Data Management (DMS) provides features for fine-grained management of data security in an all-around way. You can manage permissions on resources such as database instances, databases, tables, rows, and sensitive columns. This topic shows you how to manage permissions by using different roles.

Permission management methods for different roles

  • Regular users:

    DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions or data permissions on a specific resource. For more information, see the Apply for permissions by submitting a ticket section of this topic.

  • DMS administrators and database administrators (DBAs):
    • DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases. For more information, see the Manage permissions as a DMS administrator or DBA section of this topic.
  • DMS administrators:
    • DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or sensitive column. For more information, see the Manage permissions as a DMS administrator section of this topic.
    • DMS administrators can enable access control for a user. For more information, see Enable access control for a user.
Note
  • For more information about how to view the role of a user, see View owned system roles.
  • DMS records all permission change operations except metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, choose Security and Specifications > Operation Audit in the top navigation bar. Then, click the Operation Logs tab.

Apply for permissions by submitting a ticket

DMS users except those for whom access control is enabled can submit a ticket to apply for the permissions on a specific resource.
Note For more information about how to add a DMS user, see Manage users.
  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, click Permission.
    Note If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose Permission > Database-Permission.
  3. On the Access applyTickets page, click Access apply and select a permission category from the drop-down list.
  4. On the Access applyTickets page, set the parameters as required.
    The following parameters are available. For each parameter, the permission categories that support it are listed first, followed by a description.
    Parameter: Select the databases, tables, or columns on which you want to apply for permissions
      Supported permission categories:
      • Database-Permission and Table-Permission
      • Sensitive Column-Permission and Row-Permission
      • Programmable Object
      • Database-OWNER and Table-OWNER
      Description:
      • Enter a database name in the search box to search for a database. Fuzzy search by using a percent sign (%) is supported. Example: dms%test.
      • Click Search or press the Enter key.
      • In the search results, select the database on which you want to apply for the permissions.
      • Click the ADD icon to add the selected database to the Selected Databases/Tables/Columns section on the right.
      Note The database instance to which the selected database belongs must be managed in Security Collaboration mode.
    Parameter: Select the instance to apply
      Supported permission categories:
      • Instances-Login
      • Instances-Performance
      • Instances-OWNER
      Description:
      • Enter the endpoint or name of a database instance in the search box to search for a database instance.
      • Click Search or press the Enter key.
      • In the search results, select the database instance on which you want to apply for the permissions.
      • Click the ADD icon to add the selected database instance to the Confirm selected instance section on the right.
      Note
      • Before you apply for the logon permissions on a database instance, make sure that the database instance is managed in Flexible Management or Stable Change mode.
      • Before you apply for the permissions to view the performance of a database instance or apply to be the owner of a database instance, make sure that the database instance is managed in Security Collaboration mode.
    Parameter: Permission
      Supported permission categories:
      • Instances-Login
      • Database-Permission and Table-Permission
      • Sensitive Column-Permission and Row-Permission
      • Programmable Object
      • Instances-Performance
      Description: The following permission types are supported: logon, query, export, change, and performance viewing. For more information, see the Permission types section of this topic.
    Parameter: Data Masking Method
      Supported permission category: Sensitive Column-Permission
      Description: Select a data masking method. Valid values:
      • Semi-sensitization
        • If a data masking algorithm is configured for a column, the values of the column are displayed after they are processed by the data masking algorithm.
        • If no data masking algorithm is configured for a column, the values of the column are encrypted.
      • Plain Text: The values of the columns are displayed in plaintext.
    Parameter: Duration
      Supported permission categories:
      • Instances-Login
      • Database-Permission and Table-Permission
      • Sensitive Column-Permission and Row-Permission
      • Programmable Object
      • Instances-Performance
      Description: Specify the validity period of the permissions for which you want to apply.
    Parameter: Reason
      Supported permission categories: All permission categories
      Description: Specify the reason why you want to apply for the permissions.
  5. Click Submit.
    After the ticket is approved, the system automatically grants you the applied permissions.
  6. Optional: View and release operation permissions.
    1. In the top navigation bar, choose Security and Specifications > Permission Center > Permissions.
    2. On the Ordinary Permissions tab, select a permission category from the first drop-down list on the left.
      In the permission list, you can view the permissions that you have.
      Note
      • The permissions on a database instance include the permissions to log on to the database instance and permissions to view the performance of the database instance.
      • You cannot query or release the permissions on a programmable object.
    3. Release the permissions that you no longer need.
      1. In the permission list, select the permissions that you want to release and click Release Permission.
      2. In the Permission Operation dialog box, select one or more types of permissions that you want to release and click OK.
  7. Optional: View and manage data permissions.
    The owner of a resource can view and manage the permissions on the resource, and evaluate whether the permissions are properly granted.
    1. In the top navigation bar, choose Security and Specifications > Permission Center > Permissions.
    2. Click the My Resources tab.
    3. Select Owner's instance, My Databases, or My Tables from the first drop-down list on the left.
      In the resource list, view the resources on which you have permissions.
    4. Manage data permissions.
      In the Actions column of a resource, you can perform the following operations on the resource: manage permissions, change owners, view tables, and configure logical databases.

Manage permissions as a DMS administrator or DBA

DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases.
  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Data Assets. In the left-side navigation pane, click Instances.
  3. Manage the permissions on a database instance.
    1. On the Instance List tab, find the database instance that you want to manage, move the pointer over More in the Actions column, and then select Management authority.
    2. View and revoke the permissions of a user, and grant a user the permissions on the database instance.
      • To view the permissions of a user, find the user and click View Details in the Actions column.
      • To revoke the permissions of a user, find the user and click Recycle Permission in the Actions column.
      • To grant a user the permissions to log on to the database instance or view the performance of the database instance, click Authorize User in the upper part.
  4. Manage database permissions.
    1. On the Database List tab, find the database that you want to manage, move the pointer over More in the Actions column, and then select Permission Management.
    2. View and revoke the permissions of a user, and grant a user the permissions on a database or table.
      • To view the permissions of a user, specify the permission category, find the user, and then click View Details in the Actions column.
      • To revoke the permissions of a user, specify the permission category, find the user, and then click Recycle Permission in the Actions column.
      • To grant a user the permissions on a database or table, click Grant Permissions on Database or Grant Permissions on Table in the upper part.

Manage permissions as a DMS administrator

DMS administrators can use the user management feature to grant permissions to or revoke permissions from a user. Specifically, DMS administrators can grant and revoke the following types of permissions: permissions to log on to a database instance, permissions to view the performance of a database instance, database permissions, table permissions, row permissions, and sensitive column permissions.
  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click O&M. In the left-side navigation pane, click User.
    Note If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > User.
  3. Grant permissions to a user.
    1. Find the user to whom you want to grant permissions, move the pointer over Authorize in the Actions column, and then select a permission category from the drop-down list.
    2. In the dialog box that appears, set the parameters and click OK.
  4. Revoke the permissions of a user.
    1. Find the user whose permissions you want to revoke, move the pointer over More in the Actions column, and then select Permission Details.
    2. On the Ordinary Permissions tab of the User Permissions dialog box, select a permission category from the first drop-down list.
    3. Select the permissions that you want to revoke and click Release Permission.
    4. In the Permission Operation dialog box, select one or more types of permissions that you want to revoke and click OK.

Permission types

The following permission types are available:
  • Logon permissions: After you obtain the logon permissions on a database instance that is managed in Flexible Management or Stable Change mode, you can use the corresponding database account and password to log on to the database instance.
  • Permissions to view performance: After you obtain the permissions to view the performance of a database instance that is managed in Security Collaboration mode, you can view the performance of the database instance. For more information, see View the performance details of a database instance.
  • Query permissions: After you obtain the query permissions on a database instance that is managed in Security Collaboration mode, you can execute SQL statements on the SQLConsole tab to query the data of the database instance.
  • Change permissions: After you obtain the change permissions on a database instance that is managed in Security Collaboration mode, you can:
    • Execute SQL statements on the SQLConsole tab to change the data of the database instance. Statement execution is also subject to the configurations that DMS administrators have set.
    • Submit tickets to change data or synchronize databases and tables in the database instance. You cannot change data without approval.
  • Export permissions: After you obtain the export permissions on a database instance that is managed in Security Collaboration mode, you can submit tickets to export data from the database instance. You cannot export data without approval.
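The rules this topic describes, taken together, are: a permission type is only meaningful on an instance in a management mode that supports it (logon on Flexible Management or Stable Change, the rest on Security Collaboration), a granted permission carries a validity period chosen in the ticket, and every grant and release is recorded in the operation logs. The following Python model is an added example, not DMS code; the instance names, user names, and the PermissionStore API are constructed for illustration, and only the mode-to-permission pairings come from the page. It shows how an expiry is enforced at the moment of use rather than at grant time and why refusing an unsupported permission type up front keeps the audit trail clean.

```python
# Constructed illustration of the permission rules described on this page.
# Not DMS code: instance names, users and the PermissionStore API are invented
# for the example; only the mode/permission pairings are taken from the page.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Mode(Enum):
    """Management modes a DMS database instance can be in."""
    FLEXIBLE_MANAGEMENT = "Flexible Management"
    STABLE_CHANGE = "Stable Change"
    SECURITY_COLLABORATION = "Security Collaboration"


class Perm(Enum):
    """Permission types listed in the Permission types section."""
    LOGON = "logon"
    PERFORMANCE = "performance viewing"
    QUERY = "query"
    EXPORT = "export"
    CHANGE = "change"


# Which management modes each permission type applies to, per the page:
# logon needs Flexible Management or Stable Change, all others need
# Security Collaboration.
ALLOWED_MODES = {
    Perm.LOGON: {Mode.FLEXIBLE_MANAGEMENT, Mode.STABLE_CHANGE},
    Perm.PERFORMANCE: {Mode.SECURITY_COLLABORATION},
    Perm.QUERY: {Mode.SECURITY_COLLABORATION},
    Perm.EXPORT: {Mode.SECURITY_COLLABORATION},
    Perm.CHANGE: {Mode.SECURITY_COLLABORATION},
}

# Constructed reference time and unit used by the demo below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)


@dataclass(frozen=True)
class Grant:
    user: str
    instance: str
    perm: Perm
    expires_at: datetime  # end of the validity period chosen in the ticket


@dataclass
class PermissionStore:
    """In-memory stand-in for the permission records and the operation log."""
    instance_modes: dict                      # instance name -> Mode
    grants: list = field(default_factory=list)
    operation_log: list = field(default_factory=list)

    def is_available(self, instance, perm):
        """True if the instance's management mode supports this permission type."""
        return self.instance_modes[instance] in ALLOWED_MODES[perm]

    def grant(self, actor, user, instance, perm, duration, now):
        """Grant `perm` to `user` on `instance` for `duration`, starting at `now`.

        An unsupported permission type is refused before anything is stored,
        so a misfiled ticket never produces a dangling grant or a log entry.
        """
        if not self.is_available(instance, perm):
            mode = self.instance_modes[instance].value
            raise ValueError(f"{perm.value} is not available on {instance} ({mode} mode)")
        g = Grant(user, instance, perm, now + duration)
        self.grants.append(g)
        self.operation_log.append((now, actor, "grant", user, instance, perm.value))
        return g

    def release(self, actor, user, instance, perm, now):
        """Release (revoke) a permission; returns how many grants were removed."""
        keep = [g for g in self.grants
                if not (g.user == user and g.instance == instance and g.perm == perm)]
        removed = len(self.grants) - len(keep)
        self.grants = keep
        if removed:  # only real changes are logged, mirroring the operation-log rule
            self.operation_log.append((now, actor, "release", user, instance, perm.value))
        return removed

    def has_permission(self, user, instance, perm, now):
        """True only while an unexpired grant exists; expiry is checked at use time."""
        return any(g.user == user and g.instance == instance and g.perm == perm
                   and now < g.expires_at for g in self.grants)


def build_demo_store():
    """Two constructed instances in different management modes."""
    return PermissionStore(instance_modes={
        "orders-prod": Mode.SECURITY_COLLABORATION,
        "sandbox-dev": Mode.FLEXIBLE_MANAGEMENT,
    })


if __name__ == "__main__":
    store = build_demo_store()
    store.grant("dba", "alice", "orders-prod", Perm.QUERY, 7 * DAY, T0)
    print(store.has_permission("alice", "orders-prod", Perm.QUERY, T0 + 1 * DAY))  # True
    print(store.has_permission("alice", "orders-prod", Perm.QUERY, T0 + 8 * DAY))  # False
    for entry in store.operation_log:
        print(entry)
```

The check in `has_permission` is deliberately evaluated against the caller's clock on every use, so a grant whose Duration has passed stops working without any cleanup job; the operation log only records grants that were actually stored and releases that actually removed something, which is what makes it useful for reviewing who held what and when.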