Data Management:DMS custom policy reference

Last Updated:Mar 28, 2026

System policies grant broad, predefined access that cannot be scoped to individual resources. To restrict a RAM user to specific databases or instances, create a custom policy to enforce least privilege. This page covers the key concepts of custom policies and provides examples for common DMS access-control scenarios.

What is a custom policy?

Resource Access Management (RAM) policies fall into two types: system policies (created and maintained by Alibaba Cloud) and custom policies (created and maintained by you). System policies typically grant broad administrative or read-only access. Custom policies let you define exactly which resources a principal can access, enabling fine-grained permission control.

Key behaviors before you create a custom policy:

  • After you create a custom policy, attach it to a RAM user, RAM user group, or RAM role to grant the specified permissions to that principal.

  • To delete a custom policy that is attached to a principal, detach it first, then delete it.

  • Custom policies support version control. Manage policy versions through the RAM version management mechanism.

Scenarios and examples

The following examples show how to control which ApsaraDB RDS instances a RAM user can log on to from DMS.

Grant access to a specific ApsaraDB RDS instance

To restrict a RAM user to one RDS instance, create a custom policy with the following content and attach it to the RAM user. For instructions, see Create custom policies and Grant permissions to a RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dms:LoginDatabase"],
      "Resource": ["acs:rds:*:*:dbinstance/[$RDS_ID]"]
    }
  ]
}

Replace [$RDS_ID] with the ID of the ApsaraDB RDS instance.

Grant access to all ApsaraDB RDS instances in your account

To let a RAM user log on to any RDS instance from DMS, use one of the following options:

  • Option 1: Grant the AliyunRDSFullAccess permission to the RAM user in the RAM console.

  • Option 2: Create a custom policy with the following content and attach it to the RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["dms:LoginDatabase"],
      "Resource": ["acs:rds:*:*:*"]
    }
  ]
}
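To make the difference between the two policies above concrete, the following added example (not part of the DMS documentation) evaluates RAM-style Action/Resource wildcard patterns against a requested DMS login and flags Resource patterns that cover every RDS instance. The instance ID rm-example-id, the region and the account ID used in the checks are constructed placeholders.

```python
import json
import re

# Added helper, not part of DMS or RAM: evaluates a RAM policy document
# against one action/resource pair. "*" matches any run of characters,
# an explicit Deny overrides any Allow, no match means deny. Condition
# blocks are not evaluated here. Action/Resource are assumed to be lists,
# as in every policy on this page.

# Constructed samples mirroring the two policies on this page;
# "rm-example-id" is a placeholder, not a real instance ID.
SCOPED_POLICY = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["dms:LoginDatabase"],
    "Resource": ["acs:rds:*:*:dbinstance/rm-example-id"]
  }]
}"""
BROAD_POLICY = SCOPED_POLICY.replace("dbinstance/rm-example-id", "*")


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern where only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy_json: str, action: str, resource: str) -> bool:
    """Return True if the policy grants `action` on `resource`."""
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not any(_wildcard_match(a, action) for a in stmt["Action"]):
            continue
        if not any(_wildcard_match(r, resource) for r in stmt["Resource"]):
            continue
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny wins over every Allow
        allowed = True
    return allowed


def broad_resources(policy_json: str) -> list:
    """Return Allow Resource patterns ending in '*' (e.g. acs:rds:*:*:*)."""
    # A trailing "*" covers every RDS instance in the account: the thing a
    # least-privilege review of a DMS login policy should flag.
    return [r for stmt in json.loads(policy_json)["Statement"]
            if stmt["Effect"] == "Allow"
            for r in stmt["Resource"] if r.rsplit(":", 1)[-1] == "*"]
```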

FAQ

Q: If the same user logs on to DMS using different access configurations for single sign-on (SSO), are the data asset permissions automatically synchronized?

A: No, they are not. Data asset permissions in DMS are independent of RAM permission configurations. After a user logs on with a different SSO access configuration, you must grant the permissions again. To set a data owner, you must also update the settings. Note that you can set a maximum of three DMS users as data owners.