Data Management (DMS) provides four types of resource roles: DBA, instance owner, database owner, and table owner. Each role grants a specific set of permissions scoped to a resource level — instance, database, or table.
DMS defines four resource roles:
| Role | Scope |
|---|---|
| DBA | Instance |
| Instance owner | Instance |
| Database owner | Database |
| Table owner | Table |
To apply for a resource role or manage existing assignments, see Permission management.
Role details
DBA
Each database instance has exactly one DBA. DBAs and DMS administrators can manage who holds the DBA role.
Permissions:
View user permissions on every database in the instance.
Grant or revoke permissions on databases and tables in the instance.
Query all data in the instance databases, except sensitive fields, without applying for permissions.
Submit tickets to perform operations on data and schemas in the instance without applying for permissions.
Automatically assigned to DBA nodes in approval processes.
Instance owner
Each database instance can have up to three owners. Default ownership depends on how the instance was added to DMS:
| Instance type | Default owner |
|---|---|
| ApsaraDB instance | The Alibaba Cloud account used to create the ApsaraDB instance |
| Non-ApsaraDB instance | The Alibaba Cloud account or RAM user that added the instance to DMS |
DMS administrators or current instance owners can transfer ownership to another account.
Permissions:
Grant or revoke permissions on the database instance.
Query all data in the instance databases, except sensitive fields, without applying for permissions.
Submit tickets to perform operations on data and schemas in the instance without applying for permissions.
Database owner
Each database can have up to three owners. When a database's data dictionary is synchronized for the first time, the DBA of the parent instance automatically becomes an owner of that database. DBAs, DMS administrators, and current database owners can add or remove owners, or transfer ownership to another user. Any DMS user can submit a ticket to apply to be a database owner.
Permissions:
Grant or revoke permissions on the database and its tables.
Query all data in the database, except sensitive fields, without applying for permissions.
Submit tickets to perform operations on data and schemas in the database without applying for permissions.
Automatically assigned to owner nodes in approval processes.
Table owner
Each table can have up to three owners. By default, the owners of a table are the owners of the database the table belongs to. DBAs, DMS administrators, and current table owners can add or remove owners, or transfer ownership to another user. Any DMS user can submit a ticket to apply to be a table owner.
Permissions:
Grant or revoke permissions on the table.
Query all data in the table, except sensitive fields.
Permission summary
| Permission | DBA | Instance owner | Database owner | Table owner |
|---|---|---|---|---|
| Grant or revoke instance permissions | Yes | Yes | — | — |
| Grant or revoke database permissions | Yes | — | Yes | — |
| Grant or revoke table permissions | Yes | — | Yes | Yes |
| Query instance data (excluding sensitive fields) | Yes | Yes | — | — |
| Query database data (excluding sensitive fields) | — | — | Yes | — |
| Query table data (excluding sensitive fields) | — | — | — | Yes |
| Submit tickets for instance data and schema operations | Yes | Yes | — | — |
| Submit tickets for database data and schema operations | — | — | Yes | — |
| Auto-assigned to approval process nodes | DBA node | — | Owner node | — |