Help Center> Relational Database Service> Best Practices> RDS for SQL Server> Creating a Subaccount of rdsuser
Updated on 2023-12-18 GMT+08:00
View PDF

Creating a Subaccount of rdsuser

Scenarios

This section describes how to create a subaccount and grant permissions to the subaccount. Permissions of rdsuser lists the permissions supported by rdsuser.

Prerequisites

You have created a database. For details, see Creating a Database.

Procedure

  1. Log in to the instance through DAS.

    1. Log in to the management console.
    2. Click in the upper left corner and select a region and a project.
    3. Click in the upper left corner of the page and choose Databases > Relational Database Service.
    4. Locate the target instance and click Log In in the Operation column.
    5. On the displayed page, configure required parameters.
      Table 1 Instance login

      Parameter

      Description

      Login Username

      Enter rdsuser.

      Password

      Enter the password of rdsuser.

      NOTE:

      You can select Remember Password so that you can directly log in to the instance next time.

      Collect Metadata Periodically

      Enable this function as required. If this function is enabled:

      • DAS can store structure definition data such as database names, table names, and field names in instances, but does not store data in tables.
      • Metadata is collected in the early morning every day.

      Show Executed SQL Statements

      Enable this function as required. This function allows you to view executed SQL statements. You can re-execute an SQL statement without having to enter it again.
    6. Click Log In.

  2. Create a subaccount.

    1. On the main menu of the DAS console, choose Account Management > Login Name.
    2. On the displayed page, click Create Login Name.
    3. On the Create Login Name page, configure login information.
      Table 2 Login information

      Parameter

      Description

      Login Name

      Enter a new login name.

      Authentication Type

      The value is fixed to Microsoft SQL Server Authentication.

      Password

      The password for the new login username must meet the following requirements:

      • It must contain at least three of the following: uppercase letters, lowercase letters, digits, and special characters ~!@#$^*-_=+?%
      • It must be 8 to 128 characters long.
      • It cannot contain the login username.
      • It cannot be a weak password.

      Confirm Password

      Enter the password again.

      NOTE:

      For security purposes, select Enforce Password Policy.

      Default Database

      From the drop-down list, select a database the new login user will log in by default.

      Default Language

      Select a language for the new login user.
    4. Click Save.
    5. Click Back to Login Name List.
    6. In the login name list, view the new login name.

  3. Grant permissions to the new login user.

    • Table 3 describes how to add a single permission. To add multiple permissions to the new login user at the same time, for example, to grant both read and write permissions, select both db_datareader and db_datawriter on the Edit Database Role page.
    • For details about the permissions supported by rdsuser, see Permissions of rdsuser.
    Table 3 Permissions that can be granted to a subaccount

    Permission

    Procedure

    Database operation permission
    1. Locate the new login name and click Edit in the Operation column.
    2. On the displayed page, click the User Mapping tab.
    3. In the Users mapped to this login list, click Edit in the row where both the user database and the new login username exist.
    4. On the Edit Database Role page, select db_owner and click OK.
    5. Click Save.

    Server role permission
    1. Locate the new login name and click Edit in the Operation column.
    2. On the displayed page, click the Server Roles tab.
    3. In the Server Roles list, select the desired server role.
    4. Click Save.

    Securable object permission
    1. Locate the new login name and click Edit in the Operation column.
    2. On the displayed page, click the Securables tab.
    3. In the securables list, select the desired server permission.
    4. Click Save.

    Read-only permission
    1. Locate the new login name and click Edit in the Operation column.
    2. On the displayed page, click the User Mapping tab.
    3. In the Users mapped to this login list, click Edit in the row where both the user database and the new login username exist.
    4. On the Edit Database Role page, select db_datareader and click OK.
    5. Click Save.

    Write permission
    1. Locate the new login name and click Edit in the Operation column.
    2. On the displayed page, click the User Mapping tab.
    3. In the Users mapped to this login list, click Edit in the row where both the user database and the new login username exist.
    4. On the Edit Database Role page, select db_datawriter and click OK.
    5. Click Save.

Permissions of rdsuser

Table 4 Permissions of rdsuser

Name

Category

Permission

DB instance permissions

DB instance role permissions

[processadmin]

[setupadmin]

DB instance object permissions

ALTER ANY CONNECTION

ALTER ANY LOGIN

ALTER ANY SERVER ROLE

ALTER SERVER STATE

ALTER TRACE

CONNECT ANY DATABASE

CONTROL SERVER

CONNECT SQL

CREATE ANY DATABASE

SELECT ALL USER SECURABLES

VIEW ANY DEFINITION

VIEW ANY DATABASE

VIEW SERVER STATE

Database permissions

master: Public

Msdb: Public

SQLAgentUserRole

Model: Public

Rdsadmin: Public

OtherDB: Db_Owner
Parent topic: RDS for SQL Server