Data Management (DMS) provides comprehensive, fine-grained management of data security. You can manage permissions on resources such as database instances, databases, tables, columns, and rows, and grant users the logon, query, export, and change permissions on a specific resource.
| Permission category | Permission type | Description | Supported control mode |
|---|---|---|---|
| Operation permissions (regular permissions) | Instance logon permissions | After you obtain the logon permissions on a database instance, you can use the corresponding database account and password to log on to the database instance. Note: The database account and password are managed by the relevant persons in your enterprise. | |
| | Database permissions | After you obtain the permissions on a database, you can query, export, and change all data of the database, except the data in the sensitive columns and rows for which access control is enabled. | Security Collaboration |
| | Table permissions | After you obtain the permissions on a table, you can query, export, and change all data of the table, except the data in the sensitive columns and rows for which access control is enabled. | Security Collaboration |
| | Permissions on sensitive columns | After you obtain the permissions on a sensitive column, you can query, export, and change the data of the column. Note: Before you apply for the permissions on a sensitive column, make sure that the following requirements are met: | |
| | Row permissions | After you obtain the permissions on a row, you can query, export, and change the data of the row. For more information, see Configure row-level access control. Note: Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs. | |
| | Permissions on programmable objects | Before you can query, export, or change a programmable object in a database instance that is managed in Security Collaboration mode, you must obtain the permissions on the programmable object. For more information, see Change programmable objects by using stored routines. | Security Collaboration |
| | Permissions to view instance performance | Before you can view the performance of a database instance that is managed in Security Collaboration mode, you must obtain the permissions to view the performance of the database instance. For more information, see View the performance details of a database instance. | Security Collaboration |
| Data permissions (owner resources) | Instance owner | The owner of a resource can view the users to whom the permissions on the resource are granted, and can grant the resource permissions to and revoke them from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, except the data in the sensitive columns and rows for which access control is enabled. Note: Only a DMS administrator or DBA can add or remove the owner of a database instance that is not managed in Security Collaboration mode. To do so, in the left-side instance list on the homepage of the DMS console, right-click the database instance whose owner you want to remove and choose. | |
| | Database owner | | Security Collaboration |
| | Table owner | | Security Collaboration |
| Metadata access control | Metadata access control | | |
Note: If you are granted any one of the data permissions or operation permissions on a database instance or database, you are considered to have permissions on that database instance or database.
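The rules in the table above, as an added illustrative model that is not DMS's own code or API: a query, export, or change request passes only if the user holds a database or table permission (or owns the instance, database, or table), plus a sensitive-column permission for any sensitive column and a row permission for any table under row-level access control. The database, table, column, and region names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple
# Added illustrative model of the DMS permission rules described on this page.
# Not DMS's own implementation; all names and sample values are constructed.

@dataclass(frozen=True)
class Target:
    """Data a user wants to query, export or change."""
    database: str
    table: str
    column: str
    row_key: str  # the value that row-level access control keys on

@dataclass
class Controls:  # access controls enabled on the instance
    sensitive_columns: Set[tuple] = field(default_factory=set)      # {(db, table, column)}
    row_controlled_tables: Set[tuple] = field(default_factory=set)  # {(db, table)}

@dataclass
class Grants:  # permissions held by one user
    owned: Set[tuple] = field(default_factory=set)              # () = instance, (db,), (db, table)
    databases: Set[str] = field(default_factory=set)            # database permissions
    tables: Set[tuple] = field(default_factory=set)             # {(db, table)}
    sensitive_columns: Set[tuple] = field(default_factory=set)  # {(db, table, column)}
    rows: Set[tuple] = field(default_factory=set)               # {(db, table, row_key)}

def has_scope(g: Grants, t: Target) -> bool:
    """Database or table permission, or ownership of the instance, database or table."""
    return (t.database in g.databases or (t.database, t.table) in g.tables
            or () in g.owned or (t.database,) in g.owned or (t.database, t.table) in g.owned)

def decide(g: Grants, t: Target, c: Controls) -> Tuple[bool, str]:
    """Return (allowed, reason) for a query/export/change request on t."""
    if not has_scope(g, t):
        # A row or column grant alone is not enough: the database/table permission comes first.
        return False, "no database or table permission"
    col = (t.database, t.table, t.column)
    if col in c.sensitive_columns and col not in g.sensitive_columns:
        return False, "sensitive column: column permission required"
    if (t.database, t.table) in c.row_controlled_tables \
            and (t.database, t.table, t.row_key) not in g.rows:
        return False, "row-level access control: row permission required"
    return True, "allowed"

# Constructed sample configuration and users
CONTROLS = Controls(sensitive_columns={("orders", "customers", "id_number")},
                    row_controlled_tables={("orders", "customers")})
ANALYST = Grants(databases={"orders"}, rows={("orders", "customers", "region=EU")})
OWNER = Grants(owned={()})  # instance owner: all data except protected columns and rows
```

Note that the instance owner is still denied rows under row-level access control, and that a row grant without the underlying database or table permission grants nothing, matching the notes in the table.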
- Apply for permissions: describes how users in different roles manage permissions in DMS.
- View owned permissions: describes how to view your own operation permissions and data permissions.
DMS allows you to configure different permission approval processes for databases and tables in different scenarios, for example:
- Configure strict approval processes for the production data and the databases and tables involved in core business.
- Configure a simple approval process for the data involved in non-core business or the test environment. Alternatively, you can allow the data in non-core business or the test environment to be directly accessed without approval.
For more information, see Configure approval processes.