Data Management (DMS) provides features that can be used to manage data security in a comprehensive and fine-grained manner. You can manage the permissions on resources such as database instances, databases, tables, columns, and rows. You can grant users the logon, query, export, and change permissions on a specific resource.
Permission categories and types
Permission category | Permission type | Description | Whether security hosting is enabled |
Operation permissions (regular permissions) | Permissions on database instances | The permissions to log on to a database instance. After you obtain the permissions to log on to a database instance, you can use the corresponding database account and password to log on to the database instance. Note The database account and password are managed by relevant owners in your enterprise. | No |
The permissions to view the performance of a database instance. If security hosting is enabled for a database instance, you must obtain the permissions to view the performance of the database instance before you can view performance details. For more information, see View the performance details of a database instance. | Yes | ||
The permissions to query, export, and change the data of a database instance, excluding the data in sensitive columns and rows for which access control is enabled. | |||
Permissions on databases | The permissions to query, export, and change the data of a database, excluding the data in sensitive columns and rows for which access control is enabled. | ||
Permissions on tables | The permissions to query, export, and change the data of a table, excluding the data in sensitive columns and rows for which access control is enabled. | ||
Permissions on sensitive columns | The permissions to query, export, and change the data of a sensitive column. Note Before you apply for the permissions on a sensitive column, make sure that the following requirements are met:
| ||
Permissions on rows | The permissions to query, export, and change the data of a row. For more information, see Configure row-level access control. Note Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs. | ||
Permissions on programmable objects | The permissions to query, export, and change the data of a programmable object. If security hosting is enabled for a database instance, you must obtain the permissions on a programmable object before you can query, export, or change the data of the programmable object. For more information, see Change programmable objects by using stored routines. | ||
Data permissions (resource owner permissions) | Instance owner | The owner permissions on a resource. The owner of a resource can view the users to whom the permissions on the resource are granted, and grant the resource permissions to and revoke the resource permissions from users. The resource can be a database instance, database, or table. In addition, the owner can query the data of the resource, excluding the data in sensitive columns and rows for which access control is enabled. Note If security hosting is disabled for a database instance, only DMS administrators and database administrators (DBAs) can add or remove instance owners. To manage instance owners, perform the following operations: Log on to the DMS console. In the left-side Database Instances section, right-click the database instance that you want to manage and choose . In the dialog box that appears, add or remove instance owners. | Yes |
Database owner | |||
Table owner | |||
Metadata access control | Metadata access control |
Note If you are granted one type of the data permissions or operation permissions on a database instance or database, you have the permissions on the database instance or database. | Yes |
Permission description:
Query: the permissions to execute query statements in the SQL Console.
Change permissions: the permissions to execute change statements in the SQL Console, and the permissions to submit data change tickets and database and table synchronization tickets instead of the permissions to change data without approval. DMS administrators can configure constraints on the types of SQL statements that can be executed in the SQL Console.
Export permissions: the permissions to submit data export tickets instead of the permissions to export data without approval.
What to do next
After you learn the categories and types of resource permissions, you can perform the following operations:
Manage resource permissions by using different roles. For more information, see Manage permissions.
View the operation permissions and data permissions that you are granted. For more information, see the "View your permissions" section of the Manage permissions topic.
Configure different permission approval processes for databases and tables in different scenarios. The following content describes the scenarios:
Configure strict approval processes for the production data and the databases and tables involved in core business.
Configure simple approval processes for the data involved in non-core business or the test environment. Alternatively, you can allow the data involved in non-core business or the test environment to be directly accessed without approval.
For more information, see Configure approval processes.
Use the account management feature to manage other types of permissions for database accounts. For more information, see Account permission management.
NoteDMS provides the account management feature only for MySQL, PostgreSQL, and MongoDB databases. For the databases of other engines, you can go to the corresponding console to manage database accounts.