A system admin account is the most powerful role in SQL Server. This role can bypass all security checks and perform all operations in SQL Server. This topic describes how to create a system admin account on an ApsaraDB RDS for SQL Server instance. You can use the system admin account to migrate the data of an on-premises SQL Server instance to the RDS instance.
Usage notes
If your RDS instance meets the preceding requirements but the creation of system admin accounts is not available in the console, you can migrate the instance across zones and then refresh the Accounts page. For more information about how to migrate instances across zones, see Migrate an ApsaraDB RDS for SQL Server instance across zones.
You can create only one system admin account for each RDS instance. You can delete the system admin account of an RDS instance in the console.
You cannot create system admin accounts for RDS instances in the CloudTmall system.
You cannot use the following usernames for system admin accounts:
root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds$
Impacts
The permissions of a system admin account are beyond the management scope of ApsaraDB RDS for SQL Server. If you create a system admin account for your RDS instance, the service availability that is specified in the service level agreement (SLA) is no longer guaranteed for the RDS instance. The running environment of the RDS instance completely belongs to you. You can use the RDS instance and obtain after-sales service as normal. If you do not create a system admin account for your RDS instance, the service availability that is specified in the SLA is guaranteed for the RDS instance.
Important
We recommend that you use other methods instead of creating system accounts to manage instance data. For example, you can migrate or synchronize data to other instances on which you have permissions. If you need more alternatives to system accounts, contact us.
Suggestions
If you use a system admin account, take note of the following items:
Do not manage the rdscore database on an RDS instance that runs RDS High-availability Edition or RDS Cluster Edition.
Do not manage system accounts. For more information, see System accounts.
Do not perform physical backups on your on-premises device. If you perform physical backups on your on-premises device, the point-in-time recovery (PITR) of your RDS instance is affected. We recommend that you use the backup feature provided by ApsaraDB RDS. For more information, see Back up an ApsaraDB RDS for SQL Server instance.
Do not move an RDS instance that runs RDS High-availability Edition or RDS Cluster Edition, and do not manage its high-availability objects, for example, by performing the DROP AVAILABILITY GROUP operation.
Do not store data in drive C (system disk).
Do not modify the existing server-level triggers in the RDS instance, including [_$$_tr_$$_rds_alter_database], [_$$_tr_$$_rds_alter_login], [_$$_tr_$$_rds_create_database], [_$$_tr_$$_rds_create_login], [_$$_tr_$$_rds_drop_database], [_$$_tr_$$_rds_drop_login], and [_$$_tr_$$_rds_server_role].
Do not modify the core configurations of the RDS instance, such as the startup account and port.
Do not change the password of the Windows administrator.
Procedure
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click .
On the page that appears, click Create Account, configure the following parameters, and then click OK.
Parameter | Description |
Database Account | The username of the account. It must be 2 to 64 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit. |
Account Type | The type of the account. Select System Admin Account. Then, read the agreement and select I have read and agree to changes to the RDS Service Level Agreement caused by the creation of a system admin account. |
New Password | The password of the account. The password must meet the following requirements: It must be 8 to 32 characters in length. It can contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters. The following special characters are supported: ! @ # $ % ^ & * ( ) _ + - = |
Confirm Password | The password of the account. |
Apply password policy | Specifies whether to apply the password policy that you configure. The setting helps manage the validity period of the account password and improve the account security. Before you apply a password policy, you must configure a password policy for your account. For more information, see Configure account password policies. |
Description | The description of the account. The description can be up to 256 characters in length. |
Optional. Reset the password of the account, disable the account, or delete the account.
You can click Reset Password, Deactivate Account, or Delete in the Actions column to manage the account. For more information, see Reset a password.