Database accounts control access to AnalyticDB for PostgreSQL instances and their database objects. Create a database account before connecting to a database or managing data.
Account types
AnalyticDB for PostgreSQL has two account types:
| Account type | How to create | Permissions | Restrictions |
|---|---|---|---|
| Privileged account | Console or API (initial account); SQL (CREATE ROLE ... RDS_SUPERUSER) | All permissions on all databases: create databases and accounts (including LOGIN), read and modify other accounts' tables (SELECT, UPDATE, DELETE, and changing owners), manage extensions, cancel other accounts' SQL statements | Cannot delete the initial account; no SUPERUSER permission (uses RDS_SUPERUSER instead) |
| Standard account | SQL only (CREATE ROLE) | No permissions by default; must be granted by a privileged account | Cannot create via console or API |
AnalyticDB for PostgreSQL does not grant superuser permissions. Instead, it provides the RDS_SUPERUSER role, which is consistent with ApsaraDB RDS for PostgreSQL.
Best practices
Privileged accounts have unrestricted access to all databases. For business databases, create standard accounts and grant only the permissions required for each use case. See Manage account permissions to set up role-based access control for your standard accounts.
Create a database account
Create an initial account
The initial account is a privileged account with RDS_SUPERUSER permission. Create it before creating any other accounts.
After creating an initial account, you cannot delete it. If you forget its password, reset it from the console.
Console
Log on to the AnalyticDB for PostgreSQL console. In the upper-left corner, select a region, find the instance, and click its ID.
In the left-side navigation pane, click Account Management.
Click Create Account. In the panel that appears, enter an account name and password, then click OK.
| Parameter | Requirements |
|---|---|
| Account | Lowercase letters, digits, and underscores (_) only. Must start with a lowercase letter and end with a lowercase letter or digit. Cannot start with gp. Length: 2–16 characters. |
| New Password / Confirm Password | Must contain at least three of the following: uppercase letters, lowercase letters, digits, special characters (! @ # $ % ^ & * ( ) _ + - =). Length: 8–32 characters. |
Change your password regularly and do not reuse previous passwords.
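The account name and password rules in the table above can be checked before an account is submitted through the console or the CreateAccount operation. The following is an added example, not code from the AnalyticDB for PostgreSQL documentation; the function names and sample inputs are constructed for illustration.

```python
import re
import string

# Rules transcribed from the parameter table above.
NAME_RE = re.compile(r"[a-z][a-z0-9_]*[a-z0-9]")
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set("!@#$%^&*()_+-="),
}


def check_account_name(name):
    """Return the rule violations for an account name (empty list if valid)."""
    problems = []
    if not 2 <= len(name) <= 16:
        problems.append("length must be 2-16 characters")
    if name.startswith("gp"):
        problems.append("must not start with gp")
    if not NAME_RE.fullmatch(name):
        problems.append("only a-z, 0-9 and _; start with a letter, end with a letter or digit")
    return problems


def check_password(password):
    """Return the rule violations for a password (empty list if valid)."""
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length must be 8-32 characters")
    # Characters outside the four listed sets count toward no class; the page
    # does not say whether the service accepts them.
    used = [label for label, chars in CLASSES.items() if chars & set(password)]
    if len(used) < 3:
        problems.append("needs 3 of 4 character classes, found: " + ", ".join(used))
    return problems


if __name__ == "__main__":
    # Constructed sample inputs, not values from the page.
    for name in ["etl_reader1", "gpadmin", "reader_", "Reader"]:
        print(name, check_account_name(name) or "ok")
    for pw in ["Constructed-Pw1", "lowercase1only", "Ab1!"]:
        print(repr(pw), check_password(pw) or "ok")
```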
API
Call the CreateAccount operation.
Create a privileged account
Add RDS_SUPERUSER to the CREATE ROLE statement:
CREATE ROLE username WITH LOGIN ENCRYPTED PASSWORD 'userPassword' RDS_SUPERUSER;
Create a standard account
Standard accounts cannot be created from the console or via API. Run the following SQL:
CREATE ROLE username WITH LOGIN ENCRYPTED PASSWORD 'userPassword';
For the full CREATE ROLE syntax, see the SQL syntax topic.
Query database accounts
The console only shows the initial account. To list all accounts — including privileged accounts created via SQL and all standard accounts — use SQL or the API.
SQL
SELECT * FROM pg_roles;
adbpgadmin and aurora in the results are system accounts.
API
| Operation | Returns |
|---|---|
| DescribeAccounts | All accounts, account types, and creation status |
| DescribeDiagnosisDimensions | All accounts and databases (no account type or creation status) |
| DescribeRoles | Account list (no account type or creation status) |
Change an account password
Console
The console supports password changes for the initial account only. To change a standard account's password, use SQL.
Log on to the AnalyticDB for PostgreSQL console. In the upper-left corner, select a region, find the instance, and click its ID.
In the left-side navigation pane, click Account Management.
Find the account and click Reset Password in the Actions column. In the dialog box that appears, re-enter the new password.
SQL
ALTER ROLE username WITH PASSWORD 'userPassword';
For the full ALTER ROLE syntax, see the SQL syntax topic.
API
Call the ResetAccountPassword operation.
What's next
A new standard account has no database permissions. Grant the permissions it needs on specific database objects. See Manage account permissions.