Data Management (DMS) provides fine-grained access control over database instances, databases, tables, columns, rows, and metadata. This topic explains the DMS permission model and shows how to apply for permissions using a ticket.
Permission categories
DMS organizes permissions into three categories:
| Category | What it controls |
|---|---|
| Operation permissions | Actions users can perform on resources — logon, query, export, and change |
| Data permissions (resource owner permissions) | Ownership of a resource, including the ability to grant and revoke access |
| Metadata access control | Visibility of resources — whether unauthorized users can see or apply for access |
Operation permissions
Operation permissions govern what a user can do with a resource. The following types are available:
| Permission type | Description | Security hosting required |
|---|---|---|
| Permissions on database instances — logon | Log on to a database instance using the account and password managed by your enterprise. | No |
| Permissions on database instances — performance | View performance details of a database instance. For more information, see View the performance details of a database instance. | Yes |
| Permissions on database instances — data | Query, export, and change data in a database instance, excluding sensitive columns and rows with access control enabled. | — |
| Permissions on databases | Query, export, and change data in a database, excluding sensitive columns and rows with access control enabled. | — |
| Permissions on tables | Query, export, and change data in a table, excluding sensitive columns and rows with access control enabled. | — |
| Permissions on sensitive columns | Query, export, and change data in a sensitive column. Before applying, make sure the sensitive data protection feature is enabled and that you have permissions on the parent database and table. | — |
| Permissions on rows | Query, export, and change data in a row. For configuration details, see Configure row-level access control. Before applying, make sure you have permissions on the parent database and table. | — |
| Permissions on programmable objects | Query, export, and change data in a programmable object. For more information, see Change programmable objects by using stored routines. | Yes |
What query, export, and change mean in DMS:
- Query: execute query statements in the SQL Console.
- Change: execute change statements in the SQL Console and submit data change tickets and database and table synchronization tickets. This does not mean changing data without approval. DMS administrators can restrict the types of statements allowed in the SQL Console.
- Export: submit data export tickets. This does not mean exporting data without approval.
Data permissions (resource owner permissions)
Data permissions grant ownership of a resource. An owner can view which users have access, grant permissions to users, revoke permissions from users, and query resource data (excluding sensitive columns and rows with access control enabled).
Three owner roles exist: instance owner, database owner, and table owner.
If security hosting is disabled for a database instance, only DMS administrators and database administrators (DBAs) can add or remove instance owners. To manage instance owners, right-click the database instance in the left-side Database Instances section of the DMS console, and choose Instance Owner > Set Owner.
Metadata access control
Metadata access control restricts the visibility of resources:
- Instance access control: only authorized users can query or access the database instance. Unauthorized users cannot apply for access.
- Database access control: only authorized users can query or access the database. Unauthorized users cannot apply for access.
- User access control: the user can only query or access resources they already have permissions on. The user cannot apply for permissions on other database instances or databases.
Having any type of operation permission or data permission on a database instance or database counts as having permissions on that resource.
Who can manage permissions
The following table shows what each role can do:
| Action | Regular users | DBAs | DMS administrators |
|---|---|---|---|
| Apply for permissions using a ticket | Yes | | |
| Manage permissions via instance management | | Yes | Yes |
| Enable metadata access control for instances and databases | | Yes | Yes |
| Grant or revoke permissions on any resource via user management | | | Yes |
| Enable access control for a user | | | Yes |
For more information about each role's management path:
- DBAs and DMS administrators: Manage permissions as a DMS administrator or DBA
- DMS administrators (user management): Manage permissions as a DMS administrator
- Enable metadata access control: Enable metadata access control
- Enable access control for a user: Enable access control for a user
To check your role, see View system roles.
DMS records all permission change operations in operation logs, except changes to metadata access control. Recorded operations include applying for, granting, releasing, and revoking permissions. To view operation logs, choose Security and disaster recovery (DBS) > Operation Audit in the top navigation bar, then click the Operation Logs tab.
Apply for permissions using a ticket
Any DMS user for whom access control is not enabled can submit a ticket to apply for permissions on a resource.
Submit a permission ticket
1. Log on to the DMS console V5.0.
2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Permission Center > Permission Tickets. If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Permission Center > Permission Tickets in the top navigation bar.
3. On the Access apply Tickets page, click Access apply and select a permission type from the drop-down list.
4. On the Access apply Tickets page, select the resource and configure permissions:
   - Select a resource based on the security hosting status of the database instance:

     | Category | Supported permission types | How to select |
     |---|---|---|
     | Secure Management-Disabled | Instances-Login | Enter the endpoint or name of the database instance in the search box and click Search. Select the instance from the results, then click the icon to add it to the Confirm selected instance section. |
     | Secure Management-Enabled | Instances-OWNER, Database-OWNER, Table-OWNER, Instances-Permission, Instances-Performance, Database-Permission, Table-Permission, Programmable Object, Row-Permission, Sensitive Column-Permission | Enter the database name in the search box and click Search. Use % as a wildcard for a fuzzy match (for example, dms%test). Select the database from the results, then click the icon to add it to the Selected Databases/Tables/Columns section. |

   - Select permissions. Choose from logon, query, export, and change permissions, set the validity period, and enter the reason for the request.
5. Click Submit. The ticket enters the approval step.
6. After the ticket is approved, the system automatically grants the requested permissions.
Approval workflow
The approver depends on how the database instance is managed:
- Security Collaboration mode: the approval process is customizable.
- Not in Security Collaboration mode:
  - If security hosting is disabled: you can apply for logon permissions only. The default approver is the DBA of the database instance.
  - If security hosting is enabled: the approver is the resource owner. If no resource owner is set, the approver is the DBA of the database instance.
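The rules on this page (metadata access control, the prerequisites for sensitive-column and row tickets, the logon-only restriction when security hosting is disabled, and the approval routing above) can be modelled as a small policy check, which is useful when reviewing who can see and request what before a ticket is ever raised. The following Python is an added example written for this page, not DMS code or its API. The slash-separated resource path scheme, the one-DBA-per-instance field, and the fallback to the nearest ancestor's owners when a column or row has no owner of its own are this example's assumptions; the topology and users are constructed.

```python
"""Toy model of the DMS permission rules on this page (added example, not DMS code):
metadata visibility, permission-ticket admissibility, and approver routing."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set

class Perm(str, Enum):
    LOGON = "logon"
    QUERY = "query"
    EXPORT = "export"
    CHANGE = "change"
    OWNER = "owner"  # data (resource owner) permission

@dataclass
class Resource:
    rid: str                      # path id such as "inst/db/table/column" (constructed scheme)
    kind: str                     # instance | database | table | column | row
    owners: Set[str] = field(default_factory=set)
    access_control: bool = False  # instance- or database-level metadata access control
    # The fields below only matter on kind == "instance".
    security_hosting: bool = False
    security_collaboration: bool = False
    sensitive_data_protection: bool = False
    dba: str = "dba"              # assumed: one DBA account per instance

    def parent(self) -> Optional[str]:
        return self.rid.rsplit("/", 1)[0] if "/" in self.rid else None

@dataclass
class User:
    name: str
    access_control: bool = False                      # "user access control"
    grants: Dict[str, Set[Perm]] = field(default_factory=dict)  # rid -> permissions held

def root(res: Resource, reg: Dict[str, Resource]) -> Resource:
    """Walk up to the database instance, which carries the hosting settings."""
    while res.parent() is not None:
        res = reg[res.parent()]
    return res

def has_permission(user: User, rid: str) -> bool:
    # Any operation or data permission on a resource counts as "having permissions".
    return bool(user.grants.get(rid))

def visible(user: User, res: Resource, reg: Dict[str, Resource]) -> bool:
    """Metadata access control: may the user see this resource at all?"""
    if user.access_control:             # user under access control: own grants only
        return has_permission(user, res.rid)
    node: Optional[Resource] = res
    while node is not None:             # an access-controlled ancestor hides its subtree
        if node.access_control and not has_permission(user, node.rid):
            return False
        p = node.parent()
        node = reg[p] if p else None
    return True

def check_ticket(user: User, res: Resource, perm: Perm, reg: Dict[str, Resource]) -> Optional[str]:
    """Return None if the ticket may be submitted, otherwise the rule that blocks it."""
    inst = root(res, reg)
    if user.access_control:
        return "users under access control cannot apply for permissions"
    if not visible(user, res, reg):
        return "resource is not visible under metadata access control"
    if not inst.security_hosting and perm is not Perm.LOGON:
        return "security hosting disabled: only logon permissions can be requested"
    if res.kind in ("column", "row"):
        if res.kind == "column" and not inst.sensitive_data_protection:
            return "sensitive data protection is not enabled on the instance"
        table = reg[res.parent()]
        database = reg[table.parent()]
        if not (has_permission(user, database.rid) and has_permission(user, table.rid)):
            return "permissions on the parent database and table are required first"
    return None

def approvers(res: Resource, reg: Dict[str, Resource]) -> List[str]:
    """Approver routing. Falling back to the nearest ancestor's owners is an assumption."""
    inst = root(res, reg)
    if inst.security_collaboration:
        return ["custom approval process"]
    if not inst.security_hosting:
        return [inst.dba]
    node: Optional[Resource] = res
    while node is not None:
        if node.owners:
            return sorted(node.owners)
        p = node.parent()
        node = reg[p] if p else None
    return [inst.dba]

def build_sample():
    """Constructed sample topology and users; not real DMS data."""
    reg: Dict[str, Resource] = {}

    def add(rid, kind, **kw):
        reg[rid] = Resource(rid, kind, **kw)

    add("prod-mysql", "instance", security_hosting=True, sensitive_data_protection=True, dba="alice")
    add("prod-mysql/orders", "database", owners={"bob"})
    add("prod-mysql/orders/customers", "table")
    add("prod-mysql/orders/customers/email", "column")
    add("legacy-pg", "instance", security_hosting=False, dba="alice", access_control=True)
    add("collab-db", "instance", security_hosting=True, security_collaboration=True)
    users = {
        "carol": User("carol", grants={"prod-mysql/orders": {Perm.QUERY},
                                       "prod-mysql/orders/customers": {Perm.QUERY},
                                       "legacy-pg": {Perm.LOGON}}),
        "dave": User("dave"),
        "erin": User("erin", access_control=True, grants={"prod-mysql/orders": {Perm.QUERY}}),
    }
    return reg, users

if __name__ == "__main__":
    reg, users = build_sample()
    for who, rid, perm in [("carol", "prod-mysql/orders/customers/email", Perm.QUERY),
                           ("dave", "prod-mysql/orders/customers/email", Perm.QUERY),
                           ("carol", "legacy-pg", Perm.QUERY), ("dave", "legacy-pg", Perm.LOGON)]:
        verdict = check_ticket(users[who], reg[rid], perm, reg) or "ticket allowed"
        print(f"{who:5} {perm.value:6} {rid:38} -> {verdict}; approvers={approvers(reg[rid], reg)}")
```

The ordering of checks in `check_ticket` mirrors the page: a user under access control is stopped before anything else, metadata visibility is decided before the permission type is examined, and column and row tickets are only admissible once the parent database and table are already held.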