Data Management (DMS) provides fine-grained, comprehensive management of data security. You can manage permissions on resources such as database instances, databases, tables, rows, and sensitive columns. This topic describes how users in different roles manage permissions.
Permission management methods for different roles
- Regular users:
  DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions or data permissions on a specific resource. For more information, see the Apply for permissions by submitting a ticket section of this topic.
- DMS administrators and database administrators (DBAs):
  - DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases. For more information, see the Manage permissions as a DMS administrator or DBA section of this topic.
  - DMS administrators and DBAs can enable access control for database instances and databases. For more information, see Enable metadata access control.
- DMS administrators:
  - DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or sensitive column. For more information, see the Manage permissions as a DMS administrator section of this topic.
  - DMS administrators can enable access control for a user. For more information, see Enable access control for a user.
- For more information about how to view the role of a user, see View owned system roles.
- DMS records all permission change operations except metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, use the top navigation bar and then click the Operation Logs tab.
Apply for permissions by submitting a ticket
Manage permissions as a DMS administrator or DBA
DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases.
- Log on to the DMS console V5.0.
- In the top navigation bar, click Instances. In the left-side navigation pane, click
- Manage the permissions on a database instance.
- Manage database permissions.
Manage permissions as a DMS administrator
DMS administrators can use the user management feature to grant permissions to or revoke permissions from a user. Specifically, DMS administrators can grant and revoke the following types of permissions: permissions to log on to a database instance, permissions to view the performance of a database instance, database permissions, table permissions, row permissions, and sensitive column permissions.
Permission types
Permission type | Description |
---|---|
Logon permissions | After you obtain the logon permissions on a database instance that is managed in Flexible Management or Stable Change mode, you can use the corresponding database account or password to log on to the database instance. |
Permissions to view performance | After you obtain the permissions to view the performance of a database instance that is managed in Security Collaboration mode, you can view the performance of the database instance. For more information, see View the performance details of a database instance. |
Query permissions | After you obtain the query permissions on a database instance that is managed in Security Collaboration mode, you can execute SQL statements on the SQLConsole tab to query the data of the database instance. |
Change permissions | After you obtain the change permissions on a database instance that is managed in Security Collaboration mode, |
Export permissions | After you obtain the export permissions on a database instance that is managed in Security Collaboration mode, you can submit tickets to export data from the database instance. However, you cannot export data without approval. |