Integrate Data Management (DMS) with your enterprise development platform to centrally manage database access, changes, and permissions.
Process overview
Identity authentication
Log on to DMS with Alibaba Cloud identity authentication. Create RAM users for your enterprise before using DMS.
Initialize DMS
Integrate DMS with your enterprise development platform
Add database instances
After you add database instances to DMS, you can manage your databases with DMS features.
Step 1: Identity authentication
Alibaba Cloud identity authentication
If your enterprise already has a RAM user system on Alibaba Cloud, you can skip this step.
Self-managed identity system
If your enterprise uses a self-managed identity system not connected to Alibaba Cloud, use IDaaS to connect it to the Alibaba Cloud RAM user system.
When connecting through IDaaS, your enterprise acts as the identity provider (IdP). The IDaaS integration workflow is shown in the diagram below.
Create an IDaaS EIAM instance.
Log on to the Alibaba Cloud IDaaS console and activate an instance. Activate an instance for free.
Bind an IdP for IDaaS.
After you bind an IdP, you can log on to IDaaS applications through that IdP (for example, Alibaba Cloud SSO through DingTalk) and synchronize accounts from your original account system to IDaaS. Identity Provider.
Create IDaaS accounts.
Create accounts manually or by calling an OpenAPI operation. Create an account and Create an EIAM account.
NoteIf you have already synced your internal enterprise accounts to IDaaS in Step 2, you can skip this step.
Create an application.
An application in IDaaS represents a business application, system, or service. The following examples show how to add an application using role-based SSO and user-based SSO:
Create an Alibaba Cloud user-based SSO application
NoteIf user-based SSO is enabled, save the existing metadata file first. The file cannot be recovered if overwritten. After you bind the new metadata file, the original user-based SSO logon settings for the RAM user become invalid.

After you create the application, use account synchronization to sync IDaaS accounts to RAM instead of creating them manually. Account data synchronization.

Create an Alibaba Cloud role-based SSO application
With role-based SSO, users can log on to Alibaba Cloud using a RAM role without creating individual RAM users. Alibaba Cloud role-based SSO.
Log on to the application through IDaaS.
After an administrator completes the user-based SSO configurations, an employee, Alice, logs on to Alibaba Cloud as shown in the following flowchart. User-based SSO overview.

Step 2: Initialize Data Management DMS
After integrating with Alibaba Cloud identity authentication, enterprise users can log on to DMS using their Alibaba Cloud accounts (root accounts, RAM users, or RAM roles). The first user to log on becomes the DMS administrator. All subsequent users are assigned the regular user role.
System roles
DMS has five system roles: regular user, security administrator, DBA, DMS administrator, and structure read-only user.
Each system role has different permissions. Grant DMS system roles to users based on the features and user groups associated with each role. System Roles.
Add Users
Two methods are available to add enterprise employees to DMS:
Automatic addition
If you initialize DMS with an Alibaba Cloud account (root account), DMS automatically syncs all RAM users under that account.
If you initialize DMS with a RAM user, automatic sync is unavailable. Manually add the Alibaba Cloud account (root account) to DMS to enable automatic sync of all RAM users under that account.
This synchronization is controlled by a global configuration item in DMS, enabled by default. Configuration Management.
Manual addition
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
Add users.
Manually add any user
Click Add, enter the Alibaba Cloud Account UID and set a system Role for the user, and then click Confirm.

Manually add RAM users under the current Alibaba Cloud account
Click Sync Sub-accounts, select the users to sync, and click Add Selected Users. After the users are added, set their system roles. Edit user information.

Step 3: Integrate DMS with your enterprise development platform
After integrating with Alibaba Cloud identity authentication, you can log on to DMS using your enterprise IdP. Choose one of the following methods to integrate DMS into your enterprise development platform.
Page integration
Construct a link to a DMS page.
Specify a redirect to a specific feature page. The link format is:
https://dms.aliyun.com/new#to={MENU_NAME}For example, the link to the data change page is
https://dms.aliyun.com/new#to=DC_COMMON.In addition to the preceding items, the following special cases apply:
Link to the ticket details page: https://dms.aliyun.com/?pid={ORDER_ID}.
ORDER_IDis the ticket number, which you can obtain from the DMS console or by calling an OpenAPI operation.Link to the SQL Console page:
https://dms.aliyun.com/websql/index?dbId={DB_ID}&logic={IS_LOGIC}&dbType={DB_TYPE}&instanceId={INSTANCE_ID}&insertSql={INSERT_SQL}.DB_ID: The database ID. This is an integer.
IS_LOGIC: Specifies whether the database is a logical database. Valid values are true and false.
DB_TYPE: The database type. You can call the OpenAPI operation GetPhysicalDatabase to retrieve the corresponding database and its DbType.
INSTANCE_ID: The instance ID. You can call the OpenAPI operation GetPhysicalDatabase to retrieve the corresponding database and its InstanceId.
INSERT_SQL: The query SQL statement that has been URL-encoded. When you are redirected to the SQL Console, the query SQL is automatically entered in the execution area. If you do not need to enter a query, do not pass the
insertSqlfield.
Construct a link for password-free access to DMS and embed it in your internal system.
Replace the password-free access address
https://dms.aliyun.comwith the constructed DMS feature page link. Access the DMS console without a password.
OpenAPI integration
Both Alibaba Cloud identity authentication systems and self-managed identity systems support OpenAPI integration.
Call DMS OpenAPI operations to add users and resources. API overview.
Step 4: Add database instances
Control modes
Configure a control mode for each instance registered in DMS. The control modes are Flexible Management, Stable Change, and Security Collaboration, each suited to different scenarios and supporting different features. Control Modes.
Add an instance
Supported databases
Add IP addresses to a whitelist
Add the DMS IP addresses for your region to the security settings of your database instance (firewall, whitelist, or security group). Add DMS IP address CIDR blocks.
Register an instance
To add a database instance to DMS: Add an ApsaraDB database instance or Add a database instance from another cloud or a self-managed database.
API operation: Register a database instance.
Other operations
After you integrate DMS with your enterprise development platform and add instances, you can manage access control, approval flows, and notification methods. Features.
Access control
Access control manages permissions for DMS resources (instances, databases, and tables). Grant logon, query, export, and change permissions to users as needed. Access control overview.
Permission types
DMS provides three types of data access permissions:
Query permissions: Execute query SQL statements in the SQL Console.
Change permissions: Execute change statements in the SQL Console (constrained by security rules) and submit data change and schema synchronization tickets (indirect changes).
Export permissions: Submit data export tickets (indirect exports).
Permissions are inherited across resource levels. For example, query permissions granted at the instance level apply to all databases and tables within that instance.
DMS limits query results in the SQL Console for security. For example, Flexible Management instances cap queries at 3,000 rows. To retrieve a complete dataset, request export permissions and submit a data export ticket.
If you enable data protection and set sensitivity levels for fields, you can also manage permissions for sensitive fields. Data protection overview and Manage access control permissions.
Resource roles
DMS provides four resource roles: instance DBA, instance owner, database owner, and table owner. Each role has different permissions. Resource roles.
Authorization methods
DMS supports two methods for obtaining permissions: administrators grant permissions to users, or users apply for permissions.
Active authorization
Administrators and DBAs can grant permissions to users on the Resource Management or User Management page. Manage access control permissions.
To grant permissions on a resource to multiple users at once, use a permission template to manage resources with the same business attributes. Create a permission template.
Permission application
Users can apply for permissions by submitting a ticket. Manage access control permissions.
Approval flows
The DMS ticket system requires approval before database operations can proceed.
Custom approval flows
Approval flows are defined by approval templates. Each template can contain multiple approval nodes, and each node can have multiple approvers.
Approval
After all approval nodes in the flow are approved, the entire approval flow ends, and the ticket proceeds to the next stage.
Rejection or revocation
When an approver at an approval node rejects the request or the ticket creator revokes the ticket, the approval flow ends, and the ticket is not approved.
Custom approval flows are available only for instances in Security Collaboration mode. Other modes use built-in DMS approval flows. Customize ticket approval flows.
Approval operations
DMS supports these approval operations:
Approve: The request proceeds to the next approval node.
Reject: The approval flow is terminated. Submit a new ticket to retry.
Revoke: The initiator terminates the approval flow.
Change Owner: Transfer approval responsibility to another user.
Add Signature: Add an approval node before or after the current node (pre-signature or post-signature).
Other configurations
Escalated approval allows users without approval permissions to participate in approving specified or all ticket types. Configure this on the Configuration Management page. Configuration Management.
Users or roles that meet escalated approval conditions can then perform Approve, Reject, Add Signature, or Revoke operations. Otherwise, the process remains unchanged.
Message notifications
DMS enables message notifications by default for various ticket types and task flows. Configure custom recipients to ensure effective delivery. Supported methods include text messages, emails, DingTalk, Lark, dedicated DingTalk, DingTalk robots, and webhooks.
Configure personal notification methods by entering the required information (such as a mobile number and verification code). Configure personal information and notification methods.
Configure the ticket types and trigger conditions for notifications (such as approval passed or ticket execution completed). Manage message notifications.


