hosted database-Data Management-阿里云帮助中心

The security hosting feature of Data Management (DMS) resolves issues in traditional database management. These issues include the risk of database account and password leaks, the complex management of multiple databases and accounts, and disorganized user permissions for resources. After you enable security hosting for an instance, the instance becomes passwordless. It is also subject to fine-grained access control for resources in DMS. You can access authorized resources, such as instances and databases, without using database accounts or passwords.

Background information

Traditional database management solutions	DMS security hosting solution
Managing multiple databases and accounts is difficult, and authorization is complex. If permissions are not revoked promptly, data breaches can easily occur. In addition, it is difficult to trace personnel who operate the database.	Security hosting is a best practice of DMS for database permission access control within Alibaba Group. It provides enterprises with a series of database permission controls and helps them achieve unified permission management for multicloud databases.

Video introduction

Comparison before and after enabling security hosting

Item	Before enabling	After enabling
Database account and password	Connections to the database require a database account and password. This poses a risk of account and password leaks.	Employees do not handle accounts or passwords. This eliminates the risk of leaks.
Instance logon status	The logon status can easily expire. The database connection is disconnected after 24 hours. After the disconnection, you must log on to the database again.	The instance is passwordless. You can directly use permissions, such as query and change, on the instance.
Managing multiple accounts and databases	Management is difficult because you must manage accounts and databases together.	You can use an Alibaba Cloud account or a domain account for database access authentication.
Database permission management	Only instance logon permissions can be managed.	DMS provides unified permission management. You can perform fine-grained access control at the instance, database, table, row, and column levels. DMS supports managing the entire lifecycle of resource permissions. You can set an expiration time for permissions to enable automatic revocation.
Instance logon permissions	Users must apply for logon permissions separately.	Passwordless logon is used, so you do not need to apply for logon permissions. Regular users can apply for query, export, or change permissions on resources as needed.

Billing

The security hosting feature is free of charge.

Notes

For instances in Stable Change or Flexible Management mode, you must manually enable security hosting. For more information, see Enable security hosting.
Note
For instances in Security Collaboration mode, security hosting is enabled by default.
To better use the features of DMS and fully control your databases, we recommend that you host a database account that has high-level permissions in DMS.
Enabling security hosting for an instance does not affect the database itself or normal connections to it.
When you register an instance that belongs to another Alibaba Cloud account, you cannot set the access mode to security hosting.

Using a flowchart

Enable security hosting

An administrator or a database administrator (DBA) can log on to the DMS console 5.0 and enable security hosting for an instance.

For an instance that is not registered with DMS
An administrator or DBA can enable security hosting when registering the database instance. For more information about how to register an instance, see Register an ApsaraDB instance and Register a third-party cloud or self-managed database.
The instance has been successfully added to DMS.
An administrator or DBA can right-click the target instance in the database instance list in the navigation pane on the left of the DMS homepage, select Edit Instance, and then enable Security Hosting. For more information, see Edit instance information.

Disable security hosting

You can disable security hosting to remove an instance from the passwordless list.

An administrator or DBA can right-click the target instance in the database instance list in the navigation pane on the left of the DMS homepage, select Edit Instance, and then select Not Hosted.

Important

After security hosting is disabled, the original permission configurations for the instance become invalid. You must enter the database account and password each time you log on to the database.

Other operations

Check whether security hosting is enabled for an instance
In the Database Instances area on the left side of the DMS console, find the target instance. You can hover the mouse pointer over the instance name to check whether security hosting is enabled.
An administrator, a DBA, or an instance owner can manually grant permissions to a user. For more information, see Manage access control permissions.
In the database instance list, you can right-click the target instance or database, select Manage Permissions, and grant permissions on the instance, database, or other resources to the user.
Note
- If your enterprise has many employees or databases, you can use permission templates to centrally manage instances, databases, and tables with the same business properties, and grant permissions to users in batches. For more information, see Create a permission template.
- Regular users can also request resource permissions. For more information, see Request permissions by submitting a ticket.
View your resource permissions. For more information, see View my permissions.
An administrator can view the resource permissions of other users. An administrator or a DBA can view the owners of instance and database permissions. For more information, see Manage the permissions of other users as an administrator
An administrator or a DBA can trace the details of permission change operations. For more information, see Operation audit.

FAQ

Q: After I enable security hosting, how can I prevent users who do not have permissions on an instance from viewing information about that instance?
A: You can perform the following steps:
1. Disable RAM permission verification.
  In the Operations Management > Configuration Management section, turn off Enable RAM Permission Verification. This prevents Resource Access Management (RAM) users from using their existing RAM permissions to perform operations on instances in DMS.
2. Enable access control for the instance.
  Note
  Access control can be enabled only for instances in Security Collaboration mode.
  In the Data Asset > Instance Management section, find the target instance. Choose More > Access Control and turn on the switch. After you enable access control, only authorized users can search for the instance. For more information, see Access control.
Q: After I enable security hosting, how can I prevent a user from viewing information about instances for which they do not have permissions?
A: You can perform the following steps:
1. Disable RAM permission verification.
  In the Operations Management > Configuration Management section, turn off Enable RAM Permission Verification. This prevents RAM users from using their existing RAM permissions to perform operations on instances in DMS.
2. Enable access control for the user.
  In the Operations Management > User Management section, find the target user. Choose More > Access Control and turn on the switch. After you enable access control, the user can search only for instances or databases for which they have permissions. For more information, see Access control.

For more frequently asked questions about security hosting, see FAQ about security hosting.