
Data Management: Row-level control

Last Updated: Mar 30, 2026

Row-level access control in Data Management (DMS) restricts which rows a user can query, export, or modify in a table — based on the value of a designated control field. A sales manager, for example, sees only rows for their assigned region; a chain store employee sees only their store's data.

This feature is separate from field-level access control, which masks or restricts sensitive columns. Row-level access control operates on entire rows.

Supported databases

Row-level access control is available for relational databases connected to DMS, including ApsaraDB RDS for MySQL and PolarDB. It is not supported for:

  • NoSQL databases

  • Logical databases (physical databases only)

  • Database instances not managed in Security Collaboration mode

Prerequisites

Before you begin, make sure that:

Key concepts

Understand these objects before you configure row-level access control:

Object | Description
Row-level control table | A table on which row-level access control is configured.
Control field | The field whose values determine row access.
Control value | A specific value of the control field. Each control value maps to one or more rows.
Row value | A named set of one or more control values. Users apply for permissions on a row value.
Control group | A group of control tables that share the same control values, managed together.

How it works

When row-level access control is active on a table, a user can only access rows whose control field value matches a control value they are authorized for.

The following example shows how control values map to users and accessible rows:

User | Authorized control values | Accessible rows
Alice | Beijing, Shanghai | Rows where region = 'Beijing' or region = 'Shanghai'
Bob | Guangzhou | Rows where region = 'Guangzhou'
Carol | (all rows) | All rows in the table

After a control group is configured, users who have not applied for row-level permissions cannot view data in those tables on the SQLConsole tab.

Limitations

When a user has permissions on specific rows (not all rows), the following SQL restrictions apply:

  • The WHERE clause must filter on the control field using only the = or IN operator.

  • Logical operators (OR, XOR, NOT) are not allowed in the WHERE clause.

  • The control field values in the query must be within the user's authorized control value list.
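The three restrictions above can be pre-checked before a statement is submitted. The following Python sketch is an added example, not DMS code or the DMS parser: the orders table, the check_query function, and the sample queries are hypothetical, and the user names and control values are taken from the example table under How it works. It only handles quoted string control values and does not judge other predicates joined with AND, because the page does not specify how those are treated.

```python
import re

# Constructed from the example table above; "orders" and its columns are hypothetical.
AUTHORIZED = {"Alice": {"Beijing", "Shanghai"}, "Bob": {"Guangzhou"}}
FORBIDDEN = ("OR", "XOR", "NOT")  # logical operators the Limitations list disallows

def check_query(sql, control_field, authorized):
    """Return a list of rule violations; an empty list means the pre-check passes."""
    literals = []

    def stash(m):
        # Swap each quoted string for a NUL-delimited index so that keywords or
        # parentheses inside a value are not mistaken for SQL syntax.
        literals.append(m.group(1).replace("''", "'"))
        return f"\x00{len(literals) - 1}\x00"

    bare = re.sub(r"'((?:[^']|'')*)'", stash, sql)
    where = re.search(r"\bWHERE\b(.*)", bare, re.I | re.S)
    if not where:
        return ["no WHERE clause filtering on the control field"]
    clause = where.group(1)

    problems = [f"logical operator {op} is not allowed"
                for op in FORBIDDEN if re.search(rf"\b{op}\b", clause, re.I)]

    # The control field must be followed by = <value> or IN (<values>).
    pred = re.search(
        rf"\b{re.escape(control_field)}\b`?\s*(?:=|IN\b)\s*(\([^)]*\)|\x00\d+\x00)",
        clause, re.I)
    if not pred:
        return problems + [f"{control_field} must be filtered with = or IN"]

    values = [literals[int(i)] for i in re.findall(r"\x00(\d+)\x00", pred.group(1))]
    if not values:
        problems.append("no quoted control values found in the filter")
    denied = sorted(v for v in values if v not in authorized)  # exact, case-sensitive
    if denied:
        problems.append(f"control values outside the authorized list: {denied}")
    return problems

if __name__ == "__main__":
    for q in ("SELECT * FROM orders WHERE region IN ('Beijing', 'Shanghai')",
              "SELECT * FROM orders WHERE region = 'Beijing' OR region = 'Shanghai'",
              "SELECT * FROM orders WHERE region = 'Guangzhou'"):
        print(q, "->", check_query(q, "region", AUTHORIZED["Alice"]) or "ok")
```

Note that the OR form is flagged even though both values are authorized for Alice; the equivalent IN list is the form that satisfies all three rules.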

Configure a control group

A control group links one or more tables to the same control values. Only a DMS administrator, DBA, or security administrator can create a control group.

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Permission Center > Permission Tickets.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Permission Center > Permission Tickets in the top navigation bar.

  3. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.

  4. Open Sensitive Data Assets:

    • Enhanced mode: Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Sensitive Data > Sensitive Data Assets.

    • Normal mode: In the top navigation bar, choose Security and Specifications > Sensitive Data > Sensitive Data Assets.

  5. In the upper-right corner, click Global Sensitive Data to go to the Sensitive Data List page.

  6. Click the Row Control tab, then click Create Control Group.

  7. In the Create Control Group dialog box, enter a name in the Control Group field.

  8. Add one or more row-level control tables:

    1. Click Add Row Configuration.

    2. From the Enter a database name drop-down list, select the database. Enter keywords to search.

    3. Select the table and the control field.

    4. To add more tables that share the same control values, click Add Row Configuration again and repeat the steps.

  9. Click Add to save the control group.

After a table is added to a control group, users without row-level permissions cannot view data in that table on the SQLConsole tab until their permissions are approved.

Add row values to a control group

Row values group one or more control values under a named set. Users apply for permissions on a row value, which grants access to all rows matching its control values.

  1. On the Row Control tab, find the control group and click Details in the Actions column.

  2. In the Control Value Details panel, click Add Row Value.

  3. In the Import Row Value dialog box, specify whether to append or overwrite:

    • Yes: appends the new control values to the existing row value.

    • No: replaces the existing control values with the new ones.

  4. Enter one or more control values in the Row Value Content field. Separate multiple values with commas. Example: Enter Beijing,Shanghai to create a row value that covers both cities. Users who apply for this row value can access all rows where region equals Beijing or Shanghai.

Apply for row-level permissions

Any DMS user can apply for row-level permissions through a permission ticket. An administrator must approve the application before access is granted.

  1. Log on to the DMS console V5.0.

  2. Open Permission Tickets:

    • Enhanced mode: Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

    • Normal mode: In the top navigation bar, choose Security and Specifications > Permission Center > Permission Tickets.

  3. In the upper-right corner, choose Access apply > Row-Permission.

  4. Enter the database name. Use % as a wildcard for fuzzy search.

  5. Select the permission scope:

    • Single: grants access to a specific row value. A row value may contain multiple control values, so this option can grant access to multiple rows. A control value may map to multiple rows in a table. A hyphen (-) in the Row Value column indicates all-rows permission.

    • All: grants access to all rows in the row-level control table.

  6. Click Search, then select the row-level permissions you want and click Add.

  7. Select the permission types and validity period, then enter an application reason in the Reason field.

  8. Click Submit.

After the application is approved, you can query, export, and modify data in the authorized rows.

Release row-level permissions

  • Regular users: go to the Permissions page to view and release your own permissions. For details, see View owned permissions.

  • Administrators: in the top navigation bar, click O&M. In the left-side navigation pane, click Users. Find the user, then in the Actions column choose More > Permission Details to view and revoke their permissions.

What's next

To protect sensitive columns in addition to rows, see Manage sensitive data.