Data Management (DMS) provides the data security protection feature to secure program access to databases. This feature allows you to manage data security, enable access control, de-identify data, and audit operations for the databases of your enterprise in a more comprehensive manner. The data security protection feature generates proxy endpoints for an instance. Programs can then use the proxy endpoints to access databases in the instance in a secure manner over the MySQL or HTTPS protocol. To enable the data security protection feature for an instance, you must be a DMS administrator, a database administrator (DBA), or the owner of the instance. This topic describes how to enable the data security protection feature for an instance.

Prerequisites

  • The instance uses MySQL as the database engine. For example, the instance contains ApsaraDB RDS for MySQL databases, self-managed MySQL databases, or MySQL databases in a third-party cloud.
    Note: To view the database engine that an instance uses, move the pointer over the instance name in the left-side navigation pane of the DMS console.
  • The instance resides in the China (Hangzhou) region.
    Note: To view the region where an instance resides, move the pointer over the instance name in the left-side navigation pane of the DMS console.
  • You are a DMS administrator, a DBA, or the owner of the instance.

Background information

DMS has been devoted to ensuring secure access to databases in the DMS console. The data security protection feature of DMS is developed to deliver the same security protection capabilities for program-based access to databases as those DMS delivers for console-based access to databases. This feature reuses multiple DMS features, such as security rules, data permissions, and sensitive fields. You can use this feature to manage data security, enable access control, de-identify data, and audit operations for the databases of your enterprise in a more comprehensive manner. The data security protection feature generates proxy endpoints for an instance. Then, programs can use the proxy endpoints to access databases in the instance in a secure manner over the MySQL or HTTPS protocol.

Enable the data security protection feature

  1. Log on to the DMS console as a DMS administrator, a DBA, or the owner of the instance.
  2. In the left-side navigation pane, right-click the instance that you want to manage and select Data security protection.
    Note: You can also go to the Data security protection tab by using the following methods:
    • On the Workbench tab, find the instance that you want to manage on the Instance List tab of the Resource List section. Move the pointer over More in the Actions column and select Data security protection.
    • In the top navigation bar, move the pointer over the All functions icon and choose System > Instance. On the Instance List tab, find the instance that you want to manage, move the pointer over More in the Actions column, and then select Data security protection.
  3. On the Data security protection tab, click Enable data security protection.
  4. In the Enable data security protection dialog box, enter the database account and password.
    The data security protection feature is enabled for the instance.

Related operations

Assume that you have enabled the data security protection feature for an instance. You can perform the following operations as a DMS administrator, a DBA, the owner of the instance, or the owner of data security protection for the instance:
  • Enable access from the Internet. To allow on-premises programs or programs that do not reside in the same virtual private cloud (VPC) as the instance to access the instance, click Open to obtain the public proxy endpoints.
  • Change the owner of data security protection for the instance. The owner of data security protection for the instance can grant and revoke permissions on databases, edit database accounts, enable or disable access from the Internet, and disable data security protection for the instance. You can click the Edit icon next to Owner to change the owner of data security protection for the instance.
  • Edit the database account that is used to log on to the instance. You can click the Edit icon next to Database account to edit the database account.

What to do next

A user must be authorized to use the data security protection feature to access an instance. For more information, see Authorize a user to access an instance by using proxy endpoints.