Creating a Static Data Masking Task
DSC supports masking of database, big data, and OBS data. For details about the supported data types, see Constraints. This section describes how to create masking tasks of different data types.
Prerequisites
- Access to cloud assets has been authorized. For details, see Allowing or Disallowing Access to Cloud Assets.
- An OBS bucket or database/big data asset has been added and authorized. For details, see the operations of adding and authorizing assets in Asset Center.
- Sensitive data has been identified by referring to Creating an Identification Task.
- Related MRS_Hive permission needs to be configured for MRS masking. For details, see Modifying Hive User Rights.
Constraints
- Database masking:
The following data sources are supported: SQLServer, MySQL, TDSQL, PostgreSQL, Dameng, Kingbase, GaussDB, Oracle, and DWS.
- Big data masking:
The following data sources are supported: Elasticsearch, MRS_HIVE, Hive, HBase, and DLI.
- OBS bucket masking:
- DSC does not support the parallel file system of OBS.
- DSC supports files such as .txt, .log, .xml, .ini, .sql, .inf, .java, and .json, or files whose MIME type starts with text.
Creating a Static Data Masking Task
You can create a static data masking task on the DSC console and mask data sources based on the selected masking rule. For details about how to view and test masking rules, see Configuring and Viewing Masking Rules.
Creating and Running a Database Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the left navigation pane, choose Data Asset Protection > Static Data Masking. The Static Data Masking page is displayed.
- On the Databases tab page, turn on Mask Sensitive Database Data.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 1.
Figure 1 Configuring a database data masking task
Table 1 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Available options are SQLServer, MySQL, TDSQL, PostgreSQL, Dameng, Kingbase, OpenGauss, Oracle, and DWS. |
| Data Source | NOTE: If no database instance is available, click Add Database to add or authorize a database. For details, see Adding Self-Built Database Instances and Authorizing Access to a Database Asset. Database Instance: Select the database instance to be masked. Database: Select the name of the database to be masked. Schema: This parameter is available only when SQLServer, KingBase, OpenGauss, PostgreSQL, or DWS is selected for Data Source. Table name: Select the name of the database table where the data you want to mask is located. |
| Column Information | The column information includes Column Name, Risk Level, Data Type, and Category. |
| Masking Ratio | Specify the database's masking ratio. For instance, setting it to 80% will mask the initial 800 rows in a database with 1000 rows. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 2 Configuring the data masking algorithm
- Select the data columns you want to mask.
- Select a proper masking algorithm based on the data type. For details about data masking algorithms, see Configuring and Viewing Masking Rules.
If the decryption masking algorithm is selected for encrypted data, the encrypted data will be decrypted then masked.
If the masking algorithm is selected for unencrypted data, data remains unchanged after masking.
- Click Edit. On the editing test page displayed, test the masking algorithm you selected. Enter the replacement string and raw data, click Test, and view the masking result. For details about masking rules, see Configuring and Viewing Masking Rules.
- Click Next. On the Configure Data Masking Period page that is displayed, configure the masking period.
Click the toggle next to Incremental Masking to enable incremental masking.
Incremental Key Value: Select an incremental key value from the drop-down list box, for example, id.
- After incremental masking is enabled, the data added after the last masking task is completed is masked. Select a field that increases with time in the source data as the incremental column, such as the creation time and auto-increment ID.
- Currently, incremental masking supports the following database field types: int, bigint, integer, date, and datetime.
Select and set the execution period of a masking task.
- Manual: Manually enable a masking task and execute it based on masking rules.
- Hourly: Execute a data masking task every several hours.
Example: If the masking task needs to be executed every two hours, set this parameter to 02:00.
- Daily: Execute a data masking task at a specified time every day.
Example: If the masking task needs to be executed at 12:00 every day, set this parameter to 12:00:00.
- Weekly: Execute a data masking task at a specified time every week.
Example: If the masking task needs to be executed at 12:00 every Monday, set this parameter to 12:00:00 every Monday.
- Monthly: Execute a data masking task at a specified time on a specified day every month.
Example: If the masking task needs to be executed at 12:00 on the 12th day of each month, set this parameter to 12:00:00 12th day of every month.
If you want to execute a data masking task on the 31st day of each month, the system automatically executes the task on the last day of every month.
- Click Next. The Set Target Data page is displayed.
Figure 3 Configuring a target data type
- Select a database instance, database name, schema (if any), and enter the table name.
If the entered data table name already exists, the system updates the data table in the target database.
If the entered data table name does not exist, the system automatically creates a data table with the same name in the target database.
- Do not fill in an existing service data table. Otherwise, services may be affected.
- Do not select an original data table as the target data table. Otherwise, the original data may be overwritten.
- Set the column name of the target data type.
By default, the system generates a name that is the same as the name of the data source column. You can retain the default name or change it as required.
- Click Finish.
- Click the Database tab and turn on the button under Enable/Disable to enable the task. In the Operation column of the target masking task, click Execute.
The data masking task is executed as configured.
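The constraints in this procedure (the task name format, the field types allowed for the incremental key, and the warnings about the target table) can be checked before a task is created. The following Python is an added example, not DSC code or a DSC API: the task dictionary layout, the function names, the `service_tables` inventory, and the sample values are all hypothetical.

```python
import re

# Rules quoted from the procedure above. ASCII-only "letters" is an assumption.
TASK_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,255}")
INCREMENTAL_KEY_TYPES = {"int", "bigint", "integer", "date", "datetime"}


def table_id(loc):
    """Normalise a table location so that equal tables compare equal.

    Case-insensitive comparison is an assumption; it errs on the side of
    flagging a possible overwrite.
    """
    return tuple((loc.get(k) or "").strip().lower()
                 for k in ("instance", "database", "schema", "table"))


def preflight_db_masking_task(task, service_tables=()):
    """Return a list of findings for a (hypothetical) task definition."""
    findings = []

    if not TASK_NAME_RE.fullmatch(task.get("name", "")):
        findings.append("task name: use 1 to 255 letters, digits, '_' or '-'")

    columns = task.get("source_columns", {})
    for col in task.get("masked_columns", []):
        if col not in columns:
            findings.append(f"masked column {col!r} is not in the source table")

    # Incremental masking needs a column that grows over time and has one
    # of the supported field types.
    inc_key = task.get("incremental_key")
    if inc_key is not None:
        col_type = columns.get(inc_key)
        if col_type is None:
            findings.append(f"incremental key {inc_key!r} is not a source column")
        elif col_type.lower() not in INCREMENTAL_KEY_TYPES:
            findings.append(f"incremental key type {col_type!r} is not supported")

    # An existing target table is updated in place, so the two dangerous
    # targets are the original table and any table a service depends on.
    source, target = table_id(task["source"]), table_id(task["target"])
    if target == source:
        findings.append("target is the original table: source data may be overwritten")
    elif target in {table_id(t) for t in service_tables}:
        findings.append("target is an existing service table: services may be affected")
    return findings


# Constructed sample input.
GOOD_TASK = {
    "name": "mask_orders-01",
    "source": {"instance": "rds-prod", "database": "shop", "table": "orders"},
    "target": {"instance": "rds-test", "database": "shop_masked", "table": "orders_masked"},
    "source_columns": {"id": "bigint", "email": "varchar", "created_at": "datetime"},
    "masked_columns": ["email"],
    "incremental_key": "id",
}
BAD_TASK = dict(
    GOOD_TASK,
    name="mask orders!",
    incremental_key="email",
    target={"instance": "RDS-Prod", "database": "shop", "table": "Orders"},
)

if __name__ == "__main__":
    for label, task in (("good", GOOD_TASK), ("bad", BAD_TASK)):
        print(label, preflight_db_masking_task(task))
```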
Creating and Running an Elasticsearch Data Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the left navigation pane, choose Data Asset Protection > Data Masking and click the Elasticsearch tab. The Elasticsearch masking page is displayed.
- Click Authorizing Access to a Database Asset and turn on Elasticsearch to enable Elasticsearch masking.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 2.
Table 2 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Currently, the value can only be Elasticsearch. |
| Data Source | NOTE: If no Elasticsearch instance is available, click Add to add Elasticsearch indexes. For details, see Authorizing Access to a Big Data Asset. Elasticsearch: Select the Elasticsearch instance where the data to be masked is. Index: Select the index where the data to be masked is. Type: Select the type of the data to be masked. |
| Field Information | The field information includes Field Name, Risk Level, Data Type, and Category. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 4 Configuring a masking algorithm
- Select the data columns you want to mask.
- Select a data masking algorithm. For details about data masking algorithms, see Configuring and Viewing Masking Rules.
- Click Next to switch to the Configure Data Masking Period page and configure the data masking period.
Select and set the execution period of a masking task.
- Manual: Manually enable a masking task and execute it based on masking rules.
- Hourly: Execute a data masking task every several hours.
Example: If the masking task needs to be executed every two hours, set this parameter to 02:00.
- Daily: Execute a data masking task at a specified time every day.
Example: If the masking task needs to be executed at 12:00 every day, set this parameter to 12:00:00.
- Weekly: Execute a data masking task at a specified time every week.
Example: If the masking task needs to be executed at 12:00 every Monday, set this parameter to 12:00:00 every Monday.
- Monthly: Execute a data masking task at a specified time on a specified day every month.
Example: If the masking task needs to be executed at 12:00 on the 12th day of each month, set this parameter to 12:00:00 12th day of every month.
If you want to execute a data masking task on the 31st day of each month, the system automatically executes the task on the last day of every month.
- Click Next. The Set Target Data page is displayed.
Figure 5 Setting target data
- Select an Elasticsearch instance and index, and set Type.
If the type you entered already exists, the system updates the data of the type in the target data source.
If the type you entered does not exist, the system automatically creates a type with the same name in the target data source.
If you want to use an existing type, do not set Type. Otherwise, services may be affected.
- Set the column name of the target data type.
By default, the system generates the same name as the data source column. You can retain the default name or change it as needed.
- Click Finish.
- Click the Elasticsearch tab. Locate the row containing the target data masking task and click Execute in the Operation column.
- The system starts to execute the data masking task as configured.
If the disabled-state icon is displayed in the Enable/Disable column, the task is disabled, and you are not allowed to click Execute.
Creating and Running an MRS Data Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the left navigation pane, choose Data Asset Protection > Static Data Masking and click the MRS tab. The MRS masking page is displayed.
- Click the icon and turn on Mask Sensitive MRS Data to enable MRS masking.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 3.
Table 3 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Only MRS_HIVE is available. |
| Data Source | NOTE: If no Hive database instance is available, click Authorize Database to add a big data instance asset. For details, see Authorizing Access to a Big Data Asset. Database Instance: Select the database instance where the data you want to mask is located. Database: Select the name of the database where the data you want to mask is located. Table Name: Select the name of the database table where the data you want to mask is located. Select a column name to copy the data in the column to the target database. |
| Column Information | The column information includes Column Name, Risk Level, Data Type, and Category. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 6 Setting a masking algorithm
- Select the data columns you want to mask.
- Select a data masking algorithm. For details about data masking algorithms, see Configuring and Viewing Masking Rules.
- Click Next to switch to the Configure Data Masking Period page and configure the data masking period.
Select and set the execution period of a masking task.
- Manual: Manually enable a masking task and execute it based on masking rules.
- Hourly: Execute a data masking task every several hours.
Example: If the masking task needs to be executed every two hours, set this parameter to 02:00.
- Daily: Execute a data masking task at a specified time every day.
Example: If the masking task needs to be executed at 12:00 every day, set this parameter to 12:00:00.
- Weekly: Execute a data masking task at a specified time every week.
Example: If the masking task needs to be executed at 12:00 every Monday, set this parameter to 12:00:00 every Monday.
- Monthly: Execute a data masking task at a specified time on a specified day every month.
Example: If the masking task needs to be executed at 12:00 on the 12th day of each month, set this parameter to 12:00:00 12th day of every month.
If you want to execute a data masking task on the 31st day of each month, the system automatically executes the task on the last day of every month.
- Click Next. The Set Target Data page is displayed.
Figure 7 Setting target data
- Select a database instance and database name, and enter the database table name.
If the entered data table name already exists, the system updates the data table in the target database.
If the entered data table name does not exist, the system automatically creates a data table with the same name in the target database.
Do not fill in an existing service data table. Otherwise, services may be affected.
- Set the column name of the target data type.
By default, the system generates a name that is the same as the name of the data source column. You can retain the default name or change it as required.
- Click Finish.
- Click the MRS tab. Locate the row containing the target data masking task and click Execute in the Operation column.
- The data masking task is executed as configured.
Creating and Running a Hive Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the left navigation pane, choose Data Asset Protection > Static Data Masking and click the Hive tab. The Hive masking page is displayed.
- Click the icon and turn on Mask Sensitive Hive Data to enable Hive masking.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 4.
Table 4 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Only Hive is supported. |
| Data Source | NOTE: If no Hive database instance is available, click Add Database to add a big data asset. For details, see Authorizing Access to a Big Data Asset. Database Instance: Select the database instance where the data you want to mask is located. Database: Select the name of the database where the data you want to mask is located. Table name: Select the name of the database table where the data you want to mask is located. If you select the check box, data in this column is copied to the Data Type column. |
| Column Information | The column information includes Column Name, Risk Level, Data Type, and Category. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 8 Setting a masking algorithm
- Select the data columns you want to mask.
- Select a data masking algorithm. For details about data masking algorithms, see Configuring and Viewing Masking Rules.
- Click Next to switch to the Configure Data Masking Period page and configure the data masking period.
Select and set the execution period of a masking task.
- Manual: Manually enable a masking task and execute it based on masking rules.
- Hourly: Execute a data masking task every several hours.
Example: If the masking task needs to be executed every two hours, set this parameter to 02:00.
- Daily: Execute a data masking task at a specified time every day.
Example: If the masking task needs to be executed at 12:00 every day, set this parameter to 12:00:00.
- Weekly: Execute a data masking task at a specified time every week.
Example: If the masking task needs to be executed at 12:00 every Monday, set this parameter to 12:00:00 every Monday.
- Monthly: Execute a data masking task at a specified time on a specified day every month.
Example: If the masking task needs to be executed at 12:00 on the 12th day of each month, set this parameter to 12:00:00 12th day of every month.
If you want to execute a data masking task on the 31st day of each month, the system automatically executes the task on the last day of every month.
- Click Next. The Set Target Data page is displayed.
Figure 9 Setting target data
- Select a database instance and database name, and enter the database table name.
If the entered data table name already exists, the system updates the data table in the target database.
If the entered data table name does not exist, the system automatically creates a data table with the same name in the target database.
Do not fill in an existing service data table. Otherwise, services may be affected.
- Set the column name of the target data type.
By default, the system generates a name that is the same as the name of the data source column. You can retain the default name or change it as required.
- Click Finish.
- On the Hive page, in the Operation column of the target anonymization task, click Execute.
- The data masking task is executed as configured.
Creating and Running an HBase Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the navigation pane, choose Data Asset Protection > Static Data Masking and click the HBase tab. The HBase masking page is displayed.
- Click the icon and turn on Mask Sensitive HBase Data to enable HBase masking.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 5.
Table 5 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Only HBase is supported. |
| Data Source | NOTE: If no database instance is available, click Add Database to add a big data asset. For details, see Authorizing Access to a Big Data Asset. Database Instance: Select the database instance where the data you want to mask is located. Namespace: Select the namespace where the data to be masked is located. Table name: Select the name of the database table where the data you want to mask is located. Column Family: Select the column where the data to be masked is located. If you select a column, data in this column will be copied to the target database. |
| Column Information | The column information includes Column Name, Risk Level, Data Type, and Category. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 10 Setting a masking algorithm
- Select the data columns you want to mask.
- Select a data masking algorithm. For details about data masking algorithms, see Configuring and Viewing Masking Rules.
- Click Next. On the Configure Data Masking Period page that is displayed, configure the masking period.
Select and set the execution period of a masking task.
- Manual: Manually enable a masking task and execute it based on masking rules.
- Hourly: Execute a data masking task every several hours.
Example: If the masking task needs to be executed every two hours, set this parameter to 02:00.
- Daily: Execute a data masking task at a specified time every day.
Example: If the masking task needs to be executed at 12:00 every day, set this parameter to 12:00:00.
- Weekly: Execute a data masking task at a specified time every week.
Example: If the masking task needs to be executed at 12:00 every Monday, set this parameter to 12:00:00 every Monday.
- Monthly: Execute a data masking task at a specified time on a specified day every month.
Example: If the masking task needs to be executed at 12:00 on the 12th day of each month, set this parameter to 12:00:00 12th day of every month.
If you want to execute a data masking task on the 31st day of each month, the system automatically executes the task on the last day of every month.
- Click Next. The Set Target Data page is displayed.
Figure 11 Setting target data
- Select the database instance, namespace, and data table name, and enter the column family.
If the entered column name already exists, the system updates the data in the column.
If the entered column name does not exist, the system automatically creates the column in the target data table.
Do not fill in an existing service data table. Otherwise, services may be affected.
- Set the column name of the target data type.
By default, the system generates a name that is the same as the name of the data source column. You can retain the default name or change it as required.
- Click Finish.
- On the HBase page, in the Operation column of the target anonymization task, click Execute.
- The data masking task is executed as configured.
Creating and Running a DLI Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the navigation pane, choose Data Asset Protection > Static Data Masking and click the DLI tab. The DLI masking page is displayed.
- Click the icon and turn on Masking Sensitive DLI Data to enable DLI masking.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 6.
Table 6 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Only DLI is supported. |
| Data Source | (If no database instance is available, click Add Database to add a database. For details, see Authorizing Access to a Big Data Asset.) Database Instance: Select the database instance where the data you want to mask is located. Database Name: Enter the name of the database for masking. Table Name: Enter the name of the table to be masked. NOTE: Only assets with read and write permissions can use the masking function. Select the columns to be masked. You can select multiple columns. |
| AK/SK | Enter an access key. For details, see Access Keys. You can obtain the AK from the access key list and SK from the downloaded CSV file. |
| Column Information | The column information includes Column Name, Risk Level, Data Type, and Category. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 12 Setting a masking algorithm
- Select the data columns you want to mask.
- Select a data masking algorithm. For details about data masking algorithms, see Configuring and Viewing Masking Rules.
- Click Next to switch to the Configure Data Masking Period page and configure the data masking period.
Select and set the execution period of a masking task.
- Manual: Manually enable a masking task and execute it based on masking rules.
- Hourly: Execute a data masking task every several hours.
Example: If the masking task needs to be executed every two hours, set this parameter to 02:00.
- Daily: Execute a data masking task at a specified time every day.
Example: If the masking task needs to be executed at 12:00 every day, set this parameter to 12:00:00.
- Weekly: Execute a data masking task at a specified time every week.
Example: If the masking task needs to be executed at 12:00 every Monday, set this parameter to 12:00:00 every Monday.
- Monthly: Execute a data masking task at a specified time on a specified day every month.
Example: If the masking task needs to be executed at 12:00 on the 12th day of each month, set this parameter to 12:00:00 12th day of every month.
If you want to execute a data masking task on the 31st day of each month, the system automatically executes the task on the last day of every month.
- Click Next. The Set Target Data page is displayed.
Figure 13 Setting target data
- Select a database instance and database name, and enter the table name.
If the entered table name already exists, the system will update the data in the existing table.
If the table name is new, it will automatically create and name the table in the target database.
Do not fill in an existing service data table. Otherwise, services may be affected.
- Set the column name of the target data type.
By default, the system generates a name that is the same as the name of the data source column. You can retain the default name or change it as required.
- Click Finish.
- On the DLI page, in the Operation column of the target anonymization task, click Execute.
- The data masking task is executed as configured.
Creating and Running an OBS Masking Task
- Log in to the management console.
- Click the icon in the upper left corner and select a region or project.
- In the navigation tree on the left, click the icon and choose Security & Compliance > Data Security Center.
- In the navigation pane, choose Data Asset Protection > Static Data Masking and click the OBS tab. The OBS masking page is displayed.
- Click the icon and turn on Mask Sensitive OBS Data to enable OBS masking.
- Click Create Task. On the displayed Configure Data Source page, configure parameters according to Table 7.
Table 7 Parameter description
| Parameter | Description |
| --- | --- |
| Task Name | You can customize the name of a data masking task. The task name must contain 1 to 255 characters and consist of letters, digits, underscores (_), and hyphens (-). |
| Select Data Source | Select a data source. Only OBS is supported. |
| Data Source | Bucket Name: Select an OBS bucket name from the drop-down list box. OBS Storage Path: Select the path of the OBS bucket file from the drop-down list box. File Type: Currently, only the text type is supported. NOTE: Only assets with read and write permissions can use the masking function. |
- Click Next. The Set Masking Algorithm page is displayed.
Figure 14 Setting a masking algorithm
- Identification Template: Select an identification template from the drop-down list box.
If a sensitive data identification rule is disabled in the sensitive data identification template, the corresponding sensitive information is not displayed.
- Click the switch in the Status column to disable masking for the sensitive data type.
If the Status button is disabled, the identification rule is enabled but masking is not performed after identification.
- Data masking algorithms:
By default, Simulation masking is selected, meaning the amount of information is not lost and the data format is not changed after masking. For details about the sensitive data types supported by simulation masking, refer to Simulation Masking. You can also choose the following masking algorithms from the drop-down list:
Hash: For details, see Hash.
Character masking: For details, see Character Masking.
Keyword replacement: For details, see Keyword Replacement.
Value change: For details, see Value Change.
- Click Next. The Configure Data Masking Period page is displayed.
- Traverse Sub-directories: If you enable this option, the subdirectories in the source directory will be masked.
- Rename File: If you enable this option, the masked files will be renamed.
- File Prefix/File Suffix: The value can contain only letters, digits, underscores (_), and hyphens (-), and cannot exceed 16 characters.
- Example of renaming a file: The original file name is Test.txt, the prefix is DSC_, and the suffix is 1. The renamed file is DSC_Test1.txt.
- Click Next. The Set Target Data page is displayed.
Figure 15 Setting target data
- Bucket Name: Select a bucket from the drop-down list for storing the masked file.
- OBS Storage Path: Click the icon to select an OBS file path.
The path of the target OBS bucket cannot be the same as that of the source OBS bucket or the subdirectory of the source OBS bucket.
- Click Finish. The OBS masking task is created.
- Go to the OBS tab page, locate the target masking task, click Enable/Disable to enable the task, and click Execute in the Operation column.
- After the task is executed, the system starts to perform masking based on the settings.
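The OBS-specific rules above (the File Prefix/File Suffix format, the renaming example, Traverse Sub-directories, and the restriction on the target path) are worked through in the following Python. It is an added example, not DSC code: the function names and sample keys are hypothetical, and it assumes that a different target bucket never conflicts, that subdirectory structure is preserved under the target, and that names are split at the last dot.

```python
import posixpath
import re

# File Prefix/File Suffix rule from the page: letters, digits, '_' and '-',
# at most 16 characters. Allowing an empty value is an assumption.
AFFIX_RE = re.compile(r"[A-Za-z0-9_-]{0,16}")


def renamed(file_name, prefix="", suffix=""):
    """Apply Rename File: Test.txt with prefix DSC_ and suffix 1 -> DSC_Test1.txt."""
    for label, value in (("prefix", prefix), ("suffix", suffix)):
        if not AFFIX_RE.fullmatch(value):
            raise ValueError(f"invalid file {label}: {value!r}")
    stem, ext = posixpath.splitext(file_name)  # split at the last dot (assumption)
    return f"{prefix}{stem}{suffix}{ext}"


def _norm(path):
    """Reduce an OBS path to 'a/b/c' form: no '.', '..', or extra slashes."""
    return posixpath.normpath("/" + path.strip()).strip("/")


def target_conflicts(src_bucket, src_path, dst_bucket, dst_path):
    """True if the target is the source path or one of its subdirectories.

    A target inside the source would place masked output back under the
    path that the task reads from.
    """
    if src_bucket != dst_bucket:
        return False
    src, dst = _norm(src_path), _norm(dst_path)
    # Compare whole path segments: 'logs-masked' is not under 'logs'.
    return src == "" or dst == src or dst.startswith(src + "/")


def plan_outputs(keys, src_path, dst_path, traverse=False, prefix="", suffix=""):
    """Map each source object key to the key the masked copy would get."""
    src, dst = _norm(src_path), _norm(dst_path)
    plan = {}
    for key in keys:
        rel = posixpath.relpath("/" + _norm(key), "/" + src)
        if rel in (".", "..") or rel.startswith("../"):
            continue  # not a file under the source path
        if "/" in rel and not traverse:
            continue  # in a subdirectory while Traverse Sub-directories is off
        folder, name = posixpath.split(rel)
        plan[key] = posixpath.join(dst, folder, renamed(name, prefix, suffix))
    return plan


# Constructed sample object keys.
SAMPLE_KEYS = ["logs/Test.txt", "logs/app/debug.log", "other/skip.txt"]

if __name__ == "__main__":
    print(target_conflicts("bucket-a", "logs", "bucket-a", "logs/masked"))
    print(plan_outputs(SAMPLE_KEYS, "logs/", "masked", True, "DSC_", "1"))
```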