background ：

In the business database, some table data belong to very confidential data , such as , Quotation information 、 Wages . If this batch of data is leaked , It will seriously affect the management of enterprises 、 Production and operation , Usually, it is only allowed to be used by high-level data analysts or data Owner visit , General Data Engineer 、 Average analyst , Do not allow access or only allow desensitization 、 Encrypted or aggregated data . that , How to be in DGC This kind of data is strictly controlled in ？

programme ：

Introduce a good practical scheme , First map

Solutions that ：

1、 stay DWS（ Here to DWS For example ,DLI、MRS Also can reference ） Create a secret in Schema, Strictly control access . Be able to access this Schema Your account and password need to be strictly controlled .

2、DGC Create a separate secret space on , Configure sensitive business database connections in this space 、 Have access to DWS confidential Schema The connection of （ The connection account usually also needs to have a common Schema Access rights of , Facilitate the correlation analysis of confidential data ）. Because in DGC Of workspace Inside , Generally, the developer role can use the data source connection to access data without distinction , And can modify and execute scripts and jobs , therefore , The workspace All members of the must be confidential personnel who can access confidential data .

3、 confidential Schema Table data in , Space developers can customize UDF Encrypt confidential fields , Ensure that the confidential field of the disk is the ciphertext storage , When accessing sensitive fields, use UDF Decrypt . actually , use UDF Encryption is optional , Only do it before removing the data from the data area , such as , Use CDM Migrate the table to the normal data warehouse schema Before , You need to encrypt the data first .

4、DGC If ordinary space developers need to use desensitized or aggregated confidential data , The developer of the confidential space needs to export the desensitization results . Cross space dependency can be established between jobs to coordinate operation .