Manage permissions - Data Management - Alibaba Cloud Documentation Center

Data Management (DMS) provides features for fine-grained management of data security in an all-around way. You can manage permissions on resources such as database instances, databases, tables, rows, and sensitive columns. This topic shows you how to manage permissions by using different roles.

Permission management methods for different roles

Regular users:
DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions or data permissions on a specific resource. For more information, see the Apply for permissions by submitting a ticket section of this topic.
DMS administrators and database administrators (DBAs):
- DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases. For more information, see the Manage permissions as a DMS administrator or DBA section of this topic.
- DMS administrators and DBAs can enable access control for database instances and databases. For more information, see Enable metadata access control.
DMS administrators:
- DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or sensitive column. For more information, see the Manage permissions as a DMS administrator section of this topic.
- DMS administrators can enable access control for a user. For more information, see Enable access control for a user.

Note

For more information about how to view the role of a user, see View owned system roles.
DMS records all permission change operations except metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, choose Security and Specifications > Operation Audit in the top navigation bar. Then, click the Operation Logs tab.

Apply for permissions by submitting a ticket

DMS users except those for whom access control is enabled can submit a ticket to apply for the permissions on a specific resource.

Note For more information about how to add a DMS user, see Manage users.

Log on to the DMS console V5.0.
In the top navigation bar, click Security and Specifications. In the left-side navigation pane, click Permission.

Note If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose Permission > Database-Permission.
On the Access applyTickets page, click Access apply and select a permission category from the drop-down list.

On the Access applyTickets page, set the parameters as required.


Parameter	Supported permission category	Description
Select the databases, tables, or columns on which you want to apply for permissions	Database-Permission and Table-Permission Sensitive Column-Permission and Row-Permission Programmable Object Database-OWNER and Table-OWNER	Enter a database name in the search box to search for a database. Fuzzy search by using a percent sign (`%`) is supported. Example: `dms%test`. Click Search or press the Enter key. In the search results, select the database on which you want to apply for the permissions. Click the icon to add the selected database to the Selected Databases/Tables/Columns section on the right. Note The database instance to which the selected database belongs must be managed in Security Collaboration mode.
Select the instance to apply	Instances-Login Instances-Performance Instances-OWNER	Enter the endpoint or name of a database instance in the search box to search for a database instance. Click Search or press the Enter key. In the search results, select the database instance on which you want to apply for the permissions. Click the icon to add the selected database instance to the Confirm selected instance section on the right. Note Before you apply for the logon permissions on a database instance, make sure that the database instance is managed in Flexible Management or Stable Change mode. Before you apply for the permissions to view the performance of a database instance or apply to be the owner of a database instance, make sure that the database instance is managed in Security Collaboration mode.
Permission	Instances-Login Database-Permission and Table-Permission Sensitive Column-Permission and Row-Permission Programmable Object Instances-Performance	The following permission types are supported: logon, query, export, change, and performance viewing. For more information, see the Permission types section of this topic.
Data Masking Method	Sensitive Column-Permission	Select a data masking method. Valid values: Semi-sensitization If a data masking algorithm is configured for a column, the values of the column are displayed after they are processed by the data masking algorithm. If no data masking algorithm is configured for a column, the values of the column are encrypted. Plain Text: The values of the columns are displayed in plaintext.
Duration	Instances-Login Database-Permission and Table-Permission Sensitive Column-Permission and Row-Permission Programmable Object Instances-Performance	Specify the validity period of the permissions for which you want to apply.
Reason	All permission categories	Specify the reason why you want to apply for the permissions.

Click Submit.
After the ticket is approved, the system automatically grants you the applied permissions.
Optional:View and release operation permissions.
1. In the top navigation bar, choose Security and Specifications > Permission Center > Permissions.
2. On the Ordinary Permissions tab, select a permission category from the first drop-down list on the left.
  In the permission list, you can view the permissions that you have.
  Note
  
  The permissions on a database instance include the permissions to log on to the database instance and permissions to view the performance of the database instance.
  
