Overview

Last Updated: Mar 06, 2024

Data Management (DMS) provides features that can be used to manage data security in a comprehensive and fine-grained manner. You can manage the permissions on resources such as database instances, databases, tables, columns, and rows. You can grant users the logon, query, export, and change permissions on a specific resource.

Permission categories and types

The following list describes each permission category, the permission types it contains, what each type allows, and whether security hosting is enabled for the type.

Operation permissions (regular permissions)

  • Permissions on database instances

    • The permissions to log on to a database instance. After you obtain these permissions, you can use the corresponding database account and password to log on to the database instance.

      Note

      The database account and password are managed by the relevant owners in your enterprise.

      Whether security hosting is enabled: No

    • The permissions to view the performance of a database instance. If security hosting is enabled for a database instance, you must obtain these permissions before you can view performance details. For more information, see View the performance details of a database instance.

      Whether security hosting is enabled: Yes

    • The permissions to query, export, and change the data of a database instance, excluding the data in sensitive columns and rows for which access control is enabled.

  • Permissions on databases: the permissions to query, export, and change the data of a database, excluding the data in sensitive columns and rows for which access control is enabled.

  • Permissions on tables: the permissions to query, export, and change the data of a table, excluding the data in sensitive columns and rows for which access control is enabled.

  • Permissions on sensitive columns: the permissions to query, export, and change the data of a sensitive column.

    Note

    Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:

  • Permissions on rows: the permissions to query, export, and change the data of a row. For more information, see Configure row-level access control.

    Note

    Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs.

  • Permissions on programmable objects: the permissions to query, export, and change the data of a programmable object. If security hosting is enabled for a database instance, you must obtain the permissions on a programmable object before you can query, export, or change the data of the programmable object. For more information, see Change programmable objects by using stored routines.

Data permissions (resource owner permissions)

  • Instance owner, database owner, and table owner: the owner permissions on a resource. The owner of a resource can view the users to whom the permissions on the resource are granted, and can grant the resource permissions to and revoke them from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, excluding the data in sensitive columns and rows for which access control is enabled.

    Note

    If security hosting is disabled for a database instance, only DMS administrators and database administrators (DBAs) can add or remove instance owners. To manage instance owners, perform the following operations: Log on to the DMS console. In the left-side Database Instances section, right-click the database instance that you want to manage and choose Instance Owner > Set Owner. In the dialog box that appears, add or remove instance owners.

    Whether security hosting is enabled: Yes

Metadata access control

  • Instance access control: A database instance for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database instance are granted. Unauthorized users cannot apply for the permissions on the database instance.

  • Database access control: A database for which access control is enabled can be queried and accessed only by the users to whom the permissions on the database are granted. Unauthorized users cannot apply for the permissions on the database.

  • User access control: A user for which access control is enabled can query and access only the database instances and databases on which the user has permissions. The user cannot apply for the permissions on other database instances or databases.

  Note

  If you are granted one type of the data permissions or operation permissions on a database instance or database, you have the permissions on the database instance or database.

  Whether security hosting is enabled: Yes

Permission description:

  • Query permissions: the permissions to execute query statements in the SQL Console.

  • Change permissions: the permissions to execute change statements in the SQL Console and to submit data change tickets and database and table synchronization tickets. These are not permissions to change data without approval. DMS administrators can configure constraints on the types of SQL statements that can be executed in the SQL Console.

  • Export permissions: the permissions to submit data export tickets. These are not permissions to export data without approval.
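To make the layered model above concrete, the following added example (not DMS code) models how the documented rules compose into one authorization decision: metadata access control decides whether the user can see the resource at all, an operation permission on an instance, database or table covers the data below it, an owner may query the owned resource, and sensitive columns are excluded from every grant except their own. The resource key format, the Grants structure and the check order are constructed assumptions for the illustration.

```python
# Added illustration of the layered permission model described on this page; it is not
# DMS code. Resource keys ("inst", "inst/db", "inst/db/table", "inst/db/table.column"),
# the Grants structure and the check order are a constructed approximation of the rules.
from dataclasses import dataclass, field

OPS = {"query", "export", "change"}


@dataclass
class Grants:
    """Permissions held by one user (constructed sample structure)."""
    ops: dict = field(default_factory=dict)   # resource key -> set of operation permissions
    owned: set = field(default_factory=set)   # resources the user owns (data permissions)


def ancestors(resource):
    """Return the resource and everything above it, e.g. table -> database -> instance."""
    parts = resource.split(".")[0].split("/")   # a column key never covers other resources
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def has_op(g, resource, op):
    """An operation permission on an instance, database or table covers the data below it."""
    return any(op in g.ops.get(r, set()) for r in ancestors(resource))


def is_visible(g, resource):
    """Metadata access control: holding any operation or data permission on the resource
    or on a resource above it (database, instance) makes the resource visible to the user."""
    return any(g.ops.get(r) or r in g.owned for r in ancestors(resource))


def authorize(g, op, table, columns, sensitive_columns):
    """Decide whether `op` on `table`, touching `columns`, is permitted: (allowed, reason)."""
    if op not in OPS:
        return False, f"unknown operation {op!r}"
    if not is_visible(g, table):
        return False, "resource hidden by metadata access control; the user cannot even apply"
    # An owner may query the owned resource without a separate grant (sensitive columns excluded).
    owner_query = op == "query" and any(r in g.owned for r in ancestors(table))
    if not (has_op(g, table, op) or owner_query):
        return False, f"no {op} permission on {table} or its database/instance"
    # Sensitive columns are excluded from instance/database/table grants: each needs its own permission.
    for col in columns:
        if col in sensitive_columns and op not in g.ops.get(f"{table}.{col}", set()):
            return False, f"sensitive column {col} needs a separate {op} permission"
    return True, "allowed"
```

Row-level access control is not modelled; under the documented rule it would be an additional filter applied after the table and column checks pass.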

What to do next

After you learn the categories and types of resource permissions, you can perform the following operations:

  • Manage resource permissions by using different roles. For more information, see Manage permissions.

  • View the operation permissions and data permissions that you are granted. For more information, see the "View your permissions" section of the Manage permissions topic.

  • Configure different permission approval processes for databases and tables in different scenarios. The following content describes the scenarios:

    • Configure strict approval processes for the production data and the databases and tables involved in core business.

    • Configure simple approval processes for the data involved in non-core business or the test environment. Alternatively, you can allow the data involved in non-core business or the test environment to be directly accessed without approval.

    For more information, see Configure approval processes.

  • Use the account management feature to manage other types of permissions for database accounts. For more information, see Account permission management.

    Note

    DMS provides the account management feature only for MySQL, PostgreSQL, and MongoDB databases. For the databases of other engines, you can go to the corresponding console to manage database accounts.