This topic describes how to create accounts in a tenant and manage the privileges of the accounts in different databases of the tenant.
Background information
Before you connect to a database, you need to create an account with the privilege to connect to the database. Different account types have different privileges. You can use an account with database operation privileges to log in to the database. In a MySQL-compatible tenant, you can associate an account with multiple databases. In an Oracle-compatible tenant, an account has only the privileges of its corresponding schema.
Prerequisites
Before you create an account, check whether the following condition is met:
- The tenant is not being created or deleted, and has not been deleted.
Create an account
You can create an account by using one of the following four methods:
Method 1: Log in to the OceanBase Cloud console. On the tenant overview page, click Manage Access in the left-side navigation pane, and then click Create Account in the upper-right corner.
Method 2: Log in to the OceanBase Cloud console. On the Tenants page, click ... > Create Account in the Actions column of the target tenant.
Method 3: Log in to the OceanBase Cloud console. On the tenant overview page, click Create Account in the upper-right corner.
Method 4: Log in to the OceanBase Cloud console. On the instance list page, expand the target instance, and then click ... > Create Account for the target tenant.
The following example describes how to create an account by using Method 1:
Log in to the OceanBase Cloud console.
On the instance list page, click the expand icon next to the instance name, and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
In the upper-right corner, click Create Account. Specify the following parameters based on your needs.
- Account Name: Set the name of the account. The account name must start with a lowercase letter, must be 2 to 32 characters long, and can contain uppercase letters, lowercase letters, hyphens, underscores, and numbers. It cannot contain any of the following reserved keywords (including the corresponding lowercase keywords): SYS, OCEANBASE, ROOT, OPERATOR, LBACSYS, ORAAUDITOR, OBMIGRATE, OMC, IDB_DDL, ODC_RND, ODC_DDL, and DWEXP.
- Account Type: You can create a regular account, a super account, or a read-only account.
  - A regular account has the privileges to run DML and DDL statements in the database. For more information, see Account privileges.
  - A super account has the read and write privileges on all databases by default.
  - A read-only account has the read privileges on all databases by default.
  DML statements are used to query or operate on data in existing schema objects. DDL statements are used to define, modify, and delete schema objects. For more information, see SQL statement overview.
- Global Privileges: The encryption and decryption privileges. You can select Encrypt or Decrypt.
  Note
  - This parameter is supported only for MySQL-compatible tenants of OceanBase Database V4.2.5.
  - After you enable the privileges, you must enable Transparent Data Encryption (TDE) to use the encryption and decryption feature in the database. A super account has both privileges by default.
- Grant Database Privileges: You can grant database privileges to an account that has not yet been authorized. The privileges include: custom, read-only, read/write, DDL-only, and DML-only.
  In MySQL compatible mode, the account can be granted the following privileges on the database:
  - Custom: ALTER, CREATE, DELETE, DROP, INSERT, SELECT, UPDATE, INDEX, CREATE VIEW, and SHOW VIEW. Multiple privileges can be selected.
  - Read-only: CREATE SESSION, SELECT, and SHOW VIEW.
  - Read/write: ALL PRIVILEGES except GRANT OPTION.
  - DDL-only: CREATE, DROP, ALTER, SHOW VIEW, and CREATE VIEW.
  - DML-only: SELECT, INSERT, UPDATE, DELETE, SHOW VIEW, and PROCESS.
- Password: The password policy depends on the database version. The current password policy is as follows.
  - In MySQL compatible mode:
    - For databases earlier than V4.2.1: The password must be 10 to 32 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.
    - For databases V4.2.1 and later: The password must be 8 to 64 characters long. You can customize the password policy. For more information, see Set a password policy.
  - In Oracle compatible mode: The password must be 10 to 32 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.
  Special characters: ~!@#$%^&*_-+=|(){}[]:;,.?/
- Randomly Generate: Click this button to generate a random password. After the password is generated, copy it and store it securely.
- Remarks (optional): The remarks cannot exceed 30 characters.
Click Create. After the account is created, you can view the account name, account type, associated database, status, and remarks on the account list page.
Lock an account
Log in to the OceanBase Cloud console.
On the instance list page, click the expand icon next to the instance name and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
Click the icon in the Actions column of the target account and select Lock.
In the dialog box that appears, click Lock. A locked account cannot be used to log in.
Reset a password
Log in to the OceanBase Cloud console.
On the Instances page, click the expand icon next to the instance name and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
Click the icon in the Actions column of the target account and select Reset Password.
In the dialog box that appears, enter and confirm the new password, and then click OK.
Edit remarks
Log in to the OceanBase Cloud console.
On the Instances page, click the expand icon next to the instance name and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
Click the icon in the Actions column of the target account and select Edit Remarks.
In the dialog box that appears, edit the remarks and click OK.
Update privileges
Log in to the OceanBase Cloud console.
On the Instances page, click the expand icon next to the instance name and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
Click the icon in the Actions column of the target account and select Update Privilege.
In the dialog box that appears, modify the privileges and click Modify.
Delete an account
Log in to the OceanBase Cloud console.
On the Instances page, click the expand icon next to the instance name, and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
Click the icon in the Actions column of the target account and select Delete.
Enter delete and click Delete. Note that the account cannot be recovered after it is deleted.
Set a password policy
Note
The password policy feature is supported in OceanBase Database V4.2.1 and later.
Log in to the OceanBase Cloud console.
On the Instances page, click the expand icon on the left side of the instance name and then click the name of the target tenant.
In the left-side navigation pane, click Manage Access to go to the accounts page.
In the upper-right corner of the page, click Set Password Policy.
On the Set Password Policy page, set the following parameters.
- Minimum Length: The minimum length of an account password. The default value is 8. The minimum length must be greater than or equal to (Minimum Uppercase and Lowercase Letters × 2) + Minimum Digits + Minimum Special Characters.
- Minimum Uppercase and Lowercase Letters: The minimum number of uppercase and lowercase English characters in an account password. The default value is 2, which indicates that the password must contain at least two uppercase letters and two lowercase letters.
- Minimum Digits: The minimum number of digits in an account password. The default value is 2.
- Minimum Special Characters: The minimum number of special characters in an account password. The default value is 2.
- Account Name Detection: If enabled, the password must not contain the account name.
- Lockout upon Consecutive Login Failures: If enabled, you can set Threshold and Lockout Duration. If the number of consecutive logon failures exceeds the threshold, the system locks the account for the specified duration.
Click OK to save the password policy. After the policy is saved, passwords that are created or modified afterwards must comply with the new policy. Existing passwords are not affected.