DMS supports two authentication paths: direct login with an Alibaba Cloud account or RAM user, and single sign-on (SSO) through your enterprise identity provider (IdP). This topic explains both options and how to configure RAM user settings in DMS.
Log on methods
| Method | Recommended for | Details |
|---|---|---|
| Alibaba Cloud account or RAM user | Teams already using Alibaba Cloud Identity and Access Management (IAM) | Log on directly with your Alibaba Cloud primary account or any RAM user under that account. |
| Single sign-on (SSO) | Enterprises with a central IdP | Implement user-based SSO or role-based SSO to log on to the Alibaba Cloud Management Console from the identity provider (IdP) of your enterprise. For setup instructions, see Use SSO to log on to DMS. |
RAM user behavior after removal
If a RAM user is removed from Resource Access Management (RAM), the user account remains visible in DMS but can no longer be used to log on to Alibaba Cloud or the DMS console.
Before removing or disabling a user in DMS, check whether that user holds a role such as data owner, database administrator (DBA), or approver on an approval node. If so, reassign the role to another user first. For more information, see Manage users.
Configure RAM user settings
Prerequisites
Before you begin, make sure that you have:
A DMS administrator or DBA role
Steps
Log on to the DMS console V5.0.
In the top navigation bar, click O&M. In the left-side navigation pane, click Configuration Management.
If you use DMS in simple mode, hover over the icon in the upper-left corner and choose All functions > O&M > Configuration Management.
Configure the following settings as needed.
RAM permission verification
This setting controls whether DMS automatically initializes roles and permissions for RAM users when they first log on.
| Setting | Behavior |
|---|---|
| Yes (default) | A RAM user with the AdministratorAccess policy is initialized as a DMS administrator. A RAM user with the ReadOnlyAccess policy for RDS and MongoDB can query databases in Security Collaboration mode (no permission record created) and log on to databases in Flexible Management mode or Stable Change mode (permission record created; access is granted for 180 days). |
| No | No role or permission is initialized for RAM users in DMS. |
RAM users automatically join the tenant
This setting controls whether newly created RAM users are automatically added to your DMS tenant when they log on.
| Setting | Behavior |
|---|---|
| Yes (default) | After you create a RAM user under your Alibaba Cloud account, the RAM user is automatically added to your DMS tenant when they log on to the DMS console. |
| No | RAM users are not added automatically. Manually add each RAM user to the DMS tenant. For instructions, see Add a user. |
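The following added example (not part of the DMS documentation or product) audits an exported user inventory against the behaviors described above: which RAM users would join the tenant or be initialized as DMS administrator at first logon, and which DMS accounts were removed from RAM while still holding a role that must be reassigned. The inventories, user names, and the `audit` function are constructed for illustration, and the code assumes a RAM user missing from DMS has not logged on yet.

```python
# Constructed inventories; in practice, export them from RAM and from DMS user management.
RAM_USERS = {  # RAM user -> attached policy names
    "alice": {"AdministratorAccess"},
    "bob": {"AdministratorAccess"},
    "carol": set(),
}
DMS_USERS = {  # DMS user -> roles held in DMS
    "alice": {"DMS administrator"},
    "dave": {"DBA", "approver"},  # no longer exists in RAM
    "erin": set(),                # no longer exists in RAM
}

KEY_ROLES = {"data owner", "DBA", "approver"}  # roles to reassign before removal


def audit(ram_users, dms_users, verification=True, auto_join=True):
    """Return sorted (user, finding, detail) tuples for both settings and removed users."""
    findings = []
    for user, policies in ram_users.items():
        if user in dms_users:
            continue  # assumption: already in the tenant, so first logon has happened
        if auto_join:
            findings.append((user, "auto-join", "added to the tenant at first DMS logon"))
        if verification and "AdministratorAccess" in policies:
            findings.append((user, "auto-admin",
                             "initialized as DMS administrator at first logon"))
    for user, roles in dms_users.items():
        if user in ram_users:
            continue
        held = sorted(roles & KEY_ROLES)
        if held:
            findings.append((user, "reassign-first",
                             "removed from RAM, still holds: " + ", ".join(held)))
        else:
            findings.append((user, "stale", "removed from RAM, still visible in DMS"))
    return sorted(findings)


if __name__ == "__main__":
    for row in audit(RAM_USERS, DMS_USERS):
        print("%-6s %-15s %s" % row)
```

Run it with `verification=False` or `auto_join=False` to see which findings disappear when the corresponding setting is switched to No.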
What's next
Manage users — assign and update user roles in DMS
Use SSO to log on to DMS — configure enterprise SSO for centralized authentication