
Data Management: Manage permissions

Last Updated:Aug 30, 2023

Data Management (DMS) provides features that can be used to perform fine-grained management of data security in a centralized manner. You can manage permissions on resources such as database instances, databases, tables, rows, and sensitive columns. This topic describes how to manage permissions by using different roles.

Usage notes

You can manage permissions on resources, such as database instances, databases, tables, rows, and sensitive columns, only for instances that are managed in Security Collaboration mode. You can apply for or grant only the logon permissions for instances that are managed in Flexible Management or Stable Change mode. You can use the account management feature to manage other types of permissions for database accounts. For more information, see Account permission management.

Note

DMS provides the account management feature only for MySQL, PostgreSQL, and MongoDB databases. For the databases of other engines, you can go to the corresponding console to manage the database accounts.

Permission management methods for different roles

System role: Regular user
Permission management method: In DMS, regular users, except those for whom access control is enabled, can submit a ticket to apply for the operation permissions or data permissions on a specific resource. For more information, see the Submit a ticket to apply for permissions section of this topic.

System role: DMS administrator and database administrator (DBA)
Permission management method:

  • DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases. For more information, see the Manage permissions as a DMS administrator or DBA section of this topic.

  • DMS administrators and DBAs can use the instance management feature to enable access control for database instances and databases. For more information, see Enable metadata access control.

  • DMS administrators and DBAs can use the user management feature to grant resource permissions to or revoke resource permissions from a specific user. The resource can be a database instance, database, table, row, or sensitive column. For more information, see the Manage permissions as a DMS administrator section of this topic.

  • DMS administrators and DBAs can use the user management feature to enable access control for a user. For more information, see the "Enable access control for a user" section of the Manage users topic.

Note

DBAs can manage permissions only by using the instance management feature. DMS administrators can manage permissions by using all four preceding methods.

System role: Schema read-only
Permission management method: Users who assume the schema read-only role can query the metadata of all instances, databases, and tables without needing to obtain the query, change, or export permissions on those instances, databases, and tables.

Note
  • You can click the icon in the upper-right corner of the console homepage to view your system roles.

  • DMS records all permission change operations, except changes to metadata access control, in operation logs. For example, if you applied for, granted, released, or revoked permissions, you can view the permission change records in the DMS operation logs. To view operation logs, choose Security and Specifications > Operation Audit in the top navigation bar. Then, click the Operation Logs tab.

Permission types

Permission type: Logon permissions
Description: After you obtain the logon permission on a database instance that is managed in Flexible Management or Stable Change mode, you can use the corresponding database account and password to log on to the database instance.

Permission type: Performance viewing permissions
Description: After you obtain the permission to view the performance of a database instance that is managed in Security Collaboration mode, you can view the performance of the database instance. For more information, see View the performance details of a database instance.

Permission type: Query permissions
Description: After you obtain the query permission on a database instance that is managed in Security Collaboration mode, you can execute SQL statements on the SQLConsole tab to query the data of the database instance.

Permission type: Change permissions
Description: After you obtain the change permission on a database instance that is managed in Security Collaboration mode:

  • You can execute SQL statements on the SQLConsole tab to change the data of the database instance. Whether a statement is executed is also subject to the configurations set by DMS administrators.

  • You can also submit tickets to change data or synchronize databases and tables on the database instance. However, you cannot change data without approval.

Permission type: Export permissions
Description: After you obtain the export permission on a database instance that is managed in Security Collaboration mode, you can submit tickets to export data from the database instance. However, you cannot export data without approval.

Submit a ticket to apply for permissions

DMS users except those for whom access control is enabled can submit a ticket to apply for permissions on a specific resource.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permission Tickets.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

  3. On the Access apply Tickets page, click Access apply and select a permission category from the drop-down list.

  4. On the Access apply Tickets page, configure the query, export, and change permissions for resources, including databases and tables, based on your business requirements.

    Parameter: Flexible Management and Stable Change
    Supported permission category: Instances-Logon
    Description:

    1. Enter the endpoint or name of a database instance in the search box and click Search.

    2. In the search results, select the database instance on which you want to apply for permissions.

    3. Click the add icon to add the selected instance to the Selected Databases/Tables/Columns section on the right side of the page.

