ApsaraDB RDS for MySQL provides two account types — privileged accounts and standard accounts — each with a fixed set of MySQL privileges. The table below lists all supported permissions. You cannot obtain privileges not listed here.
Use a standard account with the minimum required privileges for your applications. Reserve the privileged account for administrative tasks.
Accounts and permissions
Privileged account
A privileged account holds the same full set of privileges regardless of the permission mode selected (Read-only, Read/write, DDL-only, or DML-only):
ALTER, ALTER ROUTINE, CREATE, CREATE VIEW, CREATE ROUTINE, CREATE USER, CREATE TEMPORARY TABLES, DELETE, DROP, EVENT, EXECUTE, INDEX, INSERT, LOCK TABLES, PROCESS, RELOAD, REFERENCES, REPLICATION SLAVE, REPLICATION CLIENT, SELECT, SHOW VIEW, TRIGGER, UPDATE
Standard account
The privileges granted to a standard account depend on the permission mode you select when creating or modifying the account:
| Permission mode | Privileges |
|---|---|
| Read-only | REPLICATION SLAVE, REPLICATION CLIENT, SELECT, SHOW VIEW |
| Read/write | ALTER, ALTER ROUTINE, CREATE, CREATE TEMPORARY TABLES, CREATE VIEW, CREATE ROUTINE, DELETE, DROP, EVENT, EXECUTE, INSERT, INDEX, LOCK TABLES, PROCESS, REFERENCES, REPLICATION SLAVE, REPLICATION CLIENT, SELECT, SHOW VIEW, TRIGGER, UPDATE |
| DDL-only | ALTER, ALTER ROUTINE, CREATE, CREATE VIEW, CREATE TEMPORARY TABLES, CREATE ROUTINE, DROP, INDEX, LOCK TABLES, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT, SHOW VIEW |
| DML-only | CREATE TEMPORARY TABLES, DELETE, EVENT, EXECUTE, INSERT, LOCK TABLES, PROCESS, REPLICATION SLAVE, REPLICATION CLIENT, SELECT, SHOW VIEW, TRIGGER, UPDATE |
Privilege descriptions
| Privilege | Description |
|---|---|
ALTER | Modify the structure of existing tables, including adding, changing, or dropping columns and indexes. |
ALTER ROUTINE | Modify or drop stored procedures and functions. |
CREATE | Create databases, tables, indexes, and other schema objects. |
CREATE ROUTINE | Create stored procedures and functions. |
CREATE TEMPORARY TABLES | Create temporary tables that exist only for the duration of a session. |
CREATE USER | Create, rename, drop, and manage database accounts. |
CREATE VIEW | Create and modify views. |
DELETE | Delete rows from tables. |
DROP | Drop databases, tables, views, and other schema objects. |
EVENT | Create, modify, and drop events in the Event Scheduler. |
EXECUTE | Run stored procedures and functions. |
INDEX | Create and drop indexes on existing tables. |
INSERT | Insert rows into tables. |
LOCK TABLES | Acquire explicit table locks on tables you have SELECT privilege on. |
PROCESS | View information about all active threads and connections on the instance. |
REFERENCES | Create foreign key constraints. |
RELOAD | Run FLUSH statements to reload privilege tables, logs, and caches. |
REPLICATION CLIENT | Query the status and configuration of replication, including the positions of primary and replica servers. |
REPLICATION SLAVE | Read binary log events from the primary server — required for replication to function. |
SELECT | Read rows from tables. |
SHOW VIEW | View the definition of views using SHOW CREATE VIEW. |
TRIGGER | Create, drop, and execute triggers on tables. |
UPDATE | Modify existing rows in tables. |
FAQ
Can I change a privileged account to a standard account?
No. A privileged account has fixed permissions that cannot be modified or downgraded to a standard account. If unexpected permission changes occur — for example, an unintended REVOKE — reset the permissions of the privileged account to restore them. If you no longer need the privileged account, delete it and then create a new account with the appropriate type.