Create accounts and databases for an ApsaraDB RDS for MySQL instance - RDS MySQL Database| Alibaba Cloud Documentation Center

For more information about how to create accounts and databases for RDS instances that run other database engines, see the following topics:

Create accounts and databases for an ApsaraDB RDS instance that runs SQL Server 2012, 2016, 2017 SE, or 2019
Create accounts and databases for an ApsaraDB RDS instance that runs SQL Server 2008 R2
Create accounts and databases for an ApsaraDB RDS for PostgreSQL instance
Create accounts and databases for an ApsaraDB RDS for PPAS instance
Create accounts and databases for an ApsaraDB RDS for MariaDB instance

Account types

ApsaraDB RDS for MySQL supports two types of accounts: privileged accounts and standard accounts. You can manage all the accounts and databases of your RDS instance by using the ApsaraDB RDS console. For more information about the permissions that can be granted to each type of account, see Account permissions.

Note After an account is created, you cannot change the type of the account. However, you can delete the account. Then, you can create an account that has the same username as the deleted account. For more information, see Delete a standard account from an ApsaraDB RDS for MySQL instance.


Account type	Description
Privileged account	You can create and manage privileged accounts by using the ApsaraDB RDS console or the ApsaraDB RDS API. Only one privileged account is allowed per RDS instance. A privileged account has the permissions to manage all the databases and standard accounts of the RDS instance on which the privileged account is created. A privileged account allows you to manage more permissions at fine-grained levels based on your business requirements. For example, you can grant each standard account the permissions to query specific tables from the RDS instance on which the privileged account is created. A privileged account has all the permissions on all the databases of the RDS instance on which the privileged account is created. A privileged account has the permissions to disconnect all the standard accounts of the RDS instance on which the privileged account is created.
Standard account	You can create and manage standard accounts by using the ApsaraDB RDS console, ApsaraDB RDS API, or SQL statements. More than one standard account is allowed per RDS instance. The maximum number of standard accounts that are allowed varies based on the minor engine version that is used. You must manually grant the permissions on specific databases to each standard account. A standard account does not have the permissions to create, manage, or disconnect other accounts of the RDS instance on which the standard account is created.


Account type	Maximum number of databases	Maximum number of tables	Maximum number of accounts
Privileged account	Unlimited	< 200,000	Varies based on the minor engine version.
Standard account	500	< 200,000	Varies based on the minor engine version.

Note After a privileged account is created, the maximum number of databases that can be created by using standard accounts is unlimited.

Comparison between privileged and superuser accounts

To reduce unintentional operations that may interrupt your workloads, ApsaraDB RDS for MySQL does not provide a superuser account. Only a privileged account is provided for you to manage all of the databases and standard accounts that are created on your RDS instance.

Privileged account

The privileged account is granted the highest permissions. For more information, see Permissions of various accounts.
The privileged account has the permissions to disconnect all standard accounts.

Superuser account

The superuser account has the permissions to close the connections for all queries.
The superuser account has the permissions to modify global variables by executing the SET statement.
The superuser account has the permissions to execute the CHANGE MASTER and PURGE MASTER LOGS statements.
The superuser account has the permissions to edit the files on the physical server that hosts your RDS instance.

Create a privileged account

Visit the RDS instance list, select a region above, and click the target instance ID.
In the left-side navigation pane, click Accounts.
Click Create Account.

Configure the following parameters.


Parameter	Description
Database Account:	Enter the username of the account. The username must meet the following requirements: The name must be 2 to 16 characters in length. The username must start with a lowercase letter and end with a lowercase letter or digit. The username can contain lowercase letters, digits, and underscores (_).
Account Type:	Select the type of the account. You must select Privileged Account. Note For more information about the permissions of various accounts, see the "Permissions of various accounts" section of this topic.
Password:	Enter the password of the account. The password must meet the following requirements: The password must be 8 to 32 characters in length. The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters include: @ # $ % ^ & * ( ) _ + - = !
Confirm Password:	Enter the password of the account again.
Description	Enter a description that helps identify the account. The description can be up to 256 characters in length.

Click OK.

Create a standard account

Visit the RDS instance list, select a region above, and click the target instance ID.
In the left-side navigation pane, click Accounts.
Click Create Account.

Configure the following parameters.


