This topic describes how to create accounts and databases for an ApsaraDB RDS instance that runs SQL Server 2017 EE or 2019 EE.

Prerequisites

Your RDS instance runs SQL Server 2017 EE or 2019 EE.

Note: For more information about how to create accounts and databases for an RDS instance that runs a different SQL Server version, see the following topics:

Precautions

  • Databases on the same RDS instance share all the resources that belong to the RDS instance. You can manage standard accounts and databases by using SQL statements.
  • Follow the principle of least privilege when you create accounts: grant each account the read-only permissions or the read and write permissions based on the role that it requires. If necessary, you can create more than one account and grant each account only the permissions to access the data of the specific databases that its workloads use. If an account does not need to write data to a database, you must grant the account only the read-only permissions on the database.
  • For security purposes, we recommend that you configure strong passwords for the created accounts and change the passwords on a regular basis.
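
The following T-SQL is an added example, not part of the original documentation: a review query for the least-privilege precaution above that lists each database user's role memberships and any directly granted write-class permissions in the current database. It assumes that the permission levels selected in the console are implemented through standard SQL Server database roles, which this page does not state; the labels are the standard meanings of the fixed database roles.

```sql
-- Added example. Run it in the database under review (USE <database_name>;).

-- 1. Role memberships: which users can read, write, or change schema/security.
SELECT
    u.name      AS account_name,
    u.type_desc AS principal_type,
    r.name      AS database_role,
    CASE
        WHEN r.name IS NULL THEN 'no role membership'
        WHEN r.name IN (N'db_owner', N'db_ddladmin',
                        N'db_securityadmin', N'db_accessadmin')
            THEN 'schema or security changes'
        WHEN r.name = N'db_datawriter' THEN 'data modification'
        WHEN r.name = N'db_datareader' THEN 'read-only'
        ELSE 'review manually'          -- custom or other fixed roles
    END         AS effective_level
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS m
       ON m.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE u.type IN ('S', 'U', 'G')         -- SQL users, Windows users and groups
  AND u.name NOT IN (N'dbo', N'guest', N'INFORMATION_SCHEMA', N'sys')
ORDER BY u.name, r.name;

-- 2. Direct grants that bypass role membership: an account that looks
--    read-only in query 1 can still hold write permissions listed here.
SELECT
    pr.name            AS account_name,
    pe.permission_name,
    pe.state_desc,
    pe.class_desc,
    CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.state IN ('G', 'W')            -- GRANT, GRANT WITH GRANT OPTION
  AND pe.permission_name IN (N'INSERT', N'UPDATE', N'DELETE',
                             N'ALTER', N'CONTROL', N'EXECUTE')
  AND pr.type IN ('S', 'U', 'G')
ORDER BY pr.name, pe.permission_name;
```

Any account that appears with `data modification` or `schema or security changes`, or in the second result set, but only needs to read data is a candidate for downgrading to read-only.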

Create an account

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Accounts.
  3. Click Create Account.
  4. Configure the following parameters.
    Parameter: Description
    Database Account: Enter the username of the account. The username must be 2 to 64 characters in length. It can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.
    Account Type:
    • Privileged Account: You can select the Privileged Account option only when the account is the first account that you create for your RDS instance. This is because the first account that you create must be a privileged account. Each RDS instance can have only one privileged account. The privileged account of an RDS instance cannot be deleted.
    • Standard Account: You can select the Standard Account option only after you have created a privileged account for your RDS instance. Each RDS instance can have more than one standard account. You must manually grant the permissions on specific databases to each standard account.
    Authorized Databases: Select the authorized databases of the account. If no databases are created, you can leave this parameter empty.

    You can perform the following steps to grant the permissions on more than one database to the account:

    1. In the Unauthorized Databases section, select the required databases.
    2. Click the > icon to move the selected databases to the Authorized Databases section.
    3. In the Authorized Databases section, specify the permissions that the account will be granted on each authorized database. The supported permissions are Read/Write (DML), Read-only, and Owner.
      Note: The account is authorized to create tables, delete tables, and modify schemas in a database only when it has the Owner permissions on the database.
    Password:

    Enter the password of the account. The password must meet the following requirements:

    • The password must be 8 to 32 characters in length.
    • The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
    • The password can contain any of the following special characters: ! @ # $ % ^ & * ( ) _ + - =
    Confirm Password: Enter the password of the account again.
    Description: Enter a description that is used to identify the account. The description can be up to 256 characters in length.
  5. Click OK.

Create a database

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Databases.
  3. Click Create Database.
  4. Configure the following parameters.
    Parameter: Description
    Database Name: Enter the name of the database. The name must be 2 to 64 characters in length. It can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter and end with a letter or a digit.
    Supported Character Set: Select the character set that is supported by the database.
    Authorized Account: Select the account to which you want to grant the permissions on the database. Then, you must set the Account Type parameter to Read/Write, Read-only, or Owner.

    If no accounts are created, you can leave this parameter empty.

    Note: An account is authorized to create tables, delete tables, and modify schemas in a database only when it has the Owner permissions on the database.
    Description: Enter a description that is used to identify the database. The description can be up to 256 characters in length.
  5. Click Create.

FAQ

After I create accounts on my primary RDS instance, can I manage the accounts on its read-only RDS instances?

No, although the accounts created on your primary RDS instance are synchronized to its read-only RDS instances, you cannot manage the accounts on the read-only RDS instances. The accounts have only read permissions on the read-only RDS instances.
