
PolarDB: Three-role mode

Last Updated: Apr 29, 2025

PolarDB-X's three-role mode distributes the high-level privileges traditionally held by a privileged account among three distinct roles: database administrator (DBA), security administrator (DSA), and audit administrator (DAA). This approach helps mitigate the risks associated with highly concentrated privileges and enhances overall database security.

Supported versions

The three-role mode is supported only for Enterprise Edition instances.

Background information

  • Risks

    In the traditional database O&M model, the DBA holds broad, centralized privileges, which exposes business operations to the following risks:

    • Security incidents caused by operator error or misjudgment.

    • Unauthorized operations carried out for personal motives.

    • Access to sensitive data by the DBA, third-party outsourced staff, or application developers who have no business need for it.

  • Solutions

    PolarDB-X introduces the three-role mode to address these risks by dividing responsibilities and permissions among three distinct roles: DBA, DSA, and DAA. This replaces the traditional model in which the DBA alone holds every privilege, so that no single system account can create schema objects, grant access to them, and read the audit trail.

    • DBA: can execute only DDL statements.

    • DSA: manages roles and accounts and grants permissions to other accounts.

    • DAA: can only view audit logs.

Permissions for different roles

The following table describes the permissions granted to each system account in the default mode and the three-role mode.

Note
  • In the default mode, the DBA account is the privileged account. For more information about the privileged account, see Account types.

  • The three-role mode affects only the permissions granted to system accounts. The system accounts include the privileged, DBA, DSA, and DAA accounts.

  • After the three-role mode is enabled, system accounts are no longer authorized to execute DML (Data Manipulation Language), DQL (Data Query Language), or DAL (Data Administration Language) statements. Use the DSA account to grant standard accounts the permissions needed to execute these statements.

Operation type            | SQL statements                                   | Default mode       | Three-role mode
                          |                                                  | Privileged account | DBA account | DSA account | DAA account
--------------------------+--------------------------------------------------+--------------------+-------------+-------------+------------
DDL                       | ALTER TABLE, CREATE TABLE, CREATE VIEW,          | Supported          | Supported   | Unsupported | Unsupported
                          | CREATE INDEX, CREATE CCL_RULE, DROP VIEW,        |                    |             |             |
                          | DROP INDEX, DROP TABLE, TRUNCATE TABLE           |                    |             |             |
DML                       | DELETE, UPDATE, INSERT                           | Supported          | Unsupported | Unsupported | Unsupported
DQL                       | SELECT, EXPLAIN                                  | Supported          | Unsupported | Unsupported | Unsupported
DAL                       | SHOW CCL_RULE, SHOW INDEX                        | Supported          | Unsupported | Unsupported | Unsupported
Operations on roles       | Manage accounts and permissions;                 | Supported          | Unsupported | Supported   | Unsupported
and accounts              | manage roles and permissions                     |                    |             |             |
Operations on audit logs  | View audit logs in                               | Supported          | Unsupported | Unsupported | Supported
                          | information_schema.polardbx_audit_log and        |                    |             |             |
                          | information_schema.polardbx_ddl_log              |                    |             |             |
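The following SQL walks through the separation of duties described above once three-role mode is enabled: the DBA creates the schema, the DSA authorizes a standard account, the standard account performs the data changes, and the DAA reads the audit tables. It is an added example, not code from the PolarDB-X documentation. The statement syntax is MySQL-compatible; the database name app_db, the orders table, and the account names app_writer and app_reader are assumptions made for illustration, and the passwords are placeholders.

```sql
-- Added example (not from the PolarDB-X documentation). Each numbered section
-- is meant to be run while connected as the named system or standard account.
-- app_db, orders, app_writer and app_reader are assumed names.

-- 1. DBA account: DDL only. It can define schema objects but, in three-role
--    mode, cannot read or modify the rows stored in them.
CREATE TABLE app_db.orders (
  id       BIGINT        NOT NULL PRIMARY KEY,
  customer VARCHAR(64)   NOT NULL,
  amount   DECIMAL(12,2) NOT NULL
);
CREATE INDEX idx_orders_customer ON app_db.orders (customer);

-- Check: in three-role mode this DML is rejected for the DBA account,
-- because DML is reserved for standard accounts authorized by the DSA.
-- INSERT INTO app_db.orders (id, customer, amount) VALUES (1, 'alice', 10.00);

-- 2. DSA account: creates standard accounts and grants only the DML/DQL
--    each one needs. The DSA itself has no DDL, so it cannot reshape or
--    drop the tables it authorizes access to.
CREATE USER 'app_writer'@'%' IDENTIFIED BY 'ChangeMe-writer-placeholder';
GRANT SELECT, INSERT, UPDATE, DELETE ON app_db.* TO 'app_writer'@'%';

-- A reporting account gets SELECT only (least privilege per consumer).
CREATE USER 'app_reader'@'%' IDENTIFIED BY 'ChangeMe-reader-placeholder';
GRANT SELECT ON app_db.* TO 'app_reader'@'%';

-- 3. Standard account app_writer: the only path for data changes.
INSERT INTO app_db.orders (id, customer, amount) VALUES (1, 'alice', 10.00);
UPDATE app_db.orders SET amount = 12.50 WHERE id = 1;

-- 4. DAA account: inspects the audit trail and nothing else. It cannot
--    change data, schema or accounts, so it cannot alter what it audits.
SELECT * FROM information_schema.polardbx_audit_log LIMIT 20;
SELECT * FROM information_schema.polardbx_ddl_log   LIMIT 20;
```

When reviewing a deployment, verify the split from each side: the commented-out INSERT under the DBA account should fail, a GRANT attempted from the DBA or DAA account should fail, and the audit-table SELECTs should succeed only for the DAA (and the privileged account in default mode).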