Parameter	Description
Database Account:	Enter the username of the account. The username must meet the following requirements: The name must be 2 to 16 characters in length. The username must start with a lowercase letter and end with a lowercase letter or digit. The username can contain lowercase letters, digits, and underscores (_).
Account Type:	Select the type of the account. You must select Standard Account.
Authorized Databases:	Select the authorized databases of the account. You can leave this parameter empty. This is because you can grant the permissions on a database to the account after the account is created. In the left-side section, select one or more databases. Then, click the > icon to move the selected databases to the right-side section. In the right-side section, specify the Read/Write (DDL + DML), Read-only, DDL Only, or DML Only permissions on each selected database. Note For more information about the permissions of various accounts, see the "Permissions of various accounts" section of this topic.
Password:	Enter the password of the account. The password must meet the following requirements: The password must be 8 to 32 characters in length. The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters include: @ # $ % ^ & * ( ) _ + - = !
Confirm Password:	Enter the password of the account again.
Description	Enter a description that helps identify the account. The description can be up to 256 characters in length.

Click OK.

Create a database

Visit the RDS instance list, select a region above, and click the target instance ID.
In the left-side navigation pane, click Databases.
Click Create Database.

Configure the following parameters.


Parameter	Description
Database Name	The name of the database must be 2 to 64 characters in length. The name of the database must start with a lowercase letter and end with a lowercase letter or digit. The name of the database can contain lowercase letters, digits, underscores (_), and hyphens (-). The name of the database must be unique within the RDS instance.
Supported Character Set	Select the character set that is supported by the RDS instance.
Authorized Account:	Select the authorized account of the database. You can leave this parameter empty. This is because you can grant the permissions on the database to an account after the database is created. Note Only standard accounts (Standard Account) appear. The privileged account has all permissions on all the created databases and does not require authorization.
Account Type:	Select the permissions that you want to grant on the database to the specified account. The supported permissions are Read/Write, Read-only, DDL Only, and DML Only. For more information about the permissions of various accounts, see the "Permissions of various accounts" section of this topic. Note This parameter is available only when the Authorized Account parameter is set.
Description	Enter a description that helps identify the account. The description can be up to 256 characters in length.

Click Create.

Permissions of various accounts


Account type	Permission	Operation
Privileged account	-	SELECT	INSERT	UPDATE	DELETE	CREATE
		DROP	RELOAD	PROCESS	REFERENCES	INDEX
		ALTER	CREATE TEMPORARY TABLES	LOCK TABLES	EXECUTE	REPLICATION SLAVE
		REPLICATION CLIENT	CREATE VIEW	SHOW VIEW	CREATE ROUTINE	ALTER ROUTINE
		CREATE USER	EVENT	TRIGGER
Standard account	Read-only	SELECT	LOCK TABLES	SHOW VIEW	PROCESS	REPLICATION SLAVE
	Read-only	REPLICATION CLIENT
	Read/Write	SELECT	INSERT	UPDATE	DELETE	CREATE
		DROP	REFERENCES	INDEX	ALTER	CREATE TEMPORARY TABLES
		LOCK TABLES	EXECUTE	CREATE VIEW	SHOW VIEW	CREATE ROUTINE
		ALTER ROUTINE	EVENT	TRIGGER	PROCESS	REPLICATION SLAVE
		REPLICATION CLIENT
	DDL Only	CREATE	DROP	INDEX	ALTER	CREATE TEMPORARY TABLES
		LOCK TABLES	CREATE VIEW	SHOW VIEW	CREATE ROUTINE	ALTER ROUTINE
		PROCESS	REPLICATION SLAVE	REPLICATION CLIENT
	DML Only	SELECT	INSERT	UPDATE	DELETE	CREATE TEMPORARY TABLES
		LOCK TABLES	EXECUTE	SHOW VIEW	EVENT	TRIGGER
		PROCESS	REPLICATION SLAVE	REPLICATION CLIENT

FAQ

After I create accounts on my primary RDS instance, can I manage the accounts from the read-only RDS instances?
No, although the accounts created on your primary RDS instance are synchronized to the read-only RDS instances, you cannot manage the accounts from the read-only RDS instances. The accounts have only the read permissions on the read-only RDS instances.
Can I manage accounts at fine-grained levels, such as the source IP address and table levels?
Yes, after you connect to your RDS instance, you can use commands to manage accounts at fine-grained levels, such as the source IP address and table levels. For more information, see Connect to an ApsaraDB RDS for MySQL instance.
Does ApsaraDB RDS provide a superuser account such as the root user?
No, ApsaraDB RDS does not provide a superuser account such as the root user. This allows you to protect your RDS instance from damages such as data losses and leaks that are caused by unintentional operations.

Related operations


API	Description
Create account	Creates an account for an ApsaraDB RDS instance.
Create database	Creates a database for an ApsaraDB RDS instance.