AnalyticDB for MySQL uses two distinct layers of accounts: platform accounts for cluster-level operations (creating, scaling, and managing clusters) and database accounts for database-level operations (creating tables and connecting to databases). A third type, the service account, exists exclusively for authorized Alibaba Cloud technical support.
Platform accounts
Platform accounts control who can create and manage AnalyticDB for MySQL clusters through the console or API. Two types are available:
| Account type | Scope | Description |
|---|---|---|
| Alibaba Cloud account | AnalyticDB for MySQL clusters | Use it to create and manage clusters, configure whitelists, create database accounts, manage public endpoints, set maintenance windows, and delete clusters. |
| RAM user | AnalyticDB for MySQL clusters | A secondary identity created under an Alibaba Cloud account for a specific function. RAM users perform the same cluster operations as the Alibaba Cloud account, but only within the permissions granted to them. RAM users cannot own resources — all resources belong to the Alibaba Cloud account. |
For cluster operations available to both account types, see Configure a whitelist, Create a database account, Apply for or release a public endpoint, Set a maintenance window, and Delete a cluster.
For day-to-day operations, use RAM users with the minimum permissions required rather than the Alibaba Cloud account directly. This limits the impact of accidental or unauthorized actions.
Database accounts
Database accounts operate at the database level — they are used to connect to a cluster and perform SQL operations such as creating databases, tables, and views. Two subtypes are available:
| Account type | Description |
|---|---|
| Privileged account | Has full permissions across all databases in the cluster. Use it to manage standard accounts and databases. |
| Standard account | Has permissions limited to the specific databases it has been granted access to. Grant permissions to a standard account manually after creation. |
Database accounts are created by a platform account (Alibaba Cloud account or an authorized RAM user). For connection methods, see Connect to a cluster.
Service account
A service account lets Alibaba Cloud technical support perform operations on your cluster when you request assistance. Permissions are automatically revoked when the authorization period expires — no manual cleanup is required.