User management

This topic describes the user management features of Data Management (DMS), including how to add users, edit users, and control user permissions.

Prerequisites

Your system role is administrator.

Usage notes

  • Ensure that each tenant has at least one active account with the administrator role. The application enforces this rule.

  • Any user managed in DMS can be assigned the administrator role. This is independent of the account type used to log on to DMS. For example, this applies to both Alibaba Cloud accounts and RAM users.

  • When you activate the DMS service, DMS automatically assigns the administrator role to your Alibaba Cloud account.

  • If a RAM user uses DMS for the first time and has the AdministratorAccess permission, the user is automatically initialized as an Administrator of DMS. For more information, see Manage RAM user configurations.

  • You can add multiple Alibaba Cloud accounts to a tenant from the user management page. The system automatically adds the new users to your current tenant. Users who have joined the tenant can view tenant information.

    Note

    The first time you log on to DMS with an Alibaba Cloud account, DMS automatically creates a tenant for that account.

Log on to the DMS console

You can log on to the DMS console in one of the following ways:

Add a user

Method 1: Manually add a user

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. On the User Management page, choose Add > Add Account.

  4. In the Add User dialog box, enter the UID of the Alibaba Cloud account to add, and select one or more system Roles.

    Note

    To find your Alibaba Cloud account UID, hover over the profile picture icon in the upper-right corner of the page.

  5. Click Confirm.

Method 2: Add a RAM user

Note
  • Only the current Alibaba Cloud account or a RAM user with the ListUser permission can perform this operation.

  • Users added by using this method are assigned the regular user role by default. To change the system role, see Edit a user.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. On the User Management page, choose Add > Sync RAM User.

  4. In the Sync RAM User dialog box, search for the account by its display name or UID.

  5. Select the target RAM user and click Add Selected Users.

Edit a user

Edit user information

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. On the User Management page, select the target user.

  4. Click Edit User at the top of the page.

    Note

    You can also click Edit in the Actions column for the target user.

  5. In the Edit User dialog box, you can modify the following information:

    Note

    You can change your mobile phone number and email address in your profile. For more information, see Configure personal information and notification methods.

    | Category | Setting | Description |
    | --- | --- | --- |
    | Basic Information | Display Name | The name displayed on the User Management page for user identification. |
    | | Role | DMS provides five system roles: regular user, DBA, administrator, security administrator, and schema read-only. |
    | | Maximum Daily Queries | Sets the daily limit on the total number of queries a user can perform. Once this limit is reached, the user can no longer perform queries. The value must be an integer. You can select a predefined validity period or specify a custom period. Note: If a user exceeds the daily query count or row count limit due to system releases or tracking, you can find the user and increase the corresponding limits. |
    | | Maximum Daily Query Rows | Sets the daily limit on the total number of rows a user can query. Once this limit is reached, the user can no longer query data. The value must be an integer. You can select a predefined validity period or specify a custom period. |
    | | DingTalk Chatbot | Enter the DingTalk Chatbot webhook URL. |
    | | Webhook | Enter the custom webhook URL. You can integrate it with your existing O&M or notification system. |
    | | Signature Method | Valid values: NONE and HMAC_SHA1. NONE (default): no signature is used. HMAC_SHA1: the HMAC-SHA1 (hash-based message authentication code with SHA-1) signature algorithm is used. |
    | | Signature Key | The signature key. This parameter is displayed only when Signature Method is set to HMAC_SHA1. |
    | | Notification Method | Supported methods include SMS, DingTalk, Email, DingTalk Chatbot, and webhook. You can select multiple methods. |

  6. Click Confirm Change.
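
A receiver-side check for the webhook Signature Method and Signature Key settings in the Edit User dialog box, as an added example that is not DMS code. This page does not state how DMS builds the signature, so the example assumes it is the Base64-encoded HMAC-SHA1 of the raw request body, delivered in a hypothetical X-Example-Signature header; the key and body are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

# Assumptions, not taken from the DMS documentation: the signature is
# base64(HMAC-SHA1(signature_key, raw_body)) and is sent in this
# hypothetical header.
SIGNATURE_HEADER = "x-example-signature"


def sign(signature_key: bytes, raw_body: bytes) -> bytes:
    """Compute the assumed signature over the exact bytes received."""
    mac = hmac.new(signature_key, raw_body, hashlib.sha1).digest()
    return base64.b64encode(mac)


def check_notification(signature_method: str,
                       signature_key: Optional[bytes],
                       headers: Mapping[str, str],
                       raw_body: bytes) -> str:
    """Return 'unauthenticated', 'valid' or 'invalid' for one request."""
    if signature_method == "NONE":
        # No signature is sent, so the receiver cannot tell the sender
        # apart from anyone else who can reach the webhook URL.
        return "unauthenticated"
    if signature_method != "HMAC_SHA1" or not signature_key:
        return "invalid"
    # Header names are case-insensitive; a missing header fails closed.
    lowered = {k.lower(): v for k, v in headers.items()}
    provided = lowered.get(SIGNATURE_HEADER, "").strip().encode("utf-8")
    expected = sign(signature_key, raw_body)
    # Constant-time comparison avoids leaking how many bytes matched.
    return "valid" if hmac.compare_digest(provided, expected) else "invalid"


# Constructed sample values for a stand-alone run.
KEY = b"example-signature-key"
BODY = b'{"event":"example","user":"constructed"}'

if __name__ == "__main__":
    good = {"X-Example-Signature": sign(KEY, BODY).decode("ascii")}
    print(check_notification("HMAC_SHA1", KEY, good, BODY))         # valid
    print(check_notification("HMAC_SHA1", KEY, good, BODY + b" "))  # invalid
    print(check_notification("NONE", None, {}, BODY))               # unauthenticated
```

Verify against the raw bytes received, before any JSON parsing or re-serialization, because a reformatted body no longer matches the signature.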

Grant permissions

Note

The following steps use Authorize Instance as an example. You can also grant permissions on permission templates, databases, tables, rows, and sensitive columns. For more information about permissions, see Permission management.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and click Authorize User > Authorize Instance at the top of the page.

    Note

    You can also choose Authorize > Authorize Instance in the Actions column for the target user.

  4. In the Authorize Instance dialog box, configure the following parameters:

    | Category | Setting | Required | Description |
    | --- | --- | --- | --- |
    | Instances to Authorize | N/A | Yes | Select one or more database instances on which to grant permissions. |
    | Permission Settings | Permission Type | Yes | For an instance not in Security Collaboration mode, you can grant the Instance Logon permission. For an instance in Security Collaboration mode, you can grant the Performance View permission. |
    | | Expiration Date | Yes | Select the expiration date for the permission. |

Disable a user

Disabling a user prevents them from logging on to DMS. However, their existing permissions and configurations are retained. When you enable the user, all previous permissions and configurations are restored.

Note
  • A disabled user still counts towards the user quota.

  • You cannot disable a user who is the DBA of a database instance. You must first assign the DBA role for that instance to another user. For more information about how to change the DBA of a database instance, see Edit instance information.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Operate User > Disable User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Delete a user

After a user is deleted, they can no longer log on to DMS, and all their data owner configurations and permission data are also cleared from DMS.

Note
  • You cannot delete a user who is associated with any resources. For example, you cannot delete a user who is the DBA of an instance or an approver in security rules.

  • When a user is deleted, their permissions and ownership settings are cleared. However, their user record and operation logs are retained, and their account is marked with a Deleted tag.

  • A deleted user does not count towards the user quota.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Operate User > Delete User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Enable a user

You can enable a user to restore their access to DMS. If the user was previously disabled, their original permissions and configurations are restored. However, if the user was deleted, they are treated as a new user upon being enabled. They can log on to DMS, but their previous permissions and configurations are cleared and they must apply for permissions again.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. Select the target user and choose Operate User > Enable User at the top of the page.

  4. In the Confirm dialog box, click Confirm.

Enable user access control

If metadata access control is enabled for a user, the following restrictions apply:

  • In DMS, the user can only query and access databases for which they have permissions. To view their permissions, the user can choose Security and Specifications > Permission Center in the top navigation bar to query granted permissions.

  • The user cannot see other databases or instances for which they lack permissions, nor can they apply for permissions on them.

  1. Log in to DMS 5.0.

  2. In the top navigation bar, choose O&M > Users.

    Note

    If you use the DMS console in simple mode, move the pointer over the icon in the upper-left corner of the DMS console and choose All Features > O&M > Users.

  3. In the Actions column for the target user, choose More > Access Control.

    Note

    You can also select multiple users and click the Access Control button at the top of the page to enable access control for them in bulk.

  4. In the User Access Control dialog box, turn on the metadata access control switch and click Confirm.

Related documents

FAQ

  • Q: Can an administrator or a DBA role in DMS be assigned to a RAM user?

    A: Yes. Role configuration is independent of the account type.

  • Q: What should I do if a user performs suspicious operations on a database?

    A: You can choose one of the following methods:

    • If you want to retain the user's permissions, you can disable the user. After being disabled, the user cannot log on to the DMS service. You can then use the operation audit feature of DMS to view all database operations performed by the user. If the investigation clears the user, you can enable the user again. The user's original permissions and configurations are restored, allowing them to resume work quickly.

    • If you do not need to retain the user's permissions, you can delete the user. A deleted user cannot log on to the DMS service, and their permissions and data ownership configurations are cleared.

  • Q: As an administrator, how can I quickly find other accounts?

    A: In the top navigation bar of the console, choose O&M > User Management. On the User Management page, you can search for a target account by account name, email address, display name, or Alibaba Cloud UID, and filter by account status.

  • Q: Can a user log on to DMS after being disabled?

    A: No, they cannot.

  • Q: When I try to disable a user, a message indicates that the user is the DBA of an instance and cannot be disabled. What should I do?

    A: You can edit the instance to change its DBA.

    Note

    Only a user with the DBA system role in DMS can be assigned as the DBA of an instance. If the user that you want to assign does not have the DBA role, go to the User Management page to edit their role.

  • Q: Why is a user who was deleted in DMS not completely removed from the user list?

    A: Currently, deleted users are only marked as deleted in the list and cannot be permanently purged from DMS.

  • Q: How can I revoke a user's existing permissions on resources such as instances and databases in user management?

    A: As an administrator or DBA, go to user management and find the target user. In the Actions column, choose More > Permission Details. Select the resource permissions that you want to revoke and click Revoke Permission.

  • Q: After the name of a RAM user is updated, the RAM display name in DMS User Management is not updated.

    A: The display name of a RAM user is synchronized from RAM to DMS only when the RAM user is first synchronized. Subsequent changes to the display name in RAM are not automatically synchronized to DMS. To update the display name in DMS, go to O&M > User Management, click Edit, modify the Display Name in Basic Information, and save your changes.

  • Q: After logging in to DMS, a regular user with permissions for only some databases sees all databases.

    A: This behavior is expected. The databases on the left side of the DMS console are displayed at the instance level, which means all databases in the instance are listed. Regular users can perform read and write operations only on the databases for which they have permissions. If you want to restrict users to see only the instances and databases for which they have permissions, you need to configure this by using metadata access control.

  • Q: Why are some accounts grayed out and cannot be selected when I synchronize RAM users?

    A: These RAM users are missing the AliyunDMSLoginConsoleAccess permission. You need to grant them this permission before you can select and synchronize them.