Managing Dynamic Masking Policies

Prerequisites

• Before creating an MRS Hive data masking policy, ensure that:
  • An MRS Ranger data connection has been created in Management Center. For details, see Creating a DataArts Studio Data Connection.
  • User information has been synchronized from IAM to the data source. For details, see Synchronizing IAM Users to the Data Source.
• Before creating a GaussDB(DWS) data masking policy, ensure that:
  • A GaussDB(DWS) data connection has been created in Management Center. For details, see Creating a DataArts Studio Data Connection.
  • User information has been synchronized from IAM to the data source. For details, see Synchronizing IAM Users to the Data Source.
  • The CN and DN values of the feature_support_options parameter of the GaussDB(DWS) cluster have been changed to enable_data_redaction, which enables data masking for GaussDB(DWS). For details, see Modifying Database Parameters.
  • The account in the connection must have the GRANT permission of the target table. (By default, only the owner of a database object or system administrator can run the GRANT command to grant the object permissions to other users.)
• MRS Hive and GaussDB(DWS) dynamic masking policies are associated with specified users or user groups on data sources. Therefore, if you want to use the current user for identity authentication to make the dynamic masking policies take effect during script execution and job tests in DataArts Factory, you must enable fine-grained authentication by referring to Enabling Fine-grained Authentication.
• If you want to view sensitive fields during the creation of a data masking policy, you need to create a sensitive data discovery task in advance and change the statuses of sensitive data fields to valid on the Sensitive Data Distribution page. For details, see Discovering Sensitive Data and Viewing Sensitive Data Distribution.

Constraints

• Only the DAYU Administrator, Tenant Administrator, or data security administrator can create, modify, or delete dynamic masking policies. Other common users do not have permission to perform these operations.
• MRS Hive and GaussDB(DWS) dynamic masking policies are associated with specified users or user groups on data sources. Therefore, if you want to use the current user for identity authentication to make the dynamic masking policies take effect during script execution and job tests in DataArts Factory, you must enable fine-grained authentication by referring to Enabling Fine-grained Authentication.
• Dynamic masking policies are only available for MRS Hive and GaussDB(DWS) data sources.
• A table can be associated with only one dynamic data masking policy. Policies take effect only after they are synchronized successfully.
• During dynamic masking of MRS Hive data, MRS Ranger allows you to configure different rules for the same column, and the rules are matched in the sequence of their configuration time. Therefore, you can configure multiple masking policies for different content in the same cluster, database, table, and column.
• Table 2 lists the masking rules supported by the MRS service. For Chinese characters, only null and hash masking are supported. If other masking methods are selected, masking does not take effect.

  The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.

• GaussDB(DWS) dynamic masking is unavailable for GaussDB(DWS) logical clusters. Before masking data, enable GaussDB(DWS) dynamic masking by changing the CN and DN values of parameter feature_support_options to enable_data_redaction. For details, see Modifying Database Parameters. In addition, ensure that the user in the GaussDB(DWS) data connection has the GRANT permission on the table to be masked. ( By default, after a database object is created, only the object owner or system administrator can run the GRANT command to grant the object permissions to other users.)
• Table 3 lists the masking rules supported by GaussDB(DWS). Chinese characters cannot be masked. If you mask data that contains Chinese characters, garbled characters may be displayed.

Creating a Dynamic Masking Policy

1. On the DataArts Studio console, locate a workspace and click DataArts Security.
2. In the left navigation pane, choose Dynamic Masking.
   Figure 1 Dynamic Masking
   

3. Click Create and set the parameters listed in Table 1.
   Figure 2 Setting parameters for the dynamic masking policy
   
   The following table lists the parameters.

