ApsaraDB for OceanBase: Policy management

Last Updated: Jan 10, 2024

Security management is essential to databases. OceanBase Database provides security management policies to protect data and resources. These policies include resource isolation and privilege control. Resource isolation allows you to restrict access to data, ensuring resource security. Privilege control allows you to set access privileges for shared data, ensuring data security.

Manage account privileges

You can set user privileges in the RAM console.

  1. Log on to the RAM console. In the left-side navigation pane, click Policy Management. On the page that appears, click Create Policy.

  2. On the Create Policy page, specify Policy Name, select Script, and create privilege policies for RAM users.

  3. In the left-side navigation pane, click Users. On the page that appears, search for the user to whom you want to add privileges.

  4. On the user details page, click Privileges.

  5. On the Personal Privileges tab, click Add Privilege.

  6. In the dialog box that appears on the right, click Custom Policy, select the created policy, and then click OK.

Manage user privileges

OceanBase Database allows you to create and delete users, change passwords, change usernames, lock users, grant privileges to users, and revoke privileges from users.

Users in the same tenant have unique names and have access only to objects in the tenant. The privileges for the users are compatible with those of MySQL and can be classified into the following levels:

  • Global: Privileges at this level apply to all databases. You can use the GRANT ALL ON *.* statement to grant global privileges.

  • Database level: Privileges at this level apply to all objects in a specified database. You can use the GRANT ALL ON db_name.* statement to grant database privileges.

  • Table level: Privileges at this level apply to all columns in a specified table. You can use the GRANT ALL ON db_name.tbl_name statement to grant table privileges.

The following table describes the privileges.

| Privilege | Description |
| --- | --- |
| ALL PRIVILEGES | All privileges except GRANT OPTION. |
| ALTER | The ALTER TABLE privilege. |
| CREATE | The CREATE TABLE privilege. |
| CREATE USER | The CREATE USER, DROP USER, RENAME USER, and REVOKE ALL PRIVILEGES privileges. |
| CREATE TABLEGROUP | The global CREATE TABLEGROUP privilege. |
| DELETE | The DELETE privilege. |
| DROP | The DROP privilege. |
| GRANT OPTION | The GRANT OPTION privilege. |
| INSERT | The INSERT privilege. |
| SELECT | The SELECT privilege. |
| UPDATE | The UPDATE privilege. |
| SUPER | The SET GLOBAL privilege for modifying global system parameters. |
| SHOW DATABASES | The global SHOW DATABASES privilege. |
| INDEX | The CREATE INDEX and DROP INDEX privileges. |
| CREATE VIEW | The privilege to create and drop views. |
| SHOW VIEW | The SHOW CREATE VIEW privilege. |
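
The three privilege levels above can be combined so that each account holds only what it needs, instead of a global GRANT ALL ON *.*. The following is an added example, not part of the original documentation; the database name (shop), table name (orders), usernames, and passwords are constructed placeholders.

```sql
-- Added example. All names and passwords below are constructed placeholders.

-- Broad grant shown for contrast only (left commented out):
-- global level, every privilege except GRANT OPTION, in every database.
-- GRANT ALL ON *.* TO 'app_rw';

-- 1. Reporting account: table level, SELECT only.
CREATE USER 'report_ro' IDENTIFIED BY 'Placeholder_Pw1!';
GRANT SELECT ON shop.orders TO 'report_ro';

-- 2. Application account: database level, data changes only.
--    No ALTER, CREATE, or DROP, and no GRANT OPTION, so the account
--    cannot change the schema or pass its privileges on to others.
CREATE USER 'app_rw' IDENTIFIED BY 'Placeholder_Pw2!';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app_rw';

-- 3. Review what each account actually holds.
SHOW GRANTS FOR 'report_ro';
SHOW GRANTS FOR 'app_rw';

-- 4. Tighten an existing grant: the application no longer deletes rows.
REVOKE DELETE ON shop.* FROM 'app_rw';

-- 5. Lock an account that is no longer in use without dropping it,
--    so its grants remain available for audit.
ALTER USER 'report_ro' ACCOUNT LOCK;
```

Running SHOW GRANTS again after step 4 confirms that the database-level grant for app_rw no longer includes DELETE.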