PolarDB: Three-role mode

Last Updated:Mar 21, 2026

PolarDB-X offers the three-role mode to help you implement the principle of separation of duties. This mode distributes the permissions of a single Privileged Account among three distinct Roles: a System Administrator, a Security Administrator (DSA), and an Audit Administrator (DAA). This approach enhances database security by reducing the risks of overly concentrated permissions.

Limitations

The three-role mode is available only for Enterprise Edition instances.

Note

A Read Replica inherits its three-role mode setting from the Primary Instance and does not require separate configuration. When the three-role mode is enabled or disabled on the Primary Instance, the change is automatically synchronized with its associated Read Replicas.

Risks and solutions

  • Risks

    In a traditional database operations model, the Database Administrator (DBA) holds extensive, centralized permissions. This concentration of permissions exposes the database to the following risks:

    • Security incidents caused by DBA errors or misjudgment.

    • Malicious operations by DBAs.

    • Unauthorized access to sensitive data by DBAs, third-party contractors, or application developers.

  • Solution

    PolarDB-X provides the three-role mode to implement the principle of separation of duties. This mode replaces the traditional single-administrator system by defining the responsibilities of three distinct Roles:

    • System Administrator: Can only perform Data Definition Language (DDL) operations.

    • Security Administrator (DSA): Manages Roles and Users, and grants permissions to other accounts.

    • Audit Administrator (DAA): Can only view the Audit Log.

Permission comparison for system accounts

The following table compares the permissions of different system accounts in Default Mode and Three-Role Mode.

Note
  • In Default Mode, the Privileged Account is the sole administrative account. For more information about the Privileged Account, see Account types.

  • Enabling or disabling the three-role mode affects only the permissions of system accounts, which include the Privileged Account, System Administrator, Security Administrator (DSA), and Audit Administrator (DAA). The permissions of a Standard Account are not affected.

  • In three-role mode, system accounts cannot perform Data Manipulation Language (DML), Data Query Language (DQL), or Data Administration Language (DAL) operations. However, the Security Administrator (DSA) can grant these permissions to a Standard Account.

| Category | SQL | Default mode: Privileged account | Three-role mode: System administrator | Three-role mode: Security administrator (DSA) | Three-role mode: Audit administrator (DAA) |
|---|---|---|---|---|---|
| DDL | ALTER TABLE, CREATE TABLE, CREATE VIEW, CREATE INDEX, CREATE CCL_RULE, DROP VIEW, DROP INDEX, DROP TABLE, TRUNCATE TABLE | Supported | Supported | Not supported | Not supported |
| DML | DELETE, UPDATE, INSERT | Supported | Not supported | Not supported | Not supported |
| DQL | SELECT, EXPLAIN | Supported | Not supported | Not supported | Not supported |
| DAL | SHOW CCL_RULE, SHOW INDEX | Supported | Not supported | Not supported | Not supported |
| Account and Role management | Manage accounts and permissions; Role permission management | Supported | Not supported | Supported | Not supported |
| View Audit Log | View audit logs from the tables information_schema.polardbx_audit_log and information_schema.polardbx_ddl_log | Supported | Not supported | Not supported | Supported |
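To make the division of duties concrete, the following added example (not taken from the PolarDB-X documentation) walks the three system roles and one Standard Account through a typical provisioning sequence: the System Administrator creates a table, the Security Administrator (DSA) creates a Standard Account and grants it only the DML and DQL it needs, the Standard Account does the data work, and the Audit Administrator (DAA) reviews the two audit-log tables named above. It assumes PolarDB-X's MySQL-compatible CREATE USER and GRANT syntax; the database, table, account, host and password values are placeholders. The commented-out statements in each session are ones the permission table marks as not supported for that role.

```sql
-- Added example, not part of the PolarDB-X documentation.
-- Assumes MySQL-compatible account syntax; app_db, orders, app_user and the
-- password are placeholder values.

-- 1. Session as the System Administrator: DDL only.
CREATE TABLE app_db.orders (
  id          BIGINT PRIMARY KEY,
  customer_id BIGINT NOT NULL,
  amount      DECIMAL(12, 2) NOT NULL
);
-- INSERT INTO app_db.orders VALUES (1, 42, 9.99);
--   not supported: system accounts cannot run DML in three-role mode
-- CREATE USER 'app_user'@'%' IDENTIFIED BY 'placeholder';
--   not supported: account management belongs to the DSA

-- 2. Session as the Security Administrator (DSA): accounts and grants only.
CREATE USER 'app_user'@'%' IDENTIFIED BY 'placeholder-password';
-- Least privilege: grant exactly the DML/DQL the application needs on one
-- table, rather than broad privileges on the whole database.
GRANT SELECT, INSERT, UPDATE ON app_db.orders TO 'app_user'@'%';
-- SELECT * FROM app_db.orders;
--   not supported: the DSA can grant DQL but cannot run it
-- DROP TABLE app_db.orders;
--   not supported: DDL belongs to the System Administrator

-- 3. Session as the Standard Account app_user: the data work itself.
INSERT INTO app_db.orders (id, customer_id, amount) VALUES (1, 42, 9.99);
SELECT id, amount FROM app_db.orders WHERE customer_id = 42;

-- 4. Session as the Audit Administrator (DAA): read-only view of the trail.
-- The DDL from step 1 and the account changes from step 2 are what the DAA
-- reviews here.
SELECT * FROM information_schema.polardbx_ddl_log LIMIT 20;
SELECT * FROM information_schema.polardbx_audit_log LIMIT 20;
-- ALTER TABLE app_db.orders ADD COLUMN note VARCHAR(64);
--   not supported: the DAA can only view audit logs
```

The point of the sequence is that no single session can both change the schema and read the data, and the account that reads the audit log cannot alter what it audits; each step has to be performed by a different login, which is what gives the separation of duties its value for detection and accountability.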