
Data Management: Manage policies

Last Updated: Dec 15, 2025

The Data Management (DMS) policy feature allows you to manage the permissions on DMS features and data resources managed in DMS in a fine-grained manner. You can define policies to precisely configure the permissions, such as the query and change permissions, on data resources at different granularities, such as database instances and databases. You can also configure the operation permissions on DMS features.

Features

  • Manage the permissions on data resources

    You can use policies and the original permission management system to configure access permissions, such as the query and change permissions, for data resources at different granularities, such as database instances, databases, logical databases, and tables.

  • Manage the permissions on DMS features

    You can use policies to configure the operation permissions on DMS features, including whether to allow DMS users to create and view resources when they use DMS features.

Usage notes

This feature is rolled out in canary release mode.

Differences between policies and permission templates

| Item | Policy | Permission template |
| --- | --- | --- |
| Managed objects | Data resources and DMS features | Data resources |
| Scope of data resources whose permissions can be managed | Data resources such as database instances, physical databases, logical databases, and tables | Only database instances, databases, and tables |
| Scope of objects to whom permissions can be granted | DMS users and roles | DMS users |

Authentication

DMS policies and the original permission management system are complementary to each other.

For example, User A is granted the query permissions on the dmstest_db database by using a policy and the change permissions on the dmstest_db database by using the permission management system. In this case, User A has the query and change permissions on the dmstest_db database.

[Figure: Authentication process of data resources]

Prerequisites

You have the permissions to manage policies. If you do not have the required permissions, contact a DMS administrator to assign the DMS administrator role to your account. For more information, see the Modify a user section of the "Manage users" topic.

Note

By default, DMS administrators have the permissions to manage policies.

Step 1: Create a policy

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All Features > Security and Specifications > Permission Center > Policy.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Permission Center > Policy in the top navigation bar.

  3. On the Policy page, click Create Policy. On the Create Policy page, configure the Name and Remarks parameters in the Basic Information section.

  4. Configure the content of the policy.

    Note

    After you configure a policy, you can click Add Policy in the lower part of the page to configure multiple policies for data resources and DMS features.

    Data resources

    1. Configure the Effect parameter.

      If you select Yes as Effect, the DMS users to whom permissions are granted can access and use the data resources and relevant features defined in the policy. If you select Refuse as Effect, the DMS users to whom permissions are granted are prohibited from accessing and using the data resources and relevant features defined in the policy.

    2. On the Data tab of the Resource Type section, select a type of data resource that you want to manage, such as Instance, Database, or Logical Database.

      Note

      The supported data resource types are those displayed in the console.

    3. In the Operation section, select one or more types of operations, including Read and Write.

      If you select All Actions, both the Read and Write operations are selected. If you select Specified Operations, you can select one or both of the Read and Write operations based on your business requirements. Click the icon to add the types of operations that you select to the Selected Actions section.

    4. In the Resources section, select the resources that you want to manage, such as All Resources or Specified Resources.

      If you select Specified Resources, click Add Resource in the lower-right corner of the section to add resources.

    5. Optional. Configure the conditions of the policy.

      In the Condition section, click Add Condition. In the Add Condition dialog box, configure the Condition Key, Operator, and Condition Value parameters.

      Note

      You can configure the conditions based on the types of resources and operations that you select.

      Examples:

      • Select Database Type as Condition Key.

        If you set the Operator parameter to StringEqualsIgnoreCase and the Condition Value parameter to MySQL, the policy takes effect for MySQL databases.

      • Select Time as Condition Key.

        If you set the Operator parameter to DateGreaterThan and the Condition Value parameter to 2024-09-19 05:00, the policy takes effect after 2024-09-19 05:00.

    DMS features

    1. Configure the Effect parameter.

      If you select Yes as Effect, the DMS users to whom permissions are granted can access and use the data resources and relevant features defined in the policy. If you select Refuse as Effect, the DMS users to whom permissions are granted are prohibited from accessing and using the data resources and relevant features defined in the policy.

    2. On the Feature tab of the Resource Type section, select a DMS feature that you want to manage, such as Data Export Ticket, User Management, Role Management, or Sensitive Data Protection.

    3. In the Operation section, select one or more types of operations.

      If you select Specified Operations, you can select one or both of the Read and Write operations based on your business requirements. Click the icon to add the types of operations that you select to the Selected Actions section.

    4. In the Resources section, select the resources that you want to manage, such as All Resources or Specified Resources.

      If you select Specified Resources, click Add Resource in the lower-right corner of the section to add resources.

    5. Optional. Configure the conditions of the policy.

      In the Condition section, click Add Condition. In the Add Condition dialog box, configure the Condition Key, Operator, and Condition Value parameters.

      Note

      You can configure the conditions based on the types of resources and operations that you select.

      For example, you select Data Export Ticket as Resource Type and Instance Environment Type as Condition Key.

      If you set the Operator parameter to StringEqualsIgnoreCase and the Condition Value parameter to dev, the policy takes effect for databases in the development environment.

  5. In the lower-left corner of the page, click Confirm.
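The Effect, Operation, Resources, and Condition settings from Step 1, together with the complementary relationship described under Authentication, can be modelled as follows. This is an added example, not DMS code: the statement layout, the `evaluate` and `make_request` helpers, the sample grants, and the rule that a matching Refuse overrides any grant are assumptions for illustration.

```python
from datetime import datetime

# Operators named on this page; the comparison semantics are assumed.
OPERATORS = {
    "StringEqualsIgnoreCase": lambda actual, expected: str(actual).lower() == expected.lower(),
    "DateGreaterThan": lambda actual, expected: actual > datetime.strptime(expected, "%Y-%m-%d %H:%M"),
}

def statement_matches(stmt, request):
    """True when resource type, operation, resource and every condition match."""
    if stmt["resource_type"] != request["resource_type"]:
        return False
    if request["operation"] not in stmt["operations"]:
        return False
    if stmt["resources"] != "*" and request["resource"] not in stmt["resources"]:
        return False
    for key, op, value in stmt.get("conditions", []):
        if key not in request["context"] or not OPERATORS[op](request["context"][key], value):
            return False
    return True

def evaluate(statements, legacy_grants, request):
    """Return 'refuse', 'allow' or 'no-permission' for one access request."""
    matched = [s for s in statements if statement_matches(s, request)]
    # Assumption: a matching Refuse statement overrides every grant.
    if any(s["effect"] == "Refuse" for s in matched):
        return "refuse"
    # Policies and the original permission system are complementary (union).
    if any(s["effect"] == "Yes" for s in matched):
        return "allow"
    if (request["resource"], request["operation"]) in legacy_grants:
        return "allow"
    return "no-permission"

# Constructed sample data: one allow statement and one time-bound Refuse.
POLICY = [
    {"effect": "Yes", "resource_type": "Database", "operations": {"Read"},
     "resources": {"dmstest_db"},
     "conditions": [("Database Type", "StringEqualsIgnoreCase", "MySQL")]},
    {"effect": "Refuse", "resource_type": "Database", "operations": {"Write"},
     "resources": "*",
     "conditions": [("Time", "DateGreaterThan", "2024-09-19 05:00")]},
]
LEGACY = {("dmstest_db", "Write")}  # grant from the original permission system

def make_request(operation, when, db_type="mysql"):
    """Build a constructed access request against dmstest_db."""
    return {"resource_type": "Database", "operation": operation, "resource": "dmstest_db",
            "context": {"Database Type": db_type, "Time": when}}
```

Replaying a user's planned policies through a model like this before attaching them shows whether a Refuse condition would cut off a permission the user still holds through the original permission system.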

Step 2: Attach the policy to DMS users or roles

  1. On the Policy page, find the policy that you created and click Authorize in the Operation column.

  2. In the Authorize dialog box, select Users or Role as Subject Type and select one or more DMS users or roles.

    A role refers to a custom role. After you attach a policy to a role, DMS users who assume this role are restricted by the policy.

  3. Click OK.

Manage a policy

On the Policy page, you can modify or delete a policy, or create a similar policy.

Use the permission diagnostics feature

Note

DMS allows you to view only the permission diagnostics results of data resources.

On the Operation Logs tab, you can perform permission diagnostics on operation logs only within the previous three months.

DMS allows you to use the permission diagnostics feature to trace the permissions on the data resources that are accessed by DMS users. You can use the permission diagnostics feature in one of the following ways:

On the Operation Logs tab

  1. Move the pointer over the icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Operation Audit.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Operation Audit in the top navigation bar.

  2. On the Operation Logs tab, select SQL Console from the Feature drop-down list and click Search.

  3. Find the operation log that you want to view and click Permission Diagnosis in the Actions column to view the permission diagnostics results.

On the SQL Console page

  1. In the left-side navigation pane of the homepage, double-click the database that you want to manage to go to the SQL Console page.

  2. In the Access section, move the pointer over a permission type and click Permission Diagnosis.

  3. In the Permission Diagnosis message, view the permission diagnostics results.