DMS provides fine-grained permission management for database instances, databases, tables, columns, and rows. You can grant logon, query, export, and change permissions per resource.
Permission categories and types
| Permission category | Permission type | Description | Requires security hosting |
| --- | --- | --- | --- |
| Operation permissions (regular permissions) | Permissions on database instances | Logon permissions for a database instance. Available only when security hosting is disabled. After obtaining logon permissions, you can access the instance with the database account and password. Note: Database credentials are managed by the relevant owners in your organization. | No |
| | | Permissions to view database instance performance. See Database performance. | Yes |
| | | Permissions to query, export, and change instance data, excluding data in access-controlled sensitive columns and rows. | Yes |
| | Permissions on databases | Permissions to query, export, and change database data, excluding data in access-controlled sensitive columns and rows. | Yes |
| | Permissions on tables | Permissions to query, export, and change table data, excluding data in access-controlled sensitive columns and rows. | Yes |
| | Permissions on sensitive columns | Permissions to query, export, and change sensitive column data. Note: Before applying for sensitive column permissions: | Yes |
| | Permissions on rows | Permissions to query, export, and change row data. See Row-level control. Note: Before applying for row permissions, you must have permissions on the database and table that contain the row. | Yes |
| | Permissions on programmable objects | Permissions to query, export, and change programmable object data. When security hosting is enabled, you must obtain these permissions before accessing programmable objects. See Programmable objects. | Yes |
| Data permissions (resource owner permissions) | Instance owner | Owner permissions on a resource (instance, database, or table). Owners can view, grant, and revoke resource permissions, and query resource data, excluding data in access-controlled sensitive columns and rows. Note: When security hosting is disabled, only DMS administrators and DBAs can manage instance owners. In the DMS console, right-click a database instance in the left-side Database Instances section and choose . | Yes |
| | Database owner | Same as Instance owner. | Yes |
| | Table owner | Same as Instance owner. | Yes |
| Metadata access control | Metadata access control | Note: Having any data or operation permission on an instance or database counts as having permissions on that resource. | Yes |
Permissions:
- Query: the permission to run SQL queries in the SQL Console.
- Change: the permission to run change statements in the SQL Console and to submit data change and database and table synchronization tickets.
- Export: the permission to submit data export tickets. Note: Not required for exporting SQL result sets from the SQL Console.
Permission verification
When you perform operations on a database in DMS with an Alibaba Cloud account or as a RAM user, DMS verifies your permissions. DMS checks fine-grained permissions first, then RAM user permissions.
To prevent unauthorized users from searching for instances and databases, enable access control for the database instances. Only authorized users can then search for these resources. See Enable metadata access control.
What to do next
You can perform the following operations:
- Manage resource permissions by role. See Manage permissions.
- View your granted operation and data permissions. See Manage permissions.
- Configure permission approval processes for different scenarios:
  - Use strict approval for production data and core business databases.
  - Use simple approval or no-approval access for non-core business and test data.
- Manage other database account permissions with the account management feature. See Account permission management. Note: Account management is available only for MySQL, PostgreSQL, and MongoDB. For other engines, manage database accounts in the corresponding console.
FAQ
- Q: Why do I still receive a "permission denied" error for a query after being granted logon permission for an instance in DMS?
  A: In non-secure-hosting mode, users only need logon permission to perform operations. After switching to secure hosting mode, users must apply for specific permissions (query, export, change). Manage user permissions on the Manage access control permissions page.
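As an added example (not DMS code, and not a description of how DMS evaluates permissions internally), the following Python model encodes the rules this page states: logon alone suffices only when security hosting is disabled (the FAQ case), instance/database/table grants flow down to the data they contain but exclude access-controlled sensitive columns, owners can query their resource, metadata access control hides an instance or database from users holding no permission on it, and row permissions can only be applied for by a user who already holds permissions on the containing database and table. The dotted resource paths, the in-memory grant and owner sets, the users and the resource names are all constructed for the example.

```python
"""Toy model of the DMS permission checks described on this page.

Added illustration, not DMS's own code: the data model (dotted resource paths
'instance.database.table.column', a grant set, an owner set and a set of
access-controlled columns) is assumed for the example and says nothing about
how DMS stores or evaluates permissions internally.
"""
from dataclasses import dataclass, field

OPS = {"query", "export", "change"}


def ancestors(path: str) -> list:
    """'inst.db.tbl' -> ['inst', 'inst.db', 'inst.db.tbl'] (the path itself included)."""
    parts = path.split(".")
    return [".".join(parts[: i + 1]) for i in range(len(parts))]


@dataclass
class PermissionStore:
    security_hosting: bool
    grants: set = field(default_factory=set)   # (user, path, 'logon' | op)
    owners: set = field(default_factory=set)   # (user, path) owner relationships
    sensitive_columns: set = field(default_factory=set)  # access-controlled column paths

    def _granted(self, user, path, perm):
        return (user, path, perm) in self.grants

    def has_permission(self, user, path, op):
        """Fine-grained check for query / export / change on a resource path."""
        if op not in OPS:
            raise ValueError(f"unknown operation {op!r}")
        instance = ancestors(path)[0]
        if not self.security_hosting:
            # Non-secure-hosting mode (see the FAQ): instance logon is all that is required.
            return self._granted(user, instance, "logon")
        if path in self.sensitive_columns:
            # Under security hosting, instance/database/table grants exclude
            # access-controlled columns, so only a grant on the column itself counts.
            return self._granted(user, path, op)
        for anc in ancestors(path):
            if self._granted(user, anc, op):
                return True   # grant on the resource or an enclosing resource
            if op == "query" and (user, anc) in self.owners:
                return True   # owners may query their resource (assumed to cover children)
        return False

    def holds_any_permission(self, user, path):
        """Any data (owner) or operation permission granted directly on the resource."""
        return (user, path) in self.owners or any(
            u == user and p == path for (u, p, _perm) in self.grants)

    def is_visible(self, user, path):
        """Metadata access control: an instance or database is searchable only by
        users holding some permission on it (the page's definition of 'having permissions')."""
        return self.holds_any_permission(user, path)

    def can_apply_for_row_permission(self, user, table_path):
        """Row permissions may only be applied for with permissions on both the
        database and the table containing the row (direct grants or ownership assumed)."""
        parts = ancestors(table_path)
        if len(parts) != 3:
            raise ValueError("expected instance.database.table")
        return all(self.holds_any_permission(user, p) for p in parts[1:])


def demo():
    """Constructed sample data (not from the page) exercising the checks."""
    secure = PermissionStore(
        security_hosting=True,
        grants={("alice", "rds-prod", "logon"),
                ("alice", "rds-prod.crm", "query"),
                ("alice", "rds-prod.crm.customers.email", "query"),
                ("bob", "rds-prod.crm.orders", "change")},
        owners={("carol", "rds-prod.crm")},
        sensitive_columns={"rds-prod.crm.customers.phone",
                           "rds-prod.crm.customers.email"},
    )
    legacy = PermissionStore(security_hosting=False,
                             grants={("dave", "rds-test", "logon")})
    return {
        "alice_query_orders": secure.has_permission("alice", "rds-prod.crm.orders", "query"),
        "alice_query_phone": secure.has_permission("alice", "rds-prod.crm.customers.phone", "query"),
        "alice_query_email": secure.has_permission("alice", "rds-prod.crm.customers.email", "query"),
        "alice_query_hr": secure.has_permission("alice", "rds-prod.hr.staff", "query"),
        "alice_change_orders": secure.has_permission("alice", "rds-prod.crm.orders", "change"),
        "bob_change_orders": secure.has_permission("bob", "rds-prod.crm.orders", "change"),
        "bob_query_orders": secure.has_permission("bob", "rds-prod.crm.orders", "query"),
        "carol_query_customers": secure.has_permission("carol", "rds-prod.crm.customers", "query"),
        "carol_change_customers": secure.has_permission("carol", "rds-prod.crm.customers", "change"),
        "alice_sees_crm": secure.is_visible("alice", "rds-prod.crm"),
        "bob_sees_crm": secure.is_visible("bob", "rds-prod.crm"),
        "bob_row_apply": secure.can_apply_for_row_permission("bob", "rds-prod.crm.orders"),
        "dave_legacy_query": legacy.has_permission("dave", "rds-test.app.t", "query"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'allowed' if ok else 'denied'}")
```

The `alice_query_hr` case is the FAQ scenario: alice holds instance logon, but under security hosting that gives her no query right on a database she has no grant for, while in the `legacy` store (security hosting disabled) dave's logon alone is enough. The `alice_query_phone` case shows why the "excluding data in access-controlled sensitive columns" wording matters: her database-level query grant does not reach the sensitive column, only the explicit column grant on `email` does.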