Data Management (DMS) provides features for fine-grained management of data security in an all-around way. You can manage permissions on resources such as database instances, databases, tables, columns, rows, and metadata. This topic describes the permissions provided by DMS and shows you how to manage permissions.
Permission categories
| Permission category | Permission type | Description | Supported control mode |
| Operation permissions (regular permissions) | Instance logon permissions | After you obtain the logon permissions on a database instance, you can use the corresponding database account and password to log on to the database instance. Note The database account and password are managed by relevant persons in your enterprise. |
|
| Database permissions | After you obtain the permissions on a database, you can query, export, and change all data of the database, except the data in the sensitive columns and rows for which access control is enabled. | Security Collaboration | |
| Table permissions | After you obtain the permissions on a table, you can query, export, and change all data of the table, except the data in the sensitive columns and rows for which access control is enabled. | Security Collaboration | |
| Permissions on sensitive columns | After you obtain the permissions on a sensitive column, you can query, export, and change the data of the column. Note Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:
| Security Collaboration | |
| Row permissions | After you obtain the permissions on a row, you can query, export, and change the data of the row. For more information, see Configure row-level access control. Note Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs. | Security Collaboration | |
| Permissions on programmable objects | Before you can query, export, or change a programmable object in a database instance that is managed in Security Collaboration mode, you must obtain the permissions on the programmable object. For more information, see Change programmable objects by using stored routines. | Security Collaboration | |
| Permissions to view instance performance | Before you can view the performance of a database instance that is managed in Security Collaboration mode, you must obtain the permissions to view the performance of the database instance. For more information, see View the performance details of a database instance. | Security Collaboration | |
| Data permissions (owner resources) | Instance owner | The owner of a resource can view the users to whom the permissions on the resource are granted, and grant the resource permissions to and revoke the resource permissions from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, except the data in the sensitive columns and rows for which access control is enabled. Note You can add or remove the owner of a database instance that is not managed in Security Collaboration mode only as a DMS administrator or DBA. To do so, perform the following operations: In the left-side instance list on the homepage of the DMS console, right-click the database instance whose owner you want to remove and choose . |
|
| Database owner | Security Collaboration | ||
| Table owner | Security Collaboration | ||
| Metadata access control | Metadata access control |
Note If you are granted one type of the data permissions or operation permissions on a database instance or database, you have the permissions on the database instance or database. | Security Collaboration |
Permission management methods for different roles
Regular users:
DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions and data permissions on a specific resource. For more information, see the Apply for permissions by using a ticket section of this topic.
DMS administrators and database administrators (DBAs):
DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases. For more information, see Manage permissions as a DMS administrator or DBA.
DMS administrators and DBAs can enable access control for database instances and databases. For more information, see Enable metadata access control.
DMS administrators:
DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or sensitive column. For more information, see Manage permissions as a DMS administrator.
DMS administrators can enable access control for a user. For more information, see Enable access control for a user.
For more information about how to view the role of a user, see View system roles.
DMS records all permission change operations except metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, choose in the top navigation bar. Then, click the Operation Logs tab.
Submit a ticket to apply for permissions
DMS users except those for whom access control is enabled can submit a ticket to apply for permissions on a specific resource.
- Log on to the DMS console V5.0.
In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permission Tickets.
NoteIf you use the DMS console in simple mode, move the pointer over the
icon in the upper-left corner of the DMS console and choose . On the Access applyTickets page, click Access apply and select a permission category from the drop-down list.
On the Access apply Tickets page, configure the query, export, and change permissions for resources, including databases and tables, based on your business requirements.
Parameter
Supported permission category
Description
Flexible Management and Stable Change
Instances-Logon
Enter the endpoint or name of a database instance in the search box and click Search.
In the search results, select the database instance on which you want to apply for permissions.
Click the
icon to add the selected instance to the Selected Databases/Tables/Columns section on the right side of the page.
Security Collaboration
Database-Permission
Table-Permission
Sensitive Column-Permission
Database-OWNER
Table-OWNER
Programmable Object
Instances-Performance
Instances-OWNER
Row-Permission
The following example shows how to apply for permissions on a database.
Enter the database name in the search box and click Search. You can use the percent sign (
%) as a placeholder to search for a database in fuzzy match mode. Example:dms%test.In the search results, select the database on which you want to apply for permissions.
Click the
icon to add the selected instance to the Selected Databases/Tables/Columns section on the right side of the page.
After you configure the parameters, click Submit.
After the ticket is approved, the system automatically grants you the permissions that you applied for.
Related operations
In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center Permissions.
NoteIf you use the DMS console in simple mode, move the pointer over the
icon in the upper-left corner of the DMS console and choose . On the Ordinary Permissions tab, select a permission category from the first drop-down list on the left. In the permission list, you can view the permissions that you have.
NoteThe permissions on a database instance include the permission to log on to the database instance and the permission to view the performance of the database instance.
You cannot query or release permissions on a programmable object.
The owner of a resource can view and manage the permissions on the resource, and evaluate whether the permissions are properly granted.
In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center Permissions.
NoteIf you use the DMS console in simple mode, move the pointer over the
icon in the upper-left corner of the DMS console and choose . Click the My Resources tab.
Select Owner's instance, My Databases, or My Tables from the first drop-down list on the left.
In the resource list, view the resources on which you have permissions.
In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center Permissions.
NoteIf you use the DMS console in simple mode, move the pointer over the
icon in the upper-left corner of the DMS console and choose . Click the My Resources tab.
In the Actions column of a resource, you can perform the following operations on the resource: manage permissions, change owners, view tables, and configure logical databases.