All Products
Search
Document Center

Data Management:Security hosting

更新時間:Apr 08, 2024

As a best practice of Data Management (DMS) in Alibaba Group, security hosting provides your enterprise with a collection of database permission management solutions and helps your enterprise manage permissions for databases across clouds.

Background information

In traditional database management solutions, you must use a database account and password to log on to a database before you can perform operations on the database. This causes issues such as the risk of database account and password leaks, complex management of multiple accounts and multiple databases, and inefficient resource permission management.

To resolve the issues caused by traditional solutions, DMS provides the security hosting feature.

Introduction Video

Comparison before and after security hosting is enabled

Item

Before security hosting is enabled

After security hosting is enabled

Database account and password

You must use a database account and password to log on to a database. The database account or password may be leaked.

You do not need to use a database account and password to log on to a database.

Instance logon status

After you log on to a database, the logon session has a validity period. A logon session is valid for at most 24 hours.

If you have permissions on a database, you can use the database without the need to log on to the database.

Multiple accounts and multiple databases

You must manage accounts separately for each database.

You can use Alibaba Cloud accounts or single sign-on (SSO) to access a database.

Database permissions

You can manage only instance logon permissions.

DMS allows you to manage permissions at the database instance, database, table, row, and column levels.

You can also manage the lifecycle of resource permissions and specify an expiration time for permissions to automatically revoke permissions.

Instance logon permissions

You must separately apply for instance logon permissions.

You can use a database without the need to log on to the database. If you are a regular user, you can apply for the query, export, and change permissions on resources based on your business requirements.

Billing

The security hosting feature is free of charge.

Usage notes

  • If your database instance is managed in Stable Change or Flexible Management mode, you need to manually enable security hosting. For more information, see the Enable security hosting section of this topic.

    Note

    If your database instance is managed in Security Collaboration mode, security hosting is enabled by default.

  • To ensure that you can use the features provided by DMS to manage your database, we recommend that you specify a database account with higher permissions when you enable security hosting for a database instance in DMS.

Flowchart

aa9e447d7323ea27e593b783ca1cfac8.png

Check whether security hosting is enabled for a database instance

Log on to the DMS console. In the Database Instances section on the left side of the homepage, find the database instance that you want to manage and move the pointer over the instance to check whether security hosting is enabled for the database instance.

image.png

Enable security hosting

Disable secure hosting

If you are a DMS administrator or DBA, you can disable security hosting when you modify a database instance in DMS.

Important

After you disable secure hosting for a database instance, the permission configurations of the database instance become invalid.

What to do next

After security hosting is enabled for a database instance, you may need to perform the following operations:

  • Obtain permissions.

    • Apply for permissions as a regular user.

      • Submit a ticket to apply for permissions: When you query, export, or change data in a database, DMS checks whether you have the required permissions. If you have the required permissions, you can directly perform the operation. If you do not have the required permissions, you must submit a ticket to apply for permissions. For more information, see the Submit a ticket to apply for permissions section of the "Manage permissions" topic.

    • Grant permissions as a DMS administrator, DBA, or instance owner. For more information, see Manage permissions.

      Note

      If your enterprise has a large number of employees or databases, you can add resources such as database instances, databases, and tables that have the same business attributes to a permission template and authorize one or more users to manage the resources in the permission template. For more information, see Create a permission template.

  • View the resource permissions that you have. For more information, see View owned permissions.

  • View the resource permissions of other users as a DMS administrator, and view the users who have permissions on database instances and databases as a DMS administrator or DBA. For more information, see the Manage permissions as a DMS administrator section of the "Manage permissions" topic.

  • Track the details of permission change operations as a DMS administrator or DBA. For more information, see Use the operation audit feature.

FAQ

For more information about the security hosting feature, see FAQ about security hosting.