Configuring Sensitive Data Identification Policies
Constraints
Type | Constraints |
---|---|
Creating an identification template | A maximum of 20 identification templates can be created for an account. |
Deleting an Identification Template | |
Modifying a rule category | You can modify categories only for user-defined templates that are not currently referenced. |
Adding and Editing an Identification Template
By default, DSC provides a built-in identification template. You can create or copy a template to customize a new identification template. You can edit identification templates to view, add, and modify rules.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane, choose Sensitive Data Identification > Identification Configuration.
- Click Create Template in the upper left corner of the page. In the Create Template dialog box, set parameters according to Table 1.
Table 1 Parameters for creating a template
Parameter | Description |
---|---|
Template Name | Only letters, digits, hyphens (-), and underscores (_) are allowed. |
Remark | Enter the description of the template. |
Import Built-in Rules | This parameter is displayed when Template Type is set to Rule template. Yes: Import built-in rules. No: Create an empty template. |
- Click OK. The new identification template is displayed in the identification template list.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
- Locate the target template and click Copy. In the displayed Copy Template dialog box, enter the new template name and description.
- Click OK.
You can edit rule categories and add rules in a customized template.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
- Locate the target template and click Details. The template details page is displayed.
For built-in templates, you can only change the status of existing rules.
- Click the plus sign after All to create a category.
- Move the cursor to a Category Name:
- Click the edit button to edit the category name.
- Click Delete to delete a category.
- Select Category Name on the left and view the related category rules on the right.
- In the upper left corner of the classification rule list on the right, click Add Rule > Add Rule. On the Add Rule page that is displayed, add a custom rule. For details, see Customizing a Rule.
- Click Modify Category in the upper left corner of the category rule list on the right. In the Modify Category dialog box, select the target category. You can modify categories only for user-defined templates that are not currently referenced.
- Click Batch Delete to delete the selected rules.
- Click the icon in the Status column to enable or disable a rule. After a rule is disabled, it does not take effect during identification using the template.
- Click Details in the Operation column to edit the rule content.
- Click Delete in the Operation column to delete a rule.
Only rule templates can be exported to OBS buckets and then downloaded to the local PC.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane, choose Sensitive Data Identification > Identification Configuration.
- Click Details of the template to be exported. The Template Hierarchy and Classification page is displayed.
- Click Export Template to OBS above the rule list.
- In the Export Template to OBS dialog box, select a value from the Export Target Bucket drop-down list.
- Click OK. The status of Export Template to OBS changes to Queuing or Running.
- Refresh the page. Click Download Result File from OBS Bucket when the button is available. In the dialog box that is displayed, view the file path and click OK to go to OBS to download the result file.
Adding a Custom Identification Rule
Sensitive data identification rules include built-in rules and user-defined rules. Users can also import rules in batches. You can select built-in or customized identification rules when creating or editing an identification template.
Ensure that there is a custom identification template available.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
- Click the Identification Rule tab. The Identification Rule page is displayed.
- Click Create Rule > Create Rule. The Create Rule page is displayed.
- In the displayed dialog box, set required parameters based on Table 2.
Table 2 Parameter description
Parameter
Description
Rule Name
You can customize a rule name.
The rule name must:
- Contain a maximum of 255 characters.
- Consist of letters, digits, underscores (_), hyphens (-), and brackets.
- Be unique.
Description
Enter a rule description.
Add to Template
- Select the template name, template rule category, and level from the drop-down list boxes to add the rule to a rule template.
- Click Add to add the rule to multiple templates.
- Click the deletion button to delete the template. Retain at least one template.
Match Type
This parameter can be set to Rule matching or Keyword matching.
- Keyword matching indicates that the rule can be executed using keywords.
- Regular matching is used to match (specify and identify) characters, words, and patterns.
NOTE:
For Hive data in MRS, sensitive data can be identified only when Match Type is Rule matching and Rule is
.
Matching Logic
Select the matching logic:
- AND: All keywords are included.
- OR: Only one keyword is included.
Rule
This parameter is displayed when Match Type is set to Rule matching. Select the rule content from the drop-down list.
A new rule must include at least one matching item: a column name, column remark, or content. Rules cannot solely rely on the table name or table remark.
- Choose , , , , or , and enter a keyword to check whether the column name, column comment, table name, or table comment contains the keyword.
- Choose , , , , or , and enter the regular expression to check whether it is matched.
- Choose and enter multiple keywords. The relationship between the keywords is OR, meaning if any keyword is found in the content, it will be matched.
NOTE: For Hive data in MRS, sensitive data can be identified only when Match Type is Rule matching and Rule is .
Test Rule
- This parameter is displayed when Match Type is set to Rule Matching.
- Enter the rule content and click Test. The test result of the rule is displayed in the Test Result area.
- You can click Add to add multiple rules for test.
- Both built-in rules and user-defined rules support rule tests. To test a built-in rule, click Details in the Operation column of the rule list. On the Edit Rule page, enter the rule for test.
NOTE:
- Image rules cannot be tested.
- The rule test is not supported when the Match Type is Keyword matching.
- Only the first matching result of the test content is displayed.
Content
- This parameter is displayed when Match Type is set to Keyword Matching.
- Multiple keywords are separated by line breaks.
Identification Threshold Configuration
- Hit Number: Applicable to unstructured data. You can select a low, medium, or high threshold. A higher threshold requires more hits.
- Hit Rate: Applicable to structured data. You can drag the slider to set the value. A larger value indicates a higher hit rate.
- Click OK.
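The matching options in Table 2 can be tried against sample data before a rule is entered in the console. The Python below is an added example, not DSC code: the function names, patterns, sample columns, and the 0.6 threshold are constructed, and hit rate is modeled as the share of non-empty sampled cells that contain a match, which is an assumption about how DSC computes it.

```python
import re

def keyword_match(text, keywords, logic="OR"):
    """Keyword matching: AND needs every keyword, OR needs at least one."""
    found = [kw.casefold() in text.casefold() for kw in keywords]
    return all(found) if logic == "AND" else any(found)

def first_match(pattern, text):
    """Return only the first hit, as the console's Test Result area does."""
    m = re.search(pattern, text)
    return m.group(0) if m else None

def hit_rate(pattern, cells):
    """Share of non-empty sampled cells containing a match (assumed model)."""
    sample = [c for c in cells if c]
    if not sample:
        return 0.0
    rx = re.compile(pattern)
    return sum(1 for c in sample if rx.search(c)) / len(sample)

def flags_column(pattern, cells, threshold):
    """True when the column's hit rate reaches the configured threshold."""
    return hit_rate(pattern, cells) >= threshold

# Constructed sample data: one column that should be flagged, one that should not.
EMPLOYEE_IDS = ["EMP-004217", "EMP-118830", "", "EMP-556102", "n/a"]
ORDER_REFS = ["ORD-20240117-001", "ORD-20240118-002", "ORD-20240118-003"]

LOOSE_RULE = r"\d{6}"        # constructed: any six digits in a row
TIGHT_RULE = r"EMP-\d{6}"    # constructed: prefix plus six digits
THRESHOLD = 0.6              # constructed hit-rate setting

if __name__ == "__main__":
    print(keyword_match("emp_badge_id", ["emp", "id"], "AND"))
    print(first_match(TIGHT_RULE, "badge EMP-004217 replaced EMP-118830"))
    for name, rule in (("loose", LOOSE_RULE), ("tight", TIGHT_RULE)):
        for col, cells in (("employee_ids", EMPLOYEE_IDS), ("order_refs", ORDER_REFS)):
            print(name, col, hit_rate(rule, cells), flags_column(rule, cells, THRESHOLD))
```

The loose pattern flags the order-reference column because the date digits satisfy it, while the prefixed pattern flags only the employee-ID column; checking a rule against data that should not match is what exposes this kind of over-classification.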
Ensure that there is a custom identification template available. Identification rules can be imported in batches only for rule templates.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
- Click the Identification Rule tab. The Identification Rule page is displayed.
- Click Create Rule in the upper left corner and choose Batch Import Rules. The Batch Import Rules dialog box is displayed.
Import requirements:
- A maximum of 5,000 records can be imported at a time. A file that exceeds this limit cannot be imported.
- Duplicate data will be ignored during import.
- Files must be in XLSX format and not exceed 5,000 KB.
- Click Download Identification Template to download the template to the local host.
- Select an identification template from the drop-down list, click Add File, and select the file prepared based on the template.
- Click Import to import the rule to the selected identification template.
- You can also click Add Rule on the details page of the identification template and select Batch Import Rule to import rules in batches to the template.
Creating or Disabling a Category
DSC offers four built-in sensitive data levels (L1 to L4). Refer to Table 3 for their security and level definitions. If these built-in levels are insufficient, you can customize them as described in this section.
Security | Level | Definition |
---|---|---|
Extremely high | L4 | Disclosure, tampering, or illegal use of personal data at this level will have a particularly severe impact on the rights and interests of individuals and organizations. Examples: Prolonged or permanent damage to an individual's property safety, dignity, or physical/mental health; enterprise business qualification cancellation, prolonged business suspension, or risk of bankruptcy; significant harm to economic operations, social order, and public interests. |
High | L3 | Disclosure, tampering, or illegal use of personal data at this level will have a serious impact on the rights and interests of individuals and organizations. Examples: Individual unemployment, fraud, fund theft, or reputational damage; enterprise business qualification suspension, or significant economic, technological, or reputational loss. |
Medium | L2 | Disclosure, tampering, or illegal use of personal data at this level will have an adverse impact on the rights and interests of individuals and organizations. Examples: Individual psychological harm or harassment; enterprise service interruption, or minor economic, technological, or reputational damage. |
Low | L1 | Disclosure, tampering, or illegal use of personal data at this level will have no impact or only a minimal impact on the rights and interests of individuals and organizations. Example: Individual disturbance. |
A maximum of 20 sensitivity levels can be created.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
- Click the Sensitivity Configuration tab and click Adding a Level in the upper left corner.
- In the displayed dialog box, set required information based on Table 4.
Table 4 Parameter description
Parameter | Description |
---|---|
Level Name | Enter a user-defined level name. |
Level Color | You can select a color based on the sensitivity level. A higher level color value indicates a higher sensitivity. For example, name and gender are low-sensitivity data, and the ID card number and encryption key are high-sensitivity data. |
- Click OK.
A built-in level cannot be disabled.
- Log in to the DSC console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation pane on the left, choose Sensitive Data Identification > Identification Configuration. The Identification Template tab is displayed.
- Click the Sensitivity Configuration tab to view the sensitivity level configuration list.
- Locate the target level to be disabled and click Disable in the Operation column.
- Disabled levels are not displayed when you create or edit a template.
- To enable a level, click Enabled in the Operation column of the row that contains the level.
Related Operations
- Click Set as Default to set the template as the default template. The default template is the built-in identification template.
- Click Overview to view the template type and level.
- Click Details to add rules or modify categories. For built-in templates, you can only change the status of existing rules.
- Click Delete in the Operation column of the row that contains the classification and grading template to be deleted, and click OK to delete the template. The classification and grading template in use cannot be deleted. Delete the corresponding identification task first and then delete the classification and grading template. A built-in template and the default identification template cannot be deleted.
- In the Identification Rule tab, locate the target rule and click Edit in the Operation column to view and modify the rule. For built-in rules, only Add to Template and Test Rule can be modified.
- In the Sensitivity Configuration tab, locate the target level and click Edit in the Operation column to modify the level content. Built-in levels cannot be edited.
- In the Sensitivity Configuration tab, locate the target level and click Delete in the Operation column to delete the level. Only custom levels that are not referenced can be deleted.