Manage users - Data Management - Alibaba Cloud Documentation Center

This topic describes how to manage users in Data Management (DMS). You can add users, modify users, and manage user permissions.

Prerequisites

You are a DMS administrator. For more information about how to view the role of a user, see View system roles.

Usage notes

Make sure that a tenant has at least one valid administrator account.
You can assign the administrator role to all users in DMS, including Alibaba Cloud accounts and RAM users.
After you use your Alibaba Cloud account to activate DMS, the account is automatically assigned the DMS administrator role.
If a RAM user has the AdministratorAccess permission to manage all resources of your Alibaba Cloud account, the RAM user is also automatically assigned the DMS administrator role.
You can add multiple Alibaba Cloud accounts to a tenant. You can add users on the Users page. By default, the added users belong to the same tenant as your account. Users added to the tenant can view information about the current tenant. For more information, see View information about the current tenant.
Note If you log on to DMS for the first time by using an Alibaba Cloud account, the system automatically creates a tenant for the account. For more information about tenants, see Tenant information.

Log on to the DMS console

You can log on to the DMS console in one of the following ways:

Log on to the DMS console by using an Alibaba Cloud account. For more information, see Accounts used to log on to DMS.
Log on to the DMS console as a RAM user. For more information, see Accounts used to log on to DMS.
Implement user-based single sign-on (SSO) or role-based SSO to log on to the DMS console by using the identity provider (IdP) of your enterprise. SSO is also known as identity federation. For more information, see Use SSO to log on to DMS.

Add a user

Method 1: Manually add a user

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
On the Users page, click New.
In the Add User dialog box, enter the Alibaba Cloud account ID of the user that you want to add.
Note Move the pointer over the icon in the upper-right corner and view your Alibaba Cloud account ID.
Select one or more system roles for the user that you want to add. For more information, see System roles.
Click OK.

Method 2: Add a RAM user that belongs to the current Alibaba Cloud account

Note

Only the current Alibaba Cloud account or a RAM user that has the ListUser permission can add a RAM user by using this method.
By default, RAM users that are added to DMS in this way are assigned the regular user role. You can change the roles of users based on your business requirements. For more information, see Modify a user.

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
In the upper part of the Users page, click Synchronize RAM User.
In the Synchronize RAM User dialog box, search for an account by display name or Alibaba Cloud account ID.
Select one or more RAM users and click Add Selected Users.

Modify a user

Modify the information about a user

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
On the Users page, select the user whose information you want to modify.
Click Edit User in the upper part of the page.
Note You can also click Change in the Actions column to modify the user information.

In the Edit User dialog box, modify the following information as required based on your business requirements.


Section	Parameter	Description
Basic info	Display Name	The display name on the Users page. The display name demonstrates the identity of the user.
	Role	The role of the user. DMS provides five system roles: regular user, database administrator (DBA), administrator, security administrator, and schema read-only user. For more information, see System roles.
	Mobile phone number	The mobile number to which notifications are sent. You can enter a mobile number from one of the following countries and regions: Chinese mainland: +86 UK: +44 Malaysia: +60 Indonesia: +62 Singapore: +65 India: +91 Note If you specify a DingTalk account to receive notifications, make sure that the mobile number is bound to the DingTalk account.
	The maximum number of queries	The maximum number of queries that can be performed by a user each day. If the total number of daily queries reaches the limit, the user cannot perform queries for the rest of the day. The value of the parameter must be an integer. You can select an existing quota in the system or set a new one. Note To query data after a system is published or track the status of a system, a user may query more rows than the upper limit for a day, or query data more times than the upper limit for a day. In this case, you can set the upper limit to a greater value for the user as required.
	Query the upper limit number of rows	The maximum number of rows that can be queried by a user each day. If the total number of rows returned in a day reaches the limit, the user cannot perform more queries for the rest of the day. The value of the parameter must be an integer. You can select an existing quota in the system or set a new one.
Notification	Email	The email address to which notifications are sent.
	DingTalk Chatbot	The webhook URL of the DingTalk chatbot. For more information, see Obtain the webhook URL of a DingTalk chatbot.
	webhook	The custom webhook URL that DMS can use to send notifications. You can customize a webhook URL based on an existing O&M system or message notification system. For more information, see Send notifications by using a custom webhook URL.
	Signature Method	The signature method. Valid values: NONE: No algorithm is used. This is the default value. HMAC_SHA1: The Hashed Message Authentication Code Secure Hash Algorithm 1 (HMAC_SHA1) is used.
	Signature Key	The key that is used. This parameter is displayed only if you set the Signature Method parameter to HMAC_SHA1.
	Notification method	The notification method. You can select one or more options among SMS, DingTalk, Email, DingTalk Chatbot, and webhook.

Click Confirm Change.

Grant permissions to users

Note The following example shows how to grant permissions on instances to users. You can also grant users permissions on permission templates, databases, tables, rows, and sensitive columns. For more information about permissions, see Overview.

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
Select the user to whom you want to grant permissions. Choose Authorize user > Authorize instance in the upper part of the page.
Note You can also choose Authorize > Authorize instance in the Actions column to grant permissions to the user.

In the Authorize instance dialog box, configure the parameters that are described in the following table.


Section	Parameter	Required	Description
Authorized instance	None	Yes	Select one or more database instances on which permissions are granted to the user.
Permission Configuration	Permission	Yes	The type of permission to be granted to the user. For database instances that are not managed in Security Collaboration mode, set this parameter to Instances-Login (Not Common only). For database instances that are managed in Security Collaboration mode, set this parameter to Performance view (Security Collaboration only).
Permission Configuration	Expiration Date	Yes	The date on which the permission expires.

Disable a user

After you disable a user, the permissions and configuration data of the user are not recycled or released. However, the user cannot log on to DMS. After the user is enabled, the permissions and configuration data automatically become valid again.

Note

The disabled user is still counted as a DMS user within your tenant account.
If you need to disable a user who manages a database instance as a DBA, you must first assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify database instances.

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
Select the user that you want to disable and choose Operation user > Disable User in the upper part of the page.
In the message that appears, click OK.

Remove a user

After you remove a user, the user cannot log on to DMS. All data owner configurations and permission data are cleared from DMS.

Note

Before you remove a user, make sure that the user is not associated with data resources. For example, you cannot remove a user who manages a database instance as a DBA or an approver that is specified in security rules.
After you remove a user, all data of the user is cleared. However, the user information and relevant operation logs are retained and marked as Deleted in account information.
The removed user is no longer counted as a DMS user within your tenant account.

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
Select the user that you want to remove and choose Operations user > Delete User in the upper part of the page.
In the message that appears, click OK.

Enable a user

After you enable a disabled user, the configurations and permissions that were granted to the user before the user was disabled automatically become valid. The enabled user can log on to DMS. After you enable a removed user, all permissions and configurations of the user become invalid. You must configure the user and grant permissions to the user again.

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
Select the user you want to enable and choose Operations user > Enable User in the upper part of the page.
In the message that appears, click OK.

Enable access control for a user

After you enable metadata access control for a user, the following limits apply to the user:

The user can only view information about and access only the databases on which the user has permissions in DMS. In the top navigation bar of the console, choose Security and specifications > Permission Center > Permissions to view the databases on which the user has permissions. For more information, see View owned permissions.
The user cannot view the database instances and databases on which the user has no permissions or apply for permissions on these database instances or databases.

Log on to the DMS console V5.0.
In the top navigation bar, choose O&M > Users.
Find the user for whom you want to enable access control and choose More > Access control in the Actions column.
Note To enable access control for multiple users at a time, select the users and click Access control in the upper part of the page.
In the User access control dialog box, turn on Metadata access control and click OK.

FAQ

Q: Can I assign the administrator or DBA role in DMS to a RAM user?
A: Yes. The role assignment is independent of the account type.
Q: What do I do if suspicious operations on a database are detected?
A:
- If you want to retain the permissions of the user, you can disable the user. After that, the user cannot log on to the DMS console. Then, use the operation audit feature of DMS to view the operations that were performed by the user. If the user did not violate rules, you can enable the user. All the permissions and configurations of the user become valid again.
- If you do not want to retain the permissions of the user, you can remove the user. Then, the user cannot log on to the DMS console. All permissions and data owner configurations of the user are cleared.
Q: How do I find a user with a DMS administrator account?
A: In the top navigation bar of the console, choose O&M > Users. On the Users page, search for a user by using keywords, email address, display name, or Alibaba Cloud account ID and filter users by status.