
ApsaraDB for OceanBase: Create a regular account for an ApsaraDB for OceanBase serverless instance and grant privileges to the account

Last Updated: Jun 04, 2024

This topic describes how to create a regular account for a serverless instance of ApsaraDB for OceanBase and grant the account the minimum privileges that are required by different phases of data migration.

Background

ApsaraDB for OceanBase supports only serverless instances of the Serverless for MySQL type. A serverless instance supports three types of database accounts: regular account, super account, and read-only account. When you use the data transmission service to migrate data from a serverless instance, observe the following rules:

  • If you use a regular account, grant privileges to the account based on the descriptions in this topic.

  • If you use a super account, it has read/write privileges on all databases by default.

  • If you use a read-only account, it has the read privilege on all databases by default.

The name of the regular account created for your serverless instance can be used for the Username parameter when you create an OceanBase data source.

If you want to migrate a table without a unique key, you must also create an __oceanbase_inner_drc_user user with the read-only privilege before data migration. Then, when you create an OceanBase data source, specify the password of the __oceanbase_inner_drc_user user.

Create a regular account for a serverless instance

  1. Go to the Serverless Instance Workspace page.

    1. Log on to the ApsaraDB for OceanBase console.

    2. In the upper-left corner, select the region where the target instance is located.

    3. In the left-side navigation pane, click Instances. Then, click the name of the target instance, whose type is Serverless.

  2. On the Serverless Workspace page, click Account Management in the left-side navigation pane.

  3. On the Account Management page, click Create Account in the upper-right corner.

  4. In the Create Account dialog box, configure the parameters.

    | Parameter | Description |
    | --- | --- |
    | Username | The username can contain letters, digits, and underscores (_). It must start with a letter and end with a letter or digit, and cannot exceed 32 characters in length. |
    | Account Type | Select Normal Account. |
    | Authorized Databases (Optional) | Select one or more databases accessible to the account. 1. In the left-side Unauthorized list, select one or more databases and click > to add them to the right-side list. 2. In the Authorized list, grant the read/write, DDL-only, DML-only, or read-only privilege on each database to the account. |
    | Password | The password must be 10 to 32 characters in length and contain any three of the following character types: uppercase letters, lowercase letters, digits, and special characters. The supported special characters are ! @ # $ % ^ & * ( ) _ + - =. You can click Randomly generated to automatically generate a random password. Note: You can also click Copy Password to copy the password. Keep the password confidential. |
    | Remarks (Optional) | Enter the description of the account. |

  5. Click OK.

Grant privileges to a regular account in a source serverless instance

The following table lists the minimum privileges required for a regular account in a source serverless instance in different phases of data migration.

| Table type | Schema migration | Full migration | Incremental DML synchronization | Incremental DDL synchronization | Full verification | Reverse incremental synchronization |
| --- | --- | --- | --- | --- | --- | --- |
| Table with a primary key or not-null unique key | Read-only | Read-only | Read-only | Read-only | Read-only | DDL-only (only DDL operations are synchronized); DML-only (only DML operations are synchronized); Read/Write (both DDL and DML operations are synchronized) |
| Table without a primary key or not-null unique key | Read-only | Read-only; __oceanbase_inner_drc_user required | Read-only | Read-only | __oceanbase_inner_drc_user required | DDL-only (only DDL operations are synchronized); DML-only (only DML operations are synchronized); Read/Write (both DDL and DML operations are synchronized) |

Grant privileges to a regular account in a destination serverless instance

The following table lists the minimum privileges required for a regular account in a destination serverless instance in different phases of data migration.

| Table type | Schema migration | Full migration | Incremental DML synchronization | Incremental DDL synchronization | Full verification | Reverse incremental DML synchronization | Reverse incremental DDL synchronization |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Table with a primary key or not-null unique key | DDL-only | Read/Write | Read/Write | DDL-only | Read-only | Read-only | Read-only |
| Table without a primary key or not-null unique key | DDL-only | Read/Write | Read/Write | DDL-only | Not supported | Read-only | Read-only |

Create __oceanbase_inner_drc_user and grant privileges to the user

  1. Log on to the ApsaraDB for OceanBase console and go to the Tenant Workspace page.

  2. On the Tenant Workspace page, click Log on to Database in the upper-right corner.

    You can also go to the Database Management page for logon.

  3. In the Enter a database account dialog box, enter the name of the database to log on and click OK.

  4. In the Enter the connection password dialog box, enter the password for logging on to the database and click OK.

  5. After logon, run the following command to create the user __oceanbase_inner_drc_user:

    create user __oceanbase_inner_drc_user identified by '<password>';

  6. Run the following command to grant privileges to the user:

    grant select on *.* to __oceanbase_inner_drc_user;
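After the grant, the account should hold SELECT and nothing more. The following added example, which is not part of the original documentation, audits grant rows for privileges beyond read-only; it assumes the rows are MySQL-style SHOW GRANTS output, and the function name and sample rows are constructed for illustration.

```python
import re

# Assumption: rows look like MySQL-style SHOW GRANTS output,
# "GRANT <privileges> ON <scope> TO <account> [WITH GRANT OPTION]".
GRANT_RE = re.compile(
    r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<rest>.+)",
    re.IGNORECASE,
)
ALLOWED = {"SELECT", "USAGE"}  # USAGE confers no privileges


def audit_grants(rows):
    """Return findings for an account that should hold only SELECT on *.*."""
    findings = []
    has_global_select = False
    for row in rows:
        line = row.strip().rstrip(";")
        m = GRANT_RE.fullmatch(line)
        if not m:
            findings.append(f"unparsed row: {line}")
            continue
        scope = m.group("scope")
        # Drop column lists such as SELECT (c1, c2) before splitting on commas.
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))
        names = {p.strip().upper() for p in privs.split(",") if p.strip()}
        if scope == "*.*" and "SELECT" in names:
            has_global_select = True
        extra = sorted(names - ALLOWED)
        if extra:
            findings.append(f"{scope}: unexpected {', '.join(extra)}")
        if "WITH GRANT OPTION" in m.group("rest").upper():
            findings.append(f"{scope}: WITH GRANT OPTION")
    if not has_global_select:
        findings.append("missing SELECT on *.*")
    return findings


# Constructed sample rows, not output captured from a real instance.
EXPECTED = ["GRANT SELECT ON *.* TO '__oceanbase_inner_drc_user'"]
DRIFTED = [
    "GRANT SELECT, INSERT, UPDATE ON *.* TO '__oceanbase_inner_drc_user'",
    "GRANT ALL PRIVILEGES ON `app`.* TO '__oceanbase_inner_drc_user' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for label, rows in (("expected", EXPECTED), ("drifted", DRIFTED)):
        print(label, audit_grants(rows) or "ok")
```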