
Data Management: Access policies

Last Updated: Mar 30, 2026

The DMS policy feature gives you fine-grained control over who can access data resources and use Data Management (DMS) features. Policies work alongside the existing permission management system — when both grant permissions to the same user, the permissions combine.

This feature is currently in canary release.

What policies can do

Policies support two types of permission management:

  • Manage permissions on data resources: Configure access permissions, such as query and change permissions, for data resources at different granularities, including database instances, databases, logical databases, and tables.

  • Manage permissions on DMS features: Configure the operation permissions on DMS features, including whether to allow DMS users to create and view resources when they use DMS features.

How policies differ from permission templates

| Item | Policy | Permission template |
| --- | --- | --- |
| Managed objects | Data resources and DMS features | Data resources only |
| Data resource granularity | Instances, physical databases, logical databases, and tables | Instances, databases, and tables |
| Grant subjects | DMS users and roles | DMS users only |

How it works

DMS policies and the original permission management system are complementary. When both grant permissions to the same user, the permissions combine.

Example: User A receives query permission on dmstest_db via a policy, and change permission on dmstest_db via the permission management system. User A ends up with both query and change permissions on that database.

The diagram below shows how DMS authenticates data resource access:

[Diagram: how DMS authenticates data resource access]

Prerequisites

Before you begin, make sure you have:

  • Policy management permissions (DMS administrators have these by default)

If you don't have the required permissions, contact a DMS administrator to assign the DMS administrator role to your account. For more information, see the Modify a user section of the "Manage users" topic.

Create a policy

Step 1: Open the Policy page

  1. Log on to the DMS console V5.0.

  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications > Permission Center > Policy.

    In normal mode, choose Security and Specifications > Permission Center > Policy in the top navigation bar.
  3. Click Create Policy.

  4. In the Basic Information section, enter the Name and Remarks for the policy.

Step 2: Configure policy content

Configure one or more policy rules. Each rule targets either data resources or DMS features.

Click Add Policy at the bottom of the page to add multiple rules to the same policy.

For data resources

  1. Set Effect to Yes (allow) or Refuse (deny).

  2. On the Data tab of the Resource Type section, select the resource type: Instance, Database, or Logical Database.

    The resource types shown in the console are the supported types.
  3. In the Operation section, select the operations to control, then click the icon to move the selected operations to the Selected Actions section.

    | Selection | Result |
    | --- | --- |
    | All Actions | Both Read and Write are selected |
    | Specified Operations | Select Read, Write, or both |
  4. In the Resources section, select All Resources or Specified Resources. For specified resources, click Add Resource in the lower-right corner to add them.

  5. (Optional) Add conditions to narrow when the policy applies. In the Condition section, click Add Condition and configure the Condition Key, Operator, and Condition Value. Examples:

    • Filter by database type: Set Condition Key to Database Type, Operator to StringEqualsIgnoreCase, and Condition Value to MySQL. The policy applies only to MySQL databases.

    • Filter by time: Set Condition Key to Time, Operator to DateGreaterThan, and Condition Value to 2024-09-19 05:00. The policy applies only after that date and time.
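
The combination rule from "How it works" and the two condition examples above, as an added example (not DMS code or an Alibaba Cloud API): a local Python model for reviewing which operations a user ends up with on a database. The `Rule` class, the function names, the context keys and the operator semantics are assumptions; only allow rules are modelled, because the page does not state how a Refuse rule interacts with a grant from the permission management system.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Operator names come from the page; their exact semantics are assumed here.
OPERATORS = {
    "StringEqualsIgnoreCase": lambda actual, want: actual.lower() == want.lower(),
    "DateGreaterThan": lambda actual, want: actual > datetime.strptime(want, "%Y-%m-%d %H:%M"),
}

@dataclass
class Rule:  # hypothetical model of one allow rule in a policy
    operations: set                      # subset of {"Read", "Write"}
    resources: Optional[set] = None      # None models "All Resources"
    conditions: list = field(default_factory=list)  # (key, operator, value)

def rule_applies(rule, resource, context):
    if rule.resources is not None and resource not in rule.resources:
        return False
    for key, operator, value in rule.conditions:
        # Fail closed: a condition whose key is absent from the request
        # context does not match. An unknown operator raises KeyError.
        if key not in context or not OPERATORS[operator](context[key], value):
            return False
    return True

def effective_operations(policy_rules, legacy_grants, resource, context):
    """Union of permission-system grants and matching policy allows."""
    ops = set(legacy_grants.get(resource, ()))
    for rule in policy_rules:
        if rule_applies(rule, resource, context):
            ops |= rule.operations
    return ops

# Constructed sample mirroring the page's User A example, with the page's
# "query" and "change" permissions modelled as Read and Write (assumption).
USER_A_RULES = [Rule({"Read"}, {"dmstest_db"}, [
    ("Database Type", "StringEqualsIgnoreCase", "MySQL"),
    ("Time", "DateGreaterThan", "2024-09-19 05:00"),
])]
USER_A_LEGACY = {"dmstest_db": {"Write"}}
AFTER = {"Database Type": "mysql", "Time": datetime(2024, 9, 20, 9, 0)}
AT_CUTOFF = {"Database Type": "mysql", "Time": datetime(2024, 9, 19, 5, 0)}

if __name__ == "__main__":
    for ctx in (AFTER, AT_CUTOFF):
        print(sorted(effective_operations(USER_A_RULES, USER_A_LEGACY, "dmstest_db", ctx)))
```
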

For DMS features

  1. Set Effect to Yes (allow) or Refuse (deny).

  2. On the Feature tab of the Resource Type section, select the DMS feature to control, such as Data Export Ticket, User Management, Role Management, or Sensitive Data Protection.

  3. In the Operation section, select Specified Operations and choose Read, Write, or both. Click the icon to add them to Selected Actions.

  4. In the Resources section, select All Resources or Specified Resources. For specified resources, click Add Resource in the lower-right corner.

  5. (Optional) Add conditions. In the Condition section, click Add Condition and configure the Condition Key, Operator, and Condition Value. Example: Set Resource Type to Data Export Ticket, Condition Key to Instance Environment Type, Operator to StringEqualsIgnoreCase, and Condition Value to dev. The policy applies only to databases in the development environment.

Step 3: Save the policy

Click Confirm in the lower-left corner of the page.

Attach a policy to users or roles

  1. On the Policy page, find the policy and click Authorize in the Operation column.

  2. In the Authorize dialog box, select the Subject Type:

    • Users: Select one or more DMS users.

    • Role: Select a custom role. All DMS users who assume this role are governed by the policy.

  3. Click OK.

Manage a policy

On the Policy page, you can modify or delete an existing policy, or create a similar policy based on an existing one.

Use permission diagnostics

Permission diagnostics lets you trace which permissions a DMS user had when accessing a data resource.

Permission diagnostics covers data resources only, not DMS features. On the Operation Logs tab, diagnostics are available for logs from the previous three months only.

From the Operation Logs tab

  1. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Operation Audit.

    In normal mode, choose Security and disaster recovery (DBS) > Operation Audit in the top navigation bar.
  2. On the Operation Logs tab, select SQL Console from the Feature drop-down list and click Search.

  3. Find the log entry and click Permission Diagnosis in the Actions column to view the results.

From the SQL Console page

  1. In the left-side navigation pane of the homepage, double-click the database to open the SQL Console page.

  2. In the Access section, hover over a permission type and click Permission Diagnosis.

  3. View the results in the Permission Diagnosis message.