The custom role feature in Data Management (DMS) lets you control which database resources and operations each user can access. Create a custom role, attach a policy that defines its permissions, and then assign the role to one or more users.
The custom role feature is in canary release.
Key concepts
| Term | Definition |
|---|---|
| Role | A named entity that groups permissions. Assign a role to users instead of granting permissions individually. |
| Policy | A set of rules that defines which operations are allowed on which resources. Attach a policy to a role. |
| User | A DMS account that can be assigned one or more roles. |
| System role | A built-in role provided by DMS. Its policies cannot be modified. |
| Custom role | A role you create and configure. Its policies can be adjusted. |
How it works
The workflow has three steps:
Create a custom role — define the role name and description.
Attach a policy to the role — specify which operations the role can perform on which resources (for example, query and modify ApsaraDB for Redis instances).
Assign the role to users — users gain the permissions granted by the role and are restricted by the attached policy.
A user can hold multiple system roles and custom roles at the same time.
Prerequisites
Before you begin, make sure you have the role management permission. By default, DMS administrators have this permission. If you don't have it, ask a DMS administrator to assign the DMS administrator role to your account. For more information, see the Modify a user section of the "Manage users" topic.
Create a custom role
Log on to the DMS console V5.0.
Move the pointer over the icon in the upper-left corner and choose All functions > O&M > Role Management. In normal mode, choose O&M > Role Management in the top navigation bar.
On the Custom Role tab, click Add Custom Role.
In the Add Custom Role dialog box, enter a Role name and Role Description, then click Confirm.
Attach a policy to a custom role
Before attaching a policy, decide what the role should be able to do — for example, "Query and modify ApsaraDB for Redis instances." A clear scope helps you select the right policy and avoid over-permissioning.
On the Custom Role tab, find the role and click Details in the Actions column.
On the Policy tab, click Add Permission Policy.
In the Authorize dialog box, select System Policy or Custom Policy for the Select Permission parameter.
Select the policy and click OK.
Alternatively, choose Security and Specifications (DBS) > Permission Center > Policy in the top navigation bar. Find the policy and click Authorize in the Actions column.
Assign a custom role to users
After a custom role is assigned to a user, the user gains the permissions defined by the role's attached policies.
On the Custom Role tab, find the role and click Details in the Actions column.
Click the Associated User tab, then click Add User.
In the Add User dialog box, select one or more users for the Member parameter.
Click OK.
Alternatively, choose O&M > Users in the top navigation bar and edit a user's basic information to assign the custom role.
View policies and users for a role
On the Custom Role tab, find the role and click Details in the Actions column.
On the Policy tab, view the policies attached to the role.
On the Associated User tab, view the users assigned to the role.
FAQ
What is the difference between custom roles and system roles?
System roles are provided by DMS and their policies cannot be changed. Custom roles are created by you, and their policies can be adjusted. A user can be assigned multiple system roles and custom roles simultaneously.