ApsaraDB RDS: Create a system admin account

Last Updated: Nov 20, 2023

A system admin account holds the most powerful role in SQL Server. An account with this role can bypass all security checks and perform all operations in SQL Server. This topic describes how to create a system admin account on an ApsaraDB RDS for SQL Server instance. You can use the system admin account to migrate the data of an on-premises SQL Server instance to the RDS instance.

Prerequisites

  • The RDS instance meets the following requirements:

    • The RDS instance resides in a region other than the China (Zhangjiakou) region.

    • The RDS instance runs RDS Basic Edition, RDS High-availability Edition, or RDS Cluster Edition. If your RDS instance runs RDS High-availability Edition, make sure that the instance runs SQL Server 2012 or later.

    • The RDS instance belongs to a general-purpose or dedicated instance family. The shared instance family is not supported.

    • The RDS instance resides in a virtual private cloud (VPC). For more information about how to change the network type of an RDS instance, see Change the network type of an ApsaraDB RDS for SQL Server instance.

    • The creation time of the RDS instance meets the following requirements:

      • If the RDS instance runs RDS High-availability Edition or RDS Cluster Edition, the instance was created on or after January 01, 2021.

      • If the RDS instance runs RDS Basic Edition, the instance was created on or after September 02, 2022.

      Note

      You can view the Creation Time parameter of an RDS instance in the Status section of the Basic Information page in the ApsaraDB RDS console.

  • An Alibaba Cloud account is used to log on to the RDS instance.

  • The permissions to create a system admin account are granted to the Alibaba Cloud account. If the permissions have been granted, skip this step.

    By default, Alibaba Cloud accounts do not have the permissions to create a system admin account. If this is the first time you create a system admin account, you must perform the following operations to grant the permissions to your Alibaba Cloud account:

      1. Log on to the ApsaraDB RDS console and go to the details page of your RDS instance.
      2. In the left-side navigation pane of the page that appears, click Accounts.
      3. In the upper-right corner of the page that appears, click Enable System Admin Role, read the usage notes, and then click OK.

    Warning
    • After the permissions to create a system admin account are granted to your Alibaba Cloud account, you can create system admin accounts for all RDS instances that belong to your Alibaba Cloud account. The permissions to create the system admin account cannot be disabled or revoked.

    • The system admin account has permissions that are beyond the management scope of ApsaraDB RDS. If you create the system admin account for your RDS instance, the system does not provide the service availability that is specified in the Alibaba Cloud service level agreement (SLA) for the RDS instance. RDS instances for which no system admin accounts are created are not affected.

Usage notes

  • You can create only one system admin account for each RDS instance. The system admin account cannot be deleted in the ApsaraDB RDS console, by calling an API operation, or by using Terraform.

  • You cannot create system admin accounts for RDS instances in the CloudTmall system.

  • You cannot use the following usernames for system admin accounts:

    root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds$

Procedure

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane of the page that appears, click Accounts.

  3. On the page that appears, click Create Account, configure the following parameters, and then click OK.

    • Database Account: The username of the account. It must be 2 to 64 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

    • Account Type: The type of the account. Select System Admin Account. Then, read the agreement and select "I have read and agree to changes to the RDS Service Level Agreement caused by the creation of a system admin account."

    • New Password: The password of the account. The password must meet the following requirements:

      • It is 8 to 32 characters in length.

      • It contains at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.

      • Special characters include ! @ # $ % ^ & * ( ) _ + - =

    • Confirm Password: The password of the account.

    • Description: The description of the account. The description can be up to 256 characters in length.

  4. Optional. Reset the password of the account or disable the account.

    You can click Reset Password or Deactivate Account in the Actions column to manage the account. For more information, see Reset the password of an account.
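
The username and password rules from Usage notes and step 3 can be checked before the account is requested, since each instance gets only one system admin account and it cannot be deleted. The following is an added example, not Alibaba Cloud code: the function names and rule labels are hypothetical, the reserved list is a short excerpt of the one on this page, and rejecting characters outside the listed special-character set is an assumption.

```python
import re
import string

# Username shape from step 3: 2-64 chars of lowercase letters, digits and "_",
# starting with a lowercase letter and ending with a lowercase letter or digit.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,62}[a-z0-9]")
SPECIALS = "!@#$%^&*()_+-="  # the special characters listed in step 3

# Short excerpt of the forbidden-username list in Usage notes (assumption:
# real use passes the page's complete pipe-separated list instead).
RESERVED_EXCERPT = "root|admin|sysadmin|administrator|public|guest|dbo|login|sys"


def check_username(name, reserved=RESERVED_EXCERPT):
    """Return the violated rules for a username; an empty list means it passes."""
    problems = []
    if not USERNAME_RE.fullmatch(name):
        problems.append("shape")
    if name in {word for word in reserved.split("|") if word}:
        problems.append("reserved")
    return problems


def char_class(ch):
    """Map a character to one of the four documented classes, else None."""
    for label, alphabet in (("upper", string.ascii_uppercase),
                            ("lower", string.ascii_lowercase),
                            ("digit", string.digits),
                            ("special", SPECIALS)):
        if ch in alphabet:
            return label
    return None


def check_password(password):
    """Return the violated rules for a password; an empty list means it passes."""
    kinds = {char_class(ch) for ch in password}
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length")
    if None in kinds:  # assumption: characters outside the listed set are rejected
        problems.append("charset")
    if len(kinds - {None}) < 3:
        problems.append("classes")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(check_username("migration_sa1"), check_username("admin"))
    print(check_password("Migr8-2023data"), check_password("alllowercase"))
```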
