This topic describes how to manage users in Data Management (DMS). You can add users, modify users, and manage user permissions.
Prerequisites
You are a DMS administrator. For more information about how to view the role of a user, see View system roles.
Usage notes
Make sure that a tenant has at least one valid administrator account.
You can assign the administrator role to all users in DMS, including Alibaba Cloud accounts and Resource Access Management (RAM) users.
After you use your Alibaba Cloud account to activate DMS, the account is automatically assigned the DMS administrator role.
If a RAM user has the AdministratorAccess permission to manage all resources of your Alibaba Cloud account and is used to log on to DMS for the first time, the RAM user is also automatically assigned the DMS administrator role. For more information, see the Manage the configurations of RAM users section of the "Accounts used to log on to DMS" topic.
You can add multiple Alibaba Cloud accounts to a tenant. You can add users on the Users page. By default, the added users belong to the same tenant as your account. Users added to the tenant can view information about the current tenant. For more information, see the View information about the current tenant section of the "Manage DMS tenants" topic.
Note: If you log on to DMS for the first time by using an Alibaba Cloud account, the system automatically creates a tenant for the account. For more information about tenants, see the Background information section of the "Manage DMS tenants" topic.
Log on to the DMS console
You can log on to the DMS console in one of the following ways:
Log on to the DMS console by using an Alibaba Cloud account. For more information, see Accounts used to log on to DMS.
Log on to the DMS console as a RAM user. For more information, see Accounts used to log on to DMS.
Implement user-based single sign-on (SSO) or role-based SSO to log on to the DMS console by using the identity provider (IdP) of your enterprise. SSO is also known as identity federation. For more information, see Use SSO to log on to DMS.
Add a user
Method 1: Manually add a user
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, click New.
- In the Add User dialog box, enter the Alibaba Cloud account ID of the user that you want to add.
  Note: To view your Alibaba Cloud account ID, move the pointer over the icon in the upper-right corner of the console.
- Select one or more system roles for the user that you want to add. For more information, see System roles.
- Click OK.
Method 2: Add a RAM user that belongs to the current Alibaba Cloud account
Only the current Alibaba Cloud account or a RAM user that has the ListUser permission can add a RAM user by using this method.
By default, RAM users that are added to DMS in this way are assigned the regular user role. You can change the roles of users based on your business requirements. For more information, see the Modify a user section of this topic.
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- In the upper part of the Users page, click Synchronize RAM User.
- In the Synchronize RAM User dialog box, search for an account by display name or Alibaba Cloud account ID.
- Select one or more RAM users and click Add Selected Users.
Modify a user
Modify the information about a user
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, select the user whose information you want to modify.
- Click Edit User in the upper part of the page.
  Note: You can also click Change in the Actions column to modify the user information.
- In the Edit User dialog box, modify the following information.
  Note: You can change your mobile phone number and email address from the tenant profile picture. For more information, see Configure personal information and notification methods.
| Section | Parameter | Description |
| --- | --- | --- |
| Basic info | Display Name | The display name on the Users page. The display name identifies the user. |
| | Role | The role of the user. DMS provides five system roles: regular user, database administrator (DBA), administrator, security administrator, and schema read-only user. For more information, see System roles. |
| | The maximum number of queries | The maximum number of queries that can be performed by the user within a specific period of time. The value of the parameter must be an integer. You can select a time period from the right-side drop-down list, or select Others in the drop-down list and specify a custom time period. Note: To query data after a system is published or track the status of a system, a user may query more rows than the upper limit for a day, or query data more times than the upper limit for a day. In this case, you can set the upper limits to greater values for the user as required. |
| | Query the upper limit number of rows | The maximum number of rows that can be queried by the user within a specific period of time. The value of the parameter must be an integer. You can select a time period from the right-side drop-down list, or select Others in the drop-down list and specify a custom time period. |
| | DingTalk Chatbot | The webhook URL of the DingTalk chatbot. For more information, see Obtain the webhook URL of a DingTalk chatbot. |
| | webhook | The custom webhook URL that DMS uses to send notifications. You can integrate the webhook URL into your O&M system or message notification system. For more information, see Send notifications by using a custom webhook URL. |
| | Signature Method | The signature method. Valid values: NONE: No algorithm is used. This is the default value. HMAC_SHA1: Hash-based Message Authentication Code (HMAC) with Secure Hash Algorithm 1 (SHA-1) is used. |
| | Signature Key | The key that is used. This parameter is displayed only if you set the Signature Method parameter to HMAC_SHA1. |
| | Notification method | The notification method. You can select one or more options among SMS, DingTalk, Email, DingTalk Chatbot, and webhook. |

- Click Confirm Change.
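The Signature Method and Signature Key parameters only help if the system that receives the webhook checks the signature. The following is an added example, not Alibaba Cloud code, of such a receiver-side check. This page does not state what DMS signs or where it places the signature, so the header name and the use of a hex-encoded HMAC-SHA1 over the raw request body are assumptions; take the real details from "Send notifications by using a custom webhook URL".

```python
import hashlib
import hmac
from typing import Mapping, Optional

# Assumptions, not taken from the DMS documentation: the signature is a
# hex-encoded HMAC-SHA1 of the raw request body, sent in this header.
SIGNATURE_HEADER = "x-example-signature"  # hypothetical header name

# Constructed sample data for the demonstration.
SAMPLE_KEY = b"constructed-signature-key"
SAMPLE_BODY = b'{"event": "ticket-approved", "operator": "demo-user"}'


def sign(key: bytes, body: bytes) -> str:
    """Compute the hex HMAC-SHA1 that the receiver expects for this body."""
    return hmac.new(key, body, hashlib.sha1).hexdigest()


def verify_notification(method: str, key: Optional[bytes],
                        headers: Mapping[str, str], body: bytes) -> bool:
    """Return True only when the notification is authenticated by the key."""
    if method != "HMAC_SHA1" or not key:
        # Signature Method NONE (the default) carries nothing to verify, so
        # anyone who learns the webhook URL could post a look-alike message.
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    supplied = lowered.get(SIGNATURE_HEADER, "").strip().lower()
    if not supplied:
        return False
    # Compare as bytes in constant time to avoid leaking the matching prefix.
    return hmac.compare_digest(sign(key, body).encode(), supplied.encode())


def demo() -> dict:
    """Run the check over constructed requests and return the verdicts."""
    good = {"X-Example-Signature": sign(SAMPLE_KEY, SAMPLE_BODY)}
    return {
        "valid": verify_notification("HMAC_SHA1", SAMPLE_KEY, good, SAMPLE_BODY),
        "tampered_body": verify_notification(
            "HMAC_SHA1", SAMPLE_KEY, good, SAMPLE_BODY + b" "),
        "missing_header": verify_notification(
            "HMAC_SHA1", SAMPLE_KEY, {}, SAMPLE_BODY),
        "unsigned_mode": verify_notification("NONE", None, good, SAMPLE_BODY),
    }


if __name__ == "__main__":
    print(demo())
```

The check must run over the exact bytes received, before any JSON parsing or re-serialization, because a re-encoded body no longer matches the signed one.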
Grant permissions to users
The following example shows how to grant permissions on instances to users. You can also grant users permissions on permission templates, databases, tables, rows, and sensitive columns. For more information about permissions, see Overview.
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, select the user to whom you want to grant permissions and select Authorize instance from the Authorize User drop-down list in the upper part of the page.
  Note: You can also grant permissions to the user from the Actions column.
- In the Authorize Instance dialog box, configure the parameters that are described in the following table.
| Section | Parameter | Required | Description |
| --- | --- | --- | --- |
| Authorized instance | N/A | Yes | Select one or more database instances on which you want to grant permissions to the user. |
| Permission Configuration | Permission | Yes | The type of permission to be granted to the user. For database instances that are not managed in Security Collaboration mode, set this parameter to Instances-Login. For database instances that are managed in Security Collaboration mode, set this parameter to Performance view. |
| | Expire Date | Yes | The date on which the permission expires. |
Disable a user
After you disable a user, the permissions and configuration data of the user are not revoked or released. However, the user cannot log on to DMS. After the user is enabled, the permissions and configuration data automatically become valid again.
The disabled user still counts towards the maximum number of users allowed in your tenant account.
If you need to disable a user who manages a database instance as a DBA, you must first assign the DBA role to another user. For more information about how to change the DBA of a database instance, see Modify database instances.
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, select the user that you want to disable and select Disable User from the User drop-down list in the upper part of the page.
- In the message that appears, click OK.
Remove a user
After you remove a user, the user cannot log on to DMS. All data owner configurations and permissions are cleared from DMS.
Before you remove a user, make sure that the user is not associated with data resources. For example, you cannot remove a user who manages a database instance as a DBA or an approver that is specified in security rules.
After you remove a user, all data of the user is cleared. However, the user information and relevant operation logs are retained and marked as Deleted in account information.
The removed user no longer counts towards the maximum number of users allowed in your tenant account.
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, select the user that you want to remove and choose Delete User from the User drop-down list in the upper part of the page.
- In the message that appears, click OK.
Enable a user
After you enable a disabled user, the permissions and configuration data of the user become valid, and the user can log on to DMS. However, after you enable a removed user, all permissions and configurations of the user are still invalid. In this case, you must configure the user and grant permissions to the user again. For more information, see Permission application.
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, select the user that you want to enable and select Enable User from the User drop-down list in the upper part of the page.
- In the message that appears, click OK.
Enable access control for a user
After you enable metadata access control for a user, the following limits apply to the user:
The user can only view information about and access the databases on which the user has permissions in DMS. The databases on which the user has permissions can be viewed from the top navigation bar of the console. For more information, see View owned permissions.
The user cannot view the database instances or databases on which the user has no permissions, or apply for permissions on these database instances or databases.
- Log on to the DMS console V5.0.
- In the top navigation bar, click O&M. In the left-side navigation pane, click Users.
  Note: If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All functions > O&M > Users.
- On the Users page, find the user for whom you want to enable access control and open the User access control dialog box from the Actions column.
  Note: To enable access control for multiple users at a time, select the users and click Access control in the upper part of the page.
- In the User access control dialog box, turn on Metadata access control and click OK.
References
After you manage users, you can also perform the following operations:
Specify a user as an approver for the approval process of a ticket. For more information, see Customize approval processes.
Grant permissions on database instances to users or revoke permissions on database instances from users. For more information, see Manage permissions on instances.
You can also call the following API operations to manage users in DMS:
FAQ
Q: Can I assign the DMS administrator or DBA role to a RAM user?
A: Yes. The role assignment is independent of the account type.
Q: What do I do if suspicious operations on a database are detected?
A:
- If you want to retain the permissions of the user, you can disable the user. This way, the user cannot log on to the DMS console. Then, use the operation audit feature of DMS to view the operations that were performed by the user. If the user did not violate rules, you can enable the user. All the permissions and configurations of the user become valid again.
- If you do not want to retain the permissions of the user, you can remove the user. This way, the user cannot log on to the DMS console, and all permissions and data owner configurations of the user are cleared.
Q: How do I search for a user when I use a DMS administrator account?
A: Go to the Users page from the top navigation bar of the console. On the Users page, search for a user by email address, display name, or Alibaba Cloud account ID, and filter users by status.
Q: Can a disabled user log on to the DMS console?
A: No, a disabled user cannot log on to the DMS console.
Q: When I disable a user, the system prompts that the user is the DBA of an instance and cannot be disabled. What do I do?
A: You can change the DBA of the instance.
Note: Only a user that is assigned the DBA role in DMS can be specified as the DBA of an instance. If the user that you want to specify as the DBA of an instance is not assigned the DBA role in DMS, you must assign the DBA role to the user on the Users page.
Q: Why is a user that I removed from DMS still displayed on the Users page?
A: The user that you removed from DMS is marked as Deleted but cannot be completely cleared.
Q: How do I release the existing permissions of a user on resources such as instances and databases?
A: Go to the Users page as an administrator or DBA. Find the user that you want to manage and open the User Permissions dialog box from the Actions column. Then, in the User Permissions dialog box, select the permissions that you want to release and click Release Permission.