Data Management (DMS) provides the data security protection feature. After you enable this feature for a database instance, you can provide authorized users with secure access to the database instance. To authorize a user to access a database instance by using proxy endpoints, you must be a DMS administrator, a database administrator (DBA), or the owner of data security protection for the database instance. This topic describes how to authorize a user to access a database instance by using proxy endpoints.

Prerequisites

  • The data security protection feature is enabled for the database instance. For more information about how to enable the feature, see Enable the data security protection feature.
    Note: To enable the data security protection feature for the database instance, you must be a DMS administrator, a DBA, or the owner of the database instance.
  • You are a DMS administrator, a DBA, or the owner of data security protection for the database instance.
    Note: By default, the owner of data security protection for the database instance is the user that enables the data security protection feature for the database instance. You can view the owner of data security protection for the database instance on the Data security protection tab.
  • You are not authorized to access the database instance by using the proxy endpoints generated by the data security protection feature.

Grant permissions to a user

  1. Log on to the DMS console. In the left-side navigation pane, right-click the database instance that you want to manage and select Data security protection.
    Note: You can also go to the Data security protection tab by using the following methods:
    • On the Workbench tab, find the database instance that you want to manage on the Instance List tab of the Resource List section. Move the pointer over More in the Actions column and select Data security protection.
    • In the top navigation bar, move the pointer over the All functions icon and choose System > Instance. On the Instance List tab, find the database instance that you want to manage, move the pointer over More in the Actions column, and then select Data security protection.
  2. On the tab, click Authorize.
    Note: To authorize a user to access the database instance by using proxy endpoints, you must be a DMS administrator, a DBA, or the owner of data security protection for the database instance.
  3. In the Data security protection - Authorize dialog box, select the user to whom you want to grant permissions.
  4. Click OK.
    The user is displayed in the list of authorized users. The authorized user can then access the database instance by using their certification information.
    Note: DMS administrators and DBAs can view all authorized users. Regular users can view only their own certification information.
Note: You can also grant permissions to users by approving the tickets that they submit to apply for data security protection. For more information about how to approve a ticket, see Approve tickets.

What to do next

After the authorization is complete, you can perform the following operations:
  • Enable access from the Internet. To allow local programs or programs that do not reside in the same virtual private cloud (VPC) as the instance to access the instance, click Open to obtain the public proxy endpoints.
  • Edit the database account that is used to log on to the instance. You can click the Edit icon next to Database Account to edit the database account.
  • View the AccessSecret that you are authorized to use to connect to the proxy endpoints generated by the data security protection feature for the database instance. By default, the AccessSecret is redacted. To view the plaintext AccessSecret, click View.
  • Update the AccessSecret that an authorized user uses to connect to the proxy endpoints generated by the data security protection feature for the database instance. After you click Update, a new AccessSecret is generated. After the update, the programs of the authorized user cannot access the database instance by using the previous AccessSecret.
  • Release your permissions. If you do not need to access the database instance by using the proxy endpoints generated by the data security protection feature, click Release to release your permissions.
  • Revoke permissions from an authorized user. If an authorized user does not need to access the database instance by using the proxy endpoints generated by the data security protection feature, click Recycling to revoke permissions from the user.
Note: If you are a regular user that is specified as the owner of data security protection for the database instance, you cannot update AccessSecrets for other authorized users, or revoke permissions from these users.

Related API operations

Operation                  Description
CreateProxyAccess          Authorizes a user to access a database instance by using the proxy endpoints generated by the data security protection feature.
ListProxyAccesses          Queries users that are authorized to access a database instance by using the proxy endpoints generated by the data security protection feature.
InspectProxyAccessSecret   Queries the AccessSecret that an authorized user uses to connect to the proxy endpoints generated by the data security protection feature for a database instance.
ListProxies                Queries proxy endpoints that are generated by the data security protection feature.
GetProxy                   Queries the details of a proxy endpoint that is generated by the data security protection feature.
DeleteProxyAccess          Revokes permissions from an authorized user who no longer accesses a database instance by using the proxy endpoints generated by the data security protection feature.
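
The following is an added example, not part of the DMS documentation or SDK: a periodic review of the authorized-user list (as returned by ListProxyAccesses) that decides which grants to revoke and which AccessSecrets to update, and applies the rule that a regular-user owner cannot do either for other users. The record fields, the role names, the approved-user set, and the 180-day rotation threshold are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed records; field names are assumptions, not the DMS response schema.
SAMPLE_GRANTS = [
    {"user": "alice", "granted": "2024-01-10T08:00:00+00:00"},
    {"user": "bob", "granted": "2023-02-01T08:00:00+00:00"},
    {"user": "contractor-7", "granted": "2024-03-05T08:00:00+00:00"},
]
APPROVED = {"alice", "bob"}              # hypothetical: your own approval records
PRIVILEGED_ROLES = {"dms_admin", "dba"}  # hypothetical labels for DMS administrator / DBA


def review_grants(grants, approved, reviewer, reviewer_role, now, max_age_days=180):
    """Return one finding per grant that needs a revoke or an AccessSecret update."""
    findings = []
    for g in grants:
        age = (now - datetime.fromisoformat(g["granted"])).days
        if g["user"] not in approved:
            action = "revoke"                 # Recycling / DeleteProxyAccess
        elif age > max_age_days:
            action = "update AccessSecret"    # the old secret stops working after Update
        else:
            continue
        # A regular-user owner cannot update secrets for, or revoke, other users.
        allowed = reviewer_role in PRIVILEGED_ROLES or g["user"] == reviewer
        findings.append({
            "user": g["user"],
            "action": action,
            "age_days": age,
            "handled_by": reviewer if allowed else "DMS administrator or DBA",
        })
    return findings


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for f in review_grants(SAMPLE_GRANTS, APPROVED, "alice", "regular_owner", now):
        print(f)
```
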