Data Management: User management

Last Updated: Mar 28, 2026

Manage who can access Data Management (DMS) and what they can do. As an administrator, you can add users manually or sync RAM users, assign system roles, grant database permissions, and control the user lifecycle — including disabling, deleting, and re-enabling accounts.

Prerequisites

Before you begin, ensure that you have:

Usage notes

  • DMS ensures each tenant always has at least one Administrator account.

  • Any DMS-managed user can hold the Administrator role, regardless of whether they log in with an Alibaba Cloud account or as a RAM user.

  • When you activate DMS, your Alibaba Cloud account is automatically granted the Administrator role.

  • RAM users with the AdministratorAccess permission are automatically assigned the DMS Administrator role on first login. For details, see Manage RAM user configurations.

  • Multiple Alibaba Cloud accounts can be added to a single tenant. Users who have joined the tenant can view tenant information.

When an Alibaba Cloud account logs in to DMS for the first time, the system automatically creates a tenant for that account.

Log in to the DMS console

Log in to the DMS console using one of the following methods:

Add a user

DMS provides two methods for adding users: manually entering an account UID, or syncing RAM users from the current Alibaba Cloud account.

Method 1: Add a user manually

  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. On the User Management page, choose Add > Add Account.

  4. In the Add User dialog box, configure the following:

    Field | Description
    Alibaba Cloud account | Enter the user's Alibaba Cloud account UID. To find a UID, hover over the profile picture icon in the upper-right corner of any Alibaba Cloud console page.
    Role | Select one or more system roles: Regular User, DBA, Administrator, Security Administrator, or Structure Read-only.
  5. Click Confirm.

Method 2: Sync RAM users

Only the current Alibaba Cloud account and RAM users with the ListUser permission can perform this operation.
Users added with this method are assigned the Regular User role by default. To change the role, see Edit user information.
  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. On the User Management page, choose Add > Sync RAM User.

  4. In the Sync RAM User dialog box, search by display name or UID.

  5. Select the target RAM user and click Add Selected Users.

If a RAM user appears grayed out and cannot be selected, they lack the AliyunDMSLoginConsoleAccess permission. Grant this permission in RAM before syncing.

Edit a user

Edit user information

  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. On the User Management page, select the target user.

  4. Click Edit User at the top of the page, or click Edit in the Actions column.

  5. In the Modify User dialog box, update the fields as needed:

    To update your mobile phone number or email address, click your profile picture instead. For details, see Configure personal information and notification methods.
    Category | Field | Description
    Basic information | Display name | The name shown on the User Management page.
    Basic information | Role | Assign one or more system roles: Regular User, DBA, Administrator, Security Administrator, or Structure Read-only.
    Basic information | Query count limit | Maximum result sets the user can query per day. When reached, further queries are blocked. Enter an integer and select a predefined or custom validity period.
    Basic information | Maximum query row count | Maximum rows the user can query per day. When reached, further queries are blocked. Enter an integer and select a predefined or custom validity period.
    Notifications | DingTalk robot | Enter the webhook URL of the DingTalk robot.
    Notifications | Webhook | Enter a custom webhook URL to integrate with your O&M or message notification system.
    Notifications | Signature method | Select NONE (default, no signature) or HMAC_SHA1 (Hashed Message Authentication Code using Secure Hash Algorithm).
    Notifications | Signature key | Enter the signature key. Displayed only when Signature method is set to HMAC_SHA1.
    Notifications | Notification method | Select one or more: text message, DingTalk, mailbox, DingTalk robot, or webhook.
  6. Click Confirm Changes.

Grant permissions to a user

Grant a user access to specific instances, databases, tables, rows, sensitive columns, or permission templates.

The steps below use Grant Instance as an example. Other supported grant types include Grant Permission Template, Grant Database, Grant Table, Grant Row, and Grant Sensitive Column. For the full permissions model, see Permission management.
  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. Select the target user, then choose Grant User > Grant Instance at the top of the page. Alternatively, in the Actions column for the target user, choose Authorize > Authorize Instance.

  4. In the Authorize Instance dialog box, configure the following:

    Field | Required | Description
    Authorized instances | Yes | Select one or more database instances to grant access to.
    Permission type | Yes | Instances in non-Security Collaboration mode support Instance Logon. Instances in Security Collaboration mode support View Performance.
    Expiration time | Yes | Select when the permission expires.
  5. Click Confirm.

Manage user status

Disable vs. delete: choose the right action

Before disabling or deleting a user, review the following differences:

Behavior | Disable | Delete
Can log in to DMS | No | No
Permissions retained | Yes — restored when re-enabled | No — all permissions are purged
Data retained | Yes — configurations preserved | No — data owner configurations are cleared
Operation logs | Retained | Retained (account shows Deleted tag)
Occupies user quota | Yes | No
Re-enable behavior | Restores original permissions and data | Treated as a new user; must request permissions again

Tip: If you suspect a user's activity but want to preserve their permission data for review, disable the user instead of deleting them. Use ActionTrail to audit their database operations, then re-enable the user if no issues are found.

Disable a user

Disabling a user blocks their DMS access without removing their permissions or data. Their original configuration is fully restored when you re-enable them.

A disabled user still occupies a user quota.
You cannot disable a user who is the DBA of a database instance. First change the instance's DBA to another user. For details, see Edit an instance.
  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. Select the target user, then choose Operate User > Disable User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Delete a user

Deleting a user permanently purges all their permission data and data owner configurations from DMS. Their operation logs are retained, and a Deleted tag appears on their account.

The user must not be bound to any resources, such as serving as the DBA of an instance or an approver in security rules.
Deleted users do not occupy a user quota.
Deleted users remain visible in the user list with a Deleted tag and cannot be fully purged from DMS.
  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. Select the target user, then choose Operate User > Delete User at the top of the page.

  4. In the Confirm dialog box, click Confirm.
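
The preconditions in "Disable a user" and "Delete a user" can be checked before anyone opens the console. The following Python is an added example, not Alibaba Cloud code: the `User` record, the sample UIDs, instance and rule names are constructed, and the last-Administrator check is this example's own precaution based on the usage note that a tenant always has at least one Administrator.

```python
from dataclasses import dataclass, field

# What each action does, per the disable-vs-delete comparison on this page.
EFFECTS = {
    "disable": "permissions and configurations kept; still occupies a user quota",
    "delete": "permissions and data owner configurations purged; quota freed",
}

@dataclass
class User:  # hypothetical inventory record, not a DMS export format
    uid: str
    roles: set
    status: str = "Normal"                           # Normal | Disabled | Deleted
    dba_of: list = field(default_factory=list)       # instances where the user is DBA
    approver_in: list = field(default_factory=list)  # security rules naming the user

def plan_offboarding(user, users, under_investigation):
    """Return (action, blockers) for one user, following the page's rules."""
    # Disable preserves permissions for review; delete purges them.
    action = "disable" if under_investigation else "delete"
    # Neither action is allowed while the user is the DBA of an instance.
    blockers = [f"reassign DBA of instance {i}" for i in user.dba_of]
    if action == "delete":
        # Delete additionally requires that no other resource is bound.
        blockers += [f"replace approver in security rule {r}" for r in user.approver_in]
    if "Administrator" in user.roles:
        # Example's own precaution: keep another active Administrator.
        if not any(u is not user and u.status == "Normal"
                   and "Administrator" in u.roles for u in users):
            blockers.append("assign Administrator to another active user")
    return action, blockers

# Constructed sample tenant.
SAMPLE_USERS = [
    User("1001", {"Administrator"}),
    User("1002", {"DBA"}, dba_of=["rm-demo-01"], approver_in=["rule-prod"]),
    User("1003", {"Regular User"}),
]

if __name__ == "__main__":
    for u, suspect in zip(SAMPLE_USERS, (False, True, False)):
        action, blockers = plan_offboarding(u, SAMPLE_USERS, suspect)
        print(u.uid, action, "-", EFFECTS[action])
        for b in blockers:
            print("   blocked until:", b)
```

An empty blocker list means the console action should go through; any entry names the binding to clear first.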

Enable a user

Re-enabling a disabled user fully restores their original permissions and data configurations.

Re-enabling a deleted user also allows them to log in again, but they are treated as a new user — their previous permissions and configurations are cleared, and they must request permissions again.

  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. Select the target user, then choose Operate User > Enable User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Enable metadata access control

By default, users can see all database instances in the DMS console navigation pane, even if they only have permissions on a subset. Enabling metadata access control restricts a user's visibility to only the instances and databases they are authorized to access.

When metadata access control is enabled for a user:

  • The user can query and access only authorized databases. To view their current permissions, go to Security and Specifications > Permission Center > My Permissions.

  • The user cannot view other databases or instances, and cannot request permissions for resources outside their authorized scope.

To enable metadata access control:

  1. Log in to the DMS console V5.0.

  2. In the top navigation bar, choose O&M > Users.

    In simple mode, hover over the icon in the upper-left corner and choose All Features > O&M > Users.
  3. In the Actions column for the target user, choose More > Access Control. To enable for multiple users at once, select them and click Resource Access Management at the top of the page.

  4. In the User Access Control dialog box, enable Metadata Access Control and click Confirm.

FAQ

Can a RAM user be assigned the Administrator or DBA role?

Yes. Role assignment in DMS is independent of account type — any user, whether an Alibaba Cloud account or a RAM user, can hold any system role.

What should I do if I suspect a user's database activity?

Disable the user to block their access immediately while preserving their permissions and data. Then use ActionTrail to review their operations. If no issues are found, re-enable the user to restore their access and configuration.

If you no longer need to retain the user's permissions, delete the user instead. Deletion removes all their permissions, data owner configurations, and settings.

How do I find a specific user account?

In the top navigation bar, choose O&M > User Management. On the User Management page, search by keyword across account name, email address, display name, or Alibaba Cloud UID. You can also filter by account status.

Why do deleted users still appear in the user list?

DMS marks deleted users with a Deleted tag rather than removing them from the list. This is by design — deleted users cannot be fully purged from the system, but they do not occupy a user quota.

When I try to disable a user, the system says they are the DBA of an instance. What should I do?

Edit the database instance to reassign its DBA to another user first. Note that only users with the DBA system role in DMS can be set as a database instance's DBA. If the replacement user doesn't have the DBA role, go to User Management and edit their role before making the change. For details, see Edit an instance.

How do I revoke a user's resource permissions?

Go to O&M > User Management and find the target user. In the Actions column, choose More > Permission Details. Select the permissions to revoke, then click Revoke Permissions.

A RAM user's display name in DMS was not updated after their name changed in RAM. How do I fix this?

DMS syncs the display name from RAM only during the initial sync. Subsequent name changes in RAM are not automatically reflected in DMS. To update the display name, go to O&M > User Management, click Edit for the user, update the Display name in Basic information, and save.

A regular user can see all databases even though they only have permissions on some. Why?

The navigation pane in DMS displays databases at the instance level, showing all databases under each instance regardless of individual permissions. The user can only read from and write to the databases they are authorized to access. To restrict what the user can see to only their authorized resources, enable metadata access control for that user.

What's next

After managing users, you may also need to:

API reference

Manage DMS users programmatically using the following API operations: