only permissions on DSC. RAM users with this policy can view all data domains but cannot perform other operations such as editing or deleting data domains, or moving data assets. |
| AliyunYundunSDDPDataManager | Grants management permissions on data domains in DSC. After you grant this policy to a RAM user and synchronize the user information in the DSC console, you can specify the data domains that the RAM user can manage. The RAM user can then view and manage the data assets within the authorized data domains. Management operations include modifying data domains, adding data assets, and moving data assets. |
An Alibaba Cloud account can have multiple RAM users. You can grant the AliyunYundunSDDPDataManager policy to specific RAM users and use the user synchronization feature to synchronize the RAM users to the Data Security Center console as custom data domain administrators. You can configure a RAM user to view and manage only the data assets within their authorized data domains. These management operations include modifying data domains, adding data assets, and moving data assets. Data assets can be moved only to data domains within the authorized scope.
- This configuration applies only to data domain management. A RAM user with the AliyunYundunSDDPFullAccess policy can still view all data assets when using other DSC features such as data insights, data auditing, and data masking.
- You can authorize a RAM user to view and manage specific custom data domains and their data assets only by granting the AliyunYundunSDDPDataManager policy to the user. You cannot configure a RAM user to only view, but not manage, specific custom data domains and their data assets. If you grant only the AliyunYundunSDDPReadOnlyAccess policy to a RAM user, the user can view all data domains.
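The three policies and the two notes above define a small access model: FullAccess manages everything, ReadOnlyAccess views everything and changes nothing, and a synchronized DataManager user views and manages only the authorized domains, with moves confined to that scope at both ends. The following is an added example written for this page, not DSC's own code, that encodes those rules so the decisions can be tabulated before a RAM user is synchronized. The user names, domain names and action names are constructed; the one interpretive assumption is that a synchronized data administrator stays confined to their manageable domains on the data-domain pages even when AliyunYundunSDDPFullAccess is attached alongside AliyunYundunSDDPDataManager, which is how the notes read given that the procedure below requires both policies.

```python
# Added example, not DSC code: a model of the data-domain authorization rules in the policy table.
from __future__ import annotations

from dataclasses import dataclass

FULL_ACCESS = "AliyunYundunSDDPFullAccess"
READ_ONLY = "AliyunYundunSDDPReadOnlyAccess"
DATA_MANAGER = "AliyunYundunSDDPDataManager"

# The management operations named in the table; "view" is handled separately.
MANAGE_ACTIONS = frozenset({"modify_domain", "add_asset", "move_asset"})


@dataclass(frozen=True)
class RamUser:
    name: str
    policies: frozenset[str]
    # Domains chosen under Modify Manageable Data Domain after the user is synchronized.
    manageable_domains: frozenset[str] = frozenset()
    synchronized: bool = False


def scoped_administrator(user: RamUser) -> bool:
    """True for a synchronized data administrator, who is confined to their manageable domains.

    Assumption: the confinement also applies when FullAccess is attached next to DataManager,
    because the text requires both policies and says the configuration governs data-domain management.
    """
    return user.synchronized and DATA_MANAGER in user.policies


def visible_domains(user: RamUser, all_domains: frozenset[str]) -> frozenset[str]:
    """Domains the user can see on the data-domain pages."""
    if scoped_administrator(user):
        return user.manageable_domains & all_domains
    if FULL_ACCESS in user.policies or READ_ONLY in user.policies:
        return all_domains  # ReadOnly views every domain; it cannot be narrowed to a subset
    return frozenset()


def is_allowed(user: RamUser, action: str, domain: str, all_domains: frozenset[str],
               target: str | None = None) -> bool:
    """Decide one data-domain operation; for move_asset, `target` is the destination domain."""
    if domain not in all_domains or (target is not None and target not in all_domains):
        return False  # unknown domain: deny rather than guess
    if action == "view":
        return domain in visible_domains(user, all_domains)
    if action not in MANAGE_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if scoped_administrator(user):
        scope = user.manageable_domains
        # A move must stay inside the authorized scope at both the source and the destination.
        return domain in scope and (target is None or target in scope)
    return FULL_ACCESS in user.policies  # ReadOnly (or no DSC policy) cannot change anything


# Constructed sample data for a stand-alone run.
ALL_DOMAINS = frozenset({"Default data domain", "Finance", "Finance/Payroll", "Sales"})
USERS = (
    RamUser("alice", frozenset({FULL_ACCESS})),
    RamUser("bob", frozenset({READ_ONLY})),
    RamUser("carol", frozenset({FULL_ACCESS, DATA_MANAGER}),
            frozenset({"Finance", "Finance/Payroll"}), synchronized=True),
)

if __name__ == "__main__":
    for user in USERS:
        print(user.name, "sees", sorted(visible_domains(user, ALL_DOMAINS)),
              "| move Finance->Sales:", is_allowed(user, "move_asset", "Finance", ALL_DOMAINS, "Sales"),
              "| move Finance->Finance/Payroll:",
              is_allowed(user, "move_asset", "Finance", ALL_DOMAINS, "Finance/Payroll"))
```

The point the model makes explicit is the one the second note states: read-only visibility cannot be scoped to a subset of domains, so a reviewer who must not see a department's assets needs to be left off the DataManager synchronization entirely rather than given ReadOnlyAccess.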
Step 1: Synchronize RAM user information
- The RAM user to be synchronized must have the AliyunYundunSDDPDataManager policy.
- On the page, the synchronized RAM user can manage only the authorized custom data domains and their data assets.
- On the Data Management page, click the Data Administrator tab.
- If existing RAM users do not meet your business requirements or you need more RAM users, click Create User and follow these steps to create a RAM user.
  - In the Create User panel, click RAM Console.
  - On the Create User page of the RAM console, enter the user information and click OK. For more information about how to create a RAM user, see Create a RAM user.
  - Return to the Data Security Center console. In the Create User panel, click Created.
- Grant the RAM user permissions to manage data domains in DSC.
  - On the Users page of the RAM console, find the target RAM user and click Add Permissions in the Actions column.
  - In the Add Permissions panel, grant permissions to the RAM user. For more information, see Manage RAM user permissions.
    Set the System Policy to AliyunYundunSDDPDataManager. If the RAM user has not been granted the AliyunYundunSDDPFullAccess policy, you must also select AliyunYundunSDDPFullAccess.
- Return to the Data Administrator tab on the page of the Data Security Center console, and click Synchronize User.
  DSC synchronizes all RAM users under the current Alibaba Cloud account that have been granted the AliyunYundunSDDPDataManager policy to the data administrator list.
Step 2: Set manageable data domains
After synchronizing the user, you must set their manageable data domains.
- On the Data Administrator tab, find the target RAM user and click Modify Manageable Data Domain in the Actions column.
- In the Modify Manageable Data Domain panel, select the data domains that you want the user to manage and click OK.
Related topics
- For more information about RAM users and authorization, see Create a RAM user and grant permissions.
- You can view detected sensitive data and their sensitivity levels by data domain. For more information, see View sensitive data detection results.
- When you configure a detection task, you can set the scope of the task by data domain. For more information, see Custom detection rules.
- The Report Center also provides sensitive data analysis by data domain. For more information, see View reports.