This topic describes how to create an account in a tenant and manage its permissions on different databases.
Background information
Before using a database, you must create an account in the tenant with permission to connect to it. Different account types have different permissions. You must use an account with database operation permissions to log on to and operate a database.
When you create an account in a MySQL tenant, you can associate the account with multiple databases. In contrast, an account created in an Oracle tenant has permissions only on its corresponding schema.
Prerequisites
Before you create an account, ensure that the tenant meets the following conditions:
The tenant is not in the Creating state.
The tenant is not in the Deleting state.
The tenant is not in the Deleted state.
Procedure
Log on to the OceanBase console.
In the navigation pane on the left, click Instance List.
In the instance list, find the target cluster instance and click its name to open the Cluster Instance Workspace page.
On the Cluster Instance Workspace page, click Tenant Management in the navigation pane on the left. In the tenant list, find the target tenant and click its Tenant Name.
On the Tenant Workspace page, click the Create Account button in the upper-right corner and set the following parameters as needed:
Parameter
Description
Username
You can set the account name.
The name must start with a letter and be 2 to 32 characters long. It can contain uppercase letters, lowercase letters, digits, hyphens (-), and underscores (_). The name cannot be a reserved keyword (case-insensitive), such as SYS, OCEANBASE, ROOT, OPERATOR, LBACSYS, ORAAUDITOR, OBMIGRATE, OMC, IDB_DDL, ODC_RND, ODC_DDL, or DWEXP.
Account Type
Select Regular Account, Super Account, or Read-only Account.
A regular account has the permissions to run data manipulation language (DML) and data definition language (DDL) statements in the database. For more information, see Account permission list.
By default, a super account has read and write permissions on all databases.
By default, a read-only account has read-only permission on all databases.
NoteData manipulation language (DML) statements are used to query or manipulate data in existing schema objects. Data definition language (DDL) statements are used to define, change, and drop schema objects. For more information, see SQL statements.
Global Permissions (Optional)
The encryption and decryption permissions. Select Encrypt or Decrypt.
NoteThis parameter is available only for MySQL tenants of OceanBase Database V4.2.5.
After the permissions are granted, you must also enable Transparent Data Encryption (TDE) to use encryption and decryption in the database.
The super account has two default permissions.
Authorized Databases
This parameter is optional and appears only when you create a regular account in a MySQL tenant. You can grant the following types of permissions to an unauthorized account: Read/Write, DDL only, DML only, Read-only, and Custom.
In MySQL mode, you can grant the following database permissions to the account:
Read/Write: ALL PRIVILEGES
DDL only: CREATE, DROP, ALTER, SHOW VIEW, CREATE VIEW
DML only: SELECT, INSERT, UPDATE, DELETE, SHOW VIEW, PROCESS
Read-only: CREATE SESSION, SELECT, SHOW VIEW.
Custom: You can select the commands that the account can execute from the following: ALTER, CREATE, DELETE, DROP, INSERT, SELECT, UPDATE, INDEX, CREATE VIEW, SHOW VIEW, and PROCEDURE FUNCTION.
NoteThe PROCEDURE FUNCTION permission is supported only in database versions V4.2.2 and later and V4.3.0 and later.
Password
Enter a password or select to generate one randomly. The password must be 10 to 32 characters long and contain characters from at least three of the following types: uppercase letters, lowercase letters, digits, and special characters. The supported special characters are:
!@#$%^&* ()_ +-=
Remarks (Optional)
The remarks cannot exceed 30 characters in length.
Click OK.