Data Management (DMS) provides fine-grained permission control over database instances, databases, tables, rows, and sensitive columns. Permissions are role-based: your role in DMS determines which methods you can use to manage access.
How security hosting affects permissions
Security hosting controls the scope of permissions that can be managed on a database instance:
Disabled: only logon permissions to the instance can be applied for or granted.
Enabled: full permission management is available, covering the instance, databases, tables, rows, and sensitive columns.
For instructions on enabling security hosting, see Security hosting.
Permission management by role
| Role | Available methods | Scope |
|---|---|---|
| Regular user | Submit a ticket to apply for permissions | Instance, database, table, row, sensitive column |
| Database administrator (DBA) | Instance management feature, enable access control for database instances and databases | Instance and database permissions only |
| DMS administrator | Instance management, user management, access control for instances and users | Instance, database, table, row, sensitive column |
| Schema read-only | No action required | Can query metadata of all instances, databases, and tables without applying for query, change, or export permissions |
Click the icon in the upper-right corner of the DMS console to view your roles. DMS records all permission changes, including apply, grant, release, and revoke operations, in operation logs; changes to metadata access control are the one exception and are not logged. To view operation logs, choose Security and Specifications > Operation Audit in the top navigation bar, then click the Operation Logs tab.
Apply for permissions (regular users)
Regular users can submit a ticket to apply for permissions on a resource. Users for whom access control is enabled cannot use this method.
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Permission Center > Permission Tickets. In normal mode, choose Security and Specifications (DBS) > Permission Center > Permission Tickets in the top navigation bar.
On the Access apply Tickets page, click Access apply and select a permission type from the drop-down list.
Select the resources you want to apply for permissions on. The permission types you can choose from depend on the security hosting status of the instance:
| Security hosting status | Permission types available | How to select |
|---|---|---|
| Disabled | Instances-Login | Search by endpoint or instance name, then click the icon to add the instance to the Confirm selected instance section. |
| Enabled | Instances-OWNER, Database-OWNER, Table-OWNER, Instances-Permission, Instances-Performance, Database-Permission, Table-Permission, Programmable Object, Row-Permission, Sensitive Column-Permission | Search for the resource (use % as a wildcard, for example, dms%test), select it in the results, then click the icon to add it to the Selected Databases/Tables/Columns section. |
Select permissions (logon, query, export, or change), set a validity period, and enter the reason for your request.
Tip: Set a validity period to limit access to the time you need it. This is useful when you need temporary access for a specific task.
Click Submit. The ticket enters the approval step. After the ticket is approved, DMS automatically grants the permissions.
How approval works:
Security Collaboration mode: the approval process can be customized.
Non-Security Collaboration mode, security hosting disabled: the default approver is the DBA of the instance.
Non-Security Collaboration mode, security hosting enabled: the approver is the resource owner. If no owner is specified, the DBA is the approver.
View your permissions
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Permission Center > Permissions. In normal mode, choose Security and Specifications (DBS) > Permission Center > Permissions in the top navigation bar.
View regular permissions on the Ordinary Permissions tab: select a permission type from the drop-down list to filter the list.
View resource owner permissions on the My Resources tab: select Owner's instance, My Databases, or My Tables from the drop-down list.
Permissions on a database instance include logon, view performance, query, export, and change. Permissions on programmable objects cannot be queried or released.
Release your permissions
After releasing permissions on a resource, you can no longer query, export, or change its data.
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications (DBS) > Permission Center > Permissions. In normal mode, choose Security and Specifications (DBS) > Permission Center > Permissions in the top navigation bar.
To release regular permissions: on the Ordinary Permissions tab, select the permissions to release and click Release Permission.
To release resource owner permissions: on the My Resources tab, select the owner permissions to release and click Release Owner.
Manage permissions as a DMS administrator or DBA
Manage permissions using the instance management feature
DMS administrators and DBAs can manage permissions directly from the instance or database list.
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > Data Assets > Instances. In normal mode, choose Data Assets > Instances in the top navigation bar.
Manage instance-level permissions:
On the Instance List tab, find the instance and choose More > Manage Permissions in the Actions column.
In the dialog box, find the user and click an action button to view permissions, revoke permissions, or grant logon or performance-view permissions.
Security hosting disabled: only logon permissions can be granted.
Security hosting enabled: view performance, query, export, and change permissions can be granted.
Manage database- and table-level permissions (requires security hosting enabled):
On the Database List tab, find the database and choose More > Permission Management in the Actions column.
In the dialog box, select a permission type, then find the user. Click an action button to view or revoke permissions, or click Grant Permissions on Database or Grant Permissions on Table to grant permissions.
Manage permissions using permission templates
For batch or reusable permission configurations, see Create a permission template.
Manage permissions as a DMS administrator
DMS administrators can use the user management feature to grant or revoke permissions on instances, databases, tables, rows, and sensitive columns for any user.
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All Features > O&M > Users. In normal mode, choose O&M > Users in the top navigation bar.
Grant permissions to a user:
Find the user, move the pointer over Authorize in the Actions column, and select a permission type.
In the dialog box, configure the parameters and click OK.
Revoke permissions from a user:
Find the user, move the pointer over More in the Actions column, and select Permission Details.
In the User Permissions dialog box, click the Ordinary Permissions tab and select a permission type.
Select the resources to manage and click Release Permission.
In the Permission Operation dialog box, select the permissions to revoke and click OK.
FAQ
A RAM user has logon permissions to an ApsaraDB RDS instance in DMS, but gets a "no permissions" error when trying to log on. What's wrong?
The ApsaraDB RDS instance must be added to DMS using the Alibaba Cloud account (not the RAM user account). Once the instance is registered under the Alibaba Cloud account, the RAM user can log on to it through DMS. For details, see Register an Alibaba Cloud database instance.