Hologres is deeply integrated with the Alibaba Cloud account system. Hologres users are authenticated by using Alibaba Cloud accounts. This topic describes the Alibaba Cloud account system that is used in Hologres.
Accounts
Hologres is deeply integrated with the Alibaba Cloud account system. Hologres accounts include Alibaba Cloud accounts and RAM users. The following table describes the Hologres accounts. To grant permissions on a Hologres instance to Alibaba Cloud accounts and RAM users, you must use their logon accounts or account IDs. For more information, see Logon accounts and Account IDs.
Account type | Description |
Alibaba Cloud account | Alibaba Cloud accounts are used to create and manage Hologres instances. For example, you can use your Alibaba Cloud account to log on to the Hologres console, create a database, change the billing method of an instance from pay-as-you-go to subscription, and grant permissions on objects to other users. |
RAM user | After you create a RAM user by using your Alibaba Cloud account and grant permissions to the RAM user, the RAM user can create and manage Hologres instances within the scope of the granted permissions. For example, the RAM user can log on to the Hologres console, create a database, change the billing method of an instance from pay-as-you-go to subscription, and grant permissions on objects to other users. RAM users are subordinate to Alibaba Cloud accounts and do not actually own resources. All resources belong only to Alibaba Cloud accounts. |
Custom account | You can use a custom account to perform operations on databases within the scope of the granted permissions. For example, you can use a custom account to create or delete databases, tables, and views, and connect to databases. |
Logon accounts
When you grant permissions to an Alibaba Cloud account or a RAM user, you must use the logon account of the Alibaba Cloud account. You can obtain the logon account on the Security Settings page of the Account Center. 
When you grant permissions to an Alibaba Cloud account, the full expression of the Alibaba Cloud account must contain the logon account. The following table describes the account formats.
Account format
Description
Example
ALIYUN$<Login Account>@aliyun.com
<Login Account>: the logon account of the Alibaba Cloud account.
ALIYUN$company@aliyun.com
<Login Account>@aliyun.com
company@aliyun.com
When you grant permissions to a RAM user, the full expression of the RAM user must contain the logon account of the Alibaba Cloud account to which the RAM user belongs. The following table describes the account formats.
Account format
Description
Example
<subUserName>@<Login Account>.onaliyun.com
The account formats contain the following parameters:
<subUserName>: the name of the RAM user.
<Login Account>: the logon account of the Alibaba Cloud account.
<AccountID>: the account ID of the Alibaba Cloud account.
holouser@company.onaliyun.com
<subUserName>@<Login Account>
holouser@company
<subUserName>@<Account ID>.onaliyun.com
holouser@123456789xxxx
RAM$<subUserName>
RAM$holo_test
RAM$<Login Account>:<subUserName>
RAM$company:holouser
RAM$<Account ID>:<subUserName>
RAM$123456789xxxx:holouser
<subUserName>@<Account ID>
holouser@123456789xxxx
Account IDs
An account ID is a string of digits. Example: 189813715xxxx. You can obtain the account ID on the Security Settings page of the Account Center. 
The account ID of a RAM user is the UID of the RAM user. You can obtain the UID on the user details page in the Resource Access Management (RAM) console. When you grant permissions to a RAM user by using its UID in Hologres, the UID must be in the p4_UID format. Example: p4_12333388xxx. 
The following sample statements show how to grant permissions to users in Hologres by using account IDs:
create USER "189813715xxxx"; --Authorize the user whose Alibaba Cloud account ID is 189813715xxxx to connect to Hologres.
create USER "p4_12333388xxx" superuser; --Assign the superuser role to the RAM user whose UID is 12333388xxx. You can execute the following statement in Hologres to view your account ID:
SELECT current_user;AccessKey ID and AccessKey secret
The AccessKey ID and AccessKey secret are issued by Alibaba Cloud for you to connect to Hologres instances. The AccessKey ID is similar to a logon account, and the AccessKey secret is similar to a logon password. You can view the AccessKey ID and AccessKey secret on the Security Management page of the User Management console.
The AccessKey ID and AccessKey secret are access credentials that are issued by Alibaba Cloud. They have a validity period. If the AccessKey ID and AccessKey secret expire, you can create another AccessKey pair. For more information, see Create an Alibaba Cloud account.
When you use tools such as the PostgreSQL client or a JDBC client to connect to a Hologres instance, you must enter your AccessKey ID and AccessKey secret as the username and password.
Custom accounts
You can use a custom account to perform operations on databases within the scope of the granted permissions. For example, you can use a custom account to create or delete databases, tables, and views, and connect to databases. Custom accounts can be used only in Hologres instances. For more information about how to create a custom account, see Create a custom account.
By default, custom accounts cannot access MaxCompute tables. To access MaxCompute tables, you must define a mapping of a RAM user that has permissions to access MaxCompute projects to a custom user. For more information, see FAQ.