Key concepts used in Data Management (DMS).
This page defines the core terms used across DMS features.
Routing algorithm
A routing algorithm reduces the overhead of querying or modifying sharded data. By associating a routing algorithm with a logical database, DMS locates the relevant physical shard directly, rather than scanning all shards.
A routing algorithm consists of a routing field and an algorithm type.
Without a routing algorithm, every operation on a logical table iterates over all underlying physical tables, multiplying execution time by the number of shards.
Applies to: querying, modifying, and exporting data across sharded tables.
Column security level
DMS classifies sensitive columns into three security levels to apply appropriate masking and access controls. These levels apply only when data is accessed through DMS or the DMS Secure Access Proxy — third-party tools are not affected.
|
Level |
Former name |
Display behavior |
|
Low-sensitivity |
Internal |
Plaintext |
|
Medium-sensitivity |
Sensitive |
Masked |
|
High-sensitivity |
Confidential |
Masked |
When a column is set to medium- or high-sensitivity:
SQL Console displays masked values (asterisks
*or a custom mask pattern) for users without explicit access.Querying, exporting, or modifying the column requires a separate permission request.
DBAs and administrators can configure distinct approval workflows for export and data change operations involving sensitive columns.
Security-collaboration instances default to low-sensitivity for all columns.
Logical database
A logical database is a virtual grouping that abstracts one or more physical databases (shards) behind a single name. DMS routes operations to the correct physical shard based on the logical database's routing algorithm.
For more information, see the Routing algorithm section on this page.
Logical table
A logical table maps to a set of physical tables that share the same schema but are distributed across shards. DMS treats them as a single table for queries, data changes, and exports.
Each logical table belongs to a logical database and inherits its routing algorithm.
Data owner
A data owner is the designated person responsible for a specific database or table. Owners control how other users access the data they manage.
Responsibilities:
Act as an approval node in security rule workflows.
Grant or revoke permissions on their databases and tables.
How ownership is assigned:
By a DBA or existing owner: Right-click the target database in the instance list on the DMS home page, then select Manage Owner.
By self-service request: The team lead responsible for the data applies through the permission request flow.
Metadata
Metadata in DMS refers to the structural information about database objects: database names, character sets, table names, table sizes, row counts, field names, field types, field precision, indexes, and descriptions. This information comes from internal database sources such as information_schema. Table size and row count figures are approximate order-of-magnitude references, not exact values.
DMS uses metadata for:
In-product search and display
Automated identification of sensitive data
Fine-grained permission control at the database, table, column, row, and programmable-object level
Collection scope by instance mode:
|
Aspect |
Security-collaboration mode |
Standard mode |
|
Collection scope |
All metadata for all instances |
Database-level information only; remaining metadata loaded on login |
|
Full collection on first registration |
Yes |
Yes |
|
Scheduled full collection |
Daily at 18:00 (automatic) |
Not supported |
|
Incremental collection |
Via Refresh in SQL Console; via Sync Metadata in instance management; automatically triggered by DDL changes completed through DMS |
Via Refresh or Sync Dictionary buttons |
Supported metadata by database type:
|
Object |
MySQL family |
PostgreSQL family |
SQL Server |
Oracle |
MongoDB |
Redis |
|
Database |
Name, character set |
Name |
Name |
Name |
— |
Name |
|
Table |
Name, description, character set, row count, size |
Name, description, row count, size |
Name, description, row count, size |
Name, description, row count, size |
— |
— |
|
Column |
Name, type, nullable, length, precision, description |
Name, type, nullable, length, precision, description |
Name, type, nullable, length, precision, description |
Name, type, nullable, length, precision, description |
— |
— |
|
Index |
Name, type, indexed columns |
Name, type, indexed columns |
Name, type, indexed columns |
Name, type, indexed columns |
Name, indexed columns |
— |
|
Programmable object |
Name, type |
Name, type |
Name, type |
— |
— |
— |
|
Schema |
— |
Name |
— |
— |
— |
— |
|
Collection |
— |
— |
— |
— |
Name |
— |
|
Key |
— |
— |
— |
— |
— |
Name, type |
MySQL family includes MySQL, PolarDB MySQL Edition, PolarDB Distributed Edition, AnalyticDB for MySQL, DLA, ClickHouse, OceanBase MySQL mode, and MariaDB. PostgreSQL family includes PostgreSQL, PolarDB PostgreSQL Edition (Oracle-compatible), PolarDB PostgreSQL Edition, AnalyticDB for PostgreSQL, and OceanBase Oracle mode.
Security rules
Security rules define the approval workflows that govern DMS operations — SQL execution, data changes, data exports, and permission requests. The system includes three default risk levels (low, medium, high) that cannot be deleted but can be edited.
Each database instance is associated with exactly one security rule, so you can apply strict controls to production while keeping development environments unrestricted.
Core components:
Approval nodes
Nodes represent the people who must approve an operation.
System nodes (cannot be edited or deleted):
Admin — any system administrator; approval by any one admin passes the step.
DBA — the DBA assigned to the instance; approval by the instance's DBA passes the step.
DBA Roles — any user with the DBA role, including the instance's assigned DBA.
Owner — the data owner of the target database; configured by a DBA when the instance is registered.
Custom nodes can be added and edited as needed.
Approval templates
Templates combine nodes into ordered approval chains. System templates (Admin, DBA, Owner, Owner→DBA, Owner→DBA→Admin) cannot be deleted but can be referenced as baselines for custom templates.
Configurable controls
|
Feature area |
What security rules control |
|
SQL Console |
Allow/deny DML and DDL execution; set row-count and table-size thresholds; block high-risk DDL (DROP TABLE, DROP COLUMN) |
|
Data change |
Allow/deny DML and DDL; set impact-row thresholds; block high-risk DDL |
|
Data export |
Enable/disable approval; set export-volume thresholds; set separate workflows for sensitive data |
|
Permission requests |
Set approval workflows for table/column permissions, sensitive-column permissions, confidential-column permissions, and security-level downgrades |
Data volume
In database backup contexts, DMS uses four distinct volume measurements:
|
Term |
Definition |
|
Database disk space |
Total storage allocated to the database instance, including data files, log files, OS files, and free space. For RDS, this is the storage purchased at instance creation. For ECS, this is the sum of system and data disks. |
|
Data file space |
Disk space actually occupied by the database's data files on the server. |
|
Backup data volume |
The actual size of data transferred through the backup channel. Varies by database type, backup method, and backup granularity. |
|
Storage data volume |
The actual size stored on the storage medium after compression. Always smaller than or equal to backup data volume. |
Size order: Database disk space ≥ Data file space > Backup data volume > Storage data volume.
Built-in storage and user OSS
Data Backup (DBS) stores backup data in cloud storage. Two storage options are available:
|
DBS built-in storage |
User OSS |
|
|
Access control |
Customers cannot access backup sets directly; integrated with DBS security permissions |
Customers can access backup sets directly; self-managed security |
|
Reliability |
Alibaba Cloud Apsara distributed storage |
Alibaba Cloud Apsara distributed storage |
|
Cost |
Pay-per-use for actual data volume; no OSS request fees |
OSS request fees apply; see OSS pricing |
|
Management |
No OSS bucket to manage |
Requires managing bucket name and quota |
|
Extra features |
Backup lifecycle management; automatic CSV download |
Backup lifecycle management |
DBS built-in storage scales automatically with your data — no manual capacity planning required. For large data volumes, consider purchasing a DBS storage plan for discounted rates compared to pay-as-you-go pricing.