This topic describes how to manage users in Data Management (DMS). You can add users, remove users, and manage user permissions.

Prerequisites

You are a DMS administrator.

Usage notes

  • You can manage DMS administrators as needed. Each tenant in DMS must have at least one DMS administrator. You can assign the DMS administrator role to another Alibaba Cloud account or a RAM user of your Alibaba Cloud account.
    Note
    • After you use your Alibaba Cloud account to activate DMS, the account is automatically assigned the DMS administrator role.
    • If a RAM user is granted the AdministratorAccess permission to manage all the resources of your Alibaba Cloud account, the RAM user is automatically assigned the DMS administrator role. Granting AdministratorAccess to a RAM user for any other reason therefore also makes that RAM user a DMS administrator, so review such grants with this in mind.
    • A tenant is a logical concept in DMS. After you use your Alibaba Cloud account to activate DMS, a DMS tenant is created for your Alibaba Cloud account. For more information, see Manage DMS tenants.
  • You can add another Alibaba Cloud account or a RAM user of your Alibaba Cloud account as a DMS user within your tenant account.

Add a user

  1. Log on to the DMS console V5.0.
    Note To switch to the previous version of the DMS console, click the tenant avatar icon in the lower-right corner of the page. For more information, see Switch to the previous version of the DMS console.
  2. Add a user.
    Add a RAM user of your Alibaba Cloud account.
    1. On the User tab, click Synchronize RAM User.
    2. Select one or more RAM users and click Add Selected Users.
      Note
      • To add RAM users of your Alibaba Cloud account to DMS in this way, you must log on to the DMS console with your Alibaba Cloud account or as a RAM user that has been granted the ListUser permission, which allows the RAM user to query detailed information about RAM users. This permission alone is sufficient for the synchronization; AdministratorAccess is not required.
      • By default, RAM users that are added to DMS in this way are assigned the regular user role. You can change the user roles as required. For more information, see Modify a user.
    Add another Alibaba Cloud account.
    1. On the User tab, click New in the upper-left corner.
    2. In the Alibaba Cloud Account field, enter the ID of another Alibaba Cloud account.
      Note The owner of an Alibaba Cloud account can view the account ID on the Basic Information page.
    3. Assign a role to the user to be added.
      Note The following user roles are provided:
      • Regular user: Regular users can only log on to the DMS console. To perform operations, regular users must apply for permissions. For more information, see Regular user.
      • Database administrator (DBA): DBAs can query all databases and tables and manage database instances, tasks, security rules, and configurations. Before they can submit tickets of other types, they must first apply for the required permissions by submitting a permission application ticket. For more information, see Database administrator.
      • DMS administrator: DMS administrators can query all databases and tables and manage database instances, tasks, security rules, configurations, users, operation logs, and the IP address whitelist. Before they can submit tickets of other types, they must first apply for the required permissions by submitting a permission application ticket. For more information, see DMS administrator.
      • Security administrator: Security administrators can query all databases and tables, perform intelligent O&M operations, implement data protection, and develop data plans. They can also manage permissions, schemas, sensitive data, and operation logs. Before they can submit tickets of other types, they must first apply for the required permissions by submitting a permission application ticket. For more information, see Security administrator.
      • Schema read-only: Schema read-only users can query the metadata of database instances, databases, and tables (for example, view the metadata of a table or export the schema of a database) even though they have no permissions to query, change, or export the data itself. For more information, see System roles.
    4. Enter the verification code in the Verification Code field.
      Note If you are adding another Alibaba Cloud account to DMS, a verification code is required.
    5. Click OK.

Modify a user

  1. Log on to the DMS console V5.0.
    Note To switch to the previous version of the DMS console, click the tenant avatar icon in the lower-right corner of the page. For more information, see Switch to the previous version of the DMS console.
  2. Modify a user.
    Modify the information about a user.
    1. Select the user whose information you want to modify and click Edit User in the upper part of the tab.
    2. Modify the information about the user as required, such as the display name, mobile phone number that is bound to a DingTalk account, email address, role, notification method, maximum number of queries per day, and maximum number of rows to be queried per day.
      Note A user may need to exceed the daily limit on the number of queries or queried rows, for example to query data after a system release or to track the status of a system. In this case, raise the limit for that user as required.
    3. Click Confirm Change.
    Grant permissions.
    1. Select the user to whom you want to grant permissions, click Authorize user in the upper part of the tab, and then select Authorize instance.
      Note In this example, permissions on a database instance are granted to the user. You can also grant permissions on a database or table to the user. You can also find the user, move the pointer over Authorize in the Actions column, and then select an option to grant permissions to the user, such as permissions on a database, table, column, or row. For more information about permissions, see Permission management.
    2. Set the parameters that are described in the following table and click OK.
      Section | Parameter | Description
      Authorized instance | N/A | The one or more database instances on which permissions are granted to the user.
      Permission Configuration | Permission | The type of permission to grant. For database instances that are not managed in Security Collaboration mode, set this parameter to Instances-Login (Not Common only). For database instances that are managed in Security Collaboration mode, set this parameter to Performance view (Security Collaboration only).
      Permission Configuration | Expire Date | The date on which the permission expires. Choose a date that matches how long the access is actually needed.
    Enable or disable a user.
    1. Select the user that you want to enable or disable, and choose Operation user > Enable User or Operation user > Disable User as required in the upper part of the tab.
      Note
      • Enable a user:
        • After you enable a disabled user, the permissions that were granted to the user before the user was disabled automatically become valid again.
        • If you enable a user that was previously removed, the user comes back without any permissions or configurations: everything that was revoked on removal stays revoked, and you must configure the user and grant permissions again.
      • Disable a user:
        • If you need to disable a user who manages a database instance as a DBA, you must first assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify a database instance.
        • After you disable a user, the user is still counted as a DMS user within your tenant account. The permissions of the user are also retained. However, the user cannot log on to the DMS console until the user is enabled again. After the user is enabled, the permissions of the user automatically become valid again.
    2. In the message that appears, click OK.

Enable access control for a user

After you enable metadata access control for a user, the following limits apply to the user:
  • The user can view and access only the databases on which the user has permissions. The user can go to the Accessible Assets tab in the lower part of the Home page to view the databases on which the user has permissions. For more information, see View owned permissions.
  • The user cannot view the database instances and databases on which the user has no permissions. These database instances and databases are not displayed in the left-side navigation pane. The user cannot find these database instances and databases by using the search box in the top navigation bar or by searching for the database in the Select the databases, tables, or columns on which you want to apply for permissions field on the Permission Application Ticket page. In addition, the user cannot apply for permissions on these database instances or databases.
  1. Log on to the DMS console V5.0.
    Note To switch to the previous version of the DMS console, click the tenant avatar icon in the lower-right corner of the page. For more information, see Switch to the previous version of the DMS console.
  2. Find the user for whom you want to enable access control, move the pointer over More in the Actions column, and then select Access control.
    Note To enable access control for multiple users at a time, select the users and click Access control in the upper part of the tab.
  3. In the User access control dialog box, turn on Metadata access control and click OK.

Remove a user

  1. Log on to the DMS console V5.0.
    Note To switch to the previous version of the DMS console, click the tenant avatar icon in the lower-right corner of the page. For more information, see Switch to the previous version of the DMS console.
  2. Find the user that you want to remove, move the pointer over More in the Actions column, and then select Delete.
    Note
    • Before you remove a user, make sure that the user is not associated with data resources. For example, if you need to remove a user who manages a database instance as a DBA or an approver that is specified in security rules, you must first assign the role to another user.
    • After you remove a user, the user is no longer counted as a DMS user within your tenant account. All data ownership configurations of the user are deleted, and all permissions of the user are revoked. However, the user information and relevant operation logs are retained and marked as Deleted.
  3. Click OK.
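The enable, disable, metadata access control and remove rules above interact: a disabled user keeps permissions and still counts toward the tenant, a removed user loses permissions and data ownership but keeps its logs, a DBA or security-rule approver must be reassigned before the user can be disabled or removed, and a tenant must keep at least one DMS administrator. The following Python model is an added example, not DMS code or an Alibaba Cloud API: it encodes those documented rules so a planned batch of changes (for example an offboarding list) can be checked before anything is clicked in the console. The User and Tenant classes, the user and instance names, and the treatment of permissions as a set of database names are all assumptions made for the illustration.

```python
"""Added example (not DMS code): a model of the user-lifecycle rules this page
documents, so a planned batch of changes (for example an offboarding list) can
be checked against them before anything is clicked in the console.
All user, instance and database names are illustrative."""
from dataclasses import dataclass, field

ADMIN, DBA, REGULAR = "DMS administrator", "Database administrator", "Regular user"


@dataclass
class User:
    uid: str
    role: str = REGULAR
    status: str = "enabled"                          # enabled | disabled | deleted
    permissions: set = field(default_factory=set)    # databases the user may access
    owned_assets: set = field(default_factory=set)   # data-ownership configurations
    metadata_access_control: bool = False


@dataclass
class Tenant:
    users: dict                                      # uid -> User
    instance_dba: dict                               # instance -> uid of its DBA
    rule_approvers: set                              # uids named as approvers in security rules
    operation_log: list = field(default_factory=list)

    def _dba_of(self, uid):
        return [inst for inst, owner in self.instance_dba.items() if owner == uid]

    def _other_admins(self, uid):
        return [u.uid for u in self.users.values()
                if u.role == ADMIN and u.status != "deleted" and u.uid != uid]

    def disable(self, uid):
        """Block logon; the user stays counted and keeps their permissions."""
        if self._dba_of(uid):
            raise ValueError(f"{uid} is the DBA of {self._dba_of(uid)}; assign another DBA first")
        self.users[uid].status = "disabled"
        self.operation_log.append(("disable", uid))

    def enable(self, uid):
        user = self.users[uid]
        if user.status == "deleted":
            # A removed user comes back with nothing: permissions and
            # configurations have to be granted again.
            user.permissions.clear()
            user.owned_assets.clear()
        # A disabled user simply gets their retained permissions back.
        user.status = "enabled"
        self.operation_log.append(("enable", uid))

    def remove(self, uid):
        """Revoke everything and stop counting the user toward the tenant."""
        still_held = [f"DBA of {inst}" for inst in self._dba_of(uid)]
        if uid in self.rule_approvers:
            still_held.append("approver in security rules")
        if still_held:
            raise ValueError(f"{uid} is still {still_held}; reassign before removal")
        user = self.users[uid]
        if user.role == ADMIN and not self._other_admins(uid):
            raise ValueError("a tenant must keep at least one DMS administrator")
        user.status = "deleted"
        user.permissions.clear()
        user.owned_assets.clear()
        # The user record and its operation logs are kept, marked Deleted.
        self.operation_log.append(("delete", uid))

    def counted_users(self):
        return sorted(uid for uid, u in self.users.items() if u.status != "deleted")

    def can_log_on(self, uid):
        return self.users[uid].status == "enabled"

    def visible_databases(self, uid, all_databases):
        """With metadata access control on, only permitted databases are listed."""
        user = self.users[uid]
        if not user.metadata_access_control:
            return set(all_databases)
        return {db for db in all_databases if db in user.permissions}


def rejected(action, *args):
    """True if the tenant refuses the action with a ValueError."""
    try:
        action(*args)
    except ValueError:
        return True
    return False


def demo_tenant():
    """Constructed sample tenant used to exercise the rules."""
    users = {
        "admin": User("admin", ADMIN),
        "dba1": User("dba1", DBA, permissions={"prod/orders", "prod/users"}),
        "alice": User("alice", permissions={"prod/orders"}, owned_assets={"prod/orders"},
                      metadata_access_control=True),
        "bob": User("bob", permissions={"dev/sandbox"}),
    }
    return Tenant(users, instance_dba={"prod": "dba1"}, rule_approvers={"bob"})


if __name__ == "__main__":
    t = demo_tenant()
    print("disable DBA without handover rejected:", rejected(t.disable, "dba1"))
    t.instance_dba["prod"] = "admin"           # hand the instance over, then retry
    t.disable("dba1")
    print("dba1 still counted, keeps permissions:", "dba1" in t.counted_users(),
          t.users["dba1"].permissions)
    t.remove("alice")
    print("alice counted?", "alice" in t.counted_users(), "log:", t.operation_log[-1])
```

The model deliberately refuses the same operations the console refuses (disabling an instance's DBA, removing an approver) and clears exactly what the page says removal clears, so the difference between "disable and audit" and "remove" in the FAQ below is visible as a difference in state rather than prose.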

FAQ

  • Q1: Can I assign the DMS administrator or DBA role to a RAM user?

    A: Yes. You can assign the DMS administrator or DBA role to a RAM user. After that, the RAM user can apply for permissions to perform operations as required.

  • Q2: What can I do if suspicious user activities are detected?

    A1: If you detect suspicious activities of a user and you want to retain the permissions of the user, you can disable the user. After that, the user cannot log on to the DMS console. Then, choose Security and Specifications > Operation Audit to audit the operations that were performed by the user. If the user did not violate rules, you can enable the user. All the configurations and permissions of the user become valid again. The user can continue to work.

    A2: If you do not want to retain the permissions of a user, remove the user. After you remove the user, the user cannot log on to the DMS console. All permissions of the user are revoked, and all data ownership configurations of the user are deleted.

  • Q3: How can I find a user within my DMS tenant account?

    A: You can search for a user by using a keyword of the display name, email address, or Alibaba Cloud account ID of the user. You can also filter users by status.