  You cannot query or release the permissions on a programmable object.
3. Release the permissions that you no longer need.
  1. In the permission list, select the permissions that you want to release and click Release Permission.
  2. In the Permission Operation dialog box, select one or more types of permissions that you want to release and click OK.
Optional:View and manage data permissions.
The owner of a resource can view and manage the permissions on the resource, and evaluate whether the permissions are properly granted.
1. In the top navigation bar, choose Security and Specifications > Permission Center > Permissions.
2. Click the My Resources tab.
3. Select Owner's instance, My Databases, or My Tables from the first drop-down list on the left.
  In the resource list, view the resources on which you have permissions.
4. Manage data permissions.
  In the Actions column of a resource, you can perform the following operations on the resource: manage permissions, change owners, view tables, and configure logical databases.

Manage permissions as a DMS administrator or DBA

DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases.

Log on to the DMS console V5.0.
In the top navigation bar, click Data Assets. In the left-side navigation pane, click Instances.
Manage the permissions on a database instance.
1. On the Instance List tab, find the database instance that you want to manage, move the pointer over More in the Actions column, and then select Management authority.
2. View and revoke the permissions of a user, and grant a user the permissions on the database instance.
  - To view the permissions of a user, find the user and click View Details in the Actions column.
  - To revoke the permissions of a user, find the user and click Recycle Permission in the Actions column.
  - To grant a user the permissions to log on to the database instance or view the performance of the database instance, click Authorize User in the upper part.
Manage database permissions.
1. On the Database List tab, find the database that you want to manage, move the pointer over More in the Actions column, and then select Permission Management.
2. View and revoke the permissions of a user, and grant a user the permissions on a database or table.
  - To view the permissions of a user, specify the permission category, find the user, and then click View Details in the Actions column.
  - To revoke the permissions of a user, specify the permission category, find the user, and then click Recycle Permission in the Actions column.
  - To grant a user the permissions on a database or table, click Grant Permissions on Database or Grant Permissions on Table in the upper part.

Manage permissions as a DMS administrator

DMS administrators can use the user management feature to grant permissions to or revoke permissions from a user. Specifically, DMS administrators can grant and revoke the following types of permissions: permissions to log on to a database instance, permissions to view the performance of a database instance, database permissions, table permissions, row permissions, and sensitive column permissions.

Log on to the DMS console V5.0.
In the top navigation bar, click O&M. In the left-side navigation pane, click User.

Note If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > User.
Grant permissions to a user.
1. Find the user to whom you want to grant permissions, move the pointer over Authorize in the Actions column, and then select a permission category from the drop-down list.
2. In the dialog box that appears, set the parameters and click OK.
Revokes the permissions of a user.
1. Find the user whose permissions you want to revoke, move the pointer over More in the Actions column, and then select Permission Details.
2. On the Ordinary Permissions tab of the User Permissions dialog box, select a permission category from the first drop-down list.
3. Select the permissions that you want to revoke and click Release Permission.
4. In the Permission Operation dialog box, select one or more types of permissions that you want to revoke and click OK.

Permission types


Permission type	Description
Logon permissions	After you obtain the logon permissions on a database instance that is managed in Flexible Management or Stable Change mode, you can use the corresponding database account or password to log on to the database instance.
Permissions to view performance	After you obtain the permissions to view the performance of a database instance that is managed in Security Collaboration mode, you can view the performance of the database instance. For more information, see View the performance details of a database instance.
Query permissions	After you obtain the query permissions on a database instance that is managed in Security Collaboration mode, you can execute SQL statements on the SQLConsole tab to query the data of the database instance.
Change permissions	After you obtain the change permissions on a database instance that is managed in Security Collaboration mode, you can execute SQL statements on the SQLConsole tab to change the data of the database instance. The statement execution is also affected by the configurations of DMS administrators. In addition, you can submit tickets to change data or synchronize databases and tables in the database instance. However, you cannot change data without approval.
Export permissions	After you obtain the export permissions on a database instance that is managed in Security Collaboration mode, you can submit tickets to export data from the database instance. However, you cannot export data without approval.