The security hosting feature of Data Management (DMS) can address issues in traditional database management solutions. For example, the database account and password may be leaked, managing multiple databases and accounts is complex, and unclear permission management may lead to unauthorized access to resources. After the security hosting feature is enabled for your instance, the instance enters the logon-free state and DMS provides the access control feature for fine-grained permission management. You can access authorized resources, such as instances and databases, without the need to enter the database account and password.
Background information
Traditional database management | Security hosting of DMS |
Managing multiple databases and accounts is difficult and authorization operations are complex. If the permissions are not revoked in time, a data breach may occur. In addition, tracing the personnel who operate on the database is difficult. | As a best practice of DMS in Alibaba Group, security hosting provides your enterprise with database permission management solutions and helps your enterprise manage permissions for databases across clouds. |
Comparison before and after security hosting is enabled
Item | Before security hosting is enabled | After security hosting is enabled |
Database account and password | You must use a database account and password to log on to a database. The database account or password may be leaked. | You do not need to use a database account and password to log on to a database. |
Instance logon status | The logon status may become invalid, and the database is disconnected after 24 hours. Then, you need to log on to the database again. | You do not need to log on to the database and you have the query and change permissions on the instance. |
Multiple accounts and multiple databases | You must manage accounts separately for each database. | You can use Alibaba Cloud accounts or single sign-on (SSO) to access a database. |
Database permissions | You can manage only instance logon permissions. |
|
Instance logon permissions | You must separately apply for instance logon permissions. | You can use a database without the need to log on to the database. If you are a regular user, you can apply for the query, export, and change permissions on resources based on your business requirements. |
Billing
The security hosting feature is free of charge.
Usage notes
If your database instance is managed in Stable Change or Flexible Management mode, you need to manually enable security hosting. For more information, see the Enable security hosting section of this topic.
Note: If your database instance is managed in Security Collaboration mode, security hosting is enabled by default.
To ensure that you can use the features provided by DMS to manage your database, we recommend that you specify a database account with higher permissions when you enable security hosting for a database instance in DMS.
If you enable security hosting for an instance, the database and connections to the database are not affected.
Flowchart
Enable security hosting
If you are a DMS administrator or database administrator (DBA), you can log on to the DMS console 5.0 and then enable security hosting for the instance.
Enable security hosting for a database instance that is not registered with DMS
If you are a DMS administrator or DBA, you can enable security hosting when you register a database instance with DMS. For more information, see Register an Alibaba Cloud database instance and Register a database hosted on a third-party cloud service or a self-managed database.
Enable security hosting for a database instance that is registered with DMS
If you are a DMS administrator or DBA, you can log on to the DMS console. In the Database Instances section on the left side of the homepage, right-click the database instance that you want to manage and select Edit. In the dialog box that appears, enable security hosting. For more information, see Modify database instances.
Disable security hosting
If you want to remove an instance from the logon-free instance list, disable security hosting.
If you are a DMS administrator or DBA, you can log on to the DMS console. In the Database Instances section on the left side of the homepage, find the database instance that you want to manage and select Edit. In the dialog box that appears, set the Access mode parameter to Disable Security Hosting (Not Recommended).
After security hosting is disabled, the permission configurations of the instance become invalid, and you must use the database account and password when you log on to the database.
Related operations
Check whether security hosting is enabled for a database instance
Log on to the DMS console. In the Database Instances section on the left side of the homepage, find the database instance that you want to manage and move the pointer over the instance to check whether security hosting is enabled for the instance.
Grant permissions as a DMS administrator, DBA, or instance owner. For more information, see Manage permissions.
In the Database Instances section on the left side of the homepage, right-click the instance or database that you want to manage and select Manage Permissions. In the dialog box that appears, grant permissions on the instance, database, or other resources to the user.
Note: If your enterprise has a large number of employees or databases, you can add resources such as database instances, databases, and tables that have the same business attributes to a permission template and authorize one or more users to manage the resources in the permission template. For more information, see Create a permission template.
Regular users can also apply for resource permissions. For more information, see the Submit a ticket to apply for permissions section of the "Manage permissions" topic.
View the resource permissions that you have. For more information, see View owned permissions.
View the resource permissions of other users as a DMS administrator, and view the users who have permissions on database instances and databases as a DMS administrator or DBA. For more information, see the Manage permissions as a DMS administrator section of the "Manage permissions" topic.
Track the details of permission change operations as a DMS administrator or DBA. For more information, see Use the operation audit feature.
FAQ
Q: How do I prevent unauthorized users from viewing instance information after security hosting is enabled?
A: Perform the following operations:
Disable RAM permission verification.
Choose
. On the Configuration Management page, disable Whether to enable RAM permission verification. This way, RAM users cannot perform operations on instances in DMS by using existing RAM permissions.
Enable access control for the instance.
Note: You can enable access control only for instances managed in Secure Collaboration mode.
Choose Access control.
. On the Instances page, find the instance that you want to manage, choose in the Actions column, and then enable access control. After access control is enabled, only authorized users can search for the instance. For more information, see
Q: How do I prevent users from viewing unauthorized instance information after security hosting is enabled?
A: Perform the following operations:
Disable RAM permission verification.
Choose
. On the Configuration Management page, disable Whether to enable RAM permission verification. This way, RAM users cannot perform operations on instances in DMS by using existing RAM permissions.
Enable access control for the user.
Choose Access control.
. On the Users page, find the user that you want to manage, choose in the Actions column, and then enable access control. After access control is enabled, the user can only search for authorized instances or databases. For more information, see
For more information about the security hosting feature, see FAQ about security hosting.