Database management - Data Management - Alibaba Cloud Documentation Center

As a best practice of Data Management (DMS) in Alibaba Group, security hosting provides your enterprise with a collection of database permission management solutions and helps your enterprise manage permissions for databases across clouds.

Background information

In traditional database management solutions, you must use a database account and password to log on to a database before you can perform operations on the database. This causes issues such as the risk of database account and password leaks, complex management of multiple accounts and multiple databases, and inefficient resource permission management.

To resolve the issues caused by traditional solutions, DMS provides the security hosting feature.

Introduction Video

Comparison before and after security hosting is enabled

Item	Before security hosting is enabled	After security hosting is enabled
Database account and password	You must use a database account and password to log on to a database. The database account or password may be leaked.	You do not need to use a database account and password to log on to a database.
Instance logon status	After you log on to a database, the logon session has a validity period. A logon session is valid for at most 24 hours.	If you have permissions on a database, you can use the database without the need to log on to the database.
Multiple accounts and multiple databases	You must manage accounts separately for each database.	You can use Alibaba Cloud accounts or single sign-on (SSO) to access a database.
Database permissions	You can manage only instance logon permissions.	DMS allows you to manage permissions at the database instance, database, table, row, and column levels. You can also manage the lifecycle of resource permissions and specify an expiration time for permissions to automatically revoke permissions.
Instance logon permissions	You must separately apply for instance logon permissions.	You can use a database without the need to log on to the database. If you are a regular user, you can apply for the query, export, and change permissions on resources based on your business requirements.

Billing

The security hosting feature is free of charge.

Usage notes

If your database instance is managed in Stable Change or Flexible Management mode, you need to manually enable security hosting. For more information, see the Enable security hosting section of this topic.
Note
If your database instance is managed in Security Collaboration mode, security hosting is enabled by default.
To ensure that you can use the features provided by DMS to manage your database, we recommend that you specify a database account with higher permissions when you enable security hosting for a database instance in DMS.

Flowchart

Check whether security hosting is enabled for a database instance

Log on to the DMS console. In the Database Instances section on the left side of the homepage, find the database instance that you want to manage and move the pointer over the instance to check whether security hosting is enabled for the database instance.

Enable security hosting

Enable security hosting for a database instance that is not registered with DMS
If you are a DMS administrator or database administrator (DBA), you can enable security hosting when you register a database instance with DMS. For more information, see Register an Alibaba Cloud database instance and Register a database hosted on a third-party cloud service or a self-managed database.
Enable security hosting for a database instance that is registered with DMS
If you are a DMS administrator or DBA, you can enable security hosting when you modify a database instance in DMS. For more information, see Modify database instances.

Disable secure hosting

If you are a DMS administrator or DBA, you can disable security hosting when you modify a database instance in DMS.

Important

After you disable secure hosting for a database instance, the permission configurations of the database instance become invalid.

What to do next

After security hosting is enabled for a database instance, you may need to perform the following operations:

Obtain permissions.
- Apply for permissions as a regular user.
  - Submit a ticket to apply for permissions: When you query, export, or change data in a database, DMS checks whether you have the required permissions. If you have the required permissions, you can directly perform the operation. If you do not have the required permissions, you must submit a ticket to apply for permissions. For more information, see the Submit a ticket to apply for permissions section of the "Manage permissions" topic.
- Grant permissions as a DMS administrator, DBA, or instance owner. For more information, see Manage permissions.
  Note
  If your enterprise has a large number of employees or databases, you can add resources such as database instances, databases, and tables that have the same business attributes to a permission template and authorize one or more users to manage the resources in the permission template. For more information, see Create a permission template.
View the resource permissions that you have. For more information, see View owned permissions.
View the resource permissions of other users as a DMS administrator, and view the users who have permissions on database instances and databases as a DMS administrator or DBA. For more information, see the Manage permissions as a DMS administrator section of the "Manage permissions" topic.
Track the details of permission change operations as a DMS administrator or DBA. For more information, see Use the operation audit feature.

FAQ

For more information about the security hosting feature, see FAQ about security hosting.