This topic describes how to manage users in Data Management (DMS). You can add and remove users, and manage user permissions.

Prerequisites

You are a DMS administrator.

Usage notes

  • You can set DMS administrators as needed. Each tenant in DMS must have at least one DMS administrator. You can assign the DMS administrator role to another Alibaba Cloud account, a RAM user under another Alibaba Cloud account, or a RAM user under your Alibaba Cloud account.
    Note
    • After you use your Alibaba Cloud account to activate DMS, the account is automatically assigned the DMS administrator role.
    • A tenant is a logical concept in DMS. After you use your Alibaba Cloud account to activate DMS, a DMS tenant is created for your Alibaba Cloud account. For more information, see Tenant information.
  • You can add other Alibaba Cloud accounts, RAM users under other Alibaba Cloud accounts, or RAM users under your Alibaba Cloud account as DMS users under your tenant.

Add a user

  1. Log on to the DMS console.
  2. In the top navigation bar, choose System Management > User.
  3. Add a user.
    Manually add a user.
    1. On the User page, click New in the upper-left corner.
    2. In the Add User dialog box, enter the ID of an Alibaba Cloud account or a RAM user in the Alibaba Cloud Account field.
      Note The owner of an Alibaba Cloud account or a RAM user can view the account ID on the Security Settings page, as shown in the following figure.
    3. Select a role for the user to be added.
      Note DMS provides the following user roles:
      • Common user: Common users can only log on to the DMS console. To perform operations, common users must apply for permissions. For more information, see Common user manual.
      • Database administrator (DBA): DBAs have permissions to query all databases and tables. They can manage instances, tasks, security rules, and configurations. They must submit tickets to apply for permissions before they can submit tickets of other types. For more information, see DBA manual.
      • DMS administrator: DMS administrators have permissions to query all databases and tables. They can manage instances, tasks, security rules, configurations, users, operation logs, and IP addresses in the DMS whitelist. They must submit tickets to apply for permissions before they can submit tickets of other types. For more information, see Administrator manual.
      • Security administrator: Security administrators have permissions to query all databases and tables. They can use the Intelligent Operation, Data Protection, and Data Plans features, and manage permissions, schemas, sensitive data, and operation logs. They must submit tickets to apply for permissions before they can submit tickets of other types. For more information, see Security administrator manual.
    4. Click Send verification code. DMS sends a verification code to the mobile phone number that is bound to the account that you entered. Enter the verification code in the Verification Code field.
      Note If you are adding another Alibaba Cloud account or a RAM user under another Alibaba Cloud account as a DMS user, a verification code is required. If you are adding a RAM user under the current Alibaba Cloud account, a verification code is not required.
    5. Click Ok.
    Add RAM users that are under the current Alibaba Cloud account.
    1. On the User page, click Synchronize RAM User at the top.
    2. In the Synchronize RAM User dialog box, select one or more RAM users and click Add Selected Users.
      Note
      • You can add RAM users to DMS in this way only if you are logged on with an Alibaba Cloud account or as a RAM user who is authorized to query detailed information about users in DMS.
      • By default, RAM users are added to DMS as common users. You can change the user roles as required. For more information, see Edit a user.

Edit a user

  1. Log on to the DMS console.
  2. In the top navigation bar, choose System Management > User.
  3. Edit a user.
    Modify the information about a user.
    1. On the User page, select the target user and click Edit User at the top.
    2. In the Edit User dialog box, modify the information about the user as required, such as the display name, mobile phone number that is bound to a DingTalk account, email address, role, notification method, maximum number of queries per day, and maximum number of rows to be queried per day.
      Note After a system is published, or while tracking the status of a system, a user may need to query more rows or run more queries than the daily upper limits allow. In this case, you can increase the corresponding upper limit for the user as required.
    3. Click Confirm Change.
    Grant permissions.
    1. On the User page, select one or more users, click Authorize user at the top, and then select Authorize instance.
      Note In this example, permissions on a database instance are granted to the one or more users. You can also grant permissions on a database or table to the one or more users. Alternatively, you can move the pointer over Authorize in the Actions column of a user to grant permissions to the user, such as permissions on a database, table, column, or row. For more information about permissions, see Permission management.
    2. In the Authorize instance dialog box, set the parameters as described in the following table and click OK.
      Section | Parameter | Description
      Authorized instance | N/A | The one or more database instances whose logon or performance view permission you want to grant to the target user.
      Permission Configuration | Permission | The type of permission to be granted to the target user. For instances whose control mode is not Security Collaboration, set Permission to Instance-Login(Not Common only). For instances whose control mode is Security Collaboration, set Permission to Performance view(Security Collaboration only).
      Permission Configuration | Expire Date | The date on which the permission expires.
    Enable or disable a user.
    1. On the User page, select one or more users, click Operation user at the top, and then select Enable User or Disable User as required.
      Note
      • Enable a user:
        • After you enable a disabled user, the permissions that were granted to the user before the user was disabled automatically become valid again.
        • After you enable a removed user, all permissions and configurations of the user are invalid. You must configure the user and grant permissions to the user again.
      • Disable a user:
        • If you need to disable a user who is the DBA of a database instance, you must first assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify an instance.
        • After you disable a user, the user is still counted as a DMS user under your tenant. The permissions of the user are also retained. However, the user cannot log on to the DMS console until the user is enabled again. After the user is enabled, the permissions of the user automatically become valid again.
    2. In the message that appears, click OK.

Enable access control for a user

After you enable access control for a user, the following limits apply to the user:
  • The user can view information about and access only the databases on which the user has permissions. The user can go to the Permissions page to view the databases on which the user has permissions. For more information, see View owned permissions.
  • The user cannot view the instances and databases on which the user has no permissions. Specifically, these instances and databases are not displayed in the left-side navigation pane, and cannot be found by using the search bar at the top of the left-side navigation pane. In addition, the user cannot apply for permissions on these instances or databases.
  1. Log on to the DMS console.
  2. In the top navigation bar, choose System Management > User.
  3. On the User page, find the target user, move the pointer over More in the Actions column, and then select Access control.
    Note To enable access control for multiple users at a time, select the users and click Access control at the top.
  4. In the User access control dialog box, turn on the Metadata access control switch and click OK.

Remove a user

  1. Log on to the DMS console.
  2. In the top navigation bar, choose System Management > User.
  3. On the User page, find the target user, move the pointer over More in the Actions column, and then select Delete.
    Note
    • Before you remove a user, make sure that the user is not associated with data resources. For example, if you need to remove a user who is the DBA of a database instance or an approver in security rules, you must first assign the corresponding role to another user.
    • After you remove a user, the user is no longer counted as a DMS user under your tenant. All data ownership configurations of the user are deleted, and all permissions of the user are revoked. However, the user information and relevant operation logs are retained and marked as Deleted.
  4. In the message that appears, click OK.

FAQ

  • Q1: Can I assign the DMS administrator or DBA role to a RAM user?
    A: Yes. You can assign the DMS administrator or DBA role to a RAM user. After that, the RAM user can apply for permissions to perform operations as required.
  • Q2: What do I do if I find that the operations of a user are questionable?
    A1: If you find that the operations of a user are questionable and you want to retain the configurations and permissions of the user, you can disable the user. After that, the user cannot log on to the DMS console. Then, you can choose System Management > Operation Logs in the top navigation bar to audit the operations that are performed by the user. If the user did not violate rules, you can enable the user. All the configurations and permissions of the user become valid again. The user can continue to work.
    A2: If you find that the operations of a user are questionable and you do not want to retain the configurations or permissions of the user, you can remove the user. For more information, see Remove a user. After you remove the user, the user cannot log on to the DMS console. All permissions of the user are revoked, and all data ownership configurations of the user are deleted.
  • Q3: How do I find a user under my DMS tenant?
    A: You can search for a user by using a keyword of the display name, email address, or Alibaba Cloud account ID of the user. You can also filter users by status.