
ApsaraDB RDS: Create a privileged account or a standard account

Last Updated: Jul 04, 2025

This topic describes how to create a privileged account or a standard account on an ApsaraDB RDS for SQL Server instance.

Prerequisites

An RDS instance is created. For more information, see Create an ApsaraDB RDS for SQL Server instance.

Usage notes

  • The first account that you create for your RDS instance must be a privileged account. You can create only one privileged account for each RDS instance. The privileged account cannot be deleted in the ApsaraDB RDS console or by calling an API operation.

  • We recommend that you do not use Terraform to create a privileged account. A privileged account that is created by using Terraform cannot be deleted by using Terraform. As a result, you may fail to release or unsubscribe from the RDS instance.

  • Databases that are created on an RDS instance share all the resources that belong to the instance.

  • The account name and database name cannot contain keywords.

  • For security purposes, we recommend that you specify strong passwords for accounts and change the passwords on a regular basis. You can also configure password policies for accounts to manage the validity period of the passwords and improve account security.

  • We recommend that you follow the principle of least privilege and grant read and write permissions to accounts based on your business requirements. You can create multiple accounts and grant each account only the permissions to access the data of specified databases. If an account does not need to write data to a database, we recommend that you grant only read permissions on the database to the account.

Create account

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane of the page that appears, click Accounts.

  3. On the page that appears, click Create Account and configure the following parameters.

    Parameter

    Description

    Database Account

    The name of the account. The name can be up to 50 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.

    Account Type

    • Privileged Account: If this is the first time you create an account on the RDS instance, you must create a privileged account. You can create only one privileged account for each RDS instance. You cannot delete a privileged account.

    • Standard Account: You can create multiple standard accounts for an RDS instance. You must manually grant the permissions on databases to each standard account.

    Note

    Authorize Database:

    You can grant different permissions on one or more databases to a Standard Account. If no databases are created, you can leave this parameter empty. After you create databases, you can grant permissions on the databases to a standard account. To grant permissions on a database to an account, perform the following steps:

    1. In the Unauthorized Databases section, select the databases on which you want to grant permissions to the account.

    2. Click the icon to add the selected databases to the Authorized Databases section.

    3. Grant the Read/Write (DML), Read-Only, or Owner permissions on the databases to the account.

      Note

      The account is authorized to create tables, delete tables, and modify schemas in a database only when the account has the Owner permissions on the database.

    New Password

    The password of the account. The password must meet the following requirements:

    • It must be 8 to 32 characters in length.

    • It must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

    • It can contain the following special characters: ! @ # $ % ^ & * ( ) _ + - =

    Confirm Password

    Enter the same password as the new password to confirm it has been entered correctly.

    Apply Password Policy

    Specifies whether to apply the password policy that you configure. The setting helps manage the validity period of the account password and improve the account security. Before you apply a password policy, you must configure a password policy for your account.

    Description

    The description of the account. The description can be up to 256 characters in length.

  4. Click OK.

    You can refresh the page to view the created account. You can also modify the account permissions or manage the account based on your business requirements. For more information, see Modify the permissions of an account, Reset the password of an account, or Delete a standard account.
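To check that standard accounts hold only the access they need, the following T-SQL lists the role membership of each database user. It is an added example, not part of the original documentation, and it assumes that the console's Owner, Read/Write (DML), and Read-Only grants appear as membership in the db_owner, db_datawriter, and db_datareader roles. Run it in each user database.

```sql
-- Added example: least-privilege review of one database.
-- Assumption: console grants map to the fixed database roles
-- db_owner (Owner), db_datawriter (Read/Write) and db_datareader (Read-Only).
SELECT
    m.name      AS DatabaseUser,
    m.type_desc AS PrincipalType,
    MAX(CASE WHEN r.name = 'db_owner'      THEN 1 ELSE 0 END) AS IsOwner,
    MAX(CASE WHEN r.name = 'db_datawriter' THEN 1 ELSE 0 END) AS CanWrite,
    MAX(CASE WHEN r.name = 'db_datareader' THEN 1 ELSE 0 END) AS CanRead,
    -- Every role the user belongs to, so custom roles are visible as well.
    STUFF((
        SELECT ', ' + r2.name
        FROM sys.database_role_members AS drm2
        JOIN sys.database_principals  AS r2
            ON r2.principal_id = drm2.role_principal_id
        WHERE drm2.member_principal_id = m.principal_id
        ORDER BY r2.name
        FOR XML PATH('')
    ), 1, 2, '') AS AllRoles
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
    ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m
    ON m.principal_id = drm.member_principal_id
WHERE m.type IN ('S', 'U', 'G')   -- SQL users, Windows users, Windows groups
GROUP BY m.principal_id, m.name, m.type_desc
-- Owners first: they can create tables, delete tables, and modify schemas.
ORDER BY IsOwner DESC, CanWrite DESC, m.name;
```

Rows with IsOwner = 1 or CanWrite = 1 are the ones to compare against what each application actually needs.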

References

  • For more information about how to call an API operation to create a privileged account, a standard account, or other accounts with the required permissions, see CreateAccount.

  • For more information about how to create a system admin account in the ApsaraDB RDS console, see Create a system admin account.

FAQ

Can I manage the accounts that are created on the primary RDS instance on read-only RDS instances?

No, you cannot manage the accounts that are created on your primary RDS instance on the read-only RDS instances. The accounts are synchronized to the read-only RDS instances and have only read permissions on the read-only RDS instances.

How do I ignore the password complexity requirements of an RDS instance?

To ensure instance security, the password of an account must be 8 to 32 characters in length and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.

If you want to ignore password complexity requirements, perform the following operations:

Important

A simple password increases the risk of system attacks. We recommend that you specify a strong password and change the password at regular intervals.

  1. Create Account A on the RDS instance and use the account to connect to the RDS instance from SSMS.

  2. Use Account A to create the required account and disable the check on the password complexity policy during the creation.

    Note

    If you use DMS to connect to the RDS instance, you cannot switch to the master database. You must use SSMS to connect to the RDS instance and then execute the SQL statements.

    -- Switch to the master database.
    USE master
    GO
    -- Create the required account.
    CREATE LOGIN [Username of the required account] WITH PASSWORD=N'Password of the required account', CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
    GO
    -- Enable the required account.
    ALTER LOGIN [Username of the required account] ENABLE
    GO

    CHECK_EXPIRATION = OFF indicates that the password expiration policy is disabled. CHECK_POLICY = OFF indicates that the check on the password complexity policy, such as password length and complexity, is disabled.

    Note

    You can separately configure password complexity policies for the accounts in ApsaraDB RDS console. This helps implement fine-grained password management and enhance account security.
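To find accounts that were created with these options turned off, the following T-SQL audit lists SQL logins together with their policy flags. It is an added example, not part of the original documentation; app_reader is a hypothetical login name, and seeing logins other than your own assumes that the connecting account is permitted to view them.

```sql
-- Added example: audit SQL logins for disabled password policy checks.
SELECT
    l.name                  AS LoginName,
    l.is_disabled           AS IsDisabled,         -- 1 = login cannot connect
    l.is_policy_checked     AS PolicyChecked,      -- 0 = created with CHECK_POLICY = OFF
    l.is_expiration_checked AS ExpirationChecked,  -- 0 = created with CHECK_EXPIRATION = OFF
    l.create_date           AS CreatedAt,
    LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS PasswordLastSet,
    LOGINPROPERTY(l.name, 'IsLocked')            AS IsLocked,
    CASE
        WHEN l.is_disabled = 1           THEN 'Disabled login'
        WHEN l.is_policy_checked = 0     THEN 'Active login without complexity check'
        WHEN l.is_expiration_checked = 0 THEN 'Active login without password expiration'
        ELSE 'OK'
    END AS Finding
FROM sys.sql_logins AS l
WHERE l.name NOT LIKE '##%'   -- skip internal certificate-based logins
ORDER BY
    CASE WHEN l.is_disabled = 0 AND l.is_policy_checked = 0 THEN 0 ELSE 1 END,
    l.name;
GO

-- Re-enable the checks for a login found above.
-- app_reader is a hypothetical name; replace it with a login from the result set.
-- CHECK_EXPIRATION = ON requires CHECK_POLICY = ON.
ALTER LOGIN [app_reader] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO
-- The current password is not re-validated when the policy is switched on;
-- reset the password afterwards so that the complexity rules are applied to it.
```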

Why is my RDS SQL Server account shown as inactive, and why do I get the error "The account is disabled." when I log in?

Problem description

On the Accounts page of your RDS SQL Server instance, the user account status shows as Inactive. When you try to log in to the database by using this inactive account, you receive the error "The account is disabled."

Cause

User accounts created through the Accounts page of the RDS SQL Server instance or through the API are active by default and do not require manual activation. If an account status changes to inactive, it is typically because:

  • The user created the account through SQL and specified the account status as disabled.

  • The user created the account through the RDS console or API and then manually changed the account status to disabled.

Solution

  1. Use another active account to connect to the SQL Server instance through SSMS.

  2. Check the disabled status of the target user account and change the status to enabled if it is disabled.

    • Method 1: View and modify the target account status through the SSMS graphical interface.

    • Method 2: View and modify the target account status through SQL.

      1. Execute the following SQL query to confirm the current status of the target account:

        -- Query the status of the target login name
        SELECT 
            name AS LoginName,          -- Login name
            is_disabled AS IsDisabled   -- Status: 1 means disabled, 0 means enabled
        FROM 
            sys.server_principals
        WHERE 
            name = 'Replace with target login name';

      2. If the target account is disabled (is_disabled = 1), execute the following SQL command to enable the account:

        ALTER LOGIN [Replace with target login name] ENABLE;
