Data Management: Manage permissions

Last Updated: Jul 11, 2024

This topic describes how to grant users the permissions on instances, databases, and tables and how to revoke the permissions from users.

Prerequisites

  • Security hosting is enabled for your instance. For more information, see the Enable security hosting section of the "Security hosting" topic.

  • The user to which you want to grant permissions is added to Data Management (DMS). For more information about how to add a user, see Manage users.

Usage notes

  • You can perform fine-grained permission management on the databases, tables, rows, and sensitive columns in an instance only after you enable security hosting for the instance. To manage permissions on the sensitive columns in an instance, you must enable the sensitive data protection feature for the instance.

  • Administrators and database administrators (DBAs) can grant permissions on resources to users that belong to the current DMS tenant and revoke the permissions.

  • Data owners can grant and revoke user permissions on databases and tables that they own.

Permission management methods

| User role | Permission management method | Type of resource that can be managed |
| --- | --- | --- |
| Administrator | By using the instance management feature | Permissions on instances, databases, tables, sensitive columns, and rows, and resource ownership |
| Administrator | By using the user management feature | Permissions on instances, databases, tables, sensitive columns, and rows, and resource ownership |
| Administrator | By using permission templates | Permissions on instances, databases, and tables |
| DBA | By using the instance management feature | Permissions on instances, databases, tables, sensitive columns, and rows, and resource ownership |
| DBA | By using permission templates | Permissions on instances, databases, and tables |
| Resource ownership | By using owned permissions | Permissions on instances, databases, tables, sensitive columns, and rows, and resource ownership |
| Each role in the current tenant | By using tickets | Permissions on instances, databases, tables, sensitive columns, rows, and programmable objects, and resource ownership |

Note

Resource ownership management includes the management of instance owners, database owners, and table owners.

Manage permissions by using the instance management feature

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > Data Assets > Instances.

    Note

    If you use the DMS console in normal mode, choose Data Assets > Instances in the top navigation bar.

  3. On the Instance List tab, find the instance that you want to manage and choose More > Manage Permissions in the Actions column.

  4. On the Instance Permission tab, grant or revoke permissions on the instance.

    • Grant permissions on the instance

      Click Authorized Permissions on Instances. In the dialog box that appears, select one or more of the Performance View, Query, Export, and Change options and click OK.

    • Revoke permissions on the instance

      • Revoke permissions from a single user: Find the user to manage and click Recycle Permission in the Actions column. In the dialog box that appears, select one or more permissions that you want to revoke and click OK.

      • Revoke permissions from multiple users: Select the users to manage and click Recycle Permission. In the dialog box that appears, select one or more permissions that you want to revoke and click OK.

    • Extend the authorization period

      When the permissions that you grant to a user are about to expire, you can select the user and click Extend Authorization to allow the user to own the permissions for an extended period.

  5. On the Database Permission tab, grant or revoke permissions on the databases in the instance.

    • Grant permissions on databases

      Click Grant Permissions on Database. In the dialog box that appears, select one or more databases to manage, select one or more of the Query, Export, and Change options, and then click OK.

    • Revoke permissions on databases

      • Revoke permissions from a single user: Find the user to manage and click Recycle Permission in the Actions column. In the dialog box that appears, select one or more permissions that you want to revoke and click OK.

      • Revoke permissions from multiple users: Select the users to manage and click Recycle Permission. In the dialog box that appears, select one or more permissions that you want to revoke and click OK.

    • Extend the authorization period

      When the permissions that you grant to a user are about to expire, you can select the user and click Extend Authorization to allow the user to own the permissions for an extended period.

  6. On the Database List tab, perform the following operations on one or more databases based on your business requirements: set the owner, change the owner, and grant or revoke permissions on databases, tables, columns, or rows.

    Note

    To manage permissions on a database, you can also choose More > Permission Management in the Actions column of the database.

Manage permissions by using the user management feature

Grant or revoke permissions

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All functions > O&M > Users.

    Note

    If you use the DMS console in normal mode, choose O&M > Users in the top navigation bar.

  3. Grant permissions to a user.

    Note

    Administrators can grant permissions on the databases, tables, rows, and sensitive columns in an instance only if security hosting is enabled for the instance.

    Select the user to manage. Click Authorize User in the upper part of the page. Then, grant permissions on one or more instances, databases, tables, rows, or sensitive columns based on your business requirements. Alternatively, add the user to a permission template to perform authorization.

    Note

    You can also click Authorize in the Actions column of a user to manage permissions for the user.

  4. Revoke permissions from a user.

    1. Find the user to manage and choose More > Permission Details in the Actions column.

    2. Select the resource involved and click Release Permission.

    3. Select the permissions to revoke, such as Export and Change, and click OK.

      The following example demonstrates how to revoke permissions on a database from a user.

  5. Extend the authorization period.

    When the permissions that you grant to a user are about to expire, you can click Extend Authorization to allow the user to own the permissions for an extended period.

View the permissions owned by a user

Administrators can view the resources and permissions that a user owns, including permissions on instances, databases, tables, rows, and sensitive columns.

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All functions > O&M > Users.

    Note

    If you use the DMS console in normal mode, choose O&M > Users in the top navigation bar.

  3. Find the user to manage and choose More > Permission Details in the Actions column.

  4. On the Ordinary Permissions tab, view the permissions owned by the user.

  5. On the My Resources tab, view the resources owned by the user.

Manage permissions by using permission templates

Grant permissions to or revoke permissions from users

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Permission Center > Permission Templates.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Permission Center > Permission Templates in the top navigation bar.

  3. Click the name of an existing permission template or create a permission template to go to the template details page. For information about how to create a permission template, see Create a permission template.

  4. Add resources to the permission template.

    1. Click Add Resource in the upper-right corner. In the dialog box that appears, you can add one or more instances, databases, and tables to the template.

    2. Enter the name of the instance to add in the search box, press Enter, select the required resources, and then select the required Permission options.

      Note

      Before you confirm the settings, you can add instances, databases, and tables on different tabs in the dialog box.

    3. Click Confirm.

  5. Add users to the permission template.

    1. On the template details page, click Authorize.

    2. Search for and select the users to add and select a validity period.

    3. Click Confirm.

View the authorized users and revoke permissions from the users

  1. On the template details page, click Authorization Records.

  2. On the Authorized Users tab, view the users who are authorized by the template and click Revoke to revoke the granted permissions from the users.

    Note

    After you click Revoke, all permissions that were last granted by the template to the user are revoked.

Apply for permissions by using tickets

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Permission Center > Permission Tickets.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Permission Center > Permission Tickets in the top navigation bar.

  3. On the Access apply Tickets page, click Access apply and select a permission type from the drop-down list.

  4. On the Access apply Tickets page, specify the permissions for which you want to apply on resources such as instances, databases, or tables.

    1. Select resources.

      Category: Security Hosting Disabled

      Supported permission type: Instances-Login

      Description: If security hosting is disabled for an instance, you can apply for only the permissions to log on to the instance.

      1. Enter the endpoint or name of an instance in the search box and click Search.

      2. In the search results, select the instance on which you want to apply for permissions.

      3. Click the add icon to add the selected instance to the Confirm selected instance section.

      Category: Security Hosting Enabled

      Supported permission types:

      • Instances-OWNER

      • Database-OWNER

      • Table-OWNER

      • Instances-Permission

      • Instances-Performance

      • Database-Permission

      • Table-Permission

      • Programmable Object Permissions

      • Row-Permission

      • Sensitive Column-Permission

      Description: In this example, Database-Permission is selected.

      1. Enter the name of a database in the search box and click Search. You can use the percent sign (%) as a placeholder to search for a database in fuzzy match mode. Example: dms%test.

      2. In the search results, select the database on which you want to apply for permissions.

      3. Click the add icon to add the selected database to the Selected Databases/Tables/Columns section.

    2. Select the permissions to apply for, configure the validity period of the permissions, and then enter the reason for the application by configuring the Permission, Duration, and Reason parameters. The supported permissions include the logon, query, export, and change permissions.

  5. Click Submit. The ticket enters the Approval step.

  6. Wait for the ticket to be approved. After the ticket is approved, the system automatically grants you the permissions for which you apply.

    • For an instance that is managed in Security Collaboration mode, you can customize an approval process.

    • For an instance that is not managed in Security Collaboration mode, if security hosting is disabled, you can apply for only the permissions to log on to the instance. The default reviewer is the DBA of the instance. If security hosting is enabled for the instance, the reviewer is the resource owner. If no resource owner is specified, the reviewer is the DBA of the instance.
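
The reviewer rules in step 6, combined with the permission types listed in step 4, can be modeled locally to check which reviewer a ticket should reach. This is an added example, not DMS code or a DMS API: the `Instance` class, its fields, and the sample names are hypothetical, and it assumes the permission-type check depends only on the security hosting state.

```python
from dataclasses import dataclass
from typing import Optional

# Permission types from the ticket table on this page, by security hosting state.
HOSTING_DISABLED_TYPES = frozenset({"Instances-Login"})
HOSTING_ENABLED_TYPES = frozenset({
    "Instances-OWNER", "Database-OWNER", "Table-OWNER",
    "Instances-Permission", "Instances-Performance", "Database-Permission",
    "Table-Permission", "Programmable Object Permissions",
    "Row-Permission", "Sensitive Column-Permission",
})
CUSTOM_PROCESS = "custom approval process"  # placeholder for a tenant-defined flow


@dataclass
class Instance:
    """Hypothetical local model of a DMS instance (not a DMS API object)."""
    name: str
    dba: str
    security_hosting: bool
    security_collaboration: bool = False
    resource_owner: Optional[str] = None  # owner of the requested resource, if any


def allowed_types(inst: Instance) -> frozenset:
    """Permission types a ticket may request on this instance."""
    return HOSTING_ENABLED_TYPES if inst.security_hosting else HOSTING_DISABLED_TYPES


def resolve_reviewer(inst: Instance, permission_type: str) -> str:
    """Return the expected reviewer, or raise if the type cannot be requested."""
    if permission_type not in allowed_types(inst):
        raise ValueError(
            f"{permission_type!r} cannot be requested on {inst.name}: "
            f"security hosting is {'enabled' if inst.security_hosting else 'disabled'}"
        )
    if inst.security_collaboration:
        return CUSTOM_PROCESS          # approval process is customized per instance
    if not inst.security_hosting:
        return inst.dba                # logon-only tickets go to the instance DBA
    return inst.resource_owner or inst.dba  # owner first, DBA when no owner is set


# Constructed sample instances and user names.
legacy = Instance("legacy-mysql", dba="dba_li", security_hosting=False)
orders = Instance("orders-rds", dba="dba_li", security_hosting=True,
                  resource_owner="owner_wang")
```

During an access review, comparing the reviewer recorded on an approved ticket with the value this model returns highlights tickets that were approved by someone other than the expected owner or DBA.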

Manage permissions by using owned permissions

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All functions > Security and Specifications > Permission Center > Permissions.

    Note

    If you use the DMS console in normal mode, choose Security and Specifications > Permission Center > Permissions in the top navigation bar.

  3. On the My Resources tab, perform the following operations based on your business requirements.

    • Grant permissions on a resource to other users.

      Find the required instance, database, or table, click Permission Management in the Actions column, and then grant permissions to other users.

    • Modify the owner of an instance, a database, or a table.

      Select the resource to manage and click Transfer Ownership, Release Owner, or Add Owner.

Related API operations