Users
You can use CREATE USER and ALTER USER to create and manage database users, respectively. A database system contains one or more databases. Users and roles are shared within the entire database system, but their data is not shared. That is, a user can connect to any database, but once the connection is established, the user can access only the database declared in the connection request.
In non-separation-of-duties scenarios, GaussDB accounts can be created and deleted only by a system administrator or by a security administrator with the CREATEROLE attribute. In separation-of-duties scenarios, a user account can be created only by the initial user or a security administrator.
When a user logs in, GaussDB authenticates the user. A user can own databases and database objects (such as tables), and grant permissions of these objects to other users and roles. In addition to system administrators, users with the CREATEDB attribute can create databases and grant permissions on these databases.
Adding, Modifying, and Deleting Users
- To create a user, use the SQL statement CREATE USER.
For example, create a user joe and set the CREATEDB attribute for the user.
openGauss=# CREATE USER joe WITH CREATEDB PASSWORD "xxxxxxxxx";
CREATE ROLE
- To create a system administrator, use the CREATE USER statement with the SYSADMIN parameter.
- To delete an existing user, use DROP USER.
- To change a user account (for example, rename the user or change the password), use ALTER USER.
- To view the user list, query the view PG_USER:
openGauss=# SELECT * FROM pg_user;
- To view user attributes, query the system catalog PG_AUTHID.
openGauss=# SELECT * FROM pg_authid;
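The statements listed above, carried through as one user lifecycle. This is an added example and not code from the GaussDB documentation; the user names joe and app_reporting, the placeholder passwords, and the renamed account are assumptions chosen for the example, and the column names are those of openGauss's PG_USER and PG_AUTHID views. Run it as a user that holds CREATEROLE or SYSADMIN.

```sql
-- Added example (not from the original page). Names and passwords are placeholders.

-- Create a user that is allowed to create databases.
CREATE USER joe WITH CREATEDB PASSWORD "Placeholder#Pw1";

-- Create a second user with no extra attributes: the least-privilege default.
CREATE USER app_reporting PASSWORD "Placeholder#Pw2";

-- Check which attributes were actually granted, first in the user list ...
SELECT usename, usesuper, usecreatedb
  FROM pg_user
 WHERE usename IN ('joe', 'app_reporting');

-- ... and then in the catalog that carries the full attribute set.
SELECT rolname, rolcreaterole, rolcreatedb, rolsystemadmin
  FROM pg_authid
 WHERE rolname IN ('joe', 'app_reporting');

-- Change the account: rotate the password, withdraw CREATEDB, rename it.
ALTER USER joe IDENTIFIED BY "Placeholder#Pw1-new" REPLACE "Placeholder#Pw1";
ALTER USER joe WITH NOCREATEDB;
ALTER USER joe RENAME TO joe_renamed;

-- Verify the change took effect (expected: usecreatedb = f for joe_renamed).
SELECT usename, usecreatedb FROM pg_user WHERE usename = 'joe_renamed';

-- Remove the account that is no longer needed.
DROP USER app_reporting;
```

The two catalog queries are the useful part for a reviewer: PG_USER answers "who exists and can they create databases", while PG_AUTHID is where the administrative attributes such as rolsystemadmin and rolcreaterole are visible, so it is the view to audit after any ALTER USER.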
Private Users
If multiple service departments use different database user accounts to perform service operations, and a database maintenance department at the same level uses database administrator accounts to perform maintenance operations, the service departments may require that, without specific authorization, database administrators can perform the DROP, ALTER, and TRUNCATE operations on their data but cannot perform the INSERT, DELETE, UPDATE, SELECT, and COPY operations on it. That is, the management permissions that database administrators hold on tables need to be isolated from access permissions, to improve the data security of common users.
In separation-of-duties mode, a database administrator has no permissions on the tables in the schemas of other users. In this case, database administrators have neither management permissions nor access permissions, which does not meet the requirements of the service departments described above. Therefore, GaussDB provides private users to solve the problem: in non-separation-of-duties mode, create private users with the INDEPENDENT attribute. Users with the CREATEROLE permission or the system administrator permission can create private users or change the attributes of common users to private users. Common users can also change their own attributes to private users.
openGauss=# CREATE USER user_independent WITH INDEPENDENT IDENTIFIED BY "1234@abc";
System administrators can manage (DROP, ALTER, and TRUNCATE) table objects of private users but cannot access (INSERT, DELETE, SELECT, UPDATE, COPY, GRANT, REVOKE, and ALTER OWNER) the objects before being authorized.
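The split between management and access permissions, shown as the sequence of statements a practitioner would run to verify it. This is an added example, not code from the GaussDB documentation. It assumes non-separation-of-duties mode (as the page states), that creating user_independent also creates a same-name schema for that user's tables, and that the table name dept_data, the role name sysadmin_user, and the password are placeholders. Each group of statements is run by the session noted in the comment above it.

```sql
-- Added example (not from the original page). dept_data, sysadmin_user and the
-- password are placeholders; non-separation-of-duties mode is assumed.

-- Session 1, a user with CREATEROLE or SYSADMIN: create the private user.
CREATE USER user_independent WITH INDEPENDENT IDENTIFIED BY "Placeholder#Pw3";

-- Session 2, logged in as user_independent: the department's own table.
CREATE TABLE user_independent.dept_data (id INT, payload TEXT);
INSERT INTO user_independent.dept_data VALUES (1, 'service department data');

-- Session 3, logged in as a system administrator, with no grant from
-- user_independent. Management operations go through:
ALTER TABLE user_independent.dept_data ADD COLUMN note TEXT;   -- succeeds
TRUNCATE user_independent.dept_data;                            -- succeeds

-- Access operations on the same table are refused until authorized:
SELECT * FROM user_independent.dept_data;                       -- permission denied
INSERT INTO user_independent.dept_data VALUES (2, 'x', NULL);   -- permission denied
GRANT SELECT ON user_independent.dept_data TO sysadmin_user;    -- permission denied

-- Session 2 again, as user_independent: the owner alone authorizes access.
GRANT SELECT ON user_independent.dept_data TO sysadmin_user;

-- Session 3 again, as the system administrator: the read now succeeds.
SELECT * FROM user_independent.dept_data;
```

The point to check in your own environment is the third session: a successful TRUNCATE followed by a refused SELECT is exactly the isolation the page describes, and the refused GRANT confirms that the administrator cannot simply authorize itself. Note that TRUNCATE, though a "management" operation, still destroys the department's rows, so the INDEPENDENT attribute protects confidentiality of the data, not its availability.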
PG_STATISTIC and PG_STATISTIC_EXT store sensitive information about statistical objects, such as high-frequency MCVs. After separation of duties is enabled, the system administrator can still access the two system catalogs to obtain the statistics.
Permanent User
GaussDB provides the permanent user solution. That is, create a permanent user with the PERSISTENCE attribute.
openGauss=# CREATE USER user_persistence WITH PERSISTENCE IDENTIFIED BY "1234@abc";
Only the initial user is allowed to create, modify, and delete permanent users with the PERSISTENCE attribute.