User management

Last Updated: Jul 22, 2020

This topic describes how to manage users in Data Management Service (DMS). You can add and remove users, and manage user permissions.

Important notes

  • Only DMS administrators can manage users. This feature is invisible to other roles.

    If you use an Alibaba Cloud account to activate DMS, you can use the Alibaba Cloud account to log on as the default DMS administrator.

  • You can set DMS administrators as needed. Each tenant in DMS must have at least one DMS administrator.

  • You can set any user as a DMS administrator, regardless of whether the user is a Resource Access Management (RAM) user or uses an Alibaba Cloud account to log on to DMS.

Add a user

  1. Log on to the DMS console.

  2. In the top navigation bar, choose System Management > User.

  3. Add a user.

    • Manually add a user.

      1. On the User page, click New in the upper-left corner.

      2. In the dialog box that appears, enter an Alibaba Cloud account ID in the Alibaba Cloud Account field.

        The account owner can view the Alibaba Cloud account ID on the Security Settings page.

      3. Select a role for the user to be added.

        Permissions of roles:

        • Common users can only log on to the DMS console and are required to apply for permissions to perform other operations. For more information, see Common user manual.
        • Database administrators (DBAs) have permissions to query all databases and tables, and manage instances, tasks, security rules, and configurations. DBAs can submit tickets to apply for corresponding permissions so that they can submit tickets of other types. For more information, see DBA manual.
        • DMS administrators have permissions to query all databases and tables, and manage instances, tasks, security rules, configurations, users, operations logs, and IP addresses in the DMS whitelist. DMS administrators can submit tickets to apply for corresponding permissions so that they can submit tickets of other types. For more information, see Administrator manual.
        • Security administrators have permissions to query all databases and tables, use the Intelligent Operation and Data Protection features, and manage operations logs, sensitive data, permissions, schemes, and data plans. Security administrators can submit tickets to apply for corresponding permissions so that they can submit tickets of other types. For more information, see Security administrator manual.
      4. Click OK.

    • Add RAM users under an Alibaba Cloud account to DMS.

      1. On the User page, click Synchronize RAM User at the top.
      2. In the dialog box that appears, select one or more RAM users as required and click Add Selected Users.

        Note:

        • You can add RAM users to DMS in this way only when you are logged on with an Alibaba Cloud account or as a RAM user who is authorized to query detailed information about users in DMS.
        • By default, RAM users are added to DMS as common users. You can change the user roles as required. For more information, see Edit a user.

Edit a user

  1. Log on to the DMS console.

  2. In the top navigation bar, choose System Management > User.

  3. Edit a user.

    • Modify the information about a user.

      1. On the User page, select the target user and click Edit User at the top.

      2. In the dialog box that appears, modify the information about the user as required, such as Display Name, Role, Maximum query times of the day, and Maximum query rows of the day.

        To query data after a system is published or track the status of a system, a user may execute more SQL statements than the upper limit for a day, or query data more times than the upper limit for a day. In this case, you can increase the corresponding upper limit for the user as required.

      3. Click Confirm Change.

    • Grant permissions.

      1. On the User page, select one or more users, click Authorized user at the top, and then select Authorization instance.

        This topic takes Authorization instance as an example. You can also select another option as required, such as Authorization database or Authorization table.
        Alternatively, you can find a user and click Authorization in the Actions column to grant permissions to the user, such as the permissions on a database, table, column, or row. For more information about permissions, see Permission management.

      2. In the dialog box that appears, set the parameters as described in the following table and click OK.

        Section | Parameter | Description
        Authorized instance | None | Select one or more database instances whose permissions you want to grant to the target user.
        Permission Configuration | Permission | For instances whose control mode is not Secure Collaboration, only the Instance-Login option is available. For instances whose control mode is Secure Collaboration, only the Performance view option is available.
        Permission Configuration | Expire Date | Select the date when the permission expires.

    • Enable or disable a user.

      1. On the User page, select one or more users, click Operation user at the top, and then select Enable User or Disable User as required.

        • Enable a user:
          • After a disabled user is enabled, all permissions and configurations of the user are valid.
          • After a removed user is enabled, all permissions and configurations of the user are invalid. You must configure the user and grant permissions to the user again.
        • Disable a user:
          • You cannot disable a user who takes the DBA role of a database instance unless you assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify an instance.
          • After a user is disabled, the user cannot log on to the DMS console. DMS does not revoke permissions or delete configurations of the user. After the disabled user is enabled, the user can still use these resources. A disabled user is still considered as an active user in DMS for your enterprise.
      2. In the message that appears, click OK.

Remove a user

  1. Log on to the DMS console.

  2. In the top navigation bar, choose System Management > User.

  3. On the User page, find the target user and click Delete in the Actions column.

    • Make sure that the user you want to remove is not a data owner. For example, if the user is the DBA of a database instance or an approver in security rules, you must first specify another user to take over those responsibilities. After that, you can remove the original user.
    • After a user is removed, the user is no longer a data owner and all permissions for the user are revoked. DMS retains the user information and operations logs, but marks the user with Deleted. A removed user is not considered as an active user in DMS for your enterprise.

  4. In the message that appears, click OK.
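
The following is an added example, not part of the DMS documentation or DMS code. It models the disable and remove rules described above as an offboarding pre-check over a user inventory, and lists disabled users who still hold permissions. The record fields, sample users, instance and rule names are constructed for illustration, and the "last enabled administrator" check is this example's reading of the rule that each tenant must have at least one DMS administrator.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    role: str                      # "common", "dba", "admin" or "security_admin"
    status: str = "enabled"        # "enabled", "disabled" or "deleted"
    dba_of: list = field(default_factory=list)       # instances this user is DBA of
    approver_in: list = field(default_factory=list)  # security rules naming this user
    grants: list = field(default_factory=list)       # permissions still held

def blockers(user, users, action):
    """Reasons why `action` ("disable" or "remove") should not proceed yet."""
    reasons = []
    if user.dba_of:  # a DBA of an instance can be neither disabled nor removed
        reasons.append("reassign DBA of " + ", ".join(user.dba_of))
    if action == "remove" and user.approver_in:
        reasons.append("replace approver in " + ", ".join(user.approver_in))
    # Assumption of this example: keep at least one *enabled* administrator.
    if user.role == "admin" and not any(
        u.role == "admin" and u.status == "enabled" and u is not user for u in users
    ):
        reasons.append("no other enabled DMS administrator would remain")
    return reasons

def dormant_access(users):
    """Disabled users keep their permissions, so list them for periodic review."""
    return [u.name for u in users if u.status == "disabled" and u.grants]

# Constructed inventory for illustration only (not a DMS export format).
SAMPLE = [
    User("alice", "admin"),
    User("bob", "dba", dba_of=["rds-prod-01"], approver_in=["prod-change-rule"]),
    User("carol", "common", approver_in=["prod-change-rule"]),
    User("dave", "common", status="disabled", grants=["rds-prod-01:Instance-Login"]),
]

if __name__ == "__main__":
    for u in SAMPLE:
        for action in ("disable", "remove"):
            print(u.name, action, blockers(u, SAMPLE, action) or "ok")
    print("disabled users still holding permissions:", dormant_access(SAMPLE))
```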

FAQ

  • Q1: Can a RAM user be configured as a DMS administrator or a DBA?
    A1: Yes, a RAM user who is added to DMS can take the DMS administrator or DBA role and manage data by applying for corresponding permissions.
  • Q2: What can I do if I find a user questionable?
    A1: If you want to retain configurations and permissions for the user, you can disable the user. The user cannot log on to the DMS console. Then, you can choose System Management > Security > Operation Logs to audit the operations that are performed by the user. If the user did not violate rules, you can enable the user. Configurations and permissions for the user are still valid.
    A2: If you do not want to retain configurations and permissions for the user, you can remove the user. The user cannot log on to the DMS console. Permissions and configurations such as data ownership of the user are cleared.
  • Q3: How can I find a user in DMS?
    A1: DMS allows you to enter a keyword to search for users whose display name, email, or Alibaba Cloud account ID contains the keyword. In addition, you can filter users by status.