Functional differences between security hosting and Security Collaboration
| Core features | Security hosting | Security Collaboration |
| --- | --- | --- |
| Password-free logon | ✔️ | ✔️ |
| Fine-grained, full-lifecycle permission management | ✔️ | ✔️ |
| Table schema design | ❌ | ✔️ |
| Security rules (granular control over operational standards and development workflows) | ❌ | ✔️ |
| Custom ticket approval processes | ❌ | ✔️ |
| SQL review and optimization | Identifies potential optimizations or improvements in SQL statements. | Reviews SQL statements based on optimization suggestions in security rules. DMS blocks statements that require mandatory improvements. |
| Operation audit | You can view database operation logs from the last 24 hours. | You can view database operation logs from the last three years. |

Changes after enabling security hosting
- Before you enable security hosting, users must log on to an instance with a database account and password. You must manage permissions for each database account individually.
- After you enable security hosting, users can log on to an instance without a database account or password. You can manage permissions at the instance, database, table, and row levels.
For more information, see security hosting.
Using password-free logon without permission management
Users with the administrator, DBA, or instance owner roles can use the password-free logon feature without applying for additional permissions. Other users must apply for instance permissions or have them granted by an administrator, DBA, or instance owner. For more information, see Submit a ticket to apply for permissions and Manage permissions as a DMS administrator or DBA.
Logon permissions after enabling security hosting
Administrators, DBAs, and instance owners can use the instance directly. Regular users must apply for Query, Export, and Change permissions depending on their needs.
Applicable permissions with security hosting
You can apply for Query, Export, and Change permissions.
- Query: Allows you to run query statements in the SQL Console.
- Export: Allows you to submit data export tickets. Direct export is not permitted.
- Change: Allows you to run change statements in the SQL Console, subject to administrator-configured constraints. This permission also lets you submit data change tickets and database and table synchronization tickets. Direct changes are not permitted.
Permission request approvers
For instances not using Security Collaboration, the instance owner is the approver. If no owner is assigned, the instance DBA is the approver. For instances using Security Collaboration, you can specify approvers in the security rules before you submit a ticket. For more information, see Custom ticket approval processes.
Viewing permission operation records
DMS operation logs record permission operations such as applying for permissions, granting permissions, and revoking permissions. Administrators and DBAs can query these records by using the operation audit feature. For more information, see operation audit.
Setting permission expiration dates
You can set a validity period for a permission. When the validity period expires, the permission is automatically revoked. Administrators, DBAs, or instance owners can also manually revoke a user's permissions at any time.
Controlling sensitive data with column permissions
If sensitive data protection is enabled for an instance, you can use sensitive column permissions to control access to specific fields. The system automatically classifies and ranks sensitive data, and allows only users with the appropriate permissions to view sensitive fields. For more information, see Overview.
Using domain accounts for permission management
You can use domain accounts for permission management. After you integrate your domain accounts with DMS, you can implement fine-grained permission management. For more information, see Use SSO to log on to DMS and Manage permissions.
Pricing for security hosting
The security hosting feature is free of charge.
Handling DMS client connection errors
During a DMS upgrade, the client may experience connection errors. To work around this issue, switch the access mode of the instance to manual hosting. In this mode, you must manually enter the database account and password to connect. This bypasses the automatic logon process, which might be affected by the upgrade.
For more information, see security hosting.