This topic describes how to manage users in Data Management (DMS). You can add users, remove users, modify users, and manage user permissions.

Prerequisites

You are a DMS administrator. For more information about how to view the role of a user, see View owned system roles.

Add a user

  1. Go to the DMS console V5.0.
  2. In the top navigation bar, click O&M. In the left-side navigation pane, click User.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > User.
  3. Add a user.
    Method 1: Manually add a user.
    1. On the Users page, click New in the upper-left corner.
    2. In the Add User dialog box, enter the Alibaba Cloud account ID of the user that you want to add.
      Note: To view your Alibaba Cloud account ID, move the pointer over the Profile picture icon in the upper-right corner.
    3. Select one or more system roles for the user that you want to add. For more information, see System roles.
    4. Click Send verification code.
    5. Enter the verification code in the Verification Code field.
    6. Click Ok.
    Method 2: Add a RAM user that belongs to the current Alibaba Cloud account.
    Note: Only the current Alibaba Cloud account or a RAM user that has the ListUser permission can add a RAM user by using this method.
    1. In the upper part of the Users page, click Synchronize RAM User.
    2. In the dialog box that appears, select the RAM users that you want to add and click Add Selected Users.
      Note: By default, RAM users that are added to DMS in this way are assigned the regular user role. You can change their role as required. For more information, see Modify a user.

Modify a user

  1. Go to the DMS console V5.0.
  2. In the top navigation bar, click O&M. In the left-side navigation pane, click User.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > User.
  3. Modify a user.
    Modify the information about a user.
    1. Select the user whose information you want to modify and click Edit User in the upper part of the page.
    2. Modify the information about the user as required, such as the display name, mobile phone number that is bound to a DingTalk account, email address, role, notification method, maximum number of queries per day, and maximum number of rows to be queried per day.
      Note: After a system is published, a user who queries data or tracks the status of the system may need to query more rows, or run more queries, than the daily upper limit allows. In this case, you can set the upper limit to a greater value for the user as required.
    3. Click Confirm Change.
    Grant permissions.
    1. Select the user to whom you want to grant permissions, click Authorize User in the upper part of the page, and then select Authorize instance.
      Note: In this example, permissions on a database instance are granted to the user. You can also grant permissions on a database or table. Alternatively, find the user, move the pointer over Authorize in the Actions column, and then select an option to grant permissions, such as permissions on a database, table, column, or row. For more information about permissions, see Permission management.
    2. Set the parameters that are described in the following table and click OK.
      | Section | Parameter | Description |
      | --- | --- | --- |
      | Authorized instance | N/A | The one or more database instances on which permissions are granted to the user. |
      | Permission Configuration | Permission | The type of permission to be granted to the user. For database instances that are not managed in Security Collaboration mode, set this parameter to Instances-Login(Not Common only). For database instances that are managed in Security Collaboration mode, set this parameter to Performance view(Security Collaboration only). |
      | Permission Configuration | Expire Date | The date on which the permission expires. |
    Enable or disable a user.
    1. Select the user that you want to enable or disable, and choose Operation user > Enable User or Operation user > Disable User as required in the upper part of the page.
      Note
      • Enable a user:
        • After you enable a disabled user, the permissions that were granted to the user before the user was disabled automatically become valid again.
        • After you enable a removed user, all permissions and configurations of the user become invalid. You must configure the user and grant permissions to the user again.
      • Disable a user:
        • If you need to disable a user who manages a database instance as a DBA, you must first assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify database instances.
        • After you disable a user, the user is still counted as a DMS user within your tenant account. The permissions of the user are also retained. However, the user cannot log on to the DMS console until the user is enabled again. After the user is enabled, the permissions of the user automatically become valid again.
    2. In the message that appears, click OK.

Remove a user

  1. Go to the DMS console V5.0.
  2. In the top navigation bar, click O&M. In the left-side navigation pane, click User.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > User.
  3. Find the user that you want to remove and choose More > Delete in the Actions column.
    Note
    • Before you remove a user, make sure that the user is not associated with data resources. For example, you cannot remove a user who manages a database instance as a DBA or an approver that is specified in security rules.
    • After you remove a user, the user is no longer counted as a DMS user within your tenant account. All data ownership configurations of the user are deleted, and all permissions of the user are revoked. However, the user information and relevant operation logs are retained and marked as Deleted.
  4. Click OK.

Enable access control for a user

After you enable metadata access control for a user, the following limits apply to the user:
  • The user can view information about and access only the databases on which the user has permissions. The user can go to the Accessible Assets tab to view the databases on which the user has permissions. For more information, see View owned permissions.
  • The user cannot view the database instances and databases on which the user has no permissions. These database instances and databases are not displayed in the left-side navigation pane. The user cannot find them by using the search box in the top navigation bar or by searching in the "Select the databases, tables, or columns on which you want to apply for permissions" field on the Permission Application Ticket page. In addition, the user cannot apply for permissions on these database instances or databases.
  1. Go to the DMS console V5.0.
  2. In the top navigation bar, click O&M. In the left-side navigation pane, click User.
    Note: If you are using the previous version of the DMS console, move the pointer over the More icon in the top navigation bar and choose System > User.
  3. Find the user to whom you want to grant permissions and choose More > Access control in the Actions column.
    Note: To enable access control for multiple users at a time, select the users and click Access control in the upper part of the page.
  4. In the User access control dialog box, turn on Metadata access control and click OK.

Usage notes

  • You can manage DMS administrators as needed. Each tenant in DMS must have at least one DMS administrator.
    Note
    • You can assign the administrator role to all users in DMS, including Alibaba Cloud accounts and RAM users.
    • After you use your Alibaba Cloud account to activate DMS, the account is automatically assigned the DMS administrator role.
    • If a RAM user has the AdministratorAccess permission to manage all the resources of your Alibaba Cloud account, the RAM user is automatically assigned the DMS administrator role.
    • A tenant is a concept used in DMS. Each Alibaba Cloud account has a tenant that belongs to the account.
  • You can add multiple Alibaba Cloud accounts to a tenant.
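
The settings covered in the sections above (permissions retained by disabled users, grant expiry dates, metadata access control, daily query limits, and the requirement for at least one administrator) lend themselves to a periodic review. The following is an added example, not DMS code: it audits a constructed list of user records whose field names, thresholds, and layout are hypothetical and do not correspond to a DMS export or API.

```python
from datetime import date

# Constructed sample records. Field names are hypothetical, not a DMS export format.
USERS = [
    {"name": "alice", "roles": ["DMS administrator"], "status": "enabled",
     "metadata_access_control": False, "max_rows_per_day": 10000,
     "grants": [{"target": "instance-a", "expire": date(2025, 1, 31)}]},
    {"name": "bob", "roles": ["regular user"], "status": "disabled",
     "metadata_access_control": True, "max_rows_per_day": 10000,
     "grants": [{"target": "instance-b", "expire": date(2030, 12, 31)}]},
    {"name": "carol", "roles": ["regular user"], "status": "enabled",
     "metadata_access_control": False, "max_rows_per_day": 5000000,
     "grants": [{"target": "instance-a", "expire": date(2024, 6, 30)}]},
]

def audit(users, today, max_grant_days=365, row_baseline=100000):
    """Return (user, finding) pairs for settings that deserve a second look.

    max_grant_days and row_baseline are review thresholds assumed for this
    example; they are not DMS defaults.
    """
    findings = []
    # Each tenant must keep at least one administrator who can still log on.
    if not any("DMS administrator" in u["roles"] and u["status"] == "enabled"
               for u in users):
        findings.append(("<tenant>", "no enabled DMS administrator"))
    for u in users:
        live = [g for g in u["grants"] if g["expire"] >= today]
        # A disabled user keeps permissions; they become valid again on enable.
        if u["status"] == "disabled" and live:
            findings.append((u["name"], "disabled but holds unexpired grants"))
        for g in live:
            if (g["expire"] - today).days > max_grant_days:
                findings.append((u["name"], f"long-lived grant on {g['target']}"))
        if not u["metadata_access_control"]:
            findings.append((u["name"], "metadata access control is off"))
        if u["max_rows_per_day"] > row_baseline:
            findings.append((u["name"], "daily row limit above baseline"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(USERS, today=date(2024, 7, 1)):
        print(f"{name}: {finding}")
```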

FAQ

  • Q1: Can I assign the DMS administrator or DBA role to a RAM user?

    A: Yes. You can assign the DMS administrator or DBA role to a RAM user. After that, the RAM user can apply for permissions to perform operations as required.

  • Q2: What can I do if suspicious user activities are detected?

    A1: If you detect suspicious activities of a user and you want to retain the permissions of the user, you can disable the user. After that, the user cannot log on to the DMS console. Then, choose Security and Specifications > Operation Audit to audit the operations that were performed by the user. If the user did not violate rules, you can enable the user. All the configurations and permissions of the user become valid again. The user can continue to work.

    A2: If you do not want to retain the permissions of a user, remove the user. After you remove the user, the user cannot log on to the DMS console. All permissions of the user are revoked, and all data ownership configurations of the user are deleted.

  • Q3: How can I find a user within my DMS tenant account?

    A: You can search for a user by using a keyword of the display name, email address, or Alibaba Cloud account ID of the user. You can also filter users by status.