How does security hosting differ from Security Collaboration?
Both control modes provide password-free logon and fine-grained, full-lifecycle permission management. Security Collaboration adds table schema design, configurable security rules, custom ticket approval processes, three years of operation audit logs, and enforced SQL optimization.
| Feature | Security hosting | Security Collaboration |
|---|---|---|
| Password-free logon | Yes | Yes |
| Fine-grained and full-lifecycle permission management | Yes | Yes |
| Table schema design | No | Yes |
| Security rules (Fine-grained operation standards and R&D process management) | No | Yes |
| Custom ticket approval processes | No | Yes |
| SQL review and optimization | Reviews SQL and flags statements to optimize | Uses security rules to review SQL; provides optimization suggestions and forcefully stops execution if optimization is required |
| Operation audit | Logs from the previous day | Logs from the previous three years |
What changes after I enable security hosting?
Before enabling security hosting, users must log on with a database account and password. Permission management works at the account level — different accounts hold different permissions.
After enabling security hosting, users log on without a database account or password, and permissions can be managed at the instance, database, table, and row level. For more information, see Security hosting.
Who can use password-free logon, and who needs to apply?
DMS administrators, database administrators (DBAs), and instance owners can use password-free logon directly. All other users must apply for logon permissions, or have a DMS administrator, DBA, or instance owner grant those permissions.
For details, see Submit a ticket to apply for permissions and Manage permissions as a DMS administrator or DBA.
Do I need to grant logon permissions after enabling security hosting?
No. DMS administrators, DBAs, and instance owners can manage the instance directly. Regular users do not receive logon permissions automatically — they apply for query, export, or change permissions based on their business needs.
What permissions can users apply for?
Three permission types are available once security hosting is enabled:
Query: Run query statements in the SQL Console.
Export: Submit data export tickets. This does not grant the ability to export data without approval.
Change: Run change statements in the SQL Console and submit data change tickets and database and table synchronization tickets. DMS administrators can restrict which SQL statement types are allowed in the SQL Console.
Who approves permission requests?
Approvers depend on the control mode of the instance:
Stable Change or Flexible Management: Resource owners are the approvers. If no resource owner exists, the DBA approves.
Security Collaboration: Approvers are defined in security rules configured in advance.
For more information, see Customize approval processes.
How do I view permission operation records?
All permission operations — applying for, granting, and revoking permissions — are recorded in DMS operation logs. DMS administrators and DBAs can query these records using the operation audit feature. For more information, see Use the operation audit feature.
Can I set an expiration date for permissions?
Yes. Permissions expire automatically when the validity period ends. DMS administrators, DBAs, and instance owners can also revoke permissions from other users at any time.
How do I protect sensitive data using column-level permissions?
Enable the sensitive data protection feature for the database instance and configure permissions on sensitive columns. DMS automatically classifies sensitive data and restricts access to sensitive columns to users who hold the required permissions. For more information, see Overview.
Can I use SSO for fine-grained permission management?
Yes. Configure single sign-on (SSO) between your enterprise identity provider (IdP) and Alibaba Cloud, then add Resource Access Management (RAM) users as DMS users. For more information, see Use SSO to log on to DMS and Manage permissions.
Is security hosting free?
Yes. The security hosting feature is free of charge.