Restrict Data Access with Row-Level Permissions - Data Management

Row-level access control in Data Management (DMS) restricts which data rows specific users can query, based on one or more values of a designated control field. This is useful for scenarios where different employees should only see data relevant to their responsibilities—for example, a sales team member who should only view records for their own region or accounts.

Use cases

Regional data separation: Limit employees to querying only the rows where the region field matches their assigned territory.
Multi-table control: Apply the same control value across multiple tables in a database using a single control group.

Who does what

Row-level access control involves two roles with distinct responsibilities:

Role	Responsibility
Database administrator (DBA), DMS administrator, or security administrator	Configure row-level access control: create a control group, add row configurations, and set control values
All users (including DBAs and DMS administrators)	Apply for row permissions on specific rows before querying controlled data

Prerequisites

Before you begin, ensure that you have:

A database instance managed in Security Collaboration mode. For details, see Control modes
The role of database administrator (DBA), DMS administrator, or security administrator. To check your role, see View system roles
A relational database: ApsaraDB RDS for MySQL, ApsaraDB RDS for PostgreSQL, or PolarDB for MySQL

Note

Only physical databases are supported.

Limitations

A table can be added to a control group only once.
Only one control field can be specified per table.
After a control group is deleted, all associated row-level control configurations become inactive.

Configure row-level access control

The following example uses a production database named poc_prod.

Step 1: Create a control group and add row configurations

Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.

Note
If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets in the top navigation bar.
Go to Sensitive Data Assets:
- Icon mode: Move the pointer over the icon in the upper-left corner, then choose All Features > Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.
- Normal mode: In the top navigation bar, choose Security and disaster recovery (DBS) > Sensitive Data > Sensitive Data Assets.
In the upper-right corner, click Global Sensitive Data to open the Row Control tab.
Note
Alternatively, click Sensitive Data List on the Enabled tab in the Instance List section.
On the Row Control tab, click Create Control Group and enter a name for the control group.
Click Add Row Configuration, then configure the following:
1. From the Database drop-down list, select the database. Enter a keyword to search if needed.
2. Select the table and the control field to apply row-level access control.
3. Click Add.

Step 2: Add control values

To the right of the control group, click Details.
Click Add Row Value and set the following parameters:
Parameter Description
Append ? Yes: New values are added to existing values. No: New values replace existing values.
Row Value Content The values to control. Separate multiple values with commas (,).
Click Import. A confirmation message appears at the top of the page when the row values are imported successfully.

Parameter	Description
Append ?	Yes: New values are added to existing values. No: New values replace existing values.
Row Value Content	The values to control. Separate multiple values with commas (,).

Apply for row permissions

All users—including DMS administrators and DBAs—must submit a permission ticket and receive approval before querying controlled rows.

Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Permission Center > Permission Tickets.

Note
If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Permission Center > Permission Tickets in the top navigation bar.
Go to Permission Tickets:
- Icon mode: Move the pointer over the icon in the upper-left corner, then choose All Features > Security and disaster recovery (DBS) > Permission Center > Permission Tickets.
- Normal mode: In the top navigation bar, choose Security and disaster recovery (DBS) > Permission Center > Permission Tickets.
On the Access applyTickets page, choose Access apply > Row Permission.
Select the target row and click Add. The row appears in the Selected Databases/Tables/Columns section.
In the Select Permission section, select Query and specify the Duration and Reason.
Click Submit and wait for approval. After approval, query the controlled rows in the SQL Console. To check the status of your ticket, go to the My Tickets section on the Workbench tab.

More operations

Operation	Steps
Delete a control group	On the Row Control tab, find the control group and delete it. All row-level control configurations in the group become inactive.
Edit a control group	On the Row Control tab, modify the control group name or the configured control fields.

FAQ

My query in the SQL Console fails even though my row permission was approved. What should I do?

Perform the following steps to troubleshoot:

Make sure you have query permissions on the destination database and table. For more information, see Apply for row permissions.
Use SQL statements with WHERE conditions on the SQL Console tab to query the controlled data rows.

For example, if the control field is buyer_name and your approved values are name1, name2, and name3, and you have query permission on the dms_test table:

To query a single value, use = or IN:

SELECT * FROM dms_test WHERE buyer_name = 'name1';

To query multiple values, use IN:

SELECT * FROM dms_test WHERE buyer_name IN ('name1', 'name2', 'name3');

What's next

Configure row-level access control — advanced configuration options