A System Admin (SA) account grants unrestricted access to all SQL Server operations by bypassing all security checks. Creating an SA account on an RDS for SQL Server instance enables quick migration of on-premises software to the cloud.
Prerequisites
The following conditions must be met:
- Log on to the console with an Alibaba Cloud account, not a RAM user.
- The RDS for SQL Server instance must meet all of the following requirements:
| Requirement | Supported | Not supported |
|---|---|---|
| Instance edition | Basic Edition, High-availability Edition (SQL Server 2012 and later), Cluster Edition | -- |
| Instance type | General-purpose, Dedicated | Shared |
| Billing method | Subscription, pay-as-you-go | Serverless |
| Network type | Virtual private cloud (VPC) | Classic network |
- The instance was created within the required timeframe:
  - High-availability Edition or Cluster Edition: on or after January 1, 2021
  - Basic Edition: on or after September 2, 2022
To check when an instance was created, go to the Basic Information page and find the Created At field under Status. To switch from classic network to VPC, see Change the network type.
SLA impact
Creating a System Admin account removes the instance from coverage under the ApsaraDB RDS Service-Level Agreement (SLA). The SA role has permissions beyond what RDS for SQL Server can control, so the instance runtime environment becomes your responsibility.
- Normal use and after-sales service are not affected.
- Instances without a System Admin account remain fully covered by the SLA.
Procedure
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Accounts.
- Click Create Account and configure the following parameters.
| Parameter | Description |
|---|---|
| Database Account | Enter the account name. The name can contain lowercase letters, digits, and underscores (_). It must start with a letter and end with a letter or digit. Maximum length: 64 characters. |
| Account Type | Select System Admin Account. Read and select "I have read and agree to changes to the ApsaraDB RDS Service Level Agreement caused by the creation of a system admin account." Note: If the System Admin Account option does not appear under Account Type, verify that the instance meets all prerequisites listed above. If the instance meets all prerequisites but the option still does not appear, perform a zone migration, then refresh the Accounts page. For information about other account types, see Standard and privileged accounts and Host account. |
| New Password | Set the account password. Requirements: 8 to 32 characters in length; at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters (!@#$%^&*()_+-=). |
| Confirm Password | Re-enter the password. |
| Apply Password Policy | Optional. Apply a password policy to control the validity period of the account password. Before applying a policy, configure the password policy first. |
| Description | Optional. Enter a description of the account. Maximum length: 256 characters. |
- Click OK.
Manage the account after creation
After the System Admin account is created, manage it from the Accounts page. The Actions column provides the following options:
| Action | Description |
|---|---|
| Reset Password | Change the account password. For details, see Reset a password. |
| Deactivate Account | Temporarily disable the account. |
| Delete | Permanently remove the account. |
Limits and restrictions
- Only one System Admin account is allowed per instance. The account can be deleted from the console after creation.
- Apsara Stack does not support System Admin accounts.
Reserved account names
The System Admin account name cannot use SQL Server reserved words or system names. The following names are reserved:
root, admin, eagleye, master, aurora, sysadmin, administrator, mssqld, public, securityadmin, serveradmin, setupadmin, processadmin, diskadmin, dbcreator, bulkadmin, tempdb, msdb, model, distribution, mssqlsystemresource, guest, dbo, login, sys, drc_rds$
SQL Server reserved keywords such as SELECT, INSERT, CREATE, ALTER, DROP, DELETE, UPDATE, EXEC, GRANT, and all other T-SQL reserved words are also prohibited.
Usage recommendations
Because the SA role has permissions beyond what RDS for SQL Server can control, follow these guidelines:
- Do not operate the rdscore database on High-availability Edition or Cluster Edition instances.
- Do not operate system accounts. For details, see System account description.
- Do not perform physical backup operations in the local environment. These operations affect the point-in-time recovery (PITR) capability of the instance. Use the built-in RDS backup feature instead. For details, see Back up SQL Server data.
- Do not remove or modify high-availability objects on High-availability Edition or Cluster Edition instances, such as running DROP AVAILABILITY GROUP.
- Do not store data on drive C (the system disk).
- Do not modify existing server-level triggers in the instance, including:
  - [_$$_tr_$$_rds_alter_database]
  - [_$$_tr_$$_rds_alter_login]
  - [_$$_tr_$$_rds_create_database]
  - [_$$_tr_$$_rds_create_login]
  - [_$$_tr_$$_rds_drop_database]
  - [_$$_tr_$$_rds_drop_login]
  - [_$$_tr_$$_rds_server_role]
- Do not modify core SQL Server configurations such as the startup account or port.
- Do not modify the Windows Administrator password.
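Several of these recommendations can be checked with read-only queries, shown here as an added example that is not part of the original page or of Alibaba Cloud's tooling. It assumes the trigger names listed above, that system databases occupy database_id 1 to 4, and a placeholder login name `<your_sa_account>` that you replace with your own System Admin account name.

```sql
-- Added example: read-only drift check; nothing here modifies the instance.

-- 1. Server-level triggers named on this page: present, enabled, untouched?
SELECT e.name,
       CASE WHEN t.name IS NULL               THEN 'MISSING'
            WHEN t.is_disabled = 1            THEN 'DISABLED'
            WHEN t.modify_date > t.create_date THEN 'REVIEW: modified after creation'
            ELSE 'OK' END AS status,
       t.create_date, t.modify_date
FROM (VALUES (N'_$$_tr_$$_rds_alter_database'),
             (N'_$$_tr_$$_rds_alter_login'),
             (N'_$$_tr_$$_rds_create_database'),
             (N'_$$_tr_$$_rds_create_login'),
             (N'_$$_tr_$$_rds_drop_database'),
             (N'_$$_tr_$$_rds_drop_login'),
             (N'_$$_tr_$$_rds_server_role')) AS e(name)
LEFT JOIN sys.server_triggers AS t ON t.name = e.name
ORDER BY e.name;

-- 2. Who holds sysadmin? Record this as a baseline and alert on any change.
SELECT m.name AS login_name, m.type_desc, m.is_disabled, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Non-system database files on drive C (the system disk).
--    Assumption: database_id 1-4 are master, tempdb, model and msdb.
SELECT DB_NAME(mf.database_id) AS database_name, mf.type_desc, mf.physical_name
FROM sys.master_files AS mf
WHERE mf.database_id > 4
  AND UPPER(LEFT(mf.physical_name, 3)) = N'C:\';

-- 4. Backups taken by the System Admin login in the last 30 days.
--    '<your_sa_account>' is a placeholder, not a real account name.
DECLARE @sa_login sysname = N'<your_sa_account>';
SELECT bs.database_name, bs.type, bs.is_copy_only,
       bs.backup_start_date, bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf ON bmf.media_set_id = bs.media_set_id
WHERE bs.user_name = @sa_login
  AND bs.backup_start_date >= DATEADD(DAY, -30, GETDATE())
ORDER BY bs.backup_start_date DESC;
```

Any row other than OK in the first result set, or any row at all in the third or fourth, is worth investigating against the recommendations above.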
References
- To create a System Admin account through the API, see CreateAccount - Create a database account.
- To create a standard or privileged account, see Create a standard or privileged account.
- To create a host account, see Host account.