Data Management (DMS) uses role-based access control (RBAC) to manage permissions. A role is a predefined collection of permissions that defines what a user can see and do within a DMS tenant. Assigning the right role to each team member limits accidental operations and data exposure without requiring you to configure permissions individually.
DMS provides five system roles: regular user, database administrator (DBA), DMS administrator, security administrator, and schema read-only user.
Permission levels
The five roles form a hierarchy. From highest to lowest:
1. DMS administrator — full access to all features and all database instances in the tenant
2. DBA — full database management access; no system configuration access
3. Security administrator — security configuration and monitoring access; no database operation access
4. Schema read-only user — metadata read access only; no data operation access
5. Regular user — minimal permissions by default; must request access to run queries or use development features
System roles
| Role | Who typically holds this role | Permissions | Key limits |
|---|---|---|---|
| Regular user | R&D engineers, testers, operations staff, data analysts | Query and modify data and schemas within approved limits | Must request access to run SQL on the SQL Console or use the Database Development module. Cannot use instance management, user management, task management, or configuration management. |
| DBA | Database administrators, operations and maintenance (O&M) staff | Manage database instances, database development standards, processes, and task executions | Cannot manage system configurations |
| DMS administrator | Enterprise administrators | Manage all database instances in the tenant; perform global system configuration, user management, and resource allocation; perform change and export operations on databases | None — highest permission level |
| Security administrator | Internal auditors, security administrators | Determine field sensitivity levels; audit user operations; configure security settings; use the monitoring feature | Cannot perform operations on databases |
| Schema read-only user | Data analysts | Query metadata of instances, databases, and tables (for example, view table details or export an entire database) | No data operation permissions |
Default role assignments
Two roles are assigned automatically:
- Regular user: A Resource Access Management (RAM) user that is added to the DMS tenant of an Alibaba Cloud account is assigned the regular user role by default.
- DMS administrator: The Alibaba Cloud account used to create a DMS tenant is automatically assigned the DMS administrator role. This assignment cannot be revoked.
To assign the DMS administrator role to additional users, see Manage users.
What's next
For a complete list of features available to each system role, see Permissions of system roles.