PolarDB-X supports the three-role mode for database management. In the three-role mode, three roles are created to manage databases. The three roles are database administrator (DBA), database security administrator (DSA), and data audit administrator (DAA). This makes your database more secure because the database management permissions are not granted to one account.

Risks and risk mitigation

  • Risks
    In traditional database O&M mode, the DBA of a database is granted full permissions on the database. In this mode, issues can occur on your business in the following scenarios:
    • False positives that are identified by the DBA cause system security accidents.
    • The DBA performs malicious operations.
    • The DBA, third-party outsourcing personnel, or program developers that are not granted the required permissions can access sensitive data.
  • Three-role mode

    In the three-role mode, the permissions that are granted to the DBA role in the traditional mode are divided among the DBA, DSA and DAA roles. Each role is granted a part of the database management permissions.PolarDB-X The following list describes the operations that each role can perform.

    • DBA: DBA is authorized to execute DDL statements.
    • DSA: DSA is authorized to manage roles and users, and grant permissions to standard accounts.
    • DAA: DAA is authorized to view audit logs.

Permissions for different roles

The following table describes the permissions that are granted to each system account in the default mode and the three-role mode.

Note
  • In the default mode, the DBA account is the privileged account. For more information about the privileged account, see Account types.
  • After you enable or disable the three-role mode for your instance, only the permissions that are granted to system accounts are changed. The system accounts include the privileged account, DBA account, DSA account, and DAA account. The permissions that are granted to standard accounts are not affected.
  • After the three-role mode is enabled, all system accounts are not authorized to execute DML statements, Data Query Language (DQL) statements, or Data Administration Language (DAL) statements. You can use the DSA account to grant permissions to standard accounts to execute these types of statements.
  • In the following table, Yes indicates that the account is granted the permissions for the corresponding operations. No indicates that the account is not granted the permissions for the corresponding operations.
Permission Default mode Three-role mode
Operation type Description Privileged account DBA account DSA account DAA account
DDL
  • ALTER TABLE
  • CREATE TABLE
  • CREATE VIEW
  • CREATE INDEX
  • CREATE CCL_RULE
  • DROP VIEW
  • DROP INDEX
  • DROP TABLE
  • TRUNCATE TABLE
 Yes Yes No No
DML
  • DELETE
  • UPDATE
  • INSERT
 Yes No No No
DQL
  • SELECT
  • EXPLAIN
DAL
  • SHOW CCL_RULE
  • SHOW INDEX
Operations on roles and accounts Manage accounts and permissions

Manage role permissions

 Yes No Yes No
Operations on audit logs View audit logs in the following types of tables:
  • information_schema.polardbx_audit_log
  • information_schema.polardbx_ddl_log
 Yes No No Yes

Limits

Before you use the three-role mode, you must take note of the following limits:

  • You cannot run GRANT ROLE or REVOKE ROLE commands on the DBA, DSA, and DAA accounts.
  • You cannot run GRANT PRIVILEGES or REVOKE PRIVILEGES commands on the DBA, DSA, and DAA accounts.
  • You can change the password of a system account when you use the account to log on to the database. For example, if you want to change the password of the DBA account, you must log on to the database by using the DBA account.
  • You cannot run the SET DEFAULT ROLE command on the DBA, DSA, and DAA accounts.