Updated on 2025-08-12 GMT+08:00

Configuring Sensitive Data Identification Policies

Constraints

| Type | Constraints |
| --- | --- |
| Creating an identification template | A maximum of 20 identification templates can be created for an account. |
| Deleting an identification template | A built-in template and the default identification template cannot be deleted. Templates associated with identification tasks cannot be deleted. |
| Modifying a rule category | You can modify categories only for user-defined templates that are not currently referenced. |

Adding and Editing an Identification Template

By default, DSC provides a built-in identification template. You can create or copy a template to customize a new identification template. You can edit identification templates to view, add, and modify rules.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane, choose Sensitive Data Identification > Identification Configuration.
  4. Click Create Template in the upper left corner of the page. In the Create Template dialog box, set parameters according to Table 1.

    Table 1 Parameters for creating a template

    | Parameter | Description |
    | --- | --- |
    | Template Name | Only letters, digits, hyphens (-), and underscores (_) are allowed. |
    | Remark | Enter the description of the template. |
    | Import Built-in Rules | This parameter is displayed when Template Type is set to Rule template. Yes: Import built-in rules. No: Create an empty template. |

  5. Click OK. The new identification template is displayed in the identification template list.

To copy an existing template instead of creating one:

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
  4. Locate the target template and click Copy. In the displayed Copy Template dialog box, enter the new template name and description.
  5. Click OK.

You can edit rule categories and add rules in a customized template.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
  4. Locate the target template and click Details. The template details page is displayed.

    For built-in templates, you can only change the status of existing rules.

    • Click the plus sign after All to create a category.
    • Move the cursor to a Category Name:
      • Click the edit button to edit the category name.
      • Click Delete to delete a category.
    • Select Category Name on the left and view the related category rules on the right.
    • In the upper left corner of the classification rule list on the right, click Add Rule > Add Rule. On the Add Rule page that is displayed, add a custom rule. For details, see Customizing a Rule.
    • Click Modify Category in the upper left corner of the category rule list on the right. In the Modify Category dialog box, select the target category. You can modify categories only for user-defined templates that are not currently referenced.
    • Click Batch Delete to delete the selected rules.
    • Click in the Status column to enable or disable a rule. After the rule is disabled, it will not take effect during identification using the template.
    • Click Details in the Operation column to edit the rule content.
    • Click Delete in the Operation column to delete a rule.

Only rule templates can be exported to OBS buckets and then downloaded to the local PC.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane, choose Sensitive Data Identification > Identification Configuration.
  4. Click Details of the template to be exported. The Template Hierarchy and Classification page is displayed.
  5. Click Export Template to OBS above the rule list.
  6. In the Export Template to OBS dialog box, select a value from the Export Target Bucket drop-down list.
  7. Click OK. The status of Export Template to OBS changes to Queuing or Running.
  8. Refresh the page. Click Download Result File from OBS Bucket when the button is available. In the dialog box that is displayed, view the file path and click OK to go to OBS to download the result file.

Adding a Custom Identification Rule

Sensitive data identification rules include built-in rules and user-defined rules. Users can also import rules in batches. You can select built-in or customized identification rules when creating or editing an identification template.

Ensure that there is a custom identification template available.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
  4. Click the Identification Rule tab. The Identification Rule page is displayed.
  5. Click Create Rule > Create Rule. The Create Rule page is displayed.
  6. In the displayed dialog box, set required parameters based on Table 2.

    Table 2 Parameter description

    Parameter

    Description

    Rule Name

    You can customize a rule name.

    The rule name must:

    • Contain a maximum of 255 characters.
    • Consist of letters, digits, underscores (_), hyphens (-), and brackets.
    • Be unique.

    Description

    Enter a rule description.

    Add to Template

    • Select the template name, template rule category, and level from the drop-down list boxes to add the rule to a rule template.
    • Click Add to add the rule to multiple templates.
    • Click the deletion button to delete the template. Retain at least one template.

    Match Type

    This parameter can be set to Rule matching or Keyword matching.

    • Keyword matching indicates that the rule can be executed using keywords.
    • Regular matching is used to match (specify and identify) characters, words, and patterns.
      NOTE:

      For Hive data in MRS, sensitive data can be identified only when Match Type is Rule matching and Rule is Content > Include.

    Matching Logic

    Select the matching logic:
    • AND: All keywords are included.
    • OR: At least one keyword is included.

    Rule

    This parameter is displayed when Match Type is set to Rule matching. Select the rule content from the drop-down list.

    A new rule must include at least one matching item: a column name, column remark, or content. Rules cannot solely rely on the table name or table remark.

    • Choose Column Name > Include, Column Comment > Include, Content > Include, Table Name > Include, or Table Comment > Include, and enter a keyword to check whether the column name, column comment, content, table name, or table comment contains the keyword.
    • Choose Column Name > Regex, Column Remark > Regex, Content > Include, Table Name > Include, or Table Comment > Include, and enter the regular expression to check whether it is matched.
    • Choose Content > Keyword and enter multiple keywords. The relationship between the keywords is OR, meaning if any keyword is found in the content, it will be matched.
    NOTE:

    For Hive data in MRS, sensitive data can be identified only when Match Type is Rule matching and Rule is Content > Include.

    Test Rule

    • This parameter is displayed when Match Type is set to Rule matching.
    • Enter the rule content and click Test. The test result of the rule is displayed in the Test Result area.
    • You can click Add to add multiple rules for test.
    • Both built-in rules and user-defined rules support rule tests. To test a built-in rule, click Details in the Operation column of the rule list. On the Edit Rule page, enter the rule for test.
      NOTE:
      • Image rules cannot be tested.
      • The rule test is not supported when the Match Type is Keyword matching.
      • Only the first matching result of the test content is displayed.

    Content

    • This parameter is displayed when Match Type is set to Keyword matching.
    • Multiple keywords are separated by line breaks.

    Identification Threshold Configuration

    • Hit Number: Applicable to unstructured data. You can select a low, medium, or high threshold. A higher threshold requires more hits.
    • Hit Rate: Applicable to structured data. You can drag the slider to set the value. A larger value indicates a higher hit rate.

  7. Click OK.
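
The Test Rule function shows only the first match, so it helps to check a pattern and a Hit Rate value against whole sample columns before saving the rule. The following Python code is an added example, not DSC code: the `Rule` fields, the search-anywhere regex behaviour, case-insensitive keywords, and the hit-rate calculation are assumptions that approximate the parameters in Table 2, and the sample columns are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class Rule:
    # Field names are hypothetical; they mirror the console parameters in Table 2.
    match_type: str          # "rule" (regular expression) or "keyword"
    pattern: str             # regex, or keywords separated by line breaks
    logic: str = "OR"        # Matching Logic for keywords: "AND" or "OR"
    hit_rate: float = 0.5    # share of values that must hit (structured data)

def cell_hits(rule: Rule, value: str) -> bool:
    """Return True if one cell value hits the rule."""
    if rule.match_type == "keyword":
        keywords = [k.strip() for k in rule.pattern.splitlines() if k.strip()]
        # Assumption: keywords are compared case-insensitively.
        found = [k.lower() in value.lower() for k in keywords]
        return bool(found) and (all(found) if rule.logic == "AND" else any(found))
    # Assumption: the regex is searched anywhere in the value, so anchors matter.
    return re.search(rule.pattern, value) is not None

def column_hit_rate(rule: Rule, values: list) -> float:
    """Fraction of non-empty values in a column that hit the rule."""
    cells = [v for v in values if v and v.strip()]
    if not cells:
        return 0.0
    return sum(cell_hits(rule, v) for v in cells) / len(cells)

def column_flagged(rule: Rule, values: list) -> bool:
    """A column counts as sensitive when its hit rate reaches the threshold."""
    return column_hit_rate(rule, values) >= rule.hit_rate

# Constructed sample columns (not real data).
EMPLOYEE_IDS = ["EMP-104233", "EMP-220981", "", "EMP-000417", "n/a"]
ORDER_REFS = ["ORD-2024-558201", "ORD-2024-558202", "ORD-2023-119930", "pending"]

LOOSE = Rule("rule", r"\d{6}", hit_rate=0.6)             # any six digits
ANCHORED = Rule("rule", r"^EMP-\d{6}$", hit_rate=0.6)    # whole value must be an ID

if __name__ == "__main__":
    for label, col in (("employee_id", EMPLOYEE_IDS), ("order_ref", ORDER_REFS)):
        for name, rule in (("loose", LOOSE), ("anchored", ANCHORED)):
            rate = column_hit_rate(rule, col)
            print(label, name, round(rate, 2), column_flagged(rule, col))
```

The loose pattern flags the order-reference column as well as the employee-ID column, while the anchored pattern flags only the employee IDs at the same threshold.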

Ensure that there is a custom identification template available. Identification rules can be imported in batches only for rule templates.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
  4. Click the Identification Rule tab. The Identification Rule page is displayed.
  5. Click Create Rule in the upper left corner and choose Batch Import Rules. The Batch Import Rules dialog box is displayed.

    Import requirements:

    • A maximum of 5,000 records can be imported at a time. A file that exceeds this limit cannot be imported.
    • Duplicate data will be ignored during import.
    • Files must be in XLSX format and not exceed 5,000 KB.

  6. Click Download Identification Template to download the template to the local host.
  7. Select an identification template from the drop-down list, click Add File, and select the file prepared based on the template.
  8. Click Import to import the rule to the selected identification template.
  9. You can also click Add Rule on the details page of the identification template and select Batch Import Rule to import rules in batches to the template.

Creating or Disabling a Category

DSC offers four built-in sensitive data levels (L1 to L4). Refer to Table 3 for their security and level definitions. If these built-in levels are insufficient, you can customize them as described in this section.

Table 3 Definition

| Security | Level | Definition |
| --- | --- | --- |
| Extremely high | L4 | Disclosure, tampering, or illegal use of personal data at this level will have a particularly severe impact on the rights and interests of individuals and organizations. Examples: Prolonged or permanent damage to an individual's property safety, dignity, or physical/mental health; enterprise business qualification cancellation, prolonged business suspension, or risk of bankruptcy; significant harm to economic operations, social order, and public interests. |
| High | L3 | Disclosure, tampering, or illegal use of personal data at this level will have a serious impact on the rights and interests of individuals and organizations. Examples: Individual unemployment, fraud, fund theft, or reputational damage; enterprise business qualification suspension, or significant economic, technological, or reputational loss. |
| Medium | L2 | Disclosure, tampering, or illegal use of personal data at this level will have an adverse impact on the rights and interests of individuals and organizations. Examples: Individual psychological harm or harassment; enterprise service interruption, or minor economic, technological, or reputational damage. |
| Low | L1 | Disclosure, tampering, or illegal use of personal data at this level will have no impact or only a minimal impact on the rights and interests of individuals and organizations. Example: Individual disturbance. |

A maximum of 20 sensitivity levels can be created.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
  4. Click the Sensitivity Configuration tab and click Adding a Level in the upper left corner.
  5. In the displayed dialog box, set required information based on Table 4.

    Table 4 Parameter description

    | Parameter | Description |
    | --- | --- |
    | Level Name | Enter a user-defined level name. |
    | Level Color | You can select a color based on the sensitivity level. A higher level color value indicates a higher sensitivity. For example, name and gender are low-sensitivity data, and the ID card number and encryption key are high-sensitivity data. |

  6. Click OK.

A built-in level cannot be disabled.

  1. Log in to the DSC console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
  4. Click the Sensitivity Configuration tab to view the sensitivity level configuration list.
  5. Locate the target level to be disabled and click Disable in the Operation column.

    • Disabled levels are not displayed when you create or edit a template.
    • To enable a level, click Enabled in the Operation column of the row that contains the level.

Related Operations

  • Click Set as Default to set the template as the default template. The default template is the built-in identification template.
  • Click Overview to view the template type and level.
  • Click Details to add rules or modify categories. For built-in templates, you can only change the status of existing rules.
  • Click Delete in the Operation column of the row that contains the classification and grading template to be deleted, and click OK to delete the template. The classification and grading template in use cannot be deleted. Delete the corresponding identification task first and then delete the classification and grading template. A built-in template and the default identification template cannot be deleted.
  • In the Identification Rule tab, locate the target rule and click Edit in the Operation column to view and modify the rule. For built-in rules, only Add to Template and Test Rule can be modified.
  • In the Sensitivity Configuration tab, locate the target level and click Edit in the Operation column to modify the level content. Built-in levels cannot be edited.
  • In the Sensitivity Configuration tab, locate the target level and click Delete in the Operation column to delete the level. Only custom levels that are not referenced can be deleted.