User management

Add or delete users, assign roles, and manage permissions from the User Management module in the Hologres console.

The Alibaba Cloud account that purchased the instance is the default superuser with full permissions. Before you add other users, only this account appears on the User Management page.

Item: Description

  • Members: Usernames in the instance, including Alibaba Cloud accounts, RAM users, and Basic Users.

  • Account ID: The user's account ID. Examples:

    • Alibaba Cloud account: 11822780xxx.

    • RAM user: p4_269499383xxxx.

    • Basic User: BASIC$xxx.

  • Account Type: The user's account type.

    • Alibaba Cloud account (ALIYUN).

    • RAM user (RAM).

    • Basic User (BASIC).

  • Role Type: The role assigned to the user.

    • superuser

    • normal

  • Actions: Click Delete in the Actions column to remove a user and revoke all access permissions.

Limits

Basic Users cannot query MaxCompute foreign tables by default. To enable access, configure a user mapping (FAQ).

Add a user

To add users to an instance:

  1. On the Users page, select the target instance and click Add User in the upper-right corner.

  2. In the Add User dialog box, select an existing RAM user under your Alibaba Cloud account and select a role type: superuser or Normal User.

    Note
    • superuser: Full permissions on the instance. No additional grants needed.

    • normal user: No initial permissions on any objects (databases, schemas, tables). Grant permissions before the user can access resources.

      Grant permissions on the DB Management page or by running SQL statements. For details, see Quick start for RAM user authorization.

Delete a user

On the Users page, select the instance, find the user, and click Delete in the Actions column. This revokes all access permissions.

Create a basic user

Important

Basic Users exist only within Hologres. To access other Alibaba Cloud services such as MaxCompute foreign tables, create a user mapping (FAQ).

Console

Create a Basic User from the User Management page.

  1. On the Users page, select the target instance and click Create Custom User in the upper-right corner.

  2. In the Create Custom User dialog box, configure the following parameters. Usernames are prefixed with BASIC$ and are case-sensitive.

    Parameter: Description

    • Username: The Basic User's username. Up to 57 characters; lowercase letters, digits, and underscores (_) only.

    • Select Member Role: The role for the user.

      • superuser: Full permissions on the instance. No additional grants needed.

      • normal user: No initial permissions on any objects (databases, schemas, tables). Grant permissions before the user can access resources.

    • Password: The account password. Requirements:

      • At least three of: uppercase letters, lowercase letters, digits, and special characters.

      • 8 to 32 characters.

      • Supported special characters: !@#$%^&*()_+-=.

    • Confirm Password: Re-enter the password.

  3. Click OK to create the Basic User.

SQL

create user "BASIC$<user_name>" with password '<password>';

user_name is the username of the Basic User. password is the password for the Basic User.
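
A pre-check for scripted provisioning with the statement above, added here as an example (not Hologres or Alibaba Cloud code): it applies the username and password rules listed for the console dialog and only then builds the statement. The function names and sample values are constructed, and it assumes the length limit applies to the part after BASIC$, that a username is non-empty, and that the period after the special-character list ends the sentence.

```python
import re
import string

# Rules as stated on this page for Basic Users.
# Assumption: "up to 57 characters" applies to the part after BASIC$, minimum 1.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,57}")
# Assumption: the period after '=' on the page ends the sentence, not the set.
SPECIALS = set("!@#$%^&*()_+-=")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS


def check_username(name):
    """Return rule violations for the username part after the BASIC$ prefix."""
    if USERNAME_RE.fullmatch(name):
        return []
    return ["username: 1-57 characters, lowercase letters, digits, underscores only"]


def check_password(pw):
    """Return rule violations for a Basic User password."""
    problems = []
    if not 8 <= len(pw) <= 32:
        problems.append("length must be 8 to 32 characters")
    bad = sorted(set(pw) - ALLOWED)
    if bad:
        problems.append("unsupported characters: " + "".join(bad))
    classes = [
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in SPECIALS for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs at least three of: uppercase, lowercase, digits, special")
    return problems


def create_basic_user_sql(name, pw):
    """Build the page's CREATE USER statement; refuse input that breaks the rules."""
    problems = check_username(name) + check_password(pw)
    if problems:
        raise ValueError("; ".join(problems))
    # Validated input cannot contain ' or ", so the quoting below cannot be broken.
    return f'create user "BASIC${name}" with password \'{pw}\';'
```

Because the allowed character sets exclude both quote characters, anything that passes the checks cannot terminate the quoted identifier or the password literal early.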

Other operations

  • Change the password of a Basic User.

    Note

    Password changes apply only to Basic Users. Alibaba Cloud accounts and RAM users authenticate with automatically generated AccessKey pairs.

    Change a Basic User's password:

    • Use the console.

      1. On the Users page, go to the User Account Authorization tab. In the user list, find the target Basic User and click Reset Password in the Actions column.

      2. In the Reset Password dialog box, enter and confirm the new password, and then click OK.

    • Use SQL statements.

      alter user "BASIC$<user_name>" with password '<password>';

      user_name is the username of the Basic User. password is the new password for the Basic User.

  • Delete a Basic User.

    Delete a Basic User:

    • Use the console.

      1. On the Users page, go to the User Account Authorization tab. In the user list, find the target Basic User and click Delete in the Actions column.

      2. In the Remove User dialog box, click OK.

    • Use SQL statements.

      drop user "BASIC$<user_name>";

      user_name is the username of the Basic User that you want to delete.

FAQ

  • Symptom: When a Basic User tries to access a MaxCompute foreign table, the following error is reported:

    ERROR:  Query:[xxxxxx] Build desc failed: failed to check permission: Authorization Failed [4002], You don't exist in project hologres_test. Context ID:xxxxxx-xxxx-xxxx-xxxx-xxxxxxx.    --->Tips: Pricipal:INVALID$BASIC$xxx; You don't exist in project xxx

  • Cause: Basic Users exist only within Hologres and, by default, lack permissions to access external resources such as MaxCompute foreign tables.

  • Solution: Create a user mapping in Hologres to bind the Basic User to a RAM user with permissions to access the MaxCompute project and the Hologres internal table.

    • Syntax

      CREATE USER MAPPING
      FOR "<user_name>"
      SERVER odps_server
      OPTIONS
      (
          access_id '<Access_id>',
          access_key '<Access_key>'
      );

    • Parameters

      Parameter: Description

      • user_name: The username of the Basic User.

      • access_id: The AccessKey ID of an account authorized to access the current database. Obtain it from the AccessKey Management page.

      • access_key: The AccessKey Secret of an account authorized to access the current database. Obtain it from the AccessKey Management page.

    • Examples

      -- Create a user mapping for the user BASIC$test.
      CREATE USER MAPPING
      FOR "BASIC$test"
      SERVER odps_server
      OPTIONS (
        access_id 'LTxxxxxxxxxx',
        access_key 'y8xxxxxxxxxxxxx');
      -- Create a user mapping for the current user.
      CREATE USER MAPPING
      FOR CURRENT_USER
      SERVER odps_server
      OPTIONS (
        access_id 'LTxxxxxxxxxx',
        access_key 'y8xxxxxxxxxxxxx');
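
The CREATE USER, ALTER USER and CREATE USER MAPPING statements on this page carry the password or AccessKey Secret as SQL literals, so any script that echoes or logs them exposes those values. The following added example (not Hologres or Alibaba Cloud code; function names and sample statements are constructed) masks those literals before statement text is written to automation logs, and withholds the statement entirely if a secret literal cannot be parsed.

```python
import re

# Secret-bearing clauses in the statements shown on this page:
#   ... with password '<password>'   (create user / alter user)
#   access_key '<Access_key>'        (create user mapping OPTIONS)
# A doubled '' inside a literal is the SQL escape for a single quote.
SECRET_RE = re.compile(
    r"(?P<key>\b(?:password|access_key))(?P<gap>\s+)'(?:[^']|'')*'",
    re.IGNORECASE,
)
# A secret keyword still followed by an unmasked literal after redaction.
LEFTOVER_RE = re.compile(r"\b(?:password|access_key)\s+'(?!\*\*\*')", re.IGNORECASE)


def redact_for_log(sql):
    """Return (text_safe_to_log, number_of_literals_masked)."""
    redacted, count = SECRET_RE.subn(
        lambda m: f"{m.group('key')}{m.group('gap')}'***'", sql
    )
    if LEFTOVER_RE.search(redacted):
        # For example an unterminated literal: fail closed instead of
        # logging part of a secret.
        return "[statement withheld: unparsed secret literal]", count
    return redacted, count


# Constructed sample statements in the forms used on this page.
SAMPLE = """create user "BASIC$etl_reader" with password 'Constructed_pw1';
CREATE USER MAPPING FOR "BASIC$etl_reader" SERVER odps_server
OPTIONS (access_id 'LTxxxxxxxxxx', access_key 'y8xxxxxxxxxxxxx');"""

if __name__ == "__main__":
    text, masked = redact_for_log(SAMPLE)
    print(masked, "literal(s) masked")
    print(text)
```

The access_id value is left visible on purpose: it is the identifier needed to find which AccessKey pair a mapping uses when that key has to be rotated.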

Related documents

The Delete a user topic covers the DROP USER command and related error troubleshooting.