All Products
Search
Document Center

Data Management:Manage permissions

Last Updated:Mar 14, 2024

Data Management (DMS) provides features for fine-grained management of data security in an all-around way. You can manage permissions on resources such as database instances, databases, tables, columns, rows, and metadata. This topic describes the permissions provided by DMS and shows you how to manage permissions.

Permission categories and types

Permission category

Permission type

Description

Whether security hosting is enabled

Operation permissions (regular permissions)

Permissions on database instances

The permissions to log on to a database instance.

After you obtain the permissions to log on to a database instance, you can use the corresponding database account and password to log on to the database instance.

Note

The database account and password are managed by relevant owners in your enterprise.

No

The permissions to view the performance of a database instance.

If security hosting is enabled for a database instance, you must obtain the permissions to view the performance of the database instance before you can view performance details. For more information, see View the performance details of a database instance.

Yes

The permissions to query, export, and change the data of a database instance, excluding the data in sensitive columns and rows for which access control is enabled.

Permissions on databases

The permissions to query, export, and change the data of a database, excluding the data in sensitive columns and rows for which access control is enabled.

Permissions on tables

The permissions to query, export, and change the data of a table, excluding the data in sensitive columns and rows for which access control is enabled.

Permissions on sensitive columns

The permissions to query, export, and change the data of a sensitive column.

Note

Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:

Permissions on rows

The permissions to query, export, and change the data of a row. For more information, see Configure row-level access control.

Note

Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs.

Permissions on programmable objects

The permissions to query, export, and change the data of a programmable object. If security hosting is enabled for a database instance, you must obtain the permissions on a programmable object before you can query, export, or change the data of the programmable object. For more information, see Change programmable objects by using stored routines.

Data permissions (resource owner permissions)

Instance owner

The owner permissions on a resource. The owner of a resource can view the users to whom the permissions on the resource are granted, and grant the resource permissions to and revoke the resource permissions from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, excluding the data in sensitive columns and rows for which access control is enabled.

Note

If security hosting is disabled for a database instance, only DMS administrators and database administrators (DBAs) can add or remove instance owners. To manage instance owners, perform the following operations: Log on to the DMS console. In the left-side Database Instances section, right-click the database instance that you want to manage and choose Instance Owner > Set Owner. In the dialog box that appears, add or remove instance owners.

Yes

Database owner

Table owner

Metadata access control

Metadata access control

  • Instance access control: A database instance for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database instance are granted. Unauthorized users cannot apply for the permissions on the database instance.

  • Database access control: A database for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database are granted. Unauthorized users cannot apply for the permissions on the database.

  • User access control: A user for which access control is enabled can query and access only the database instances and databases on which the user has permissions. The user cannot apply for the permissions on other database instances or databases.

Note

If you are granted one type of the data permissions or operation permissions on a database instance or database, you have the permissions on the database instance or database.

Yes

Permission description:

  • Query permissions: the permissions to execute query statements in the SQL Console.

  • Change permissions: the permissions to execute change statements in the SQL Console, and the permissions to submit data change tickets and database and table synchronization tickets instead of the permissions to change data without approval. DMS administrators can configure constraints on the types of SQL statements that can be executed in the SQL Console.

  • Export permissions: the permissions to submit data export tickets instead of the permissions to export data without approval.

Permission management methods for different roles

  • Regular users:

    DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions and data permissions on a specific resource. For more information, see the Apply for permissions by using a ticket section of this topic.

  • DMS administrators and database administrators (DBAs):

  • DMS administrators:

    • DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or column. For more information, see Manage permissions as a DMS administrator.

    • DMS administrators can enable access control for a user. For more information, see Enable access control for a user.

Note
  • For more information about how to view the role of a user, see View system roles.

  • DMS records all permission change operations except those on metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, choose Security and Specifications > Operation Audit in the top navigation bar. Then, click the Operation Logs tab.

Submit a ticket to apply for permissions

DMS users except those for whom access control is enabled can submit a ticket to apply for the permissions on a resource.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permission Tickets.

    Note

    If you use the DMS console in simple mode, move the pointer over the 2022-10-21_15-25-22.png icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

  3. On the Access applyTickets page, click Access apply and select a permission type from the drop-down list.

  4. On the Access apply Tickets page, configure the permissions for which you want to apply on resources such as database instances, databases, or tables.

    1. Select resources.

      Category

      Supported permission type

      Description

      Secure Management-Disabled

      Instances-Login

      If security hosting is disabled for a database instance, you can apply for only the permissions to log on to the database instance.

      1. Enter the endpoint or name of a database instance in the search box and click Search.

      2. In the search results, select the database instance on which you want to apply for permissions.

      3. Click the 5添加2 icon to add the selected database instance to the Confirm selected instance section.

      Secure Management-Enabled

      • Instances-OWNER

      • Database-OWNER

      • Table-OWNER

      • Instances-Permission

      • Instances-Performance

      • Database-Permission

      • Table-Permission

      • Programmable Object

      • Row-Permission

      • Sensitive Column-Permission

      In this example, Database-Permission is selected.

      1. Enter the name of a database in the search box and click Search. You can use the percent sign (%) as a placeholder to search for a database in fuzzy match mode. Example: dms%test.

      2. In the search results, select the database on which you want to apply for permissions.

      3. Click the 5添加2 icon to add the selected database to the Selected Databases/Tables/Columns section.

    2. Select permissions.

      Select the permissions to be applied for from the logon, query, export, and change permissions, configure the validity period of the permissions, and then enter the reason for which you want to apply for the permissions.

  5. Click Submit. The ticket enters the Approval step.

  6. Approve the ticket. After the ticket is approved, the system automatically grants you the permissions for which you apply.

    • For a database instance that is managed in Security Collaboration mode, you can customize an approval process.

    • For a database instance that is not managed in Security Collaboration mode, if security hosting is disabled, you can apply for only the permissions to log on to the database instance. The default approver is the DBA of the database instance. If security hosting is enabled for the database instance, the approver is the resource owner. If no resource owner is specified, the approver is the DBA of the database instance.

References