
Data Management: Integrate DMS into an enterprise development platform

Last Updated: Dec 25, 2024

This topic describes how to integrate Data Management (DMS) into the development platform of an enterprise or organization.

Integration process

  1. Configure identity authentication.

    Use a Resource Access Management (RAM) user to log on to DMS. Before you use DMS, make sure that the RAM user is created.

  2. Initialize DMS.

  3. Integrate DMS into an enterprise development platform.

  4. Register an instance.

    You can use DMS to manage an instance only after you register the instance in DMS.

Step 1: Configure identity authentication

Alibaba Cloud identity authentication

If an enterprise or organization has created a complete RAM account system in Alibaba Cloud, you can skip the identity authentication step.

For more information about how to create a RAM user, see Create a RAM user.

Self-managed identity system

If an enterprise or organization has a self-managed identity authentication system that is not integrated with Alibaba Cloud, we recommend that you use Identity as a Service (IDaaS) to integrate the self-managed system with the Alibaba Cloud RAM account system.

If you use IDaaS to integrate with the Alibaba Cloud RAM account system, the enterprise acts as an identity provider (IdP), as shown in the following figure.

  1. Create an IDaaS EIAM instance.

    Log on to the Alibaba Cloud IDaaS console to create an instance. For more information, see 1. Create an instance for free.

  2. Bind an IdP to IDaaS.

    You can use an IdP that is bound to IDaaS to log on to an IDaaS application. For example, you can use DingTalk to log on to Alibaba Cloud SSO. You can also synchronize accounts in the original account system to IDaaS. For more information, see IdPs.

  3. Create an IDaaS account.

    You can perform manual operations or call the CreateUser API to create an IDaaS account. For more information, see Create an account and CreateUser.

    Note

    If you have synchronized your internal enterprise account to IDaaS by performing Step 2, you can skip this step.

  4. Create an application.

    An application in IDaaS represents the system that users sign on to through IDaaS. This section describes how to create an Alibaba Cloud User SSO or Role SSO application.

    • Create an Alibaba Cloud User SSO application

      For more information, see 3. Create an Application.

      Note

      If user-based SSO is already enabled, save the existing metadata document before you proceed. Once the existing configuration is overwritten, you cannot roll back without that document. In addition, after a new metadata file is associated, the existing SSO settings of RAM users become invalid.

      After you create an application, you can use the account synchronization feature to synchronize IDaaS accounts to RAM. This eliminates the need to create the corresponding RAM users manually. For more information, see Synchronize accounts.

    • Create an Alibaba Cloud Role SSO application

      If you use role-based SSO, you do not need to create a RAM user for each enterprise user. Users assume RAM roles to log on to Alibaba Cloud.

  5. Log on to the application by using IDaaS.

    For more information, see 4. Log on by using SSO.

    After an administrator configures user-based SSO, Employee Alice can log on to the Alibaba Cloud Management Console. The following figure shows the procedure. For more information, see Overview of user-based SSO.

Step 2: Initialize DMS

After the administrator completes the integration with the Alibaba Cloud identity authentication system, enterprise users can log on to Data Management (DMS) with Alibaba Cloud identities, such as Alibaba Cloud accounts, RAM users, and RAM roles. The first identity that logs on to DMS is set as the DMS administrator; all later logon users are initialized as regular users. Perform the first logon with the identity that is intended to administer DMS, because that identity receives the DMS administrator role automatically.

System roles of users in DMS

DMS provides five system roles, including regular user, security administrator, database administrator (DBA), DMS administrator, and schema read-only user.

The system permissions vary based on the role type. You can assign appropriate system roles to users based on the groups to which each role type applies and the features that each role type supports. For more information, see System roles.

User registration

The following section describes how to add employees in an enterprise to DMS:

Automatic registration

  • If you use an Alibaba Cloud account to log on to and initialize DMS, the system automatically synchronizes all RAM users within the account to DMS.

  • If you use an Alibaba Cloud RAM user to log on to and initialize DMS, the system cannot automatically synchronize other accounts to DMS. To use the automatic synchronization feature, you must manually add your Alibaba Cloud account to DMS. Then, the system automatically adds all RAM users within the account to DMS.

Note

Whether a synchronization operation is executed depends on the settings of global configuration items in DMS. By default, the configuration items are enabled. For more information, see Configuration management.

Manual registration

  1. Log on to the DMS console V5.0.
  2. Move the pointer over the icon in the upper-left corner and choose All Features > O&M > Users.

    Note

    If you use the DMS console in normal mode, choose O&M > Users in the top navigation bar.

  3. Add users to DMS.

    • Manually add any user

      Click New, enter the Alibaba Cloud account UID of the user to be added in the Alibaba Cloud Account field, specify the Role for the user, and then click OK.

    • Manually add RAM users within the current Alibaba Cloud account

      Click Synchronize RAM User, select the users that you want to synchronize, and then click Add Selected Users. After you add the selected users, you can specify system roles for the users. For more information about operations related to system roles, see the Modify the information about a user section of the "Manage users" topic.

Step 3: Integrate DMS into an enterprise development platform

After you complete the integration with the Alibaba Cloud identity authentication system, you can use your enterprise IdP to log on to DMS. To integrate DMS into your enterprise development platform, you can use one of the following methods:

Page-based Integration

  1. Build a link to the DMS page.

    When you build a link, you can have it open a specific feature page directly. The link has the following format:

    https://dms.aliyun.com/new#to={MENU_NAME}

    For example, the link to the data change page is https://dms.aliyun.com/new#to=DC_COMMON.

    MENU_NAME is the key value corresponding to a feature. The following list describes the MENU_NAME value of each feature:

    • Common data change: DC_COMMON

    • Data import: DC_BIG_FILE

    • Lock-free change: DC_CHUNK

    • Object programming: DC_PROC

    • Historical data cleansing: DC_CRON_CLEAR

    • Test data construction: menus_order_data_generate

    • Export of SQL result sets: DATA_EXPORT

    • Database export: DB_EXPORT

    • Permissions: menus_order_my_auth

    In addition to the above descriptions, the following special links are available:

    • Link to the ticket details page: https://dms.aliyun.com/?pid={ORDER_ID}. ORDER_ID indicates the ticket number, which can be obtained by calling a relevant API or logging on to the DMS console.

    • Link to the SQL Console page: https://dms.aliyun.com/websql/index?dbId={DB_ID}&logic={IS_LOGIC}&dbType={DB_TYPE}&instanceId={INSTANCE_ID}. Parameters:

      • DB_ID: the database ID. The ID must be an integer.

      • IS_LOGIC: specifies whether the database is a logical database. The valid values are true and false.

      • DB_TYPE: the database type. You can call the GetPhysicalDatabase API to query the database ID and database type.

      • INSTANCE_ID: the instance ID. You can call the GetPhysicalDatabase API to query the database information and instance ID.

  2. Build a logon-free link to a DMS feature page and embed the link in an internal system.

    In each link that you built, replace the DMS console URL https://dms.aliyun.com with the logon-free URL, and then embed the result in the internal system. Because a logon-free link bypasses the interactive logon, embed it only in systems that authenticate their own users, and do not expose it in public pages or logs. For more information, see Logon-free access to the DMS console.
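    The following link builder is an added example for this topic, not code from DMS. It builds the three link formats described in the two steps above, accepts only the MENU_NAME keys listed on this page so that a caller of an internal portal cannot inject an arbitrary fragment or query string into an embedded link, and validates DB_ID and IS_LOGIC as the page specifies. It assumes that the logon-free URL is an opaque prefix that replaces https://dms.aliyun.com; the real format is described in "Logon-free access to the DMS console". The feature names, the logon-free base URL and the instance ID in the usage section are constructed for illustration.

```python
"""DMS deep-link builder (added example; not DMS's own code)."""
from urllib.parse import urlencode

DMS_CONSOLE = "https://dms.aliyun.com"

# MENU_NAME keys listed on this page, indexed by a human-readable feature name
# (the feature names on the left are our own labels, not DMS identifiers).
MENU_NAMES = {
    "common_data_change": "DC_COMMON",
    "data_import": "DC_BIG_FILE",
    "lock_free_change": "DC_CHUNK",
    "object_programming": "DC_PROC",
    "historical_data_cleansing": "DC_CRON_CLEAR",
    "test_data_construction": "menus_order_data_generate",
    "sql_result_export": "DATA_EXPORT",
    "database_export": "DB_EXPORT",
    "permissions": "menus_order_my_auth",
}


def _int_id(name, value):
    """IDs must be real integers; bool is rejected because it subclasses int."""
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer")
    return value


def feature_link(feature, base=DMS_CONSOLE):
    """https://dms.aliyun.com/new#to={MENU_NAME}; unknown features are refused."""
    try:
        menu = MENU_NAMES[feature]
    except KeyError:
        raise ValueError(f"unknown DMS feature: {feature!r}") from None
    return f"{base}/new#to={menu}"


def ticket_link(order_id, base=DMS_CONSOLE):
    """https://dms.aliyun.com/?pid={ORDER_ID} for the ticket details page."""
    return f"{base}/?pid={_int_id('ORDER_ID', order_id)}"


def sql_console_link(db_id, is_logic, db_type, instance_id, base=DMS_CONSOLE):
    """https://dms.aliyun.com/websql/index?dbId=..&logic=..&dbType=..&instanceId=.."""
    _int_id("DB_ID", db_id)
    if not isinstance(is_logic, bool):
        raise ValueError("IS_LOGIC must be True or False")
    if not db_type or not instance_id:
        raise ValueError("DB_TYPE and INSTANCE_ID are required")
    # urlencode percent-encodes the values, so a caller-supplied string cannot
    # add extra query parameters.
    query = urlencode({
        "dbId": db_id,
        "logic": "true" if is_logic else "false",
        "dbType": db_type,
        "instanceId": instance_id,
    })
    return f"{base}/websql/index?{query}"


def to_logon_free(link, logon_free_base):
    """Step 2: swap the console prefix for the logon-free URL.

    Assumption: the logon-free URL acts as a base prefix for the same paths.
    """
    if not link.startswith(DMS_CONSOLE + "/"):
        raise ValueError("not a DMS console link")
    return logon_free_base.rstrip("/") + link[len(DMS_CONSOLE):]


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    print(feature_link("common_data_change"))
    print(ticket_link(12345))
    print(sql_console_link(1001, False, "mysql", "rm-abc123"))
    print(to_logon_free(feature_link("permissions"),
                        "https://portal.example.com/dms-sso/"))
```

    The allowlist matters most when the feature name or database ID originates from a request parameter of the internal portal: without it, a user could craft a link into any DMS page, or append parameters, under the portal's logon-free prefix.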

API-based integration

Both the Alibaba Cloud identity authentication system and a self-managed identity system can be integrated with DMS by calling the relevant APIs.

You can write code or call DMS APIs to perform operations, such as registering users or resources. For information about the APIs supported by DMS, see List of operations by function.

Step 4: Register an instance

Control modes

You must configure a control mode for each instance that is registered to DMS. Control modes include Flexible Management, Stable Change, and Security Collaboration. Each control mode applies to different scenarios and supports different features. For more information about the control modes, see Control modes.

Instance registration

Databases supported by DMS

For more information about the databases supported by DMS, see Databases supported by DMS.

IP address whitelists

To ensure that DMS can access your instance, you must add the IP addresses and CIDR blocks of DMS in the corresponding region to the security settings of the instance, such as the firewall, whitelist, or security group settings. Add only the DMS CIDR blocks of that region; do not open the instance to all addresses, such as 0.0.0.0/0, to make DMS connectivity work. For more information, see Add DMS IP addresses and CIDR blocks to security settings.

Procedure

Register the instance in DMS. For more information, see Register an Alibaba Cloud database instance and Register a database hosted on a third-party cloud service or a self-managed database.

Related operations

You can integrate DMS into the development platform of an enterprise or organization. After you register instance resources in DMS, you can configure access control, approval processes, and notification methods in DMS.

Access control

Access control refers to managing permissions on resources hosted in DMS, such as instances, databases, and tables. It allows you to grant permissions, such as logon, query, import, or change, to authorized objects as needed, which protects enterprise data. For more information, see Overview.

Permissions

DMS provides the following data permissions:

  • Query permissions: the permissions to execute query statements on the SQL Console page.

  • Change permissions: the permissions to execute change statements on the SQL Console page and to submit data change tickets and database and table synchronization tickets. These permissions do not allow data to be changed without approval. DMS administrators can configure constraints on the types of SQL statements that can be executed on the SQL Console page.

  • Export permissions: the permissions to submit data export tickets. These permissions do not allow data to be exported without approval.

Note
  • Permissions at different resource levels can be inherited. For example, if a user is granted query permissions on an instance, the user has query permissions on all databases and tables in the instance.

  • For system security reasons, DMS limits the amount of data that can be queried on the SQL Console page; a query that exceeds the limit is not executed. For example, you can query a maximum of 3,000 entries at a time for an instance in Flexible Management mode. To query the complete data, apply for export permissions and then submit a data export ticket.

  • If you have enabled the sensitive data protection feature for an instance and specified sensitivity levels for some fields, you can also manage permissions on the sensitive fields. For more information, see Overview and Manage permissions.
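The following is an added illustration of the permission model described above (query, change and export permissions, inheritance from instance to database to table, and field-level permissions on sensitive fields). It is not DMS code and the grant records, resource names and sensitive-field list are constructed. One modelling assumption is labelled in the code: a plain query permission does not reveal a field marked sensitive unless a separate field-level grant exists.

```python
"""Effective DMS-style permission lookup with resource-level inheritance.

Added example, not DMS's own implementation. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Optional

PERMISSIONS = ("query", "change", "export")


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    instance: str
    database: Optional[str] = None  # None: instance-level grant
    table: Optional[str] = None     # None: instance- or database-level grant

    def covers(self, instance, database, table):
        """A grant applies to its resource and to everything below it."""
        if self.instance != instance:
            return False
        if self.database is None:          # instance-level: all databases/tables
            return True
        if self.database != database:
            return False
        return self.table is None or self.table == table


def effective_permissions(grants, user, instance, database, table):
    """Permissions a user holds on a table, including inherited ones."""
    return {
        g.permission
        for g in grants
        if g.user == user
        and g.permission in PERMISSIONS
        and g.covers(instance, database, table)
    }


def can_read_column(grants, sensitive_fields, sensitive_grants,
                    user, instance, database, table, column):
    """Assumed model: query permission is required for any column, and a
    field marked sensitive additionally needs an explicit field-level grant."""
    if "query" not in effective_permissions(grants, user, instance, database, table):
        return False
    if (instance, database, table, column) in sensitive_fields:
        return (user, instance, database, table, column) in sensitive_grants
    return True


# Constructed sample data.
GRANTS = [
    Grant("alice", "query", "rm-prod"),                           # whole instance
    Grant("bob", "change", "rm-prod", "orders"),                  # one database
    Grant("carol", "query", "rm-prod", "orders", "customers"),    # one table
]
SENSITIVE_FIELDS = {("rm-prod", "orders", "customers", "phone")}
SENSITIVE_GRANTS = {("alice", "rm-prod", "orders", "customers", "phone")}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, effective_permissions(GRANTS, user, "rm-prod", "orders", "customers"))
```

Because an instance-level grant is inherited by every database and table, grant at the instance level only to roles that genuinely need that breadth; table-level grants keep the blast radius of a compromised account small.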

Resource roles

DMS provides four resource roles, including instance DBA, instance owner, database owner, and table owner. Each role supports different features and permissions. For more information, see Resource roles.

Authorization methods

DMS supports two methods to obtain permissions: permission authorization, in which a permission administrator grants permissions to a user, and permission application, in which the user applies for the permissions.

  • Permission authorization

    Administrators and DBAs can grant permissions to users on the resource management or user management page in the DMS console. For example, you can grant permissions on the same resource to multiple users, or grant permissions on multiple resources to multiple users. For more information, see the Manage permissions as a DMS administrator or DBA section of the "Manage permissions" topic.

    If an administrator needs to grant permissions on resources to multiple users at the same time, the administrator can use a permission template to manage resources that have the same business attributes. For more information, see Create a permission template.

  • Permission application

    DMS users can submit a ticket to apply for permissions. For more information, see the Submit a ticket to apply for permissions section of the "Manage permissions" topic.

Approval process

The DMS ticket system provides approval capabilities. You can perform related database operations only after a ticket is approved.

Custom approval process

DMS uses an approval template to define an approval process. An approval template can contain multiple approval nodes, each of which can contain multiple approvers.

  • Application approval

    When all approval nodes in an approval process pass, the entire process ends and the ticket that you submit moves to the next phase.

  • Application rejection or revoking

    When the approver of an approval node rejects the ticket that you submit, or the ticket creator revokes the ticket, the entire approval process ends and the ticket is not approved.

Note

You can specify a custom approval process only when the instance control mode is set to Security Collaboration. Instances in other control modes use only the built-in approval process of DMS. For more information, see Customize a ticket approval process.

Approval operations

DMS supports the following approval operations:

  • Approval: The approver agrees to the application and the approval enters the next approval node.

  • Rejection: The approver rejects the application and the ticket approval process is terminated. In this case, the ticket creator must submit a new ticket.

  • Revoking: The initiator of the approval process terminates the approval process.

  • Transfer: The current approver transfers the ticket to others.

  • Signing: An additional approval node (approver) is inserted before the current approval node (pre-signing) or after it (post-signing).
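The following is an added model of the approval flow described in the "Custom approval process" and "Approval operations" sections above. It is an illustration of the semantics, not DMS's own code. Approver and node names are constructed, and one assumption is labelled in the code: a node passes when any one of its approvers approves (the page does not say whether all approvers of a node must act).

```python
"""Model of a DMS-style ticket approval process (added example, not DMS code)."""
from dataclasses import dataclass, field


@dataclass
class Node:
    approvers: set  # approvers of one approval node in the template


@dataclass
class Ticket:
    creator: str
    nodes: list                 # ordered approval nodes from the template
    current: int = 0            # index of the node awaiting approval
    status: str = "pending"     # pending | approved | rejected | revoked
    log: list = field(default_factory=list)

    def _require_pending(self):
        # Any terminal status ends the process; no further operation is valid.
        if self.status != "pending":
            raise RuntimeError(f"ticket is already {self.status}")

    def _require_current_approver(self, who):
        if who not in self.nodes[self.current].approvers:
            raise PermissionError(f"{who} is not an approver of node {self.current}")

    def approve(self, who):
        """Assumption: one approval by any approver of the node passes it."""
        self._require_pending()
        self._require_current_approver(who)
        self.log.append(("approve", who, self.current))
        self.current += 1
        if self.current == len(self.nodes):
            self.status = "approved"  # all nodes passed: ticket moves on
        return self.status

    def reject(self, who):
        """One rejection ends the whole process; a new ticket is needed."""
        self._require_pending()
        self._require_current_approver(who)
        self.log.append(("reject", who, self.current))
        self.status = "rejected"
        return self.status

    def revoke(self, who):
        """Only the ticket creator can revoke."""
        self._require_pending()
        if who != self.creator:
            raise PermissionError("only the ticket creator can revoke")
        self.log.append(("revoke", who, self.current))
        self.status = "revoked"
        return self.status

    def transfer(self, who, to):
        """The current approver hands the node to someone else."""
        self._require_pending()
        self._require_current_approver(who)
        node = self.nodes[self.current]
        node.approvers.discard(who)
        node.approvers.add(to)
        self.log.append(("transfer", who, to))
        return self.status

    def sign(self, who, new_approvers, before=True):
        """Pre-signing inserts a node before the current one (it must pass
        first); post-signing inserts one directly after the current node."""
        self._require_pending()
        self._require_current_approver(who)
        index = self.current if before else self.current + 1
        self.nodes.insert(index, Node(set(new_approvers)))
        self.log.append(("pre-sign" if before else "post-sign", who, index))
        return self.status


if __name__ == "__main__":
    # Constructed template: DBA node, then security administrator node.
    t = Ticket("alice", [Node({"bob"}), Node({"carol"})])
    t.approve("bob")
    t.sign("carol", ["dave"], before=True)   # dave must approve before carol
    t.approve("dave")
    print(t.approve("carol"), t.log)
```

Note that signing extends the chain but never shortens it, and that rejection or revocation at any node discards approvals already collected, which is why a rejected ticket has to be resubmitted rather than resumed.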

Other settings

If you want to allow users who are not approvers in a ticket's approval process to approve specified or all types of tickets, configure this on the Configuration Management page in the DMS console. For more information, see Configuration management.

After you complete the preceding configuration, users or roles that meet the configured conditions can perform the approval, rejection, signing, or revoking operation on such tickets even though they are not approvers in the ticket's approval process. Because this setting widens who can approve changes, restrict it to a small set of roles and review it periodically.

Notifications

By default, the notification feature of DMS is enabled. The feature is used to send notifications about the status updates of tickets or task flows. The feature allows you to specify notification recipients based on your business requirements. This way, the recipients can receive notifications at the earliest opportunity. Supported notification methods include text messages, emails, DingTalk, Lark, Dedicated DingTalk, and Webhook.

  1. Configure the notification method for personal messages. Enter the required information, such as the mobile phone number and verification code, based on your business requirements. For more information, see Configure personal information and notification methods.

  2. Configure the ticket types to be notified and the trigger conditions, such as application approval and successful ticket execution. For more information, see Manage notification rules.