Help Center> GaussDB> Distributed_8.x> Database Security> Users and Permissions> Administrators

Updated on 2024-06-03 GMT+08:00

View PDF

Administrators

Initial User

The account automatically generated during the cluster installation is called the initial user. The initial user is also the system administrator, security administrator, audit administrator, monitor administrator, O&M administrator, and security policy administrator. It has the highest permissions in the system and can perform all operations. If the initial username is not set during the installation, the username is the same as the name of the OS user who installs the cluster. If the password of the initial user is not set during the cluster installation, the password is empty after the installation. In this case, you need to change the password of the initial user on the gsql client before performing other operations. If the initial user password is empty, you cannot perform other SQL operations, such as upgrade, capacity expansion, and node replacement, except changing the password.

The OID of the initial user is 10, which can be queried in the pg_roles view.
An initial user bypasses all permission checks. It is recommended that this user be used only as a database administrator for database management instead of service applications.

System Administrator

A system administrator is an account with the SYSADMIN attribute. By default, a system administrator has the same permissions as the object owner but does not have the object permissions in the dbe_perf schema.

To create a database administrator, connect to the database as the initial user or a system administrator and use the CREATE USER or ALTER USER statement with the SYSADMIN option.

    
         gaussdb=# CREATE USER sysadmin WITH SYSADMIN password "********";

Or

    
         gaussdb=# ALTER USER joe SYSADMIN;

When ALTER USER is executed, the user must exist.

Security Administrator

A security administrator is an account with the CREATEROLE attribute. It has the permission to create, modify, and delete users or roles, and grant or revoke the permission of any non-system administrator, built-in role, permanent user, or O&M administrator.

If you want to create a security administrator and separation of duties is disabled, connect to the database as a system administrator or security administrator. If separation of duties is enabled, connect to the database as a security administrator and use the CREATE USER or ALTER USER statement with the CREATEROLE option.

    
         gaussdb=# CREATE USER createrole WITH CREATEROLE password "********";

Or

    
         gaussdb=# ALTER USER joe CREATEROLE;

When ALTER USER is executed, the user must exist.

Audit Administrator

An audit administrator is an account with the AUDITADMIN attribute, which has the permission to view and delete audit logs.

If you want to create an audit administrator and separation of duties is disabled, connect to the database as a system administrator or security administrator. If separation of duties is enabled, connect to the database only as the initial user and use the CREATE USER or ALTER USER statement with the AUDITADMIN option.

    
         gaussdb=# CREATE USER auditadmin WITH AUDITADMIN password "********";

Or

    
         gaussdb=# ALTER USER joe AUDITADMIN;

When ALTER USER is executed, the user must exist.

Monitor Administrator

A monitor administrator is an account with the MONADMIN attribute and has the permission to view views and functions in the dbe_perf schema. The monitor administrator can also grant or revoke object permissions in the dbe_perf schema.

To create a monitor administrator, connect to the database as a system administrator and use the CREATE USER or ALTER USER statement with MONADMIN specified.

    
         gaussdb=# CREATE USER monadmin WITH MONADMIN password "********";

Or

    
         gaussdb=# ALTER USER joe MONADMIN;

When ALTER USER is executed, the user must exist.

O&M Administrator

An O&M administrator is an account with the OPRADMIN attribute and has the permission to use Roach to perform backup and restoration.

To create an O&M administrator, connect to the database as an initial user and use the CREATE USER or ALTER USER statement with OPRADMIN specified.

    
         gaussdb=# CREATE USER opradmin WITH OPRADMIN password "********";

Or

    
         gaussdb=# ALTER USER joe OPRADMIN;

When ALTER USER is executed, the user must exist.

Security Policy Administrator

A security policy administrator is an account with the POLADMIN attribute and has the permission to create resource tags, masking policies, and unified audit policies.

To create a security policy administrator, connect to the database as an administrator and use the CREATE USER or ALTER USER statement with POLADMIN specified.

    
         gaussdb=# CREATE USER poladmin WITH POLADMIN password "********";

Or

    
         gaussdb=# ALTER USER joe POLADMIN;

When ALTER USER is executed, the user must exist.

Parent topic: Users and Permissions

Previous topic: Default Permission Mechanism

Next topic: Separation of Duties

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.