Data Management: Manage permissions

Last Updated: Feb 22, 2024

Data Management (DMS) provides fine-grained management of data security. You can manage permissions on resources such as database instances, databases, tables, columns, rows, and metadata. This topic describes the permissions that DMS provides and shows you how to manage them.

Permission categories

Permission category

Permission type

Description

Supported control mode

Operation permissions (regular permissions)

Instance permissions

Instance logon permissions

After you obtain the logon permissions on a database instance, you can use the corresponding database account and password to log on to the database instance.

Note

The database account and password are managed by relevant persons in your enterprise.

  • Flexible Management

  • Stable Change

Permissions to view instance performance

Before you can view the performance of a database instance that is managed in Security Collaboration mode, you must obtain the permissions to view the performance of the database instance. For more information, see View the performance details of a database instance.

Security Collaboration

After you obtain the permissions on a database instance, you can query, export, and change all data of the database instance, except the data in the sensitive columns and rows for which access control is enabled.

Security Collaboration

Database permissions

After you obtain the permissions on a database, you can query, export, and change all data of the database, except the data in the sensitive columns and rows for which access control is enabled.

Security Collaboration

Table permissions

After you obtain the permissions on a table, you can query, export, and change all data of the table, except the data in the sensitive columns and rows for which access control is enabled.

Security Collaboration

Permissions on sensitive columns

After you obtain the permissions on a sensitive column, you can query, export, and change the data of the column.

Note

Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:

Security Collaboration

Row permissions

After you obtain the permissions on a row, you can query, export, and change the data of the row. For more information, see Configure row-level access control.

Note

Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs.

Security Collaboration

Permissions on programmable objects

Before you can query, export, or change a programmable object in a database instance that is managed in Security Collaboration mode, you must obtain the permissions on the programmable object. For more information, see Change programmable objects by using stored routines.

Security Collaboration

Data permissions (owner resources)

Instance owner

The owner of a resource can view the users to whom the permissions on the resource are granted, and grant the resource permissions to and revoke the resource permissions from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, except the data in the sensitive columns and rows for which access control is enabled.

Note

Only a DMS administrator or database administrator (DBA) can add or remove the owner of a database instance that is not managed in Security Collaboration mode. To do so, perform the following operations: In the left-side instance list on the homepage of the DMS console, right-click the database instance whose owner you want to add or remove and choose Instance Owner > Set Owner.

  • Security Collaboration

  • Flexible Management

  • Stable Change

Database owner

Security Collaboration

Table owner

Security Collaboration

Metadata access control

Metadata access control

  • Instance access control: A database instance for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database instance are granted. Other users cannot apply for the permissions on the database instance.

  • Database access control: A database for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database are granted. Other users cannot apply for the permissions on the database.

  • User access control: A user for which access control is enabled can query and access only the database instances and databases on which the user has permissions. The user cannot apply for the permissions on other database instances or databases.

Note

If you are granted one type of the data permissions or operation permissions on a database instance or database, you have the permissions on the database instance or database.

Security Collaboration
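
The rules in the permission table above can be checked mechanically during an access review. The following Python model is an added example, not DMS code or an Alibaba Cloud API; the resource names, row keys, and the dictionary layout of grants are assumptions constructed for illustration.

```python
# Added illustration: a small model of the rules in the table above, not DMS code.
# All resource names and the data layout are constructed for this example.

def covering_ops(scopes, table):
    """Union of operations granted at instance, database or table level."""
    ops = set()
    for depth in (1, 2, 3):  # (instance,), (instance, db), (instance, db, table)
        ops |= scopes.get(table[:depth], set())
    return ops

def allowed(user, controls, op, table, column, row_key):
    """True if `user` may perform `op` on one cell of `table`."""
    if op not in covering_ops(user["scopes"], table):
        return False  # no instance, database or table permission for this operation
    col, row = table + (column,), table + (row_key,)
    # Instance/database/table permissions exclude sensitive columns and
    # access-controlled rows; those need their own grant.
    if col in controls["sensitive_columns"] and col not in user["columns"]:
        return False
    if row in controls["controlled_rows"] and row not in user["rows"]:
        return False
    return True

def unreachable(user, controls, op, table, columns, row_keys):
    """Cells the user cannot reach with `op`; useful when reviewing a grant."""
    return sorted((c, r) for c in columns for r in row_keys
                  if not allowed(user, controls, op, table, c, r))

ORDERS = ("inst-a", "shop", "orders")  # constructed instance/database/table path
CONTROLS = {
    "sensitive_columns": {ORDERS + ("card_no",)},
    "controlled_rows": {ORDERS + ("region=EU",)},
}
# An instance-level grant for query/export, plus one sensitive-column grant.
ANALYST = {"scopes": {("inst-a",): {"query", "export"}},
           "columns": {ORDERS + ("card_no",)}, "rows": set()}
# Only a table-level query grant.
INTERN = {"scopes": {ORDERS: {"query"}}, "columns": set(), "rows": set()}

if __name__ == "__main__":
    cols, rows = ["id", "card_no"], ["region=EU", "region=US"]
    for name, user in (("analyst", ANALYST), ("intern", INTERN)):
        print(name, unreachable(user, CONTROLS, "query", ORDERS, cols, rows))
```

The instance-level grant does not reach the access-controlled row, and the sensitive-column grant does not add operations that the covering instance, database, or table grant lacks.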

Permission management methods for different roles

  • Regular users:

    DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions and data permissions on a specific resource. For more information, see the Apply for permissions by using a ticket section of this topic.

  • DMS administrators and database administrators (DBAs):

  • DMS administrators:

    • DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or column. For more information, see Manage permissions as a DMS administrator.

    • DMS administrators can enable access control for a user. For more information, see Enable access control for a user.

Note
  • For more information about how to view the role of a user, see View system roles.

  • DMS records all permission change operations except those on metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, choose Security and Specifications > Operation Audit in the top navigation bar. Then, click the Operation Logs tab.

Submit a ticket to apply for permissions

DMS users except those for whom access control is enabled can submit a ticket to apply for permissions on a specific resource.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permission Tickets.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

  3. On the Access apply Tickets page, click Access apply and select a permission category from the drop-down list.

  4. On the Access apply Tickets page, configure the query, export, and change permissions for resources, including databases and tables, based on your business requirements.

    Parameter

    Supported permission category

    Description

    Flexible Management and Stable Change

    Instances-Logon

    1. Enter the endpoint or name of a database instance in the search box and click Search.

    2. In the search results, select the database instance on which you want to apply for permissions.

    3. Click the icon to add the selected instance to the Confirm Selected Instance section on the right side of the page.

    Security Collaboration

    • Database-Permission

    • Table-Permission

    • Sensitive Column-Permission

    • Database-OWNER

    • Table-OWNER

    • Programmable Object

    • Instances-Performance

    • Instances-OWNER

    • Row-Permission

    The following example shows how to apply for permissions on a database.

    1. Enter the database name in the search box and click Search. You can use the percent sign (%) as a placeholder to search for a database in fuzzy match mode. Example: dms%test.

    2. In the search results, select the database on which you want to apply for permissions.

    3. Click the icon to add the selected instance to the Selected Databases/Tables/Columns section on the right side of the page.

  5. After you configure the parameters, click Submit.

    After the ticket is approved, the system automatically grants you the permissions that you applied for.

Related operations

View the permissions on resources

  1. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permissions.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permissions.

  2. On the Ordinary Permissions tab, select a permission category from the first drop-down list on the left. In the permission list, you can view the permissions that you have.

    Note
    • The permissions on a database instance include the permission to log on to the database instance and the permission to view the performance of the database instance.

    • You cannot query or release permissions on a programmable object.

Release the permissions on resources

  1. In the permission list, select the permissions that you want to release and click Release Permission.

  2. In the Permission Operation dialog box, select one or more types of permissions that you want to release and click OK.

View your resources

Note

The owner of a resource can view and manage the permissions on the resource, and evaluate whether the permissions are properly granted.

  1. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permissions.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permissions.

  2. Click the My Resources tab.

  3. Select Owner's instance, My Databases, or My Tables from the first drop-down list on the left.

  4. In the resource list, view the resources on which you have permissions.

Manage your resources

  1. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permissions.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permissions.

  2. Click the My Resources tab.

  3. In the Actions column of a resource, you can perform the following operations on the resource: manage permissions, change owners, view tables, and configure logical databases.