This topic describes how to create a user.
Who can create a user
During database runtime, different users are often created and granted corresponding privileges. Generally, users with the CREATE USER privilege can create users.
The CREATE USER privilege is powerful. By default, only cluster administrators and tenant administrators have this system privilege. If other users need to create users, they must be granted the CREATE USER privilege. For more information about how to grant privileges, see Directly grant privileges.
User name rules
When you specify a username, note the following restrictions:
Uniqueness of the username: Each username must be unique within a tenant. Users in different tenants can have the same username. Therefore, a tenant user is uniquely identified in the username@tenant name format.
Naming conventions for usernames:
When you use a client such as OBClient or ODC to create a user, the username must be no longer than 64 bytes.
When you use OCP to create a user, the username must start with an English letter and can contain uppercase letters, lowercase letters, digits, and underscores. The length of the username must be 2 to 64 characters.
Create a user with the minimum database privileges
For users with the CREATE USER system privilege, it is recommended to follow the principle of least privilege. That is, all users should only have the minimum privileges required to perform their tasks.
The SQL statement for creating a user is as follows:
CREATE USER user_name [host_name] IDENTIFIED BY password [REQUIRE {NONE | SSL | X509 | tls_option_list}]
[PROFILE user_profile] [DEFAULT TABLESPACE table_space] [PRIMARY_ZONE 'zone_name']
password:
STR_VALUE
tls_option_list:
tls_option
| tls_option_list, tls_option
tls_option:
CIPHER STR_VALUE
| ISSUER STR_VