Permission management

Last Updated: Jun 28, 2020

In Data Management Service (DMS), you can apply for permissions to query data, or to submit tickets that modify or export data, in a database, table, or column. After the corresponding owner approves your application, you can perform the operation that you applied for.

Permissions

  • Query: the permission to run SQL statements in SQLConsole to query data of the object on which you want to apply for the permission.
  • Export: the permission to submit tickets to export data of the object on which you want to apply for the permission. Note that you cannot export data without approval.
  • Modify: the permission to submit a data change ticket or a database and table synchronization ticket. Note that you cannot change data without approval.

Permissions of each control mode

Columns: Permission type; Description; Control mode (Flexible Management, Stable Change, Secure Collaboration)

Permission to access instances
  Description: You must first obtain the permission to access an instance and then use the preset database account and password to log on to the instance.
  Control mode: X

Permission to view instance performance
  Description: You can apply for the permission to view the performance of instances in the Secure Collaboration control mode.
  Control mode: X X

Database permissions
  Description: Database permissions are divided into three types: query, export, and change permissions. After being granted permissions on a database, you have access to all data in the database except for sensitive fields and row-level control tables.
  • Query permission: You can execute an SQL statement in the SQLConsole to query data.
  • Change permission: You can submit data change and data import tickets.
  • Export permission: You can submit data export tickets.
  Control mode: X X

Table permissions
  Description: Table permissions are divided into three types: query, export, and change permissions. After being granted permissions on a table, you have access to all data in the table except for sensitive fields.
  • Query permission: You can execute an SQL statement in the SQLConsole to query data.
  • Change permission: You can submit data change and data import tickets.
  • Export permission: You can submit data export tickets.
  Control mode: X X

Sensitive field permissions
  Description: Sensitive field permissions are divided into three types: query, export, and change permissions. After being granted permissions on sensitive fields in a table, you have access to all data in the table including sensitive fields. Before applying for permissions on certain sensitive fields, you must have access to the database and table that contain the sensitive fields.
  • Query permission: You can execute an SQL statement in the SQLConsole to query data.
  • Change permission: You can submit data change and data import tickets.
  • Export permission: You can submit data export tickets.
  Control mode: X X

Row permissions
  Description: Row permissions are divided into three types: query, export, and change permissions. You can apply for permissions on certain control values of a row-level control table. You can also apply for permissions on all control values of a row-level control table.
  • Query permission: You can execute an SQL statement in the SQLConsole to query data.
  • Change permission: You can submit data change and data import tickets.
  • Export permission: You can submit data export tickets.
  Control mode: X X

Programmable object permissions
  Description: Programmable object permissions are divided into three types: query, export, and change permissions.
  • Query permission: You can execute an SQL statement in the SQLConsole to query data.
  • Change permission: You can submit data change and data import tickets.
  • Export permission: You can submit data export tickets.
  Control mode: X X

Apply for permissions

  1. Log on to the DMS console.

  2. In the top navigation bar, choose Permission > Apply Permission and select the permission you want to apply for.

    You can also enter a database name or a table name in the top search box and click the Search icon or press Enter to search for a database or table. On the page that appears, click Apply for Permission in the Actions column of the target database or table.

  3. Configure the permission you want to apply for.

    • Permission Category: Select the category of the permission you want to apply for.

    • Select the databases, tables, or columns on which you want to apply for permissions: Enter keywords, set filters, and then click Search to search for databases or tables. The keywords you enter can contain percent signs (%) as wildcards. After the search result appears, select the databases or tables on which you want to apply for permissions and click Add.

      • The default permissions on a database include accessing non-sensitive and non-confidential fields in all tables existing in the database or added to the database in the future.
      • The default permissions on a table include only accessing non-sensitive and non-confidential fields in the table. The permissions remain the same even if the table schema changes.
      • To access sensitive or confidential fields in a table or a database on which you already have permissions, you must further apply for permissions on the target fields.
    • Select Permission: Select the type of the permission you want to apply for, specify the duration for which you want to have the permission, and enter the reason for applying for the permission.

  4. Click Submit. After your application is approved based on the approval processes specified in security rules, you are granted the permission that you applied for.

    You can go to the Workbench homepage to view the statuses of your tickets.
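
The layering described in step 3 (database or table access first, sensitive fields on top, every grant with an end date) can be modelled as a small access check. This is an added illustration, not DMS code: the `Grant` record, `can_access` function and all sample names are hypothetical, row-level control tables are not modelled, and it assumes that a field grant must match the requested action and that a grant is valid through its expiry date.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:              # hypothetical record, not a DMS data structure
    scope: str            # "database", "table" or "field"
    target: str           # "db", "db.table" or "db.table.column"
    action: str           # "query", "export" or "change"
    expires: date         # assumption: valid through this date

def _has(grants, scope, target, action, today):
    return any(g.scope == scope and g.target == target and g.action == action
               and today <= g.expires for g in grants)

def can_access(grants, sensitive, db, table, column, action, today):
    """Decide whether `action` on db.table.column is allowed on `today`."""
    tbl, col = f"{db}.{table}", f"{db}.{table}.{column}"
    # A database grant covers all of its tables, including ones added later;
    # a table grant covers only that table.
    if not (_has(grants, "database", db, action, today)
            or _has(grants, "table", tbl, action, today)):
        return False
    # Sensitive fields need their own grant on top of database/table access.
    if col in sensitive:
        return _has(grants, "field", col, action, today)
    return True

# Constructed sample data.
TODAY = date(2020, 6, 28)
SENSITIVE = {"shop.users.phone"}
GRANTS = [
    Grant("database", "shop", "query", date(2020, 12, 31)),
    Grant("field", "shop.users.phone", "query", date(2020, 6, 1)),   # expired
    Grant("table", "crm.leads", "export", date(2020, 12, 31)),
]

if __name__ == "__main__":
    checks = [("shop", "orders", "total", "query"),   # covered by database grant
              ("shop", "users", "phone", "query"),    # field grant has expired
              ("shop", "users", "name", "export"),    # no export grant on shop
              ("crm", "leads", "email", "export"),    # covered by table grant
              ("crm", "deals", "value", "export")]    # other table, not covered
    for c in checks:
        print(".".join(c[:3]), c[3], can_access(GRANTS, SENSITIVE, *c, TODAY))
```

The expired field grant is the case to watch in a review: the user still holds database access, so only the sensitive column is denied until the permission is applied for again.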

Manage permissions

Manage your permissions

  • Release permissions

    Log on to the DMS console. On the Workbench homepage, click Effective Permissions in the Accessible Databases/Tables section on the right. On the Permissions page that appears, select the object for which you want to release permissions and click Release Permission.

    You can release all permissions or some permissions on the object. For example, you can release only the change permission on the object.

  • Renew permissions

    Log on to the DMS console. On the Workbench homepage, click Expiring Permissions in the Accessible Databases/Tables section on the right. On the Permissions (Expiring) page that appears, check the permissions that are about to expire. If you want to continue using an expiring permission, submit a ticket to apply for the permission.

Manage permissions of other users as an owner

For a table or database that you own, you can check and manage permissions granted to the users of the table or database.

You can view all permission application, release, revocation, and grant operations in operation logs. To view operation logs, choose System Management > Security > Operation Logs in the top navigation bar.

  1. Log on to the DMS console.

  2. On the Workbench homepage, click Logical/Physical Databases or Logical/Physical Tables in the Owned Databases/Tables section.

  3. On the page that appears, find the target database or table and click Permission Management in the Actions column.

    • Revoke permissions

      1. On the Permission Management page, find the target user and click Recycle Permission in the Actions column.
      2. In the dialog box that appears, select the permission to revoke, such as Query, Export, or Change.
      3. Click OK.
    • Grant permissions

      1. Click Grant Permissions on Database or Grant Permissions on Table as needed.

      2. In the dialog box that appears, specify the database or table on which you want to grant permissions, the user to whom you want to grant permissions, the permissions to be granted, and the expiration date.

        You can set the permission to expire on a specified date.

      3. Click OK.

References

In DMS, you can customize different approval processes for databases and tables as required. For example:

  • Define a strict process for approving operations on databases and tables related to the core business and data in the production environment.
  • Define a simple process for approving operations on data related to edge business or in the test environment. You can even allow managing such data without approval.

For more information, see Customize approval processes.