Help Center/ GaussDB/ Centralized_2.x/ Database Security Management/ Managing Users and Their Permissions/ Administrator
Updated on 2023-10-23 GMT+08:00
View PDF

Administrator

Initial User

The account automatically generated during database installation is called an initial user. The initial user is also the system administrator, monitor administrator, O&M administrator, and security policy administrator. It has the highest permissions in the system and can perform all operations. If the initial username is not specified during installation, the username is the same as the name of the OS user who installs the database. If the password of the initial user is not specified during the installation, the password is empty after the installation. In this case, you need to change the password of the initial user on the GSQL client before performing other operations. If the initial user password is empty, you cannot perform other SQL operations, such as upgrade, capacity expansion, and node replacement, except changing the password.

An initial user bypasses all permission checks. You are advised to use an initial user as a database administrator only for database management other than service running.

System Administrator

A system administrator is an account with the SYSADMIN attribute. By default, a system administrator has the same permissions as the object owner but does not have the object permissions in the dbe_perf schema or the permission to use Roach to perform backup and restoration.

To create a database administrator, connect to the database as an administrator and run the CREATE USER or ALTER USER statement with SYSADMIN specified.

1
 
openGauss=# CREATE USER sysadmin WITH SYSADMIN password "xxxxxxxxx";

or

1
 
openGauss=# ALTER USER joe SYSADMIN;

To run the ALTER USER statement, the user must exist.

Monitor Administrator

A monitor administrator is an account with the MONADMIN attribute and has the permission to view views and functions in the dbe_perf schema. The monitor administrator can also grant or revoke object permissions in the dbe_perf schema.

To create a monitoring administrator, connect to the database as a system administrator and run the CREATE USER or ALTER USER statement with MONADMIN specified.

1
 
openGauss=# CREATE USER monadmin WITH MONADMIN password "xxxxxxxxx";

Alternatively,

1
 
openGauss=# ALTER USER joe MONADMIN;

To run the ALTER USER statement, the user must exist.

O&M Administrator

An O&M administrator is an account with the OPRADMIN attribute and has the permission to use Roach to perform backup and restoration.

To create an O&M administrator, connect to the database as an initial user and run the CREATE USER or ALTER USER statement with OPRADMIN specified.

1
 
openGauss=# CREATE USER opradmin WITH OPRADMIN password "xxxxxxxxx";

Alternatively,

1
 
openGauss=# ALTER USER joe OPRADMIN;

To run the ALTER USER statement, the user must exist.

Security Policy Administrator

A security policy administrator is an account with the POLADMIN attribute and has the permission to create resource tags, masking policies, and unified audit policies.

To create a security policy administrator, connect to the database as an administrator and run the CREATE USER or ALTER USER statement with POLADMIN specified.

1
 
openGauss=# CREATE USER poladmin WITH POLADMIN password "xxxxxxxxx";

Alternatively,

1
 
openGauss=# ALTER USER joe POLADMIN;

To run the ALTER USER statement, the user must exist.