   Table 1 Policy parameters

   Parameter	Description
   *Policy Name	Unique identifier of the dynamic masking policy. It must be unique in a DataArts Studio instance. To facilitate policy management, you are advised to include the object to be masked and masking rule in the name.
   *Data Source Type	Currently, only MRS Hive and DWS are supported.
   MRS Hive
   *User Group/Username	User or user group in the current workspace members. When a specified object queries or exports sensitive data from DataArts Factory, the system dynamically masks the sensitive data to protect the sensitive data from being disclosed.
   *Data Connection	If no data connection is available, create one by referring to Creating a DataArts Studio Data Connection.
   *Cluster Name	You do not need to set this parameter. The data source cluster in the data connection is automatically selected.
   *Database	Database where the sensitive data is stored
   *Data Table	Data table where the sensitive data is stored
   *Data Column	Select one or more columns to be masked and select a proper masking rule for each column based on the data type. Supported data masking rules vary depending on the data type of each data source. For details, see Reference: Dynamic Masking Rules. If sensitive data discovery has been performed on the selected columns and the statuses of the sensitive data fields are valid, the data security levels and classifications are displayed in the Data Column area.
   DWS
   *User Group/Username	User or user group in the current workspace members. When a specified object queries or exports sensitive data from DataArts Factory, the system dynamically masks the sensitive data to protect the sensitive data from being disclosed.
   *Data Connection	If no data connection is available, create one by referring to Creating a DataArts Studio Data Connection.
   *Cluster Name	You do not need to set this parameter. The data source cluster in the data connection is automatically selected.
   *Database	Database where the sensitive data is stored
   *schema	Schema where the sensitive data is stored
   *Data Table	Data table where the sensitive data is stored
   *Data Column	Select one or more columns to be masked and select a proper masking rule for each column based on the data type. Supported data masking rules vary depending on the data type of each data source. For details, see Reference: Dynamic Masking Rules. If sensitive data discovery has been performed on the selected columns and the statuses of the sensitive data fields are valid, the data security levels and classifications are displayed in the Data Column area.

4. After setting all required parameters, click OK. After the dynamic masking policy is created, you need to click Synchronize to synchronize the policy to the data source.

Related Operations

• Synchronizing a policy: On the Dynamic Masking page, locate a policy and click Synchronize in the Operation column to synchronize the policy to the data source. To synchronize multiple policies, select them and click Synchronize above the list.

  Policies take effect only after they are synchronized successfully. If the policy synchronization fails, you can view the policy run log in the policy details to locate the failure cause. After rectifying the fault, synchronize the policy again. If the synchronization still fails, contact technical support.

• Editing a policy: On the Dynamic Masking page, locate a policy and click Edit in the Operation column.
• Deleting policies: On the Dynamic Masking page, locate a policy and click Delete in the Operation column. In the displayed dialog box, confirm the policy to delete and click Yes. To delete multiple policies, select them and click Delete above the list.
  

  Deleted dynamic masking policies are moved to the recycle bin. You can restore them within 30 days. After 30 days, they will be deleted permanently. For details, see Managing the Recycle Bin.

• Viewing policy details: On the Dynamic Masking page, locate a policy and click its name to view its details. You can also filter policies by Sync Status.
  Figure 3 Viewing policy details
  

Reference: Dynamic Masking Rules

• MRS Hive dynamic masking rules are provided by MRS Ranger. Table 2 lists the supported rules.
  

  The SM3, Custom/Show First x and Last y Characters, and Custom/Mask First x and Last y Characters masking rules for the MRS Hive data source are not provided by the MRS Ranger component. Instead, they are implemented by UDF-defined functions. Therefore, to use any of the three masking rules, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. For details, see Reference: Configuring UDF-related Permissions in the Ranger Component.

• GaussDB(DWS) dynamic masking rules are provided by GaussDB(DWS). Table 3 lists the supported rules.

Reference: Configuring UDF-related Permissions in the Ranger Component

If you choose the SM3, Custom/Show First x and Last y Characters, or Custom/Mask First x and Last y Characters masking rule when configuring a dynamic masking policy for MRS Hive data, you must upload the JAR package on which the algorithm depends to the MRS cluster, and grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users in advance. The procedure is as follows:

1. Log in to MRS Manager as user admin.
2. On the Manager page, choose Cluster > Services > Ranger. On the Ranger overview page, click RangerAdmin to go to the Ranger WebUI.
   Figure 4 Accessing the Ranger WebUI
   

3. Log out of the current account and use the Ranger administrator account to log in again. For a common cluster, the admin account for the Manager page can be used as the Ranger administrator account. For a security cluster, rangeradmin is the Ranger administrator account. For details about the default password of rangeradmin, see User Account List.
   Figure 5 Logging out of the current account
   

4. On the home page, click the component plug-in name in the HADOOP SQL area, for example, Hive.
5. On the Access tab page, click Add New Policy.
   Figure 6 Policy list
   

6. On the Create Policy page, configure the policy parameters to grant the UDF creation permission to the account in the Ranger data connection and the UDF usage permission to all users.
   • Policy Name: Enter a policy name, for example, creat_udf_access.
   • database: Select default. The created UDF is stored in the default database by default.
   • udf: Select * to match all UDFs.
   • Permission 1 – UDF creation permission for the account in the Ranger data connection:
     • Select User: Select the account in the Ranger data connection.
     • Permissions: Select Create, which indicates the UDF creation permission.
   • Permission 2 – UDF usage permission for all users:
     • Select Group: Select public, which indicates all users.
     • Permissions: Select select, which indicates the UDF usage permission.
     Figure 7 Creating a policy
     

7. Click add to finish configuring the permissions.