All Products
Search
Document Center

ApsaraDB RDS:Modify the permissions of an account

Last Updated:Mar 20, 2024

This topic describes how to modify the permissions of a standard account on an ApsaraDB RDS for MySQL instance. The permissions of a privileged account can only be reset to the default settings but cannot be modified.

Note

You can use the Account Authorization and Management feature of Alibaba Cloud Data Management (DMS) to define permission combinations. You can also use this feature to manage the permissions on specific tables. For more information, see Manage user permissions on MySQL databases.

Method 1: Modify the permissions of a standard account in the ApsaraDB RDS console

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Accounts.

  3. Find the standard account whose permissions you want to modify. Then, click Edit Permissions in the Actions column.

  4. In the Edit Account Permissions panel, modify the permissions of the account.

    • If you want to add or remove an database, select the database and click the > or < icon.

    • If you want to modify the permissions on an authorized database, select the database in the Authorized Databases section. Then, select the Read/Write (DDL + DML), Read-only, DDL Only, or DML Only permissions.

      Note

      You can use SQL statements to modify permissions at a fine-grained granularity. For more information, see Account permissions.

  5. Click OK.

Method 2: Modify the permissions of a standard account in the DMS console

You can modify the permissions of a standard account in the DMS console. For more information, see Manage user permissions on MySQL databases.

Method 3: Modify the permissions of a standard account by using SQL statements

Prerequisites

A privileged account is created for the RDS instance and is used to modify the permissions.

  1. Use a client or the CLI to connect to the RDS instance.

  2. Execute the GRANT statement to grant permissions to the standard account.

    Note

FAQ

Why am I unable to create a database on an RDS instance by using a standard account? What do I do if the ERROR 1044 (42000): Access denied for user 'xxxx'@'%' to database 'xxxx' error message is displayed when I create a database on an RDS instance by using a standard account?

By default, a standard account for an RDS instance has only the permissions to log on to databases. If you want to use the standard account to create a database, you must first use a privileged account to grant the CREATE permission to the standard account. Example statement:

GRANT CREATE ON *.* TO '<Name of the standard account>'@'%';

How do I deny access to the RDS instance?

You can delete IP addresses from the IP address whitelist of the RDS instance and retain only the 127.0.0.1 entry. Then, restart the RDS instance. This way, access to the RDS instance is denied.

Can I lock an account?

You can use a privileged account to execute the ALTER USER 'Username' ACCOUNT LOCK; statement to lock a privileged account or a standard account. Then, restart the instance to terminate the connections to the RDS instance. If you want to reset the permissions of a privileged account, you can follow the instructions provided in Reset the permissions of a privileged account.

Note

The ALTER USER 'Username' ACCOUNT LOCK; statement is not supported for RDS instances that run MySQL 5.6.