Data Management (DMS) provides features that can be used to manage data security in a comprehensive and fine-grained manner. You can manage the permissions on resources such as database instances, databases, tables, rows, and sensitive columns. This topic describes how to manage permissions by using different roles in DMS.
Usage notes
If security hosting is disabled for a database instance, you can apply for or grant only the permissions to log on to the database instance.
If security hosting is enabled for a database instance, you can manage the permissions on resources such as the database instance, databases, tables, rows, and sensitive columns. For more information about how to enable security hosting, see Security hosting.
Permission management methods for different roles in DMS
Role | Permission management method |
Regular user | In DMS, regular users except those for whom access control is enabled can submit a ticket to apply for the permissions on a resource. For more information, see the Submit a ticket to apply for permissions section of this topic. |
DMS administrator and database administrator (DBA) | DMS administrators and DBAs can grant and revoke permissions directly instead of submitting a ticket. For more information, see the Manage permissions as a DMS administrator or DBA and Manage permissions as a DMS administrator sections of this topic. Note: DBAs can manage permissions only by using the instance management feature. DMS administrators can manage permissions by using all four methods described in this topic: submitting a ticket, the instance management feature, permission templates, and the user management feature. |
Schema read-only | Users who assume the schema read-only role can query the metadata of all database instances, databases, and tables without the need to obtain the query, change, or export permissions on the database instances, databases, and tables. |
You can click the icon in the upper-right corner of the DMS console to view your roles in DMS.
DMS records all permission change operations except metadata access control in operation logs. For example, if you apply for, grant, release, or revoke permissions, you can view the permission change records in DMS operation logs. To view operation logs, open the operation log page from the top navigation bar of the DMS console and click the Operation Logs tab.
Submit a ticket to apply for permissions
DMS users except those for whom access control is enabled can submit a ticket to apply for the permissions on a resource.
- Log on to the DMS console V5.0.
- Move the pointer over the icon in the upper-left corner and open the Access apply Tickets page from the menu. Note: If you use the DMS console in normal mode, open the page from the top navigation bar.
- On the Access apply Tickets page, click Access apply and select a permission type from the drop-down list.
- On the Access apply Tickets page, configure the permissions for which you want to apply on resources such as database instances, databases, or tables.
  - Select resources. The permission types that you can apply for depend on whether security hosting is enabled for the database instance:

    Category | Supported permission type | Description |
    Secure Management-Disabled | Instances-Login | If security hosting is disabled for a database instance, you can apply for only the permissions to log on to the database instance. Enter the endpoint or name of a database instance in the search box and click Search. In the search results, select the database instance on which you want to apply for permissions. Click the icon to add the selected database instance to the Confirm selected instance section. |
    Secure Management-Enabled | Instances-OWNER, Database-OWNER, Table-OWNER, Instances-Permission, Instances-Performance, Database-Permission, Table-Permission, Programmable Object, Row-Permission, Sensitive Column-Permission | In this example, Database-Permission is selected. Enter the name of a database in the search box and click Search. You can use the percent sign (%) as a placeholder to search for a database in fuzzy match mode. Example: dms%test. In the search results, select the database on which you want to apply for permissions. Click the icon to add the selected database to the Selected Databases/Tables/Columns section. |
  - Select permissions. Select the permissions for which you want to apply (logon, query, export, or change), configure the validity period of the permissions, and then enter the reason for the application. Grant only the permissions that the task requires and keep the validity period as short as the task allows; the permissions expire automatically at the end of the period.
- Click Submit. The ticket enters the Approval step.
- Wait for the approver to approve the ticket. After the ticket is approved, the system automatically grants you the permissions for which you applied. The approver is determined as follows:
  - For a database instance that is managed in Security Collaboration mode, the approval process can be customized.
  - For a database instance that is not managed in Security Collaboration mode, the approver depends on security hosting. If security hosting is disabled, you can apply for only the permissions to log on to the database instance, and the default approver is the DBA of the database instance. If security hosting is enabled, the approver is the resource owner. If no resource owner is specified, the approver is the DBA of the database instance.
View your permissions
- Log on to the DMS console V5.0.
- Move the pointer over the icon in the upper-left corner and open the page on which your permissions are listed. Note: If you use the DMS console in normal mode, open the page from the top navigation bar.
- View regular permissions. On the Ordinary Permissions tab, select a permission type from the first drop-down list. In the permission list, view the regular permissions that you have.
- View resource owner permissions. On the My Resources tab, select Owner's instance, My Databases, or My Tables from the first drop-down list. In the resource list, view the resources on which you have owner permissions.

Note: The permissions on a database instance include the permissions to log on to the database instance, view the performance of the database instance, and query, export, and change the data of the database instance. You cannot query or release the permissions on a programmable object.
Release the permissions on resources
After you release the permissions on a resource such as a database instance, database, table, sensitive column, or row, you can no longer query, export, or change the data of the resource.
- Log on to the DMS console V5.0.
- Move the pointer over the icon in the upper-left corner and open the page on which your permissions are listed. Note: If you use the DMS console in normal mode, open the page from the top navigation bar.
- Release regular permissions. On the Ordinary Permissions tab, select the regular permissions that you want to release and click Release Permission.
- Release resource owner permissions. On the My Resources tab, select the resource owner permissions that you want to release and click Release Owner.
Manage permissions as a DMS administrator or DBA
Manage permissions by using the instance management feature
- Log on to the DMS console V5.0.
- Move the pointer over the icon in the upper-left corner of the DMS console and open the instance management page from the menu. Note: If you use the DMS console in normal mode, open the page from the top navigation bar.
- Manage the permissions on database instances.
  - Click the Instance List tab. Find the database instance that you want to manage and open the permission management dialog box from the Actions column.
  - In the dialog box that appears, find the user that you want to manage and click a button in the Actions column to manage permissions. You can view the permissions of the user, revoke permissions from the user, or grant the user the permissions to log on to the database instance or view the performance of the database instance.
    - If security hosting is disabled for a database instance, you can grant a user only the permissions to log on to the database instance.
    - If security hosting is enabled for a database instance, you can grant a user the permissions to view the performance of the database instance and query, export, and change the data of the database instance.
- Manage the permissions on databases and tables. If security hosting is enabled for a database instance, DMS administrators and DBAs can grant a user the permissions on a database or table. If security hosting is disabled for a database instance, no permissions on a database or table can be granted.
  - Click the Database List tab. Find the database that you want to manage and open the permission management dialog box from the Actions column.
  - In the dialog box that appears, select a permission type. Find the user that you want to manage and click a button in the Actions column to manage permissions. You can view the permissions of the user and revoke permissions from the user. You can also click Grant Permissions on Database or Grant Permissions on Table to grant the permissions on the database or tables to a user.
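The ticket application rules above (which permission types can be applied for, who approves, and the validity period) and the administrator grant rules in this section share one gate: when security hosting is disabled, only the instance logon permission can be applied for or granted; when it is enabled, performance, query, export and change permissions become available, each with an expiry. The following Python model is an added example written for this article; it is not DMS code and does not call the DMS API. Every name in it (Instance, Ticket, Grant, PermissionStore, the "prod"/"legacy" instances and the users) is an assumption made for illustration, and the resource path notation ("instance/database/table") is likewise invented here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Permission types named on the page.
LOGIN, PERFORMANCE, QUERY, EXPORT, CHANGE = "login", "performance", "query", "export", "change"


@dataclass
class Instance:
    """Assumed shape of a database instance; not a DMS type."""
    name: str
    dba: str
    security_hosting: bool
    owners: dict = field(default_factory=dict)   # resource path -> owner user


@dataclass
class Ticket:
    user: str
    resource: str          # "prod", "prod/orders", "prod/orders/customers" (assumed notation)
    perms: frozenset
    validity: timedelta
    reason: str
    approver: str          # computed from the documented approver rule
    approved: bool = False


@dataclass
class Grant:
    user: str
    resource: str
    perm: str
    expires_at: datetime


class PermissionStore:
    """Toy model of the documented rules: hosting gate, approver routing, expiry, audit log."""

    def __init__(self):
        self.instances = {}
        self.grants = []
        self.op_log = []   # (operation, actor, affected user, resource, perm)

    def register(self, inst):
        self.instances[inst.name] = inst

    def _instance_of(self, resource):
        return self.instances[resource.split("/", 1)[0]]

    @staticmethod
    def grantable(inst):
        """Security hosting disabled: only logon. Enabled: the full set."""
        if not inst.security_hosting:
            return frozenset({LOGIN})
        return frozenset({LOGIN, PERFORMANCE, QUERY, EXPORT, CHANGE})

    @staticmethod
    def approver(inst, resource):
        """Default approver for an instance that is not in Security Collaboration mode."""
        if not inst.security_hosting:
            return inst.dba
        return inst.owners.get(resource, inst.dba)   # owner if set, else the DBA

    def _check_gate(self, inst, perms):
        denied = set(perms) - self.grantable(inst)
        if denied:
            raise PermissionError(f"{inst.name}: security hosting disabled, cannot grant {sorted(denied)}")

    def apply(self, user, resource, perms, validity, reason):
        inst = self._instance_of(resource)
        self._check_gate(inst, perms)
        ticket = Ticket(user, resource, frozenset(perms), validity, reason, self.approver(inst, resource))
        for p in sorted(ticket.perms):
            self.op_log.append(("apply", user, user, resource, p))
        return ticket

    def approve(self, ticket, actor, now):
        if actor != ticket.approver:
            raise PermissionError(f"{actor} is not the approver ({ticket.approver})")
        ticket.approved = True
        # Approval grants exactly what was applied for, valid until the period ends.
        self.grant(actor, ticket.user, ticket.resource, ticket.perms, now + ticket.validity)

    def grant(self, actor, user, resource, perms, expires_at):
        """Direct grant by a DMS administrator or DBA; same gate as a ticket."""
        self._check_gate(self._instance_of(resource), perms)
        for p in sorted(perms):
            self.grants.append(Grant(user, resource, p, expires_at))
            self.op_log.append(("grant", actor, user, resource, p))

    def release(self, user, resource):
        """A user gives up their own permissions on a resource."""
        return self._drop("release", user, user, resource)

    def revoke(self, actor, user, resource):
        """An administrator removes another user's permissions on a resource."""
        return self._drop("revoke", actor, user, resource)

    def _drop(self, op, actor, user, resource):
        keep, dropped = [], []
        for g in self.grants:
            (dropped if g.user == user and g.resource == resource else keep).append(g)
        self.grants = keep
        for g in dropped:
            self.op_log.append((op, actor, user, resource, g.perm))
        return len(dropped)

    def has_permission(self, user, resource, perm, now):
        """Exact-resource match; expired grants are ignored."""
        return any(g.user == user and g.resource == resource and g.perm == perm and now < g.expires_at
                   for g in self.grants)
```

Usage: register a hosting-disabled instance and a hosting-enabled one with an owner on one database, then try to apply for a query permission on the former (rejected), apply on the latter (routed to the owner, not the DBA), approve, and check that the grant is honoured before its validity period ends and not after. Every apply, grant, release and revoke lands in op_log, mirroring what DMS writes to its operation logs.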
Manage permissions by using permission templates
For more information, see Create a permission template.
Manage permissions as a DMS administrator
DMS administrators can use the user management feature to grant permissions to or revoke permissions from a user. The permissions that can be granted or revoked include the permissions on database instances, databases, tables, rows, and sensitive columns.
- Log on to the DMS console V5.0.
- Move the pointer over the icon in the upper-left corner and open the user management page from the menu. Note: If you use the DMS console in normal mode, open the page from the top navigation bar.
- Grant permissions to a user.
  - Find the user that you want to manage, move the pointer over Authorize in the Actions column, and then select a permission type.
  - In the dialog box that appears, configure the parameters and click OK.
- Revoke permissions from a user.
  - Find the user that you want to manage, move the pointer over More in the Actions column, and then open the User Permissions dialog box.
  - In the User Permissions dialog box, click the Ordinary Permissions tab and select a permission type.
  - Select the resources that you want to manage and click Release Permission.
  - In the Permission Operation dialog box, select the permissions that you want to revoke or release and click OK.
FAQ
Q: A Resource Access Management (RAM) user has the permissions to log on to an ApsaraDB RDS instance in the DMS console. When I log on to the instance in the DMS console as the RAM user, a message appears to indicate that the RAM user does not have the permissions to log on to the instance. What do I do?
A: Make sure that you add the ApsaraDB RDS instance to DMS by using your Alibaba Cloud account. Then, you can log on to the ApsaraDB RDS instance in the DMS console as the RAM user. For more information, see Register an Alibaba Cloud database instance.