Data Management (DMS) provides system roles that allow you to manage permissions, simplify permission granting, and enhance data security and compliance. This topic describes the system roles of DMS. The system roles are regular user, database administrator (DBA), DMS administrator, security administrator, and schema read-only user.
Features of system roles
Manage permissions
Each user or user group can access and perform operations only on the resources on which they have permissions.
Simplify permission granting
Administrators can use the user management feature to grant multiple permissions at a time to a user who assumes a system role. You do not need to grant permissions one by one.
Enhance data security and compliance
System roles help reduce the risk of data leaks or accidental operations caused by excessive permissions. This enhances overall security.
System roles
Role | Applicable scope | Permission | Description |
Regular user | Regular users can be the research and development (R&D) staff, testers, operations staff, and data analysts of enterprises. Note: By default, a Resource Access Management (RAM) user that is added to the DMS tenant to which an Alibaba Cloud account belongs assumes the regular user role. | Regular users in DMS have the permissions to query and modify data and schemas within defined limits. This ensures secure and appropriate data handling. | |
DBA | DBAs in DMS can be the DBAs and O&M staff of enterprises. | DBAs are responsible for database management, including managing database instances, database development standards and processes, and task executions. | The permissions of DBAs are second only to those of DMS administrators. DBAs can manage databases but cannot manage system configurations. |
DMS administrator | DMS administrators can be the administrators of enterprises. Note | DMS administrators are the core administrators of DMS. DMS administrators have the permissions to manage all database instances within the current DMS tenant and are responsible for advanced O&M, including global system configuration, user management, and resource allocation. | DMS administrators have the highest permissions and can use all the features in DMS. For example, an administrator can perform change and export operations on databases. |
Security administrator | Security administrators can be the internal auditors and security administrators of enterprises. | Security administrators can perform operations such as determining the sensitivity levels of fields and auditing user operations. | Security administrators can configure security settings and use the monitoring feature, but cannot perform operations on databases. |
Schema read-only user | Schema read-only users can be the data analysts of enterprises. | Schema read-only users have the permissions to query the metadata of instances, databases, and tables. For example, the user can view the details of a table or export an entire database. | Schema read-only users have only the permissions to query the metadata of instances, databases, and tables. |
Features that are supported by the system roles
For more information about the features that are supported by the system roles of DMS, see Permissions of system roles.