This topic lists the permissions for different account types in ApsaraDB RDS for SQL Server and their scopes. You can modify the permissions of standard and privileged accounts. A system admin account has all permissions on all databases, and its permissions cannot be modified.
Account permissions
For security, ApsaraDB RDS for SQL Server restricts certain permissions. Instead, Alibaba Cloud provides stored procedures to perform these restricted operations. For more information, see stored procedures.
The ApsaraDB RDS console lets you grant permissions at the database level. To grant more granular permissions on specific objects in a database, such as tables, you can use standard SQL statements in SQL Server. For more information, refer to the official Microsoft tutorial GRANT object permissions.
System admin account
-
Scope: All databases on the instance
-
Permissions: A system admin account has all permissions on the SQL Server instance. For more information, refer to the official Microsoft tutorial Database Permissions.
Standard and privileged accounts
Scope: The databases authorized for the account.
|
Type |
Roles |
Permissions |
|
Owner |
|
|
|
Read-Only |
|
|
|
Read/Write (DML) |
|
|
Global read-only account
-
Scope: All user databases on the instance.
-
Permission type: Read-only. This permission automatically applies to newly created databases.
Modify account permissions
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
-
In the left-side navigation pane, click Accounts.
-
Find the account you want to modify, and then click Change Permissions in the Actions column.
-
In the Edit Account Permissions panel, configure the account permissions:
-
To modify the authorized databases, select one or more databases and click
or
to configure their permissions. -
To modify the permission level, in the Authorized Databases section, select a permission level:
-
Read-Only: Grants the
db_datareaderdatabase role in SQL Server. -
Read/Write (DML): Grants the
db_datawriteranddb_datareaderdatabase roles in SQL Server. -
Owner: Grants the
db_ownerdatabase role in SQL Server.
For more information about database-level roles, refer to the Microsoft official documentation.
-
-
-
Click OK.
FAQ
-
Q: Why can't I create a table in my ApsaraDB RDS for SQL Server database using an account with Read/Write (DML) permissions?
-
A: Accounts with the Read/Write (DML) permission level are mapped to the standard SQL Server database roles
db_datareaderanddb_datawriter. These roles do not include theCREATE TABLEpermission. For more information, see Account permissions. If you need to create tables in the database, use one of the following methods:-
Method 1: Run standard SQL statements in SQL Server. For more information, refer to the official Microsoft tutorials GRANT Database Permissions and Database-Level Roles.
-
Method 2: In the ApsaraDB RDS console, go to the Accounts page and change the permission level of the account to Owner. The Owner permission level includes the permission to create tables, but it also grants extensive permissions. Grant this permission level with caution. For instructions, see Modify account permissions.
If you need to grant only the
CREATE TABLEpermission to an account, we recommend that you use Method 1. This method provides a higher level of security. -