    Parameter: Security Collaboration
    Supported permission category:

    • Database-Permission

    • Table-Permission

    • Sensitive Column-Permission

    • Database-OWNER

    • Table-OWNER

    • Programmable Object

    • Instances-Performance

    • Instances-OWNER

    • Row-Permission

    Description: The following example shows how to apply for permissions on a database.

    1. Enter the database name in the search box and click Search. You can use the percent sign (%) as a wildcard to search for a database in fuzzy match mode. Example: dms%test.

    2. In the search results, select the database on which you want to apply for permissions.

    3. Click the add icon to add the selected database to the Selected Databases/Tables/Columns section on the right side of the page.

  5. After you configure the parameters, click Submit.

    After the ticket is approved, the system automatically grants you the permissions that you applied for.

Related operations

View the permissions on resources

  1. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permissions.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permissions.

  2. On the Ordinary Permissions tab, select a permission category from the first drop-down list on the left. In the permission list, you can view the permissions that you have.

    Note
    • The permissions on a database instance include the permission to log on to the database instance and the permission to view the performance of the database instance.

    • You cannot query or release permissions on a programmable object.

Release the permissions on resources

  1. In the permission list, select the permissions that you want to release and click Release Permission.

  2. In the Permission Operation dialog box, select one or more types of permissions that you want to release and click OK.

View your resources

Note

The owner of a resource can view and manage the permissions on the resource, and evaluate whether the permissions are properly granted.

  1. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permissions.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permissions.

  2. Click the My Resources tab.

  3. Select Owner's instance, My Databases, or My Tables from the first drop-down list on the left.

  4. In the resource list, view the resources on which you have permissions.

Manage your resources

  1. In the top navigation bar, click Security and Specifications. In the left-side navigation pane, choose Permission Center > Permissions.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Security and Specifications > Permission Center > Permissions.

  2. Click the My Resources tab.

  3. In the Actions column of a resource, you can perform the following operations on the resource: manage permissions, change owners, view tables, and configure logical databases.

Manage permissions as a DMS administrator or DBA

DMS administrators and DBAs can use the instance management feature to manage the permissions on database instances and databases.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose Database Assets > Instances.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > Data Assets > Instances.

  3. Manage permissions on instances.

    1. Click the Instance List tab, and choose More > Management Authority in the Actions column of the instance that you want to manage.

    2. In the dialog box that appears, you can view the permissions of each user and, in the Actions column, revoke them or grant the user the permissions to log on to the database instance or view instance performance.

  4. Manage permissions on databases.

    1. Click the Database List tab, and choose More > Permission Management in the Actions column of the database that you want to manage.

    2. In the dialog box that appears, select a Classification. You can view and revoke the permissions of a user in the Actions column. You can also click Grant Permissions on Database or Grant Permissions on Table to grant a user permissions on a database or table.

Manage permissions as a DMS administrator

DMS administrators can use the user management feature to grant permissions to or revoke permissions from a user. The types of permissions that can be added or revoked include the permissions on instance logon, performance viewing, databases, tables, rows, and sensitive columns.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, click O&M. In the left-side navigation pane, click Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.

  3. Grant permissions to a user.

    1. Click Authorize in the Actions column of the user account to which you want to grant permissions.

    2. In the dialog box that appears, configure the parameters and click OK.

  4. Revoke permissions from a user.

    1. In the Actions column of the user account from which you want to revoke permissions, choose More > Permission Details.

    2. In the User Permissions dialog box, click the Ordinary Permissions tab and select an instance permission.

    3. Select the instance that you want to manage and click Release permissions.

    4. In the Permission Operation dialog box, choose the permission type that you want to revoke or release and click OK.

FAQ

Q: A Resource Access Management (RAM) user has the permissions to log on to an ApsaraDB RDS instance in the DMS console. When I log on to the instance in the DMS console as the RAM user, a message is displayed that indicates that the RAM user does not have the permissions to log on to the instance. What do I do?

A: Make sure that you add the ApsaraDB RDS instance to DMS by using your Alibaba Cloud account. Then, you can log on to the ApsaraDB RDS instance as the RAM user. For more information about how to add an instance, see Register an ApsaraDB instance.