This topic describes how to manage users in Data Management (DMS). You can add users, remove users, and manage user permissions.

Prerequisites

You are a DMS administrator.

Usage notes

  • You can manage DMS administrators as needed. Each tenant in DMS must have at least one DMS administrator. You can assign the DMS administrator role to another Alibaba Cloud account or a RAM user of your Alibaba Cloud account.
    Note
    • After you use your Alibaba Cloud account to activate DMS, the account is automatically assigned the DMS administrator role.
    • If a RAM user has the AdministratorAccess permission to manage all the resources of your Alibaba Cloud account, the RAM user is automatically assigned the DMS administrator role.
    • A tenant is a logical concept in DMS. After you use your Alibaba Cloud account to activate DMS, a DMS tenant is created for your Alibaba Cloud account. For more information, see Tenant information.
  • You can add another Alibaba Cloud account or a RAM user of your Alibaba Cloud account as a DMS user within your tenant account.

Add a user

  1. Log on to the DMS console.
  2. In the top navigation bar, move the pointer over the More icon and choose System > User.
  3. Add a user.
    Add a RAM user of your Alibaba Cloud account.
    1. On the User tab, click Synchronize RAM User.
    2. Select one or more RAM users and click Add Selected Users.
      Note
      • To add a RAM user of your Alibaba Cloud account to DMS in this way, you must log on to the DMS console by using your Alibaba Cloud account or as a RAM user who is granted the ListUser permission to query detailed information about RAM users.
      • By default, RAM users that are added to DMS in this way are assigned the common user role. You can change the user roles as required. For more information, see Edit a user.
    Add another Alibaba Cloud account.
    1. On the User tab, click New in the upper-left corner.
    2. In the Alibaba Cloud Account field, enter the ID of another Alibaba Cloud account.
      Note The owner of an Alibaba Cloud account can view the account ID on the Security Settings page.
    3. Assign a role to the user to be added.
      Note The following user roles are provided:
      • Common user: Common users can only log on to the DMS console. To perform operations, common users must apply for permissions. For more information, see Common user.
      • Database administrator (DBA): DBAs have permissions to query all databases and tables. They can manage instances, tasks, security rules, and configurations. They must submit tickets to apply for permissions before they can submit tickets of other types. For more information, see Database administrator.
      • DMS administrator: DMS administrators have permissions to query all databases and tables. They can manage instances, tasks, security rules, configurations, users, operations logs, and IP addresses in the whitelist. They must submit tickets to apply for permissions before they can submit tickets of other types. For more information, see DMS administrator.
      • Security administrator: Security administrators have permissions to query all databases and tables. They can use the Intelligent Operation, Data Protection, and Data Plans features, and manage permissions, schemas, sensitive data, and operations logs. They must submit tickets to apply for permissions before they can submit tickets of other types. For more information, see Security administrator.
    4. Enter the verification code in the Verification Code field.
      Note If you are adding another Alibaba Cloud account as a DMS user, a verification code is required.
    5. Click OK.

Edit a user

  1. Log on to the DMS console.
  2. In the top navigation bar, move the pointer over the More icon and choose System > User.
  3. Edit a user.
    Modify the information about a user.
    1. Select the user that you want to edit and click Edit User in the upper part of the tab.
    2. Modify the information about the user as required, such as the display name, mobile phone number that is bound to a DingTalk account, email address, role, notification method, maximum number of queries per day, and maximum number of rows to be queried per day.
      Note A user may need to exceed the daily upper limit on the number of queries or on the number of queried rows, for example to verify data after a system is published or to track the status of a system. In this case, you can set a greater upper limit for that user as required.
    3. Click Confirm Change.
    Grant permissions.
    1. Select the user to whom you want to grant permissions, click Authorize user in the upper part of the tab, and then select Authorize instance.
      Note In this example, permissions on a database instance are granted to the user. You can also grant permissions on a database or table to the user. You can also find the user, move the pointer over Authorize in the Actions column, and then select an option to grant permissions to the user, such as permissions on a database, table, column, or row. For more information about permissions, see Permission management.
    2. Set the parameters that are described in the following table and click OK.
      Section | Parameter | Description
      Authorized instance | N/A | The one or more database instances on which permissions are granted to the user.
      Permission Configuration | Permission | The type of permission to be granted to the user. For instances that are not managed in Security Collaboration mode, set this parameter to Instance-Login(Not Common only). For instances that are managed in Security Collaboration mode, set this parameter to Performance view(Security Collaboration only).
      Permission Configuration | Expire Date | The date on which the permission expires.
    Enable or disable a user.
    1. Select the user that you want to enable or disable, and choose Operation user > Enable User or Operation user > Disable User as required in the upper part of the tab.
      Note
      • Enable a user:
        • After you enable a disabled user, the permissions that were granted to the user before the user was disabled automatically become valid again.
        • After you enable a removed user, all permissions and configurations of the user become invalid. You must configure the user and grant permissions to the user again.
      • Disable a user:
        • If you need to disable a user who manages a database instance as a DBA, you must first assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify an instance.
        • After you disable a user, the user is still counted as a DMS user within your tenant account. The permissions of the user are also retained. However, the user cannot log on to the DMS console until the user is enabled again. After the user is enabled, the permissions of the user automatically become valid again.
    2. In the message that appears, click OK.

Enable access control for a user

After you enable metadata access control for a user, the following limits apply to the user:
  • The user can view information about and access only the databases on which the user has permissions. The user can go to the Permissions tab to view the databases on which the user has permissions. For more information, see View owned permissions.
  • The user cannot view the instances and databases on which the user has no permissions. These instances and databases are not displayed in the left-side navigation pane, and cannot be found by using the search box at the top of the left-side navigation pane. In addition, the user cannot apply for permissions on these instances or databases.
  1. Log on to the DMS console.
  2. In the top navigation bar, move the pointer over the More icon and choose System > User.
  3. Find the user for whom you want to enable access control, move the pointer over More in the Actions column, and then select Access control.
    Note To enable access control for multiple users at a time, select the users and click Access control in the upper part of the tab.
  4. In the User access control dialog box, turn on Metadata access control and click OK.

Remove a user

  1. Log on to the DMS console.
  2. In the top navigation bar, move the pointer over the More icon and choose System > User.
  3. Find the user that you want to remove, move the pointer over More in the Actions column, and then select Delete.
    Note
    • Before you remove a user, make sure that the user is not associated with data resources. For example, if you need to remove a user who manages a database instance as a DBA or who is specified as an approver in security rules, you must first assign that role to another user.
    • After you remove a user, the user is no longer counted as a DMS user within your tenant account. All data ownership configurations of the user are deleted, and all permissions of the user are revoked. However, the user information and relevant operations logs are retained and marked as Deleted.
  4. In the message that appears, click OK.

FAQ

  • Q1: Can I assign the DMS administrator or DBA role to a RAM user?

    A: Yes. You can assign the DMS administrator or DBA role to a RAM user. After that, the RAM user can apply for permissions to perform operations as required.

  • Q2: What can I do if suspicious user activities are detected?

    A1: If you detect suspicious activities of a user and you want to retain the permissions of the user, you can disable the user. After that, the user cannot log on to the DMS console. Then, choose System > Operation audit to audit the operations that were performed by the user. If the user did not violate rules, you can enable the user. All the configurations and permissions of the user become valid again. The user can continue to work.

    A2: If you do not want to retain the permissions of a user, remove the user. After you remove the user, the user cannot log on to the DMS console. All permissions of the user are revoked, and all data ownership configurations of the user are deleted.

  • Q3: How can I find a user within my DMS tenant account?

    A: You can search for a user by using a keyword of the display name, email address, or Alibaba Cloud account ID of the user. You can also filter users by status.
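To make the user lifecycle rules in Edit a user and Remove a user concrete (and the disable, audit, then enable or remove workflow from Q2), the following is an added Python model of those rules. It is not DMS code and does not call the DMS API; the class, field and role names are assumptions chosen for the illustration.

```python
from dataclasses import dataclass, field
@dataclass
class DmsUser:                       # field names are assumptions, not the DMS schema
    uid: str
    role: str = "common"             # common | dba | dms_admin | security_admin
    state: str = "enabled"           # enabled | disabled | deleted
    permissions: set[str] = field(default_factory=set)   # e.g. "inst-1:login"
    dba_of: set[str] = field(default_factory=set)        # instances managed as DBA

class Tenant:
    def __init__(self) -> None:
        self.users: dict[str, DmsUser] = {}
        self.operations_log: list[tuple[str, str]] = []  # retained after removal

    def add(self, uid: str, role: str = "common") -> None:
        self.users[uid] = DmsUser(uid, role)
        self.operations_log.append((uid, "add"))

    def set_dba(self, instance: str, uid: str) -> None:
        for u in self.users.values():          # an instance has one DBA at a time
            u.dba_of.discard(instance)
        self.users[uid].dba_of.add(instance)

    def _detach(self, uid: str, new_state: str) -> None:
        # Disable and remove both refuse while the user is still a DBA; the tenant must also keep one DMS administrator.
        u = self.users[uid]
        if u.dba_of:
            raise ValueError(f"{uid} is DBA of {sorted(u.dba_of)}; reassign first")
        if u.role == "dms_admin" and not any(
                x is not u and x.role == "dms_admin" and x.state == "enabled"
                for x in self.users.values()):
            raise ValueError("tenant must keep at least one DMS administrator")
        u.state = new_state
        self.operations_log.append((uid, new_state))

    def disable(self, uid: str) -> None:       # logon blocked, permissions retained
        self._detach(uid, "disabled")

    def remove(self, uid: str) -> None:        # permissions revoked, logs kept as Deleted
        self._detach(uid, "deleted")
        self.users[uid].permissions.clear()

    def enable(self, uid: str) -> None:        # a removed user comes back with no permissions
        self.users[uid].state = "enabled"

    def can_log_on(self, uid: str) -> bool:
        return self.users[uid].state == "enabled"

    def counted_users(self) -> int:            # disabled still count, removed do not
        return sum(u.state != "deleted" for u in self.users.values())
```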