Data Management: User management

Last Updated: Jan 24, 2026

This topic describes the user management features of Data Management (DMS), including how to add and edit users, and manage user permissions.

Prerequisites

You have the system role of administrator.

Notes

  • The application ensures that each tenant has at least one account with the Administrator role.

  • Any user managed by DMS can be assigned the Administrator role, regardless of the account type used to log on to DMS, such as an Alibaba Cloud account or a RAM user.

  • When you activate the DMS service, your Alibaba Cloud account is granted the Administrator role.

  • If a RAM user uses DMS for the first time and has the AdministratorAccess permission, the user is automatically initialized with the DMS Administrator role. For more information, see Manage RAM user configurations.

  • You can add multiple Alibaba Cloud accounts to a tenant on the user management page. The system automatically adds the users to your tenant. Users who have joined the tenant can view tenant information.

    Note

    When an Alibaba Cloud account logs on to DMS for the first time, the system automatically creates a tenant for that account.

Log On to the DMS Console

You can log on to the DMS console in one of the following ways:

Add a user

Method 1: Manually add a user

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Go to the User Management page and choose Add > Add Account.

  4. In the Add User dialog box, enter the user's Alibaba Cloud Account UID and select a system Role (you can select more than one role).

    Note

    To view the UID of your Alibaba Cloud account, move the mouse pointer over the profile picture icon in the upper-right corner of the page.

  5. Click Confirm.

Method 2: Add RAM users of the current Alibaba Cloud account

Note
  • Only the current Alibaba Cloud account and RAM users who are granted the ListUser permission can perform this operation.

  • By default, users added with this method are assigned the Regular User system role. To modify the system role, see Modify a user.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. On the User Management page, select Add > Sync RAM User.

  4. In the Sync RAM User dialog box, search for an Alibaba Cloud account by display name or UID.

  5. Select the target RAM user and click Add Selected Users.

Edit a user

Edit user information

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. On the User Management page, select the target user.

  4. Click Edit User at the top of the page.

    Note

    You can also click Edit in the Actions column to modify the user's information.

  5. The Modify User dialog box lets you modify the following information:

    Note

    You can change your mobile phone number and mailbox by clicking your profile picture. For more information, see Configure personal information and notification methods.

    | Category | Configuration | Description |
    | --- | --- | --- |
    | Basic Information | Display Name | The name displayed on the User Management page. It helps you identify the user. |
    | | Role | DMS provides five system roles: Regular User, DBA, Administrator, Security Administrator, and Structure Read-only. |
    | | Query Count Limit | The maximum number of result sets a user can query per day. If the limit is reached, the user cannot perform more queries. The value must be an integer. You can select a predefined validity period or specify a custom one. Note: If a user exceeds the daily query count or row limit due to publishing, tracking, or other reasons, you can find the user and increase the limit. |
    | | Maximum Query Row Count | The maximum number of rows a user can query per day. If the limit is reached, the user cannot perform more queries. The value must be an integer. You can select a predefined validity period or specify a custom one. |
    | | DingTalk Robot | Enter the webhook URL of the DingTalk robot. |
    | | Webhook | Enter a custom webhook URL. You can integrate it with your existing O&M system or message notification system. |
    | | Signature Method | Two methods are supported: NONE and HMAC_SHA1. NONE (default): no signature is used. HMAC_SHA1: the notification is signed with HMAC-SHA1, a hash-based message authentication code built on the SHA-1 hash function. |
    | | Signature Key | Enter the signature key. This configuration is displayed only when you set Signature Method to HMAC_SHA1. |
    | | Notification Method | Five methods are supported: text message, DingTalk, mailbox, DingTalk Robot, and webhook. You can select multiple methods. |

  6. Click Confirm Changes.
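
A receiver-side check for a webhook configured with Signature Method HMAC_SHA1, added here as an example and not taken from DMS or its documentation. This page does not say which bytes DMS signs or how the signature is delivered, so the code assumes a Base64-encoded HMAC-SHA1 tag computed over the raw request body; `sign`, `verify`, `SAMPLE_KEY` and `SAMPLE_BODY` are hypothetical names and constructed values.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Constructed sample values, not real DMS data.
SAMPLE_KEY = b"constructed-signature-key"
SAMPLE_BODY = b'{"event":"ticket_approved","user":"example-user"}'


def sign(body: bytes, key: bytes) -> str:
    """Return the Base64 HMAC-SHA1 tag for a raw request body.

    Assumption: the sender signs exactly the bytes of the body. Adapt this
    to the string the real sender signs before relying on it.
    """
    tag = hmac.new(key, body, hashlib.sha1).digest()
    return base64.b64encode(tag).decode("ascii")


def verify(body: bytes, key: bytes, signature: Optional[str]) -> bool:
    """Accept a notification only if it carries a valid tag for this body."""
    if not signature:
        # With Signature Method NONE (the default) there is nothing to
        # check, so a receiver that expects HMAC_SHA1 rejects the request.
        return False
    try:
        received = base64.b64decode(signature, validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed Base64 is treated as an invalid signature
    expected = hmac.new(key, body, hashlib.sha1).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    good = sign(SAMPLE_BODY, SAMPLE_KEY)
    print("valid signature:", verify(SAMPLE_BODY, SAMPLE_KEY, good))
    print("tampered body:  ", verify(SAMPLE_BODY + b" ", SAMPLE_KEY, good))
    print("unsigned (NONE):", verify(SAMPLE_BODY, SAMPLE_KEY, None))
```

Verify the tag over the raw bytes as received, before parsing the body, so that the check covers exactly what the sender signed.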

Authorize a user

Note

This topic uses the Grant Instance operation as an example. Other supported operations include Grant Permission Template, Grant Database, Grant Table, Grant Row, and Grant Sensitive Column. For more information about permissions, see Permission Management.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Grant User > Grant Instance at the top of the page.

    Note

    In the Actions column for the target user, you can also select Authorize > Authorize Instance.

  4. In the Authorize Instance dialog box, configure the following parameters:

    | Category | Configuration | Required | Description |
    | --- | --- | --- | --- |
    | Authorized Instances | N/A | Yes | Select one or more database instances to which you want to grant permissions. |
    | Permission Settings | Permission Type | Yes | Instances in non-Security Collaboration mode support Instance Logon. Instances in Security Collaboration mode support View Performance. |
    | | Expiration Time | Yes | Select the expiration date for the permission. |

Disable a user

After a user is disabled, they cannot log on to DMS. However, their existing permissions and configuration data are not revoked or released. After you enable the user, their original permissions and data can be used again.

Note
  • A disabled user still occupies a user quota.

  • You cannot disable a user who is the DBA of a database instance. You must change the DBA of the database instance to another user before you can disable the user. For more information about how to change the DBA of a database instance, see Edit an instance.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Operate User > Disable User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Delete a user

After a user is deleted, they cannot log on to DMS. All their data owner configurations and permission data are purged from DMS.

Note
  • The user to be deleted cannot be bound to any resource information, such as the DBA in system instance management or approvers in security rules.

  • When a user is deleted, their data is cleared, but their records and operation logs are not purged. A Deleted tag is displayed on the user's Account Information.

  • A deleted user does not occupy a user quota.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Operate User > Delete User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Enable a user

You can enable a user to restore the original permissions and data configurations of a disabled user. You can also enable a deleted user to allow them to log on to DMS again. However, a user who is enabled from a deleted state is treated as a new user. Their original permissions and data configurations are cleared, and they must request permissions again.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Operate User > Enable User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Enable user access control

If you enable the metadata access control feature for a user, the following restrictions apply:

  • The user can query and access only the authorized databases in DMS. In the top navigation bar of the console, the user can choose Security and Specifications > Permission Center > My Permissions to query their granted permissions.

  • The user cannot view other databases in the instance or other instances. The user also cannot request permissions for other instances or databases.

  1. Log on to the DMS console V5.0.
  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. In the Actions column for the target user, select More > Access Control.

    Note

    You can also enable the switch for multiple users in a batch by selecting them and clicking the Resource Access Management button at the top of the page.

  4. In the User Access Control dialog box, enable Metadata Access Control and click Confirm.

FAQ

  • Q: Can a RAM user be assigned the administrator or DBA role in DMS?

    A: Yes, they can. Role configuration is independent of the account type.

  • Q: What do I do if I find a user's database operations suspicious?

    A: You can investigate in one of the following two ways:

    • If you want to retain the user's permissions, you can disable the user. After the user is disabled, they cannot log on to the DMS service. Then, you can use the ActionTrail feature of DMS to view all direct operations that are performed by the user on the database. If the investigation finds no issues, you can enable the user again. After the user is enabled, their original permissions and configurations are restored, and they can resume work quickly.

    • If you do not need to retain the user's permissions, you can delete the user. After the user is deleted, they cannot log on to the DMS service, and all permissions, data owner configurations, and other settings for the account are purged.

  • Q: As an administrator, how can I quickly find other accounts?

    A: In the top menu bar of the console, choose Operations Management > User Management. On the User Management page, search for the target account by keyword. You can search by account, mailbox, display name, or Alibaba Cloud UID. You can also quickly filter by account status.

  • Q: Can a user log on to DMS after being disabled?

    A: No, they cannot.

  • Q: When I try to disable a user, the system prompts that the user is the DBA of an instance and cannot be disabled. What should I do?

    A: You can edit the instance to change its DBA.

    Note

    Only a user with the DBA system role in DMS can be set as the DBA of an instance. If the user you want to set as the DBA does not have the DBA role, go to the User Management page to edit the user's role.

  • Q: Why are users that I delete in DMS not completely removed from the user list?

    A: Currently, deleted users are only marked as deleted in the list. They cannot be completely purged from DMS.

  • Q: How do I revoke a user's existing resource permissions, such as instance and database permissions, in User Management?

    A: Administrators or DBAs can go to User Management to find the target user. In the Actions column, select More > Permission Details. Select the resource permissions to revoke, and then click Revoke Permissions.

  • Q: After a RAM user's name is updated, the display name for the RAM user in DMS User Management is not updated. What should I do?

    A: The display name of a RAM user is synchronized from RAM to DMS only when the RAM user is synchronized for the first time. Subsequent changes to the display name in RAM are not automatically synchronized to DMS. To update the display name in DMS, go to Operations Management > User Management, click the Edit button, modify the Display Name in the Basic Information section, and then save your changes.

  • Q: A regular user with permissions on only some databases logs on to DMS and sees all databases. Why does this happen?

    A: This behavior is expected. The databases in the navigation pane on the left side of the DMS console are displayed at the instance level, which shows all databases under the instance. A regular user can read from and write to only the databases for which they have permissions. If you want to restrict the user to see only the instances and databases for which they have permissions, you must configure metadata access control.

  • Q: Why are some accounts grayed out and cannot be selected when I synchronize RAM users?

    A: This is because these RAM users lack the AliyunDMSLoginConsoleAccess permission. You must grant this permission to them before you can select and synchronize them.