A system admin account is the most powerful role in SQL Server. This role can bypass all security checks and perform all operations in SQL Server. This topic describes how to create a system admin account on an ApsaraDB RDS for SQL Server instance. You can use the system admin account to migrate the data of an on-premises SQL Server instance to the RDS instance.
Prerequisites
The RDS instance meets the following requirements:
The RDS instance runs RDS Basic Edition, RDS High-availability Edition, or RDS Cluster Edition. If your RDS instance runs RDS High-availability Edition, make sure that the instance runs SQL Server 2012 or later.
The RDS instance belongs to the general-purpose or dedicated instance family. The shared instance family is not supported.
The RDS instance uses the subscription or pay-as-you-go billing method. Serverless instances are not supported.
The RDS instance resides in a virtual private cloud (VPC). For more information about how to change the network type of an RDS instance, see Change the network type.
The creation time of the RDS instance meets the following requirements:
If the RDS instance runs RDS High-availability Edition or RDS Cluster Edition, the instance is created on or after January 01, 2021.
If the RDS instance runs RDS Basic Edition, the instance is created on or after September 02, 2022.
Note: You can view the Creation Time parameter of an RDS instance in the Status section of the Basic Information page in the ApsaraDB RDS console.
An Alibaba Cloud account is used to log on to the RDS instance.
Usage notes
You can create only one system admin account for each RDS instance. The system admin account cannot be deleted in the ApsaraDB RDS console, by calling an API operation, or by using Terraform.
You cannot create system admin accounts for RDS instances in the CloudTmall system.
You cannot use the following usernames for system admin accounts:
root|admin|eagleye|master|aurora|sysadmin|administrator|mssqld|public|securityadmin|serveradmin|setupadmin|processadmin|diskadmin|dbcreator|bulkadmin|tempdb|msdb|model|distribution|mssqlsystemresource|guest|add|except|percent|all|exec|plan|alter|execute|precision|and|exists|primary|any|exit|print|as|fetch|proc|asc|file|procedure|authorization|fillfactor|public|backup|for|raiserror|begin|foreign|read|between|freetext|readtext|break|freetexttable|reconfigure|browse|from|references|bulk|full|replication|by|function|restore|cascade|goto|restrict|case|grant|return|check|group|revoke|checkpoint|having|right|close|holdlock|rollback|clustered|identity|rowcount|coalesce|identity_insert|rowguidcol|collate|identitycol|rule|column|if|save|commit|in|schema|compute|index|select|constraint|inner|session_user|contains|insert|set|containstable|intersect|setuser|continue|into|shutdown|convert|is|some|create|join|statistics|cross|key|system_user|current|kill|table|current_date|left|textsize|current_time|like|then|current_timestamp|lineno|to|current_user|load|top|cursor|national|tran|database|nocheck|transaction|dbcc|nonclustered|trigger|deallocate|not|truncate|declare|null|tsequal|default|nullif|union|delete|of|unique|deny|off|update|desc|offsets|updatetext|disk|on|use|distinct|open|user|distributed|opendatasource|values|double|openquery|varying|drop|openrowset|view|dummy|openxml|waitfor|dump|option|when|else|or|where|end|order|while|errlvl|outer|with|escape|over|writetext||dbo|login|sys|drc_rds$
Suggestions
A system admin account has high permissions that are beyond the management scope of ApsaraDB RDS for SQL Server. If you use a system admin account, take note of the following items:
Do not manage the rdscore database on an RDS instance that runs RDS High-availability Edition or RDS Cluster Edition.
Do not manage system accounts. For more information, see System accounts.
Do not perform physical backups on your on-premises device. If you perform physical backups on your on-premises device, the point-in-time recovery (PITR) of your RDS instance is affected. We recommend that you use the backup feature provided by ApsaraDB RDS. For more information, see Back up an ApsaraDB RDS for SQL Server instance.
Do not move an RDS instance that runs RDS High-availability Edition or RDS Cluster Edition, and do not manage its high-availability objects, for example by running DROP AVAILABILITY GROUP.
Do not store data in drive C (system disk).
Do not modify the existing server-level triggers in the RDS instance, including [_$$_tr_$$_rds_alter_database], [_$$_tr_$$_rds_alter_login], [_$$_tr_$$_rds_create_database], [_$$_tr_$$_rds_create_login], [_$$_tr_$$_rds_drop_database], [_$$_tr_$$_rds_drop_login], and [_$$_tr_$$_rds_server_role].
Do not modify the core configurations of the RDS instance, such as the startup account and port.
Do not change the password of the Windows administrator.
Procedure
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Accounts.
On the page that appears, click Create Account, configure the following parameters, and then click OK.
Warning: A system admin account has the highest permissions on the RDS instance. The highest permissions are beyond the management scope of ApsaraDB RDS for SQL Server. If you create a system admin account for your RDS instance, the service availability that is specified in the service level agreement (SLA) is no longer guaranteed for the RDS instance. However, you can use the RDS instance and obtain after-sales service as expected. If you do not create a system admin account for your RDS instance, the service availability that is specified in the SLA is guaranteed for the RDS instance.
Parameter: Description
Database Account: The username of the account. It must be 2 to 64 characters in length and can contain lowercase letters, digits, and underscores (_). It must start with a lowercase letter and end with a lowercase letter or a digit.
Account Type: The type of the account. Select System Admin Account. Then, read the agreement and select I have read and agree to changes to the RDS Service Level Agreement caused by the creation of a system admin account.
Note: If the type is not displayed, check whether the RDS instance meets the prerequisites.
For more information about other types of accounts, see Create an account and Create and use a host account for logons.
New Password: The password of the account. The password must meet the following requirements:
It must be 8 to 32 characters in length.
It can contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
Special characters include ! @ # $ % ^ & * ( ) _ + - =
Confirm Password: The password of the account.
Apply password policy: Specifies whether to apply the password policy that you configure. The setting helps manage the validity period of the account password and improve the account security. Before you apply a password policy, you must configure a password policy for your account. For more information, see Configure account password policies.
Description: The description of the account. The description can be up to 256 characters in length.
Optional. Reset the password of the account or disable the account.
You can click Reset Password or Deactivate Account in the Actions column to manage the account. For more information, see Reset a password.
References
You can call an operation to create a system admin account or other accounts. For more information, see CreateAccount.
You can create a standard or privileged account in the ApsaraDB RDS console. For more information, see Create a privileged account or a standard account.