Managing Dynamic Masking Policies

Prerequisites

• Before creating MRS Hive data masking policies, you have created an MRS Ranger data connection. For details, see Creating a Data Connection.
• Before creating GaussDB(DWS) data masking policies, you have created a GaussDB(DWS) connection. For details, see Creating a Data Connection. The account in the GaussDB(DWS) connection must have the GRANT permission of the target table. (By default, only the owner of a database object or system administrator can run the GRANT command to grant the object permissions to other users.)
• Dynamic data masking policies need to be associated with data sources for specified users or user groups. Therefore, you need to synchronize user information from IAM to data sources first. For details, see Synchronizing Users.
• If you want to use the current user identity authentication to make the dynamic masking policy take effect during script execution and job tests in DataArts Factory, you need to enable permission applications by following the instructions in Enabling Permission Applications.
• If you want to view sensitive fields during the creation of a data masking policy, you need to create a sensitive data discovery task in advance and change the statuses of sensitive data fields to valid on the Sensitive Data Distribution page. For details, see Discovering Sensitive Data and Viewing Sensitive Data Distribution.

Constraints

• Only the DAYU Administrator, Tenant Administrator, or data security administrator can create, modify, or delete dynamic masking policies. Other common users do not have permission to perform these operations.
• Currently, dynamic masking policies support only MRS Hive and GaussDB(DWS) data sources, and do not support GaussDB(DWS) logical clusters. In addition, accounts in GaussDB(DWS) data connections must have the GRANT permission of the table to be masked. (After a database object is created, only the object owner or system administrator can grant the object permissions to other users using the GRANT command by default.)
• A table can be associated with only one dynamic data masking policy. Policies take effect only after they are synchronized successfully.
• During dynamic masking of MRS Hive data, MRS Ranger allows you to configure different rules for the same column, and the rules are matched in the sequence of their configuration time. Therefore, you can configure multiple masking policies for different content in the same cluster, database, table, and column.
• Dynamic data masking policies need to be associated with data sources for specified users or user groups. Therefore, you need to synchronize user information from IAM to data sources first. For details, see Synchronizing Users.
• Table 2 lists the masking rules supported by the MRS service. For Chinese characters, only null and hash masking are supported. If other masking methods are selected, masking does not take effect.

  The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.

• Table 3 lists the masking rules supported by GaussDB(DWS). Chinese characters cannot be masked. If you mask data that contains Chinese characters, garbled characters may be displayed.

Creating a Dynamic Masking Policy

1. On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.
   Figure 1 DataArts Security
   

2. In the left navigation pane, choose Dynamic Masking.
   Figure 2 Dynamic Masking
   

3. Click Create and set the parameters listed in Table 1.
   Figure 3 Setting parameters for the dynamic masking policy
   
   The following table lists the parameters.

   Table 1 Policy parameters

   Parameter	Description
   *Policy Name	Unique identifier of the dynamic masking policy. It must be unique in a DataArts Studio instance. To facilitate policy management, you are advised to include the object to be masked and masking rule in the name.
   *User Group/Username	User or user group in the current workspace members. When a specified object queries or exports sensitive data from DataArts Factory, the system dynamically masks the sensitive data to protect the sensitive data from being disclosed.
   *Data Source Type	Currently, only MRS Hive and DWS are supported.
   *Data Connection	If no data connection is available, create one by referring to Creating a Data Connection.
   *Cluster Name	You do not need to set this parameter. The data source cluster in the data connection is automatically selected.
   *Database	Database where the sensitive data is stored
   *schema	Schema where the sensitive data is stored. This parameter is required only when Data Source Type is set to DWS.
   *Data Table	Data table where the sensitive data is stored
   *Data Column
   *Column Name	Column to be masked. Administrators can select multiple columns and configure different masking rules for them.
   Data type	You do not need to set this parameter. The data type of the current column is displayed.
   Security Level	If sensitive data discovery has been performed on the selected table column and the statuses of the sensitive data fields are valid, the security level is displayed.
   *Masking Rule	Select a proper masking rule based on the data type of the column. The supported data masking rules vary depending on the data source. For details, see Reference: Dynamic Masking Rules.

4. After setting all required parameters, click OK. After the dynamic masking policy is created, you need to click Synchronize to synchronize the policy to the data source.

Related Operations

• Synchronizing a policy: On the Dynamic Masking page, locate a policy and click Synchronize in the Operation column to synchronize the policy to the data source. To synchronize multiple policies, select them and click Synchronize above the list.

  Policies take effect only after they are synchronized successfully. If the policy synchronization fails, you can view the policy run log in the policy details to locate the failure cause. After rectifying the fault, synchronize the policy again. If the synchronization still fails, contact technical support.

• Editing a policy: On the Dynamic Masking page, locate a policy and click Edit in the Operation column.
• Deleting policies: On the Dynamic Masking page, locate a policy and click Delete in the Operation column. To delete multiple policies, select them and click Delete above the list.
  

  The deletion operation cannot be undone. Exercise caution when performing this operation.

• Viewing policy details: On the Dynamic Masking page, locate a policy and click its name to view its details.
  Figure 4 Viewing policy details
  

Reference: Dynamic Masking Rules

• MRS Hive dynamic masking rules are provided by MRS Ranger. Table 2 lists the supported rules.
  

  The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.

• GaussDB(DWS) dynamic masking rules are provided by GaussDB(DWS). Table 3 lists the supported rules.

Reference: Configuring UDF-related Permissions in the Ranger Component

If you choose the SM3, Custom/Show First x and Last y Characters, or Custom/Mask First x and Last y Characters masking rule when configuring a dynamic masking policy for MRS Hive data, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. The procedure is as follows:

1. Log in to MRS Manager as user admin.
2. On the Manager page, choose Cluster > Services > Ranger. On the Ranger overview page, click RangerAdmin to go to the Ranger WebUI.
   Figure 5 Accessing the Ranger WebUI
   

3. Log out of the current account and use the Ranger administrator account to log in again. For a common cluster, the admin account for the Manager page can be used as the Ranger administrator account. For a security cluster, rangeradmin is the Ranger administrator account. For details about the default password of rangeradmin, see User Account List.
   Figure 6 Logging out of the current account
   

4. On the home page, click the component plug-in name in the HADOOP SQL area, for example, Hive.
5. On the Access tab page, click Add New Policy.
   Figure 7 Policy list
   

6. On the Create Policy page, configure the policy parameters to grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users.
   • Policy Name: Enter a policy name, for example, creat_udf_access.
   • database: Select default. The created UDF is stored in the default database by default.
   • udf: Select * to match all UDFs.
   • Permission 1 – UDF creation permission for the account in the Ranger data connection:
     • Select User: Select the account in the Ranger data connection.
     • Permissions: Select Create, which indicates the UDF creation permission.
   • Permission 2 – UDF usage permission for all users:
     • Select Group: Select public, which indicates all users.
     • Permissions: Select select, which indicates the UDF usage permission.
     Figure 8 Creating a policy
     

7. Click add to finish configuring the permissions.