Grant or revoke permissions on instances, databases, and tables for specific users in DMS.
Prerequisites
-
Security hosting is enabled for the instance. Enable security hosting.
-
The target user is added to DMS. User management.
Notes
-
Fine-grained permission management on databases, tables, rows, and sensitive columns requires security hosting. Sensitive column permissions also require sensitive data protection.
-
An administrator or DBA can grant and revoke resource permissions for users within the current DMS tenant.
-
A data owner can grant and revoke permissions for the databases and tables they manage.
Permission management methods
|
User role |
Management method |
Resource types |
|
Administrator |
Instance permissions, database permissions, table permissions, sensitive column permissions, row permissions, and resource ownership. |
|
|
Instance permissions, database permissions, and table permissions. |
||
|
DBA |
Instance permissions, database permissions, table permissions, sensitive column permissions, row permissions, and resource ownership. |
|
|
Instance permissions, database permissions, and table permissions. |
||
|
Resource owner |
Instance permissions, database permissions, table permissions, sensitive column permissions, row permissions, and resource ownership. |
|
|
All users in the current tenant (role-independent) |
Instance permissions, database permissions, table permissions, programmable object permissions, sensitive column permissions, row permissions, and resource ownership. |
A resource owner can be an instance owner, database owner, or table owner.
Manage permissions with instance management
Log in to DMS 5.0.
Move the pointer over the
icon in the upper-left corner of the DMS console and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
On the Instance List tab, find the target instance, and then click in the Actions column.
-
On the Instance Permission tab, grant or revoke instance permissions.
-
Grant instance permissions
Click Grant Instance Permissions, select the Performance View, Query, Export, or Change permissions to grant to a specific user, and then click Confirm.
In the Permission Settings area, under Security Hosting Only, select the required permissions and set an Expiration Time, such as 1 month.
-
Revoke instance permissions
-
To revoke permissions from a single user: In the row of the target user, click Revoke Permission. Select the permissions to revoke and click Confirm.
-
To revoke permissions from multiple users: Select the users, click Revoke Permission, select the permissions to revoke, and then click Confirm.
-
-
Extend authorization
To extend expiring permissions, select the user and click Extend Authorization.
-
-
On the Database Permission tab, grant or revoke database permissions.
-
Grant database permissions
Click Grant Database Permissions, select the Query, Export, or Change permissions to grant for a specific database, and then click Confirm.
From the Expiration Time drop-down list, select a validity period, such as 1 month.
-
Revoke database permissions
-
To revoke permissions from a single user: In the Actions column for the target user, click Revoke Permission. Select the permissions to revoke and click Confirm.
-
To revoke permissions from multiple users: Select the users, click Revoke Permission, select the permissions to revoke, and then click Confirm.
In the Manage Permissions dialog box, on the Database Permission tab, select the records to revoke by selecting the check box in the row of the target database, for example,
dmsdb.
-
-
Extend authorization
To extend expiring permissions, select the user and click Extend Authorization.
-
-
On the Database List tab, batch set owners, transfer ownership, or manage permissions for databases, tables, columns, and rows.
NoteYou can also click next to the target database to manage its resource permissions.
Manage permissions with user management
Grant or revoke resource permissions
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
Grant user permissions.
NoteSecurity hosting must be enabled for the instance before an administrator can grant users permissions on databases, tables, rows, and sensitive columns.
Select the target user and click Authorize User at the top of the page, or click Authorize in the row for the target user. Grant permissions for instances, databases, tables, rows, or sensitive columns, or add the user to a permission template.
NoteYou can also click Authorize next to the target database to manage resource permissions.
-
Revoke user permissions.
-
In the row for the target user, click .
-
Select the target resource, select the resource permissions to revoke, and then click Revoke Permission.
-
Select the permission types to revoke, such as Export and Change, and then click Confirm.
-
-
Extend the authorization period.
Apply to extend permissions that are about to expire.
View user permissions
Administrators can view a user's permissions for instances, databases, tables, rows, and sensitive columns, and the resources they own.
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
In the row for the target user, click .
-
On the Standard Permissions tab, view the resource permissions that the user has.
Permissions are categorized as Instance Permission, Database Permission, Table Permission, Row Permission, and Sensitive Column Permission. The table displays the Permission type, Grant time, Expiration time, Current status, and Actions (you can click Permission Details to view more information) for each permission.
-
On the My Resources tab, view the resources that the user owns.
You can filter resources by Owner's instances, Owner's databases, or Owner's tables. The table displays information such as Schema, Region, and Data Owner. The Actions column provides links to Permission Management and Adjust Data Owner.
Manage permissions with permission templates
Grant or revoke permissions
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
Click an existing template name to open the details page, or Create a permission template.
-
Add resources.
-
Click Add Resource to add instance, database, and table resources to the template.
-
In the search box, enter the name of the target instance, press Enter, and then select the target resource and Permission Type.
NoteBefore you confirm, you can add instances, databases, and tables on different tabs at the same time.
With security hosting, the available permission types include Performance View, Query, Export, and Change. Without security hosting, only the Instance-Login permission is available. After you make your selections, click Confirm.
-
Click Confirm.
-
-
Add users.
-
On the template details page, click Authorize.
-
Click the search box to select the users you want to authorize, and set the permission validity period.
In the Authorize dialog box, note that this authorization is an additive operation. If a permission is granted again for the same permission type, the new validity period overrides the old one. You can also click Load from Authorized User List to quickly add users.
-
Click Confirm.
-
View and revoke permissions
-
On the template details page, click Authorization Records.
The page displays two subtabs: Authorization Logs and Authorized Personnel. The table on the Authorization Logs tab contains columns such as Authorized person, Expiration time, Authorizer, Action (Revoke/Authorize), and Authorization time, which records the details of each authorization or revocation.
-
On the Authorized Personnel tab, view users who have been granted permissions through this template and use the Revoke button to revoke their permissions.
NoteThis action revokes all permissions on all resources in the template that were most recently granted to the user.
The list of authorized personnel includes columns such as Authorized person, Last operation time, Last operator, and Revocation status. The status can be Revoked or Not Revoked. For users with a Not Revoked status, you can view Permission Details and perform a Revoke action. For revoked users, you can only view Permission Details. You can use the Batch Revoke button to revoke permissions from multiple users at once.
Permission ticket application
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
On the Permission Ticket List page, click Apply for Permission and select the type of permission you want to apply for from the drop-down menu.
-
On the Permission Application page, configure the permissions you are requesting for the instance, database, table, or other resources.
-
Select the resources for your application.
Category
Permission types
Description
Security hosting disabled
Instance - Login
When security hosting is disabled, only instance login permissions are available.
-
Enter the instance endpoint or name, and then click Search or press Enter.
-
In the search results list, select the target instance.
-
Click
to add the selected instance to the Confirm Selected Instances list.
Security hosting enabled
-
Instance Owner
-
Database Owner
-
Table Owner
-
Instance Permissions
-
Instance Performance
-
Database Permissions
-
Table Permissions
-
Programmable Object Permissions
-
Row Permissions
-
Sensitive Column Permissions
The following steps use a database permission application as an example:
-
Enter the database name and click Search or press Enter. You can use the percent sign (
%) as a wildcard for fuzzy matching. For example:dms%test. -
In the search results list, select the target for which you want to add permissions.
-
Click
to add the selected target to the Confirm Selected Databases/Tables/Columns list.
-
-
Select the Permission Type you are applying for (Login, Query, Export, or Change), set a Duration for the permissions, and enter a Reason for Application.
-
-
Click Submit Application to submit the request for approval.
-
After the ticket is approved, the system grants the requested permissions automatically.
-
For Security Collaboration instances, the approval workflow is customizable.
-
For non-Security Collaboration instances: if security hosting is disabled, only instance login permissions are available, and the instance DBA approves by default. If security hosting is enabled, the resource owner approves. If no owner is set, the instance DBA approves.
-
Manage permissions with My Permissions
Log in to DMS 5.0.
-
Move the pointer over the
icon in the upper-left corner and choose . NoteIf you use the DMS console in normal mode, choose in the top navigation bar.
-
On the My Resources tab, manage resource permissions:
-
Grant other users permissions on the resource.
Click Permission Management next to the target instance or database/table resource, and then grant the permissions.
In the Permission Management dialog box, you can view the list of authorized users, including their usernames (for example,
db_doc), permission types (Query, Export, and Change), expiration time, and grant method. -
Adjust the owner of an instance, database, or table.
Select the target resource and click Transfer Ownership, Add Owner, or Release Owner.
In the instance list on the My Resources tab, select a target resource and click Transfer Ownership, Add Owner, or Release Owner to adjust the resource owner.
-
Related APIs
-
ListDatabaseUserPermissions: Lists permission details for users of a specified database.
-
ListUserPermissions: Queries database and table permissions for a specified user.
-
GrantUserPermission: Grants a user permissions for a database or table.
-
RevokeUserPermission: Revokes a user's permissions for a database or table.