Authorize accounts to manage tables, views, and fields - ApsaraDB RDS

0.0.201

By default, you can grant permissions on all data in databases to accounts that are created in the ApsaraDB RDS console. If you want to grant permissions on specific tables, views, or fields in a database of an ApsaraDB RDS for MySQL instance, you can execute the required SQL statements to perform fine-grained authorization.

Prerequisites

A privileged account is created. For more information, see Create an account.

Procedure

Use a privileged account to connect to the RDS instance by using a client or the CLI.

Execute SQL statements to create an account and authorize the account to manage tables, views, and fields in a database.

Note

The created account does not have permissions to view its authorized databases in the ApsaraDB RDS console.

Create an account.

CREATE USER `<Username of the account>`@`%` IDENTIFIED BY '<Password of the account>';

Grant global permissions, such as PROCESS and replication-related permissions, to the account.

GRANT PROCESS, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO '<Username of the account>'@'%';

Grant full permissions on tables in a specific database to the account.

GRANT ALL PRIVILEGES ON `<Database name>`.`<Table name>` TO '<Username of the account>'@'%';

Grant read-only permissions on commonly used tables in the mysql system database to the account.

GRANT SELECT ON `mysql`.`help_topic` TO '<Username of the account>'@'%';
GRANT SELECT ON `mysql`.`func` TO '<Username of the account>'@'%';
GRANT SELECT ON `mysql`.`time_zone` TO '<Username of the account>'@'%';
GRANT SELECT ON `mysql`.`slow_log` TO '<Username of the account>'@'%';
GRANT SELECT ON `mysql`.`proc` TO '<Username of the account>'@'%';
GRANT SELECT ON `mysql`.`general_log` TO '<Username of the account>'@'%';
-- Grant permissions on other system tables based on your business requirements.

Examples

Authorize an account to manage a table: Create an account named test01 and authorize the account to manage the test100 table in the rds001 database.
```
CREATE USER `test01`@`%`IDENTIFIED BY 'passwd';
GRANT PROCESS, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'test01'@'%';
GRANT ALL PRIVILEGES ON `rds001`.`test100`  TO 'test01'@'%';
GRANT SELECT ON `mysql`.`help_topic` TO 'test01'@'%';
GRANT SELECT ON `mysql`.`func` TO 'test01'@'%';
```
Note
If you replace test100 with an asterisk (*), the account has permissions on all tables in the rds001 database and can view the database to which the account belongs in the ApsaraDB RDS console.

Authorize an account to manage multiple tables: Create an account named test02 and authorize the account to manage the test100, test200, and test300 tables in the rds001 database.

CREATE USER `test02`@`%`IDENTIFIED BY 'passwd';
GRANT PROCESS, REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO 'test02'@'%';
GRANT ALL PRIVILEGES ON `rds001`.`test100`  TO 'test02'@'%';
GRANT ALL PRIVILEGES ON `rds001`.`test200`  TO 'test02'@'%';
GRANT ALL PRIVILEGES ON `rds001`.`test300`  TO 'test02'@'%';
GRANT SELECT ON `mysql`.`help_topic` TO 'test02'@'%';
GRANT SELECT ON `mysql`.`func` TO 'test02'@'%';

Authorize the account to query views from a database.
```
GRANT SELECT ON <Database name>.<View name> to <Username of the account>;
```
Examples
- Authorize an account to manage a view: Authorize the test01 account to query the view_test1 view from the rds001 database.
```
GRANT SELECT ON rds001.view_test1 to test01;
```
- Authorize an account to manage multiple views: Authorize the test01 account to query the view_test1 and view_test2 views from the rds001 database.
```
GRANT SELECT ON rds001.view_test1 to test01;
GRANT SELECT ON rds001.view_test2 to test01;
```

Authorize the account to update or query fields in a table from a database.

GRANT UPDATE (<Field name>) ON TABLE <Table name> to <Username of the account>;     -----Authorize the account to update fields in a table.
GRANT SELECT (<Field name>) ON TABLE <Table name> to <Username of the account>;     -----Authorize the account to query fields in a table.

Examples

Authorize an account to manage a field: Authorize the test01 account to update the testid field in the testtable table.
```
GRANT UPDATE (testid) ON TABLE testtable to test01;
```
Authorize an account to manage multiple fields: Authorize the test01 account to update the test_id and test_name fields in the testtable table.
```
GRANT UPDATE (test_id) ON TABLE testtable to test01;
GRANT UPDATE (test_name) ON TABLE testtable to test01;
```

You can also execute SQL statements in Data Management (DMS). For more information, see Manage user permissions on MySQL databases.

FAQ

When I execute SQL statements on my RDS instance, the "Access denied; you need (at least one of) the CREATE USER privilege(s) for this operation TraceId." error message is displayed. What do I do?

Causes: The SQL statements that you executed include the CREATE USER statement. However, you do not have the permissions to execute the statement.
Solutions:
- Solution 1: Use the privileged account to log on the RDS instance and execute the SQL statements.
- Solution 2: Execute the GRANT CREATE USER ON *.* TO 'your_user'@'host';FLUSH PRIVILEGES; statement to grant a standard user the permissions to execute the CREATE USER statement.

Feedback

Previous: Authorize an account to access its authorized databases from specified IP addressesNext: System accounts

On this page （1）

Prerequisites

Procedure

FAQ

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)