All Products
Search
Document Center

User management

Last Updated: May 09, 2020
  • DMS Enterprise administrators can grant enterprise staff the permission to manage data in the DMS Enterprise console.

Precautions

  • Only DMS Enterprise administrators can manage users. Other roles cannot access this feature.
    • If you use an Alibaba Cloud account to activate DMS Enterprise, the Alibaba Cloud account is set to be the default DMS Enterprise administrator.
    • If you activate DMS Enterprise as a RAM user, the Alibaba Cloud account of the RAM user is set to be the default DMS Enterprise administrator.
  • You can set DMS Enterprise administrators as required. DMS Enterprise requires that each enterprise has at least one active DMS Enterprise administrator account.
  • You can set any RAM-activated Alibaba Cloud account, RAM user account, or RAM-deactivated Alibaba Cloud account to be the DMS Enterprise administrator.

Manually register a user

Procedure

  1. Enter the UID of an Alibaba Cloud account accurately.

    The account owner provides the Alibaba Cloud UID.

  2. Select a role.

    • Common user

      Common users can only log on to the DMS Enterprise console and are required to apply for permissions to perform other operations.

    • DBA
      • DBAs have permissions to manage instances, tasks, security rules, and configurations.
      • DBAs have permissions to query all databases and tables.
      • DBAs can submit tickets to apply for corresponding permissions so that they can submit tickets of other types.
    • DMS Enterprise administrator
      • DMS Enterprise administrators have permissions to manage instances, tasks, security rules, configurations, users, operation logs, and IP addresses in the DMS whitelist.
      • DMS Enterprise administrators have permissions to query all databases and tables.
      • DMS Enterprise administrators can submit tickets to apply for corresponding permissions so that they can submit tickets of other types.
  3. If you need to disable an account for some reasons, you can click Disable for the target account.

    After you disable an account, the user cannot log on to the DMS Enterprise console by using this account. DMS Enterprise does not revoke permissions or delete configurations under this account so that the user can reuse these resources when the account is enabled. A disabled account is still considered as an active enterprise account in DMS Enterprise.

  4. If you need to delete an account from the enterprise user list and revoke all permissions granted to this account for some reasons, for example, the user resigns, you can click Delete for the target account.

    • Make sure that the account you want to delete does not play the role of data owner. For example, if an account is set to be the DBA for an instance or the approver in instance security rules, you need to specify another account to replace the original account and assume such responsibilities. After that, you can delete the original account.
    • After an account is deleted, the account is no longer a data owner and all permissions for the account are revoked. DMS Enterprise reserves the account information and operation logs, but marks the account with “Deleted”. A deleted account is not considered as an active enterprise account in DMS Enterprise.
  5. You can click Enable for a disabled or deleted account to resume the account in DMS Enterprise.

    • After a disabled account is enabled, the account can be used to log on to the DMS Enterprise console and all permissions granted to the account are valid.
    • After a deleted account is enabled, the account can be used to log on to the DMS Enterprise console, but all permissions granted to the account are invalid. You need to grant permissions to this account again.
  6. You can disable, delete, or enable multiple accounts at a time.

  7. You can set fields in the following table for an existing account.

    Field Setting method Description
    Display Name Manually enter the value as required. This name is displayed in DMS Enterprise so that the account can be distinguished from others and can be modified as required.
    Email DMS automatically sets this field by synchronizing the Alibaba Cloud account information. This value cannot be changed.
    Role Enter a space and select a role from the drop-down list that appears. You can select one or more roles for an account, and can modify them later.
    Maximum Number of Queries for Current Day Set the value as required. Default value: 2000. This value can be changed.
    Maximum Number of Rows Queried for Current Day Set the value as required. Default value: 10000. This value can be changed.

Add RAM user accounts under an Alibaba Cloud account to DMS Enterprise

Procedure

  • Operating accounts
    • Alibaba Cloud accounts
    • Authorized RAM user accounts
  • Procedure
    1. Click Synchronize RAM User Account for the target Alibaba Cloud account that has RAM users.
      • You can only add RAM user accounts under the same Alibaba Cloud account to DMS Enterprise at a time by using the Alibaba Cloud account or as one of the authorized RAM users.
      • DMS Enterprise does not respond when you click Synchronize RAM User Account for an Alibaba Cloud account that has no RAM user.
    2. In the dialog box that appears, select all or some RAM user accounts to be added to DMS Enterprise.

      By default, all RAM users added to DMS Enterprise in this way are normal users. You can change the role as described in the preceding table.

Grant permissions to a RAM user

  • Log on to the RAM console by using the Alibaba Cloud account and create an authorization policy.

  • The following code shows a detailed authorization policy:

  1. {
  2. "Statement": [
  3. {
  4. "Action": [
  5. "ram:ListUsers"
  6. ],
  7. "Effect": "Allow",
  8. "Resource": "*"
  9. }
  10. ],
  11. "Version": "1"
  12. }

FAQ

  • Q: Can a RAM user be configured as the DMS Enterprise administrator or the DBA to manage data?

    • A: A RAM user can take the role of the DMS Enterprise administrator or the DBA. The relevant permissions take effect only in DMS Enterprise. After being added to DMS Enterprise, a RAM user can manage data by applying for corresponding permissions.
  • Q: What can I do if I find an account being questionable?

    • A: If you want to reserve configurations and permissions for the account, you can disable it. The account cannot be used to log on to the DMS Enterprise console. Then, you can choose System Management > Operation Logs to audit the operations performed by the account. If the account did not violate rules, you can enable the account. Configurations and permissions for the account are still valid.
    • If you do not want to reserve configurations and permissions for the account, you can delete it. The account cannot be used to log on to the DMS Enterprise console. Permissions and configurations such as data ownership under the account are cleared.
  • Q: What can I do if an account runs more SQL statement lines than the upper limit for a day, or queries data for more times than the upper limit for a day?

    • A: Find the target account and increase the corresponding upper limit as required.
  • Q: How can I quickly find an account in DMS Enterprise?

    • A: DMS Enterprise allows you to search the account display name, email, and Alibaba Cloud UID by keywords. In addition, you can filter accounts by status.