Data Management (DMS) provides the access control feature. With this feature, only users who have permissions on a database or an instance can view information about and access that database or instance. Before you enable access control for a common user, that user can view all the databases and instances of your Alibaba Cloud account. After you enable access control for the user, the user must be granted permissions on a database or an instance before the user can view information about or access it. This protects enterprise data.

Background information

As a centralized data management service, DMS provides different roles that are assigned different permissions. This helps you manage data in your enterprise in a secure manner. After you enable metadata access control for an instance or a database, only users who have permissions on the instance or database can view information about and access the instance or database. This way, users can view information about and access only databases on which they have permissions. This further enhances data security.
Note: In DMS, permissions on a database include the query, export, and change permissions. If you have one of these permissions on a database, you can view the following information about the database:
  • Information about the database. The database name will be displayed in the left-side navigation pane of the DMS console. You can search for the database in the search box at the top of the left-side navigation pane. You can also apply for other permissions on the database. Whether you can query data in the database depends on whether you have the query permission on the database.
  • Information about the instance to which the database belongs. Whether you can view information about another database in this instance depends on whether you have permissions on the database.
You can enable metadata access control for the following objects:
  • A user: The user can view information about and access only databases on which the user has permissions.
  • A database: Only users who have permissions on the database can view information about and access the database.
  • An instance: Only users who have the access permission on the instance can view information about and access the instance. If a user has permissions on a database in this instance, the user can view information about and access the database.

Prerequisites

Query permissions on the poc_dev instance are granted to a common user. All permissions on the poc_prod instance are revoked from the common user.

Procedure

This example demonstrates how to enable access control for a common user.

  1. Search for instances by using the poc keyword as a common user before access control is enabled for the common user.
    1. Log on to the DMS console as a common user.
    2. In the search box of the left-side navigation pane, enter poc and click the Search icon.

      The matched result contains the poc_dev instance on which the common user has query permissions and the poc_prod instance on which the common user has no permissions.

      (Figure: search result for the poc keyword before access control is enabled)
  2. Enable access control for the common user as a DMS administrator.
    1. Log on to the DMS console as a DMS administrator.
    2. In the top navigation bar, choose System > User.
    3. Find the user that you want, move the pointer over More in the Actions column, and then select Access control.
    4. In the User access control dialog box, turn on Metadata access control and click OK.
  3. Search for instances by using the poc keyword as the common user.
    1. Log on to the DMS console as the common user.
    2. In the search box of the left-side navigation pane, enter poc and click the Search icon.

      In this case, access control is enabled for the common user. Therefore, the matched result shows only the poc_dev instance on which the common user has query permissions.

      (Figure: search result for the poc keyword after access control is enabled)
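The visibility rules from the Background information section and the search results of the procedure above, written out as an added Python model that is not DMS code: permissions are kept in a plain dictionary, and it assumes that any grant on an instance counts as the instance access permission.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

DB_PERMISSIONS = {"query", "export", "change"}   # the database permissions listed in the Note


@dataclass
class Instance:
    name: str
    databases: List[str] = field(default_factory=list)


@dataclass
class User:
    name: str
    metadata_access_control: bool = False
    # Grants keyed by object, e.g. {"instance:poc_dev": {"query"}, "db:poc_dev/app": {"query"}}.
    # Assumption (not from the page): any grant on an instance counts as instance access.
    grants: Dict[str, Set[str]] = field(default_factory=dict)

    def has_db_permission(self, instance: str, db: str) -> bool:
        return bool(self.grants.get(f"db:{instance}/{db}", set()) & DB_PERMISSIONS)

    def has_instance_permission(self, instance: str) -> bool:
        return bool(self.grants.get(f"instance:{instance}"))


def visible_instances(user: User, instances: List[Instance]) -> List[str]:
    """Instances shown in the left-side navigation pane for this user."""
    if not user.metadata_access_control:
        return [i.name for i in instances]        # control off: every instance in the account
    return [i.name for i in instances             # control on: instance grant or any database grant
            if user.has_instance_permission(i.name)
            or any(user.has_db_permission(i.name, db) for db in i.databases)]


def visible_databases(user: User, instance: Instance) -> List[str]:
    """Databases of one instance the user can see; with control on, only those with a grant."""
    if not user.metadata_access_control:
        return list(instance.databases)
    return [db for db in instance.databases if user.has_db_permission(instance.name, db)]


def search_instances(user: User, instances: List[Instance], keyword: str) -> List[str]:
    """The console search box: keyword filter over the instances the user may see."""
    return [name for name in visible_instances(user, instances) if keyword in name]


# Constructed scenario mirroring the prerequisites: query on poc_dev, nothing on poc_prod.
INSTANCES = [Instance("poc_dev", ["app", "report"]), Instance("poc_prod", ["app"])]


def common_user(control_enabled: bool) -> User:
    return User("common", control_enabled, {"instance:poc_dev": {"query"}})
```

Before access control is enabled, `search_instances(common_user(False), INSTANCES, "poc")` returns both instances; after it is enabled, only `poc_dev` remains.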