Jobs and job triggers

A job is an action that Cloud Data Loss Prevention (DLP) runs to either scan content for sensitive data or calculate the risk of re-identification. Cloud DLP creates and runs a job resource whenever you tell it to inspect your data.

There are currently two types of Cloud DLP jobs:

  • Inspection jobs inspect your content for sensitive data according to your criteria and generate summary reports of where and what type of sensitive data exists.
  • Risk analysis jobs analyze de-identified data and return metrics about the likelihood that the data can be re-identified.

You can schedule when Cloud DLP runs jobs by creating job triggers. A job trigger is an event that automates the creation of DLP jobs to scan Google Cloud Platform storage repositories, including Cloud Storage buckets, BigQuery tables, and Cloud Datastore kinds.

Job triggers enable you to schedule scan jobs by setting intervals at which each trigger goes off. They can be configured to look for new findings since the last scan run to help monitor changes or additions to content, or to generate up-to-date findings reports. Scheduled triggers run on an interval that you set, from 1 day to 60 days.

Next steps

More information about how to create, edit, and run jobs and job triggers in the following topics:

In addition, the following quickstart is available:

The JobTrigger object

A job trigger is represented in the DLP API by the JobTrigger object.

Job trigger configuration fields

Each JobTrigger contains several configuration fields, including:

  • The trigger's name and display name, and a description.
  • A collection of Trigger objects, each of which contains a Schedule object, which defines the scan recurrence in seconds.
  • An InspectJobConfig object, which contains the configuration information for the triggered job.
  • A Status enumeration, which indicates whether the trigger is currently active.
  • Timestamp fields representing creation, update, and last run times.
  • A collection of Error objects, if any were encountered when the trigger was activated.

Job trigger methods

Each JobTrigger object also includes several built-in methods. Using these methods you can:

Using Job triggers

This section describes how to use job triggers to only scan new content, and how to trigger jobs every time a file is uploaded to Cloud Storage using Cloud Functions.

Limit scans to only new content

You can also set an option to automatically set the timespan date for files stored in either Cloud Storage or BigQuery. Once you've set the TimespanConfig object to auto-populate, Cloud DLP will only scan data that has been added or modified since the last trigger ran:

...
  timespan_config {
        enable_auto_population_of_timespan_config: true
      }
...

Trigger jobs at file upload

In addition to the support for job triggers that is built into Cloud DLP, the GCP also has a variety of other components that can be used to integrate or trigger DLP jobs. For example, you can use Cloud Functions to trigger a DLP scan every time a file is uploaded to Cloud Storage.

For step-by-step instructions about how to do this, see Automating the Classification of Data Uploaded to Cloud Storage.

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Data Loss Prevention