Integrate DMS with your enterprise development platform

更新时间:
复制 MD 格式

Integrate Data Management (DMS) with your enterprise development platform to centrally manage database access, changes, and permissions.

Process overview

  1. Identity authentication

    Log on to DMS with Alibaba Cloud identity authentication. Create RAM users for your enterprise before using DMS.

  2. Initialize DMS

  3. Integrate DMS with your enterprise development platform

  4. Add database instances

    After you add database instances to DMS, you can manage your databases with DMS features.

Step 1: Identity authentication

Alibaba Cloud identity authentication

If your enterprise already has a RAM user system on Alibaba Cloud, you can skip this step.

Create a RAM user.

Self-managed identity system

If your enterprise uses a self-managed identity system not connected to Alibaba Cloud, use IDaaS to connect it to the Alibaba Cloud RAM user system.

When connecting through IDaaS, your enterprise acts as the identity provider (IdP). The IDaaS integration workflow is shown in the diagram below.

image
  1. Create an IDaaS EIAM instance.

    Log on to the Alibaba Cloud IDaaS console and activate an instance. Activate an instance for free.

  2. Bind an IdP for IDaaS.

    After you bind an IdP, you can log on to IDaaS applications through that IdP (for example, Alibaba Cloud SSO through DingTalk) and synchronize accounts from your original account system to IDaaS. Identity Provider.

  3. Create IDaaS accounts.

    Create accounts manually or by calling an OpenAPI operation. Create an account and Create an EIAM account.

    Note

    If you have already synced your internal enterprise accounts to IDaaS in Step 2, you can skip this step.

  4. Create an application.

    An application in IDaaS represents a business application, system, or service. The following examples show how to add an application using role-based SSO and user-based SSO:

    • Create an Alibaba Cloud user-based SSO application

      Create an application.

      Note

      If user-based SSO is enabled, save the existing metadata file first. The file cannot be recovered if overwritten. After you bind the new metadata file, the original user-based SSO logon settings for the RAM user become invalid.

      image.png

      After you create the application, use account synchronization to sync IDaaS accounts to RAM instead of creating them manually. Account data synchronization.

      image.png

    • Create an Alibaba Cloud role-based SSO application

      With role-based SSO, users can log on to Alibaba Cloud using a RAM role without creating individual RAM users. Alibaba Cloud role-based SSO.

  5. Log on to the application through IDaaS.

    First single sign-on.

    After an administrator completes the user-based SSO configurations, an employee, Alice, logs on to Alibaba Cloud as shown in the following flowchart. User-based SSO overview.image.png

Step 2: Initialize Data Management DMS

After integrating with Alibaba Cloud identity authentication, enterprise users can log on to DMS using their Alibaba Cloud accounts (root accounts, RAM users, or RAM roles). The first user to log on becomes the DMS administrator. All subsequent users are assigned the regular user role.

System roles

DMS has five system roles: regular user, security administrator, DBA, DMS administrator, and structure read-only user.

Each system role has different permissions. Grant DMS system roles to users based on the features and user groups associated with each role. System Roles.

Add Users

Two methods are available to add enterprise employees to DMS:

Automatic addition

  • If you initialize DMS with an Alibaba Cloud account (root account), DMS automatically syncs all RAM users under that account.

  • If you initialize DMS with a RAM user, automatic sync is unavailable. Manually add the Alibaba Cloud account (root account) to DMS to enable automatic sync of all RAM users under that account.

Note

This synchronization is controlled by a global configuration item in DMS, enabled by default. Configuration Management.

Manual addition

  1. Log in to DMS 5.0.

  2. Move the pointer over the 2023-01-28_15-57-17.png icon in the upper-left corner and choose All Features > O&M > Users.

    Note

    If you use the DMS console in normal mode, choose O&M > Users in the top navigation bar.

  3. Add users.

    • Manually add any user

      Click Add, enter the Alibaba Cloud Account UID and set a system Role for the user, and then click Confirm.

      image

    • Manually add RAM users under the current Alibaba Cloud account

      Click Sync Sub-accounts, select the users to sync, and click Add Selected Users. After the users are added, set their system roles. Edit user information.

      image

Step 3: Integrate DMS with your enterprise development platform

After integrating with Alibaba Cloud identity authentication, you can log on to DMS using your enterprise IdP. Choose one of the following methods to integrate DMS into your enterprise development platform.

Page integration

  1. Construct a link to a DMS page.

    Specify a redirect to a specific feature page. The link format is:

    https://dms.aliyun.com/new#to={MENU_NAME}

    For example, the link to the data change page is https://dms.aliyun.com/new#to=DC_COMMON.

    MENU_NAME is the key value for the feature. The MENU_NAME for each feature is as follows:

    • Data Change: DC_COMMON

    • Data Import: DC_BIG_FILE

    • Lockless Change: DC_CHUNK

    • Programmable Objects: DC_PROC

    • Historical Data Cleanup: DC_CRON_CLEAR

    • Test Data Generation: menus_order_data_generate

    • SQL Result Set Export: DATA_EXPORT

    • Database Export: DB_EXPORT

    • My Permissions: menus_order_my_auth

    In addition to the preceding items, the following special cases apply:

    • Link to the ticket details page: https://dms.aliyun.com/?pid={ORDER_ID}. ORDER_ID is the ticket number, which you can obtain from the DMS console or by calling an OpenAPI operation.

    • Link to the SQL Console page: https://dms.aliyun.com/websql/index?dbId={DB_ID}&logic={IS_LOGIC}&dbType={DB_TYPE}&instanceId={INSTANCE_ID}&insertSql={INSERT_SQL}.

      • DB_ID: The database ID. This is an integer.

      • IS_LOGIC: Specifies whether the database is a logical database. Valid values are true and false.

      • DB_TYPE: The database type. You can call the OpenAPI operation GetPhysicalDatabase to retrieve the corresponding database and its DbType.

      • INSTANCE_ID: The instance ID. You can call the OpenAPI operation GetPhysicalDatabase to retrieve the corresponding database and its InstanceId.

      • INSERT_SQL: The query SQL statement that has been URL-encoded. When you are redirected to the SQL Console, the query SQL is automatically entered in the execution area. If you do not need to enter a query, do not pass the insertSql field.

  2. Construct a link for password-free access to DMS and embed it in your internal system.

    Replace the password-free access address https://dms.aliyun.com with the constructed DMS feature page link. Access the DMS console without a password.

    image

OpenAPI integration

Both Alibaba Cloud identity authentication systems and self-managed identity systems support OpenAPI integration.

Call DMS OpenAPI operations to add users and resources. API overview.

Step 4: Add database instances

Control modes

Configure a control mode for each instance registered in DMS. The control modes are Flexible Management, Stable Change, and Security Collaboration, each suited to different scenarios and supporting different features. Control Modes.

Add an instance

Supported databases

Databases supported by DMS.

Add IP addresses to a whitelist

Add the DMS IP addresses for your region to the security settings of your database instance (firewall, whitelist, or security group). Add DMS IP address CIDR blocks.

Register an instance

To add a database instance to DMS: Add an ApsaraDB database instance or Add a database instance from another cloud or a self-managed database.

API operation: Register a database instance.

Other operations

After you integrate DMS with your enterprise development platform and add instances, you can manage access control, approval flows, and notification methods. Features.

Access control

Access control manages permissions for DMS resources (instances, databases, and tables). Grant logon, query, export, and change permissions to users as needed. Access control overview.

Permission types

DMS provides three types of data access permissions:

  • Query permissions: Execute query SQL statements in the SQL Console.

  • Change permissions: Execute change statements in the SQL Console (constrained by security rules) and submit data change and schema synchronization tickets (indirect changes).

  • Export permissions: Submit data export tickets (indirect exports).

Note
  • Permissions are inherited across resource levels. For example, query permissions granted at the instance level apply to all databases and tables within that instance.

  • DMS limits query results in the SQL Console for security. For example, Flexible Management instances cap queries at 3,000 rows. To retrieve a complete dataset, request export permissions and submit a data export ticket.

  • If you enable data protection and set sensitivity levels for fields, you can also manage permissions for sensitive fields. Data protection overview and Manage access control permissions.

Resource roles

DMS provides four resource roles: instance DBA, instance owner, database owner, and table owner. Each role has different permissions. Resource roles.

Authorization methods

DMS supports two methods for obtaining permissions: administrators grant permissions to users, or users apply for permissions.

Approval flows

The DMS ticket system requires approval before database operations can proceed.

Custom approval flows

Approval flows are defined by approval templates. Each template can contain multiple approval nodes, and each node can have multiple approvers.

  • Approval

    After all approval nodes in the flow are approved, the entire approval flow ends, and the ticket proceeds to the next stage.

  • Rejection or revocation

    When an approver at an approval node rejects the request or the ticket creator revokes the ticket, the approval flow ends, and the ticket is not approved.

Note

Custom approval flows are available only for instances in Security Collaboration mode. Other modes use built-in DMS approval flows. Customize ticket approval flows.

Approval operations

DMS supports these approval operations:

  • Approve: The request proceeds to the next approval node.

  • Reject: The approval flow is terminated. Submit a new ticket to retry.

  • Revoke: The initiator terminates the approval flow.

  • Change Owner: Transfer approval responsibility to another user.

  • Add Signature: Add an approval node before or after the current node (pre-signature or post-signature).

Other configurations

Escalated approval allows users without approval permissions to participate in approving specified or all ticket types. Configure this on the Configuration Management page. Configuration Management.

Users or roles that meet escalated approval conditions can then perform Approve, Reject, Add Signature, or Revoke operations. Otherwise, the process remains unchanged.

Message notifications

DMS enables message notifications by default for various ticket types and task flows. Configure custom recipients to ensure effective delivery. Supported methods include text messages, emails, DingTalk, Lark, dedicated DingTalk, DingTalk robots, and webhooks.

  1. Configure personal notification methods by entering the required information (such as a mobile number and verification code). Configure personal information and notification methods.

  2. Configure the ticket types and trigger conditions for notifications (such as approval passed or ticket execution completed). Manage message notifications.