Data Management (DMS) provides fine-grained control over data security. You can manage permissions on resources such as database instances, databases, tables, columns, and rows, and grant users the logon, query, export, and change permissions on a specific resource.
Permission categories and types
| Permission category | Permission type | Description | Whether security hosting is enabled |
| --- | --- | --- | --- |
| Operation permissions (regular permissions) | Permissions on database instances | The permissions to log on to a database instance. After you obtain these permissions, you can use the corresponding database account and password to log on to the database instance. The database account and password are managed by the relevant owners in your enterprise. | No |
| | | The permissions to view the performance of a database instance. If security hosting is enabled for a database instance, you must obtain these permissions before you can view performance details. For more information, see View the performance details of a database instance. | Yes |
| | | The permissions to query, export, and change the data of a database instance, excluding the data in sensitive columns and in rows for which access control is enabled. | |
| | Permissions on databases | The permissions to query, export, and change the data of a database, excluding the data in sensitive columns and in rows for which access control is enabled. | |
| | Permissions on tables | The permissions to query, export, and change the data of a table, excluding the data in sensitive columns and in rows for which access control is enabled. | |
| | Permissions on sensitive columns | The permissions to query, export, and change the data of a sensitive column. Before you apply for the permissions on a sensitive column, make sure that the following requirements are met: | |
| | Permissions on rows | The permissions to query, export, and change the data of a row. For more information, see Configure row-level access control. Before you apply for the permissions on a row, make sure that you have the permissions on the database and table to which the row belongs. | |
| | Permissions on programmable objects | The permissions to query, export, and change the data of a programmable object. If security hosting is enabled for a database instance, you must obtain the permissions on a programmable object before you can query, export, or change its data. For more information, see Change programmable objects by using stored routines. | |
| Data permissions (resource owner permissions) | Instance owner | The owner permissions on a resource. The resource can be a database instance, database, or table. The owner of a resource can view the users to whom the permissions on the resource are granted, and can grant the resource permissions to and revoke them from users. In addition, the owner can query the data of the resource, excluding the data in sensitive columns and in rows for which access control is enabled. If security hosting is disabled for a database instance, only DMS administrators and database administrators (DBAs) can add or remove instance owners. To manage instance owners: log on to the DMS console; in the left-side Database Instances section, right-click the database instance that you want to manage and choose . In the dialog box that appears, add or remove instance owners. | Yes |
| | Database owner | | |
| | Table owner | | |
| Metadata access control | Metadata access control | If you are granted any data permission or operation permission on a database instance or database, you also have metadata access to that database instance or database. | Yes |
Permissions:
Query: the permission to execute SQL statements to query data in the SQL Console.
Change: the permission to execute change statements in the SQL Console, and the permission to submit data change tickets and database and table synchronization tickets.
Export: the permission to submit data export tickets.
The export permission is not required if you want to export an SQL result set in the SQL Console.
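The rules in the table and list above (operation permissions cascading from instance to database to table, sensitive columns and access-controlled rows excluded unless granted explicitly, row permissions requiring the parent database and table permissions, and owners able to query and to manage grants) are easiest to check against a small model. The following is an added example written for this page; it is not DMS code and does not call any DMS API. The resource-path tuples, the `Catalog` and `Principal` classes, the `col:`/`row:` prefixes, and the assumption that an instance or database owner also manages grants on the resources it contains are all illustrative choices, and the sample instance, users and grants are constructed for the demonstration.

```python
"""Toy model of DMS-style resource permissions (added example, not DMS code)."""
from dataclasses import dataclass, field

OPERATIONS = {"query", "export", "change"}


def ancestors(path):
    """Yield the path and each ancestor, nearest first:
    (inst, db, tbl) -> (inst, db, tbl), (inst, db), (inst,)."""
    for n in range(len(path), 0, -1):
        yield path[:n]


@dataclass
class Catalog:
    """Columns marked sensitive and row rules with access control enabled.
    Assumed encoding: (inst, db, table, "col:NAME") and (inst, db, table, "row:RULE")."""
    sensitive_columns: set = field(default_factory=set)
    controlled_rows: set = field(default_factory=set)


@dataclass
class Principal:
    grants: dict = field(default_factory=dict)   # resource path -> set of operations
    owner_of: set = field(default_factory=set)   # instance, database or table paths

    def has_grant(self, path, op):
        """Explicit grant on exactly this resource."""
        return op in self.grants.get(path, set())

    def inherits(self, path, op):
        """Operation permissions cascade: instance -> database -> table -> column."""
        return any(self.has_grant(p, op) for p in ancestors(path))

    def owns(self, path):
        """Owner of the resource or of a containing resource (assumption)."""
        return any(p in self.owner_of for p in ancestors(path))


def is_allowed(user, catalog, path, op):
    """Decide whether `user` may run `op` (query/export/change) on the resource `path`."""
    if op not in OPERATIONS:
        raise ValueError(f"unknown operation {op!r}")
    # Sensitive column: nothing cascades into it; only an explicit column grant counts.
    if path in catalog.sensitive_columns:
        return user.has_grant(path, op)
    # Access-controlled row: explicit row grant, plus permission on the table it belongs to
    # (a table-level check via inherits() also covers the database and instance levels).
    if path in catalog.controlled_rows:
        table = path[:3]
        return user.has_grant(path, op) and user.inherits(table, op)
    # Everything else: inherited operation grant, or ownership for query only.
    return user.inherits(path, op) or (op == "query" and user.owns(path))


def can_manage_grants(user, path):
    """Only resource owners can view, grant and revoke permissions on a resource."""
    return user.owns(path)


def build_demo():
    """Constructed sample data: one instance, one sensitive column, one row rule, three users."""
    catalog = Catalog(
        sensitive_columns={("prod-mysql", "crm", "customers", "col:ssn")},
        controlled_rows={("prod-mysql", "crm", "customers", "row:region=EU")},
    )
    analyst = Principal(grants={("prod-mysql", "crm"): {"query", "export"}})
    dba = Principal(
        grants={
            ("prod-mysql",): {"query", "export", "change"},
            ("prod-mysql", "crm", "customers", "col:ssn"): {"query"},
            ("prod-mysql", "crm", "customers", "row:region=EU"): {"query"},
        },
        owner_of={("prod-mysql",)},
    )
    table_owner = Principal(owner_of={("prod-mysql", "crm", "customers")})
    return catalog, analyst, dba, table_owner


if __name__ == "__main__":
    catalog, analyst, dba, table_owner = build_demo()
    customers = ("prod-mysql", "crm", "customers")
    ssn = customers + ("col:ssn",)
    for name, user in (("analyst", analyst), ("dba", dba), ("table_owner", table_owner)):
        for op in sorted(OPERATIONS):
            print(f"{name:12} {op:7} customers={is_allowed(user, catalog, customers, op)!s:5} "
                  f"ssn={is_allowed(user, catalog, ssn, op)}")
```

Note that the table owner with no operation grants can query the table but not export it, and cannot read the sensitive column; the analyst's database-level grant reaches every non-sensitive column of `customers` but not `ssn`; and the DBA's instance-level grant alone does not reach the EU row rule without the explicit row grant.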
What to do next
After you learn the categories and types of resource permissions, you can perform the following operations:
Manage resource permissions by using different roles. For more information about permission management methods for different roles in DMS, see Manage permissions.
View the operation permissions and data permissions that you are granted. For more information, see the "View your permissions" section of the Manage permissions topic.
Configure different permission approval processes for databases and tables in different scenarios. The following content describes the scenarios:
Configure strict approval processes for the production data and the databases and tables involved in core business.
Configure simple approval processes for the data involved in non-core business or the test environment. Alternatively, you can allow the data involved in non-core business or the test environment to be directly accessed without approval.
For more information, see Configure approval processes.
Use the account management feature to manage other types of permissions for database accounts. For more information, see Account permission management.
DMS provides the account management feature only for MySQL, PostgreSQL, and MongoDB databases. For the databases of other engines, you can go to the corresponding console to manage database accounts.