PolarDB for MySQL supports three account types—privileged, standard, and global read-only—each designed for a different role in your cluster. This page covers how to create each account type from the console, how to manage permissions using the console or SQL, and how to delete accounts.
Root accounts are disabled in PolarDB for MySQL. Use a privileged account for administrative tasks instead.
Use the privileged account for cluster administration only—creating databases, managing standard accounts, and granting permissions. For application connections, create a standard account with the minimum permissions required. Using a privileged account for application traffic increases your attack surface and complicates permission audits.
Account types
| Account type | Created via | Limit per cluster | Can create databases | Can create accounts | Can disconnect other accounts |
|---|---|---|---|---|---|
| Privileged account | Console only | 1 | Yes | Yes (standard accounts) | Yes (all standard accounts) |
| Standard account | Console or SQL | Multiple (engine-dependent) | No | No | No |
| Global read-only account | Console or SQL | Multiple | No | No | No |
Privileged account — Use this account for administration: creating databases and standard accounts, granting permissions, and managing the cluster.
Standard account — Use this account for applications and users. Each standard account can only access databases it has been explicitly granted permissions on.
Global read-only account — This account has read-only access to all databases in the cluster by default. Use it for analytics, reporting, or any workload that only needs to read data.
Prerequisites
Before you begin, make sure you have:
A PolarDB for MySQL cluster
Access to the PolarDB console
Create a privileged account
Log on to the PolarDB console. In the left-side navigation pane, click Clusters.
In the upper-left corner of the page, select the region where the cluster resides, then click the cluster ID to go to the Basic Information page.
In the left-side navigation pane, choose Settings and Management > Accounts.
Click Create Account.
In the Create Account panel, configure the following parameters.
| Parameter | Description |
|---|---|
| Account Name | The account username. Must start with a lowercase letter and end with a letter or digit. Can contain lowercase letters, digits, and underscores (_). Length: 2–32 characters. Cannot be root, admin, or any other system-reserved name. |
| Account Type | Select Privileged Account. If a privileged account already exists, this option is unavailable—each cluster supports only one. |
| Password | Must contain at least three of: uppercase letters, lowercase letters, digits, and special characters. Length: 8–32 characters. Allowed special characters: !@#$%^&*()_+-=~ |
| Confirm Password | Re-enter the password. |
| Description | (Optional) A description to help you identify the account. Length: 2–256 characters. Cannot start with http:// or https://. |

Click OK.
For a full list of privileged account permissions, see Account permissions.
Create a standard account
You can create a standard account from the console or by running SQL statements.
Create a standard account from the console
Log on to the PolarDB console. In the left-side navigation pane, click Clusters.
In the upper-left corner of the page, select the region where the cluster resides, then click the cluster ID to go to the Basic Information page.
In the left-side navigation pane, choose Settings and Management > Accounts.
Click Create Account.
In the Create Account panel, configure the following parameters.
| Parameter | Description |
|---|---|
| Account Name | The account username. Must start with a lowercase letter and end with a letter or digit. Can contain lowercase letters, digits, and underscores (_). Length: 2–32 characters. Cannot be root, admin, or any other system-reserved name. |
| Account Type | Select Standard Account. |
| Authorized Databases | (Optional) Grant the account access to one or more databases. Select databases from the Unauthorized Database list and click the icon to move them to the Authorized Database list. Then set the permission level for each database. Valid values: Read/Write, Read-only, DML Only, DDL Only, and Read-only + Index. Leave this blank to grant permissions later. |
| Password | Must contain at least three of: uppercase letters, lowercase letters, digits, and special characters. Length: 8–32 characters. Allowed special characters: !@#$%^&*()_+-=~ |
| Confirm Password | Re-enter the password. |
| Description | (Optional) A description to help you identify the account. Length: 2–256 characters. Cannot start with http:// or https://. |

Click OK.
To set per-table permissions or use advanced permission controls, click Customize Permissions below the Unauthorized Database list. This opens Database Management Service (DMS), where you can manage permissions at a granular level. For details, see Manage user permissions on MySQL databases. When granting permissions in batches, select up to 80 databases at a time.
Create a global read-only account
Log on to the PolarDB console. In the left-side navigation pane, click Clusters.
In the upper-left corner of the page, select the region where the cluster resides, then click the cluster ID to go to the Basic Information page.
In the left-side navigation pane, choose Settings and Management > Accounts.
Click Create Account.
In the Create Account panel, configure the following parameters.
| Parameter | Description |
|---|---|
| Account Name | The account username. Must start with a lowercase letter and end with a letter or digit. Can contain lowercase letters, digits, and underscores (_). Length: 2–32 characters. Cannot be root, admin, or any other system-reserved name. |
| Account Type | Select Global Read-only Account. |
| Authorized Databases | By default, global read-only accounts have read-only access to all databases in the cluster. |
| Password | Must contain at least three of: uppercase letters, lowercase letters, digits, and special characters. Length: 8–32 characters. Allowed special characters: !@#$%^&*()_+-=~ |
| Confirm Password | Re-enter the password. |
| Description | (Optional) A description to help you identify the account. Length: 2–256 characters. Cannot start with http:// or https://. |

Click OK.
Manage account permissions
Reset the permissions of a privileged account
If the privileged account's permissions are accidentally revoked or become inconsistent, reset them to restore the account to its initial state.
In the left-side navigation pane, choose Settings and Management > Accounts.
Find the privileged account and click Reset Permissions in the Actions column.
Enter the account password and click OK.
Modify the permissions of a standard account
In the left-side navigation pane, choose Settings and Management > Accounts.
Find the account and click Modify Permissions in the Actions column.
In the Modify Permissions dialog box, update the authorized and unauthorized databases as needed, then click OK.
Modify the permissions of a global read-only account
In the left-side navigation pane, choose Settings and Management > Accounts.
Find the account and click Modify Permissions in the Actions column.
In the Modify Permissions dialog box, update the database permissions as needed, then click OK.
Granting read/write access to a specific database does not affect the account's read-only access to other databases. After the change, the account remains a global read-only account and the Database column shows the granted permissions.
Grant permissions using SQL
Log on to the cluster with the privileged account and run the following statement:
GRANT <privileges> ON <databasename>.<tablename> TO '<username>'@'<host>' [WITH GRANT OPTION];

| Parameter | Description |
|---|---|
| <privileges> | The permissions to grant, such as SELECT, INSERT, or UPDATE. Use ALL to grant all permissions. |
| <databasename> | The target database. Use * to apply to all databases. |
| <tablename> | The target table. Use * to apply to all tables. |
| <username> | The account to grant permissions to. |
| <host> | The host from which the account can connect. Use % to allow connections from any host. |
| WITH GRANT OPTION | (Optional) Allows the account to grant its permissions to other accounts. |
An account with SELECT, LOCK TABLES, and SHOW VIEW on all tables in all databases—but no write permissions—is displayed as a global read-only account in the console.
To delete a custom account whose host is not set to %, use a privileged account to log on to the DMS console and perform the deletion there.
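The GRANT syntax above applied to the minimum-permission guidance from the introduction, as an added example that is not part of the PolarDB documentation. The names app_db, orders, app_rw, app_orders_ro and report_ro, the 10.0.% host pattern and the <password> placeholder are assumptions, and the audit queries assume the privileged account can see other accounts' rows in information_schema.

```sql
-- Added example. All account, database and table names are constructed.
-- Replace <password> with a value that meets the password rules above.
-- Run while logged on with the privileged account.

-- Broad grant to avoid for application traffic: every privilege on every
-- database, from any host, with the right to pass those privileges on.
--   GRANT ALL ON *.* TO 'app_rw'@'%' WITH GRANT OPTION;

-- Scoped alternative: read/write DML on one database, one address range.
-- Accounts whose host is not % must later be deleted through DMS.
CREATE USER 'app_rw'@'10.0.%' IDENTIFIED BY '<password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_rw'@'10.0.%';

-- Narrower still: read access to a single table.
CREATE USER 'app_orders_ro'@'10.0.%' IDENTIFIED BY '<password>';
GRANT SELECT ON app_db.orders TO 'app_orders_ro'@'10.0.%';

-- The privilege set that the console displays as a global read-only account:
-- SELECT, LOCK TABLES and SHOW VIEW on all tables in all databases.
CREATE USER 'report_ro'@'%' IDENTIFIED BY '<password>';
GRANT SELECT, LOCK TABLES, SHOW VIEW ON *.* TO 'report_ro'@'%';

-- Confirm what each account actually holds.
SHOW GRANTS FOR 'app_rw'@'10.0.%';
SHOW GRANTS FOR 'app_orders_ro'@'10.0.%';
SHOW GRANTS FOR 'report_ro'@'%';

-- Audit 1: accounts holding cluster-wide privileges beyond the
-- global read-only set.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.user_privileges
WHERE privilege_type NOT IN ('USAGE', 'SELECT', 'LOCK TABLES', 'SHOW VIEW')
ORDER BY grantee;

-- Audit 2: database-level grants that can be passed on to other accounts
-- (WITH GRANT OPTION).
SELECT grantee, table_schema, privilege_type
FROM information_schema.schema_privileges
WHERE is_grantable = 'YES'
ORDER BY grantee, table_schema;

-- Audit 3: accounts that may connect from any host.
SELECT DISTINCT grantee
FROM information_schema.user_privileges
WHERE grantee LIKE '%@''\%''';
```

Audit 1 is expected to list the privileged account; any standard account that appears there or in audit 2 is a candidate for Modify Permissions.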
Delete an account
In the left-side navigation pane, choose Settings and Management > Accounts.
Find the account and click Delete in the Actions column.
In the Delete Account dialog box, click OK.
API reference
| API | Description |
|---|---|
| CreateAccount | Creates a database account. |
| DescribeAccounts | Lists accounts for a cluster. |
| ModifyAccountDescription | Updates an account description. |
| ModifyAccountPassword | Changes an account password. |
| GrantAccountPrivilege | Grants a standard account permissions on one or more databases. |
| RevokeAccountPrivilege | Revokes permissions from a standard account. |
| ResetAccount | Resets a privileged account's permissions. |