ApsaraDB RDS secures your database through two complementary mechanisms: account-level permissions that define what each user can do, and IP address whitelists that define which clients can connect to your instance.
Manage accounts
ApsaraDB RDS supports two account types. Choose based on the level of permission granularity you need:
| Account type | Permission scope | When to use |
|---|---|---|
| Standard account | Database level: read-only, read/write, DDL-only, or DML-only | Most applications that need access to specific databases |
| Privileged account | Fine-grained: table, view, and field levels | When you need precise control over which tables, views, or fields each user can access |
Create both account types using the ApsaraDB RDS console or API.
For fine-grained access control, create a privileged account first. Use the privileged account to log on to your instance, create standard accounts, and grant table-, view-, and field-level permissions to those accounts. For details, see Authorize accounts to manage tables, views, and fields.
For standard account creation, see Create an account on an ApsaraDB RDS for MySQL instance.
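The fine-grained procedure described above, written in MySQL syntax as an added example that is not taken from the ApsaraDB RDS documentation. The database `shop` (assumed to exist already), its tables and view, the account `order_svc`, and the placeholder password are all constructed for illustration.

```sql
-- Added example: run while logged on with the privileged account.
-- All object and account names below are constructed; database `shop` is assumed to exist.
CREATE TABLE IF NOT EXISTS shop.customers (
    id         BIGINT PRIMARY KEY,
    name       VARCHAR(100) NOT NULL,
    email      VARCHAR(255) NOT NULL,
    card_token VARCHAR(64)  NOT NULL   -- sensitive column, not granted below
);

CREATE TABLE IF NOT EXISTS shop.orders (
    id          BIGINT PRIMARY KEY,
    customer_id BIGINT NOT NULL,
    total_cents BIGINT NOT NULL,
    status      VARCHAR(20) NOT NULL
);

-- View that exposes only per-customer aggregates of shop.orders.
CREATE OR REPLACE VIEW shop.v_order_totals AS
    SELECT customer_id, COUNT(*) AS order_count, SUM(total_cents) AS total_cents
    FROM shop.orders
    GROUP BY customer_id;

-- New account starts with no privileges. Replace the placeholder secret.
CREATE USER 'order_svc'@'%' IDENTIFIED BY 'REPLACE_WITH_GENERATED_SECRET';

-- Table level: may insert new orders, which by itself grants no read access.
GRANT INSERT ON shop.orders TO 'order_svc'@'%';

-- Field level: read three columns of orders, update only `status`.
GRANT SELECT (id, customer_id, status), UPDATE (status)
    ON shop.orders TO 'order_svc'@'%';

-- Field level: read id and name only; email and card_token are not granted.
GRANT SELECT (id, name) ON shop.customers TO 'order_svc'@'%';

-- View level: read the aggregates without SELECT on orders.total_cents.
GRANT SELECT ON shop.v_order_totals TO 'order_svc'@'%';

-- Review the result: full grant list, then the column-level entries only.
SHOW GRANTS FOR 'order_svc'@'%';
SELECT table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE grantee = '''order_svc''@''%''';
```

The `%` host part of the account does not widen network reach: the instance's IP address whitelist still decides which clients can connect.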
Control network access
ApsaraDB RDS uses an IP address whitelist to control which clients can connect to your instance. By default, the whitelist contains only 127.0.0.1, which means the instance rejects all connections from the Internet and from internal networks.
Configure the whitelist on the Data Security page in the ApsaraDB RDS console, or use the ApsaraDB RDS API. Whitelist updates do not require an instance restart, so your workloads are not interrupted.
For configuration steps, see Configure a whitelist for an ApsaraDB RDS for MySQL instance.