Data Management (DMS) provides features for fine-grained management of data security in an all-around way. You can manage permissions on resources such as database instances, databases, tables, columns, and rows. You can grant users the logon, query, export, and change permissions on a specific resource.

Permission categories

Permission category: Operation permissions (regular permissions)

  Instance logon permissions
    Description: After you obtain the logon permissions on a database instance, you can use the corresponding database account and password to log on to the database instance.
    Note: The database account and password are managed by the relevant persons in your enterprise.
    Supported control modes:
      • Flexible Management
      • Stable Change

  Database permissions
    Description: After you obtain the permissions on a database, you can query, export, and change all data of the database, except the data in the sensitive columns and rows for which access control is enabled.
    Supported control mode: Security Collaboration

  Table permissions
    Description: After you obtain the permissions on a table, you can query, export, and change all data of the table, except the data in the sensitive columns and rows for which access control is enabled.
    Supported control mode: Security Collaboration

  Permissions on sensitive columns
    Description: After you obtain the permissions on a sensitive column, you can query, export, and change the data of the column.
    Note: Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:
    Supported control mode: Security Collaboration

  Row permissions
    Description: After you obtain the permissions on a row, you can query, export, and change the data of the row. For more information, see Configure row-level access control.
    Note: Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs.
    Supported control mode: Security Collaboration

  Permissions on programmable objects
    Description: Before you can query, export, or change a programmable object in a database instance that is managed in Security Collaboration mode, you must obtain the permissions on the programmable object. For more information, see Change programmable objects by using stored routines.
    Supported control mode: Security Collaboration

  Permissions to view instance performance
    Description: Before you can view the performance of a database instance that is managed in Security Collaboration mode, you must obtain the permissions to view the performance of the database instance. For more information, see View the performance details of a database instance.
    Supported control mode: Security Collaboration

Permission category: Data permissions (owner resources)

  Instance owner, database owner, and table owner
    Description: The owner of a resource can view the users to whom the permissions on the resource are granted, and can grant the resource permissions to and revoke the resource permissions from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, except the data in the sensitive columns and rows for which access control is enabled.
    Note: Only a DMS administrator or DBA can add or remove the owner of a database instance that is not managed in Security Collaboration mode. To do so, go to the left-side instance list on the homepage of the DMS console, right-click the database instance whose owner you want to change, and choose Instance Owner > Set Owner.
    Supported control modes:
      • Instance owner:
        • Security Collaboration
        • Flexible Management
        • Stable Change
      • Database owner: Security Collaboration
      • Table owner: Security Collaboration

Permission category: Metadata access control

  Metadata access control
    Description:
      • Instance access control: A database instance for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database instance are granted. Other users cannot apply for the permissions on the database instance.
      • Database access control: A database for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database are granted. Other users cannot apply for the permissions on the database.
      • User access control: A user for which access control is enabled can query and access only the database instances and databases on which the user has permissions. The user cannot apply for the permissions on other database instances or databases.
    Note: If you are granted any one type of the data permissions or operation permissions on a database instance or database, you are considered to have the permissions on that database instance or database.
    Supported control mode: Security Collaboration
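The permission layers above (database or table permissions that cover ordinary data, sensitive columns and row-controlled rows that need their own grants on top) can be modelled as a small policy check. This is an added example, not DMS code; the TableMeta and UserGrants structures and the sample 'crm.customers' table are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class TableMeta:
    # Constructed model of a table's access-control settings (not a DMS structure).
    db: str
    name: str
    sensitive_columns: frozenset = frozenset()  # columns with sensitive-column control enabled
    row_controlled: bool = False                # row-level access control enabled on the table

@dataclass
class UserGrants:
    # Resource permissions a user has been granted, keyed per the permission table above.
    databases: set = field(default_factory=set)          # database permissions: db name
    tables: set = field(default_factory=set)             # table permissions: (db, table)
    sensitive_columns: set = field(default_factory=set)  # (db, table, column)
    rows: set = field(default_factory=set)               # (db, table, row_key)

def has_table_data_permission(g: UserGrants, t: TableMeta) -> bool:
    """Database permissions or table permissions cover the table's ordinary data."""
    return t.db in g.databases or (t.db, t.name) in g.tables

def can_access_column(g: UserGrants, t: TableMeta, column: str) -> bool:
    """Sensitive columns are excluded from database/table permissions and need a column grant."""
    if column in t.sensitive_columns:
        return (t.db, t.name, column) in g.sensitive_columns
    return has_table_data_permission(g, t)

def can_access_row(g: UserGrants, t: TableMeta, row_key: str) -> bool:
    """Row grants sit on top of the covering database/table permissions; without those
    the row grant alone gives nothing (see the row-permission note above)."""
    if not has_table_data_permission(g, t):
        return False
    return (not t.row_controlled) or (t.db, t.name, row_key) in g.rows

def accessible_columns(g: UserGrants, t: TableMeta, requested: list) -> list:
    """Filter a requested column list down to what the user may read, e.g. before building a SELECT."""
    return [c for c in requested if can_access_column(g, t, c)]

def main():
    # Constructed sample: database permissions on 'crm' plus one row grant, no sensitive-column grant.
    t = TableMeta("crm", "customers", frozenset({"id_number"}), row_controlled=True)
    g = UserGrants(databases={"crm"}, rows={("crm", "customers", "region=EU")})
    print(accessible_columns(g, t, ["name", "email", "id_number"]))        # ['name', 'email']
    print(can_access_row(g, t, "region=EU"), can_access_row(g, t, "region=US"))  # True False

if __name__ == "__main__":
    main()
```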

References

  • Apply for permissions: provides methods for different roles to manage permissions in DMS.
  • View owned permissions: shows how to view your operation permissions and data permissions.
  • DMS allows you to configure different permission approval processes for databases and tables in different scenarios. The following content describes the scenarios:

    • Configure strict approval processes for the production data and the databases and tables involved in core business.
    • Configure a simple approval process for the data involved in non-core business or the test environment. Alternatively, you can allow the data in non-core business or the test environment to be directly accessed without approval.

    For more information, see Configure approval processes.