What are the differences between the security hosting feature and the Security Collaboration control mode?
| Core feature | Security hosting | Security Collaboration |
| --- | --- | --- |
| Password-free logon | ✔️ | ✔️ |
| Fine-grained and full-lifecycle management of permissions | ✔️ | ✔️ |
| Table schema design | ❌ | ✔️ |
| Security rules (fine-grained operation standards and R&D process management) | ❌ | ✔️ |
| Custom ticket approval processes | ❌ | ✔️ |
| SQL review and optimization | The security hosting feature reviews SQL statements and reminds you of statements that should be optimized. | Data Management (DMS) provides the SQL review and optimization feature in the security rule module. You can use this feature to review SQL statements and obtain optimization suggestions. If an SQL statement must be optimized, DMS forcibly stops its execution. |
| Operation audit | You can view the database operation logs generated in the previous day. | You can view the database operation logs generated in the previous three years. |
What are the differences before and after I enable security hosting for an instance?
Before you enable security hosting for a database instance, you must use a database account and password to log on to the database. If you want to manage permissions for databases, you must assign different permissions to different database accounts.
After you enable security hosting for a database instance, you can log on to the database without using a database account or password. You can also manage permissions on instances, databases, tables, and rows.
For more information, see Security hosting.
What do I do if I want to use only the password-free logon feature without fine-grained permission management?
If you are a DMS administrator, a database administrator (DBA), or an instance owner, you can directly use the password-free logon feature. If you are not a DMS administrator, a DBA, or an instance owner, you must apply for the permissions to log on to an instance without database accounts or passwords. The permissions can also be granted by a DMS administrator, a DBA, or an instance owner. For more information, see the Submit a ticket to apply for permissions and Manage permissions as a DMS administrator or DBA sections of the "Manage permissions" topic.
Do I need to grant users the logon permissions on an instance after I enable security hosting for the instance?
No, you do not need to grant users the logon permissions on an instance after you enable security hosting for the instance. DMS administrators, DBAs, and instance owners can directly manage the instance. Regular users need to apply for permissions to query, export, and change data in a database based on their business requirements.
What permissions can I apply for after security hosting is enabled for a database instance?
You can apply for the query, export, and change permissions on an instance for which security hosting is enabled.
Query permissions: the permissions to execute query statements in the SQL Console.
Export permissions: the permissions to submit data export tickets. These are not permissions to export data without approval.
Change permissions: the permissions to execute change statements in the SQL Console, and the permissions to submit data change tickets and database and table synchronization tickets. These are not permissions to change data without approval. DMS administrators can restrict the types of SQL statements that can be executed in the SQL Console.
Who are the approvers of a ticket that I submit to apply for permissions?
If you submit a ticket to apply for permissions on a database instance managed in Stable Change or Flexible Management mode, resource owners are the approvers of the ticket. If no resource owner exists, the DBA of the database instance is the approver of the ticket. If you submit a ticket to apply for permissions on a database instance managed in Security Collaboration mode, you can specify the approvers of the ticket in security rules in advance. For more information, see Customize approval processes.
How do I view the operation records of permissions?
The operations, such as applying for, granting, and revoking permissions, are recorded in the operation logs of DMS. DMS administrators and DBAs can use the operation audit feature to query the operation records of permissions. For more information, see Use the operation audit feature.
Am I able to specify the validity period of permissions?
Yes, you can specify the validity period of permissions. After the validity period of permissions expires, the permissions are automatically revoked. If you are a DMS administrator, a DBA, or an instance owner, you can revoke resource permissions from other users.
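The following is an added example, not code from DMS or this page, that models the permission semantics described in the answers above: query, export and change permissions scoped to an instance, database or table; export and change permissions that allow submitting tickets rather than acting without approval; administrator-restricted statement types in the SQL Console; and automatic revocation once the validity period expires. All names, roles and sample grants are constructed assumptions, not DMS identifiers.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed model of the permission semantics this page describes; the names
# are assumptions for illustration, not DMS API identifiers.
PRIVILEGED_ROLES = {"dms_admin", "dba", "instance_owner"}
# Permission each action needs. Export permission only lets a user submit an
# export ticket; there is no "export without approval" action at all.
ACTION_PERMISSION = {"run_query": "query", "submit_export_ticket": "export",
                     "run_change": "change", "submit_change_ticket": "change"}
Grant = namedtuple("Grant", "user perm scope expires")  # scope: (instance[, db[, table]])

def is_active(grant, now):
    """An expired grant counts as revoked (automatic revocation on expiry)."""
    return now < grant.expires
def covers(scope, target):
    """A grant at a broader scope covers every narrower object beneath it."""
    return target[:len(scope)] == scope

def may(user, roles, action, target, grants, now, allowed_change_types=None, sql=None):
    """Decide whether user may perform action on target at time now."""
    if roles.get(user, set()) & PRIVILEGED_ROLES:  # admins, DBAs, owners act directly
        return True
    needed = ACTION_PERMISSION.get(action)
    if needed is None or not any(g.user == user and g.perm == needed and is_active(g, now)
                                 and covers(g.scope, target) for g in grants):
        return False
    # A DMS administrator may restrict which statement types run in the SQL Console.
    if action == "run_change" and allowed_change_types is not None:
        words = (sql or "").split(None, 1)
        return bool(words) and words[0].upper() in allowed_change_types
    return True

# Constructed sample: bob holds two grants on instance "rds-1" valid for seven days.
NOW = datetime(2024, 1, 1, 9, 0)
ROLES = {"alice": {"dba"}, "bob": set()}
GRANTS = [Grant("bob", "query", ("rds-1", "orders"), NOW + timedelta(days=7)),
          Grant("bob", "change", ("rds-1", "orders", "items"), NOW + timedelta(days=7))]

def example_decisions():
    items = ("rds-1", "orders", "items")
    return {
        "dba_changes_any_db": may("alice", ROLES, "run_change", ("rds-1", "hr"), GRANTS, NOW),
        "db_grant_covers_table": may("bob", ROLES, "run_query", items, GRANTS, NOW),
        "no_grant_on_other_db": may("bob", ROLES, "run_query", ("rds-1", "hr"), GRANTS, NOW),
        "no_export_grant": may("bob", ROLES, "submit_export_ticket", items, GRANTS, NOW),
        "delete_type_blocked": may("bob", ROLES, "run_change", items, GRANTS, NOW,
                                   {"UPDATE", "INSERT"}, "DELETE FROM items"),
        "expired_grant": may("bob", ROLES, "run_query", items, GRANTS, NOW + timedelta(days=8)),
    }
```

Calling example_decisions() shows that a database-level grant covers its tables, that an expired grant is treated as revoked, and that a DELETE is refused in the SQL Console when the administrator allows only UPDATE and INSERT.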
How do I manage sensitive data by using permissions on sensitive columns?
If the sensitive data protection feature is enabled for a database instance, you can manage sensitive fields by using the sensitive data protection feature together with permissions on sensitive columns. DMS automatically classifies sensitive data and allows only users who have the required permissions to view sensitive fields. For more information, see Overview.
Am I able to implement fine-grained permission management by using single sign-on (SSO)?
Yes, you can implement fine-grained permission management by using SSO. Before that, you must perform the following operations: Configure SSO between the identity provider (IdP) of your enterprise and Alibaba Cloud, and then add Resource Access Management (RAM) users as DMS users. For more information, see Use SSO to log on to DMS and Manage permissions.
Am I charged for the security hosting feature?
The security hosting feature is free of charge.