Data Management (DMS) provides features for fine-grained management of data security in an all-around way. You can manage permissions on resources such as database instances, databases, tables, columns, rows, and metadata. This topic describes the permissions provided by DMS and shows you how to manage permissions.
Permission categories and types
Permission category | Permission type | Description | Whether security hosting is enabled |
Operation permissions (regular permissions) | Permissions on database instances | The permissions to log on to a database instance. After you obtain the permissions to log on to a database instance, you can use the corresponding database account and password to log on to the database instance. Note The database account and password are managed by relevant owners in your enterprise. | No |
The permissions to view the performance of a database instance. If security hosting is enabled for a database instance, you must obtain the permissions to view the performance of the database instance before you can view performance details. For more information, see View the performance details of a database instance. | Yes | ||
The permissions to query, export, and change the data of a database instance, excluding the data in sensitive columns and rows for which access control is enabled. | |||
Permissions on databases | The permissions to query, export, and change the data of a database, excluding the data in sensitive columns and rows for which access control is enabled. | ||
Permissions on tables | The permissions to query, export, and change the data of a table, excluding the data in sensitive columns and rows for which access control is enabled. | ||
Permissions on sensitive columns | The permissions to query, export, and change the data of a sensitive column. Note Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:
| ||
Permissions on rows | The permissions to query, export, and change the data of a row. For more information, see Configure row-level access control. Note Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs. | ||
Permissions on programmable objects | The permissions to query, export, and change the data of a programmable object. If security hosting is enabled for a database instance, you must obtain the permissions on a programmable object before you can query, export, or change the data of the programmable object. For more information, see Change programmable objects by using stored routines. | ||
Data permissions (resource owner permissions) | Instance owner | The owner permissions on a resource. The owner of a resource can view the users to whom the permissions on the resource are granted, and grant the resource permissions to and revoke the resource permissions from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, excluding the data in sensitive columns and rows for which access control is enabled. Note If security hosting is disabled for a database instance, only DMS administrators and database administrators (DBAs) can add or remove instance owners. To manage instance owners, perform the following operations: Log on to the DMS console. In the left-side Database Instances section, right-click the database instance that you want to manage and choose . In the dialog box that appears, add or remove instance owners. | Yes |
Database owner | |||
Table owner | |||
Metadata access control | Metadata access control |
Note If you are granted one type of the data permissions or operation permissions on a database instance or database, you have the permissions on the database instance or database. | Yes |
Permission description:
Query: the permissions to execute query statements in the SQL Console.
Change permissions: the permissions to execute change statements in the SQL Console, and the permissions to submit data change tickets and database and table synchronization tickets instead of the permissions to change data without approval. DMS administrators can configure constraints on the types of SQL statements that can be executed in the SQL Console.
Export permissions: the permissions to submit data export tickets instead of the permissions to export data without approval.
Permission management methods for different roles
Regular users:
DMS users except those for whom access control is enabled can submit a ticket to apply for the operation permissions and data permissions on a specific resource. For more information, see the Apply for permissions by using a ticket section of this topic.
DMS administrators and database administrators (DBAs):
DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases. For more information, see Manage permissions as a DMS administrator or DBA.
DMS administrators and DBAs can enable access control for database instances and databases. For more information, see Enable metadata access control.
DMS administrators:
DMS administrators can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or column. For more information, see Manage permissions as a DMS administrator.
DMS administrators can enable access control for a user. For more information, see Enable access control for a user.
For more information about how to view the role of a user, see View system roles.
DMS records all permission change operations except those on metadata access control in operation logs. For example, if you have applied for, granted, released, or revoked permissions, you can view these permission change records in DMS operation logs. To view operation logs, choose in the top navigation bar. Then, click the Operation Logs tab.
Submit a ticket to apply for permissions
DMS users except those for whom access control is enabled can submit a ticket to apply for the permissions on a resource.
- Log on to the DMS console V5.0.
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
On the Access applyTickets page, click Access apply and select a permission type from the drop-down list.
On the Access apply Tickets page, configure the permissions for which you want to apply on resources such as database instances, databases, or tables.
Select resources.
Category
Supported permission type
Description
Secure Management-Disabled
Instances-Login
If security hosting is disabled for a database instance, you can apply for only the permissions to log on to the database instance.
Enter the endpoint or name of a database instance in the search box and click Search.
In the search results, select the database instance on which you want to apply for permissions.
Click the
icon to add the selected database instance to the Confirm selected instance section.
Secure Management-Enabled
Instances-OWNER
Database-OWNER
Table-OWNER
Instances-Permission
Instances-Performance
Database-Permission
Table-Permission
Programmable Object
Row-Permission
Sensitive Column-Permission
In this example, Database-Permission is selected.
Enter the name of a database in the search box and click Search. You can use the percent sign (
%) as a placeholder to search for a database in fuzzy match mode. Example:dms%test.In the search results, select the database on which you want to apply for permissions.
Click the
icon to add the selected database to the Selected Databases/Tables/Columns section.
Select permissions.
Select the permissions to be applied for from the logon, query, export, and change permissions, configure the validity period of the permissions, and then enter the reason for which you want to apply for the permissions.
Click Submit. The ticket enters the Approval step.
Approve the ticket. After the ticket is approved, the system automatically grants you the permissions for which you apply.
For a database instance that is managed in Security Collaboration mode, you can customize an approval process.
For a database instance that is not managed in Security Collaboration mode, if security hosting is disabled, you can apply for only the permissions to log on to the database instance. The default approver is the DBA of the database instance. If security hosting is enabled for the database instance, the approver is the resource owner. If no resource owner is specified, the approver is the DBA of the database instance.