Policies


The DMS policy feature allows you to manage access to DMS features and data resources with fine-grained control. By defining a policy, you can specify permissions, such as query and modification permissions, for data resources at various levels like instances and databases. You can also control which actions are allowed for specific DMS features.

Features

  • Control access to data resources

    You can use both policies and the standard permission system to grant permissions, including query and modification permissions, for data resources at different levels, such as an instance, database, logical database, or table.

  • Control access to features

    You can use policies to control actions for DMS features, such as allowing or denying the creation and viewing of sub-features.

Notes

This feature is in canary release. To use it, join the DingTalk group (ID: 67215001618) to contact DMS technical support.

Differences between policies and permission templates

Manageable objects
  • Policy: data resources and DMS features
  • Permission template: data resources only

Scope of manageable data resources
  • Policy: wide scope, including instances, physical databases, logical databases, and tables
  • Permission template: narrow scope, including only instances, databases, and tables

Scope of supported authorization targets
  • Policy: users and roles
  • Permission template: users only

Authorization

DMS policies and the standard permission system are complementary: a user's effective permissions on a data resource are the union of what the two systems grant.

For example, if a user is granted query permissions on the dmstest_db database through a policy and is also granted modification permissions on the same database through the standard permission system, the user has both query and modification permissions on the database. Because policies are evaluated before the standard permission system, a policy whose effect is Deny takes precedence: when a policy matches, the standard permission system is not consulted for that operation.

Data resource authorization process

(Figure: flowchart of the data resource authorization process; the steps are described under Permission diagnosis below.)

Prerequisites

You must have permissions to manage policies. If not, ask an administrator to grant you the administrator system role. For more information, see Edit user information.

Note

By default, users with the administrator role have the permissions to manage policies.

Step 1: Create and configure a policy

  1. Log in to DMS 5.0.

  2. In the upper-left corner of the console, click the menu icon and choose All Features > Security and Specifications > Permission Center > Policy.

    Note
    • If you are using the console in normal mode, choose Security and Specifications > Permission Center > Policy from the top navigation bar.

    • This feature is in canary release. To see the entry point for this feature, you must first apply for access. To apply, contact DMS technical support through DingTalk (Group ID: 67215001618).

  3. Click Create Policy. On the page that opens, fill in the Basic Information and Remarks.

  4. Configure the policy content.

    Note

    After configuring a policy statement, you can click Add Policy at the bottom of the page to add more statements for data and feature resources.

    Data resources

    1. Select an Effect.

      An effect of Allow grants authorized users or roles access to the data resources and related features defined in the policy. Conversely, an effect of Deny prohibits authorized users or roles from accessing the resources and features defined in the policy.

    2. On the Resource Type > Data tab, select the resources you want to control, such as Instance, Database, or Logical Database.

      Note

      The console lists all supported data resource types.

    3. In the Actions section, select an action type, such as Read actions (query permissions) or Write actions (modification permissions).

      All Actions includes both Read actions and Write actions. For Specified Actions, you can select read or write actions based on your needs. After making your selection, click the add icon to move it to the Selected Actions area.

      For example, under Read actions, select Instance Query (instance:InstanceQuery), and under Write actions, select Instance Modification (instance:InstanceCorrect). Then click the add icon to move both to the Selected Actions area.

    4. In the Resource section, select the resource scope: All Resources or Specified Resources.

      If you select Specified Resources, click Add Resource in the lower-right corner.

      In the Add Resource dialog box, select the target instance in the Instance field (you can search by keyword), and then click Confirm.

    5. (Optional) Configure policy conditions.

      In the Condition section, click Add Condition. In the Add Condition dialog box, configure the Condition Key, Operator, and value.

      Note

      The available condition parameters depend on the resource type and actions you selected.

      Examples of condition key configurations:

      • Select database type

        For example, if you set Operator to StringEqualsIgnoreCase (case-insensitive string match) and Condition Value to MySQL, the policy applies only to MySQL databases.

      • Select time

        For example, if you set Operator to DateGreaterThan and Condition Value to 2024-09-19 05:00, the policy takes effect only after 2024-09-19 05:00.

    Feature usage

    1. Select an Effect.

      An effect of Allow grants authorized users or roles access to the data resources and related features defined in the policy. Conversely, an effect of Deny prohibits authorized users or roles from accessing the resources and features defined in the policy.

    2. On the Resource Type > Feature tab, select the feature you want to control, such as data export ticket, user management, role management, or sensitive data protection.

    3. In the Actions section, select an action type.

      For Specified Actions, you can select read or write actions based on your needs. After making your selection, click the add icon to move it to the Selected Actions area.

    4. In the Resource section, select the resource scope: All Resources or Specified Resources.

      If you select Specified Resources, click Add Resource to add resources.

    5. (Optional) Configure policy conditions.

      In the Condition section, click Add Condition. In the Add Condition dialog box, configure the Condition Key, Operator, and value.

      Note

      The available condition parameters depend on the resource type and actions you selected.

      For example, if you select Data Export Ticket as the Resource Type, you can use the Instance Environment Type condition key as follows:

      If you set Operator to StringEqualsIgnoreCase (case-insensitive string match) and Condition Value to dev, the policy takes effect only for databases in the development (dev) environment.

  5. Click Confirm in the lower-left corner of the page to generate the policy.

Step 2: Authorize a user or role

  1. On the policy list page, find the target policy and click Authorize in the policy's row.

  2. In the Authorize dialog box, select the Users or Roles you want to authorize. You can select multiple items.

    A role refers to a custom role. Users who are assigned this role are subject to the policy.

  3. Click Confirm.

Manage policies

On the policy list page, you can modify, delete, or create a similar policy.

Permission diagnosis

Note
  • Currently, DMS only supports permission diagnosis for data resources.

  • On the operation log page, you can only perform permission diagnosis on operations from the last three months.

The permission diagnosis feature helps you trace the source of a user's permissions for data resources. You can start a diagnosis in two ways:

From operation logs

  1. Move the pointer over the menu icon in the upper-left corner and choose All Features > Security and disaster recovery (DBS) > Operation Audit.

    Note

    If you use the DMS console in normal mode, choose Security and disaster recovery (DBS) > Operation Audit in the top navigation bar.

  2. On the Operation Logs tab, filter for operation logs from the SQL Console.

  3. Click Permission Diagnosis to the right of a log entry.

    The Permission Diagnosis dialog box opens and displays the authorization process. The system first checks for a matching policy. If a policy matches, its effect decides the outcome: Allow grants access and Deny refuses it, and the standard permission system is not consulted. If no policy matches, the system checks the standard permission system; if the user holds a standard permission for the operation, access is granted. Otherwise, the system performs a final RAM permission check on the instance and grants access if that check succeeds, denying it if it fails.
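The evaluation order above, together with the Allow/Deny effects, the StringEqualsIgnoreCase and DateGreaterThan condition operators from Step 1, and the complementary query-plus-modification example from the Authorization section, as an added example that is not DMS's own code. The dictionary layout of a policy statement, the condition key names (DatabaseType, EnvType, CurrentTime), the resource naming, the operator implementations, and the rule that a matching Deny beats a matching Allow are all assumptions made for illustration; only the action identifiers instance:InstanceQuery and instance:InstanceCorrect come from the page, and they are applied here to database-named resources purely to keep the scenario small.

```python
"""Added example, not DMS code: a minimal model of DMS policy matching
(effect, actions, resources, conditions) and of how the policy result,
the standard permission system and the final RAM check are combined in
the order the Permission Diagnosis dialog describes.
Assumptions: the statement layout, the condition key names, the
resource-name scheme, the operator implementations, and Deny-over-Allow."""
from datetime import datetime

# Operators named on the page; the implementations are assumed.
OPERATORS = {
    "StringEqualsIgnoreCase": lambda have, want: str(have).lower() == str(want).lower(),
    "DateGreaterThan": lambda have, want: datetime.fromisoformat(have) > datetime.fromisoformat(want),
}

def conditions_match(conditions, context):
    """Every condition must hold; a context key that is absent never matches."""
    for cond in conditions:
        have = context.get(cond["key"])
        if have is None or not OPERATORS[cond["operator"]](have, cond["value"]):
            return False
    return True

def statement_matches(stmt, action, resource, context):
    """A statement matches when action, resource scope and all conditions match."""
    if action not in stmt["actions"]:
        return False
    if stmt["resources"] != "*" and resource not in stmt["resources"]:   # "*" = All Resources
        return False
    return conditions_match(stmt.get("conditions", []), context)

def evaluate_policies(statements, action, resource, context):
    """Return "Allow", "Deny", or None when no statement matches.
    Assumption: a matching Deny wins over any matching Allow."""
    decision = None
    for stmt in statements:
        if statement_matches(stmt, action, resource, context):
            if stmt["effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def authorize(user, action, resource, context):
    """Policy first; only when no statement matches fall through to the
    standard permission system, and then to the RAM check on the instance."""
    decision = evaluate_policies(user["policies"], action, resource, context)
    if decision is not None:
        return decision == "Allow", "policy"
    if (action, resource) in user["standard_permissions"]:
        return True, "standard permission"
    if resource in user["ram_allowed_instances"]:
        return True, "RAM"
    return False, "no permission"

QUERY, MODIFY = "instance:InstanceQuery", "instance:InstanceCorrect"  # action identifiers from the page

# Constructed user: query on dmstest_db through a MySQL-only policy, modification on
# dmstest_db and prod_db through the standard permission system, a policy that denies
# modification in the prod environment, and a time-gated query policy on report_db.
USER = {
    "policies": [
        {"effect": "Allow", "actions": [QUERY], "resources": ["dmstest_db"],
         "conditions": [{"key": "DatabaseType", "operator": "StringEqualsIgnoreCase", "value": "MySQL"}]},
        {"effect": "Deny", "actions": [MODIFY], "resources": "*",
         "conditions": [{"key": "EnvType", "operator": "StringEqualsIgnoreCase", "value": "prod"}]},
        {"effect": "Allow", "actions": [QUERY], "resources": ["report_db"],
         "conditions": [{"key": "CurrentTime", "operator": "DateGreaterThan", "value": "2024-09-19 05:00"}]},
    ],
    "standard_permissions": {(MODIFY, "dmstest_db"), (MODIFY, "prod_db")},
    "ram_allowed_instances": {"legacy_db"},
}

def run_scenarios():
    """Constructed request contexts; each result is (allowed, deciding stage)."""
    mysql_dev = {"DatabaseType": "mysql", "EnvType": "dev", "CurrentTime": "2024-09-20 09:00"}
    pg_dev = {"DatabaseType": "PostgreSQL", "EnvType": "dev", "CurrentTime": "2024-09-20 09:00"}
    mysql_prod = {"DatabaseType": "MySQL", "EnvType": "PROD", "CurrentTime": "2024-09-20 09:00"}
    early = {"DatabaseType": "MySQL", "EnvType": "dev", "CurrentTime": "2024-09-19 04:59"}
    return {
        "query_mysql": authorize(USER, QUERY, "dmstest_db", mysql_dev),    # (True, "policy")
        "modify_dev": authorize(USER, MODIFY, "dmstest_db", mysql_dev),    # (True, "standard permission")
        "query_pg": authorize(USER, QUERY, "dmstest_db", pg_dev),          # (False, "no permission")
        "modify_prod": authorize(USER, MODIFY, "prod_db", mysql_prod),     # (False, "policy"): Deny wins
        "query_early": authorize(USER, QUERY, "report_db", early),         # (False, "no permission")
        "query_late": authorize(USER, QUERY, "report_db", mysql_dev),      # (True, "policy")
        "legacy_ram": authorize(USER, QUERY, "legacy_db", mysql_dev),      # (True, "RAM")
    }

if __name__ == "__main__":
    for name, (allowed, stage) in run_scenarios().items():
        print(f"{name:12} {'Allow' if allowed else 'Deny':5} via {stage}")
```

The modify_prod scenario is the one to keep in mind when reading a diagnosis result: the user holds a standard modification permission on prod_db, but because the Deny policy matches first, the standard permission is never reached. The query_mysql and modify_dev scenarios together are the complementary example from the Authorization section, with the deciding stage made explicit.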

From the SQL Console

  1. In the database instance list on the left, find and double-click the target database to open the SQL Console.

  2. At the top of the page, in the My Permissions section, select a permission type.

  3. Click Permission Diagnosis to view the authorization process.

    (Figure: Permission Diagnosis dialog box)