Jobs and job triggers

A job is an action that Cloud Data Loss Prevention runs to either scan content for sensitive data or calculate the risk of re-identification. Cloud DLP creates and runs a job resource whenever you tell it to inspect your data.

There are currently two types of Cloud DLP jobs:

  • Inspection jobs inspect your content for sensitive data according to your criteria and generate summary reports of where and what type of sensitive data exists.
  • Risk analysis jobs analyze de-identified data and return metrics about the likelihood that the data can be re-identified.

You can schedule when Cloud DLP runs jobs by creating job triggers. A job trigger is an event that automates the creation of DLP jobs to scan Google Cloud storage repositories, including Cloud Storage buckets, BigQuery tables, and Datastore kinds.

Job triggers enable you to schedule scan jobs by setting intervals at which each trigger goes off. They can be configured to look for new findings since the last scan run to help monitor changes or additions to content, or to generate up-to-date findings reports. Scheduled triggers run on an interval that you set, from 1 day to 60 days.

Next steps

More information about how to create, edit, and run jobs and job triggers in the following topics:

In addition, the following quickstart is available:

The JobTrigger object

A job trigger is represented in the DLP API by the JobTrigger object.

Job trigger configuration fields

Each JobTrigger contains several configuration fields, including:

  • The trigger's name and display name, and a description.
  • A collection of Trigger objects, each of which contains a Schedule object, which defines the scan recurrence in seconds.
  • An InspectJobConfig object, which contains the configuration information for the triggered job.
  • A Status enumeration, which indicates whether the trigger is currently active.
  • Timestamp fields representing creation, update, and last run times.
  • A collection of Error objects, if any were encountered when the trigger was activated.

Job trigger methods

Each JobTrigger object also includes several built-in methods. Using these methods you can:

Limit scans to only new content

You can configure your job trigger to automatically set the timespan date for files stored in Cloud Storage or BigQuery. When you set the TimespanConfig object to auto-populate, Cloud DLP only scans data that was added or modified since the trigger last ran:

...
  timespan_config {
        enable_auto_population_of_timespan_config: true
      }
...

Trigger jobs at file upload

In addition to the support for job triggers—which is built into Cloud DLP—Google Cloud also has a variety of other components that you can use to integrate or trigger DLP jobs. For example, you can use Cloud Functions to trigger a DLP scan every time a file is uploaded to Cloud Storage.

For information about how to set up this operation, see Automating the classification of data uploaded to Cloud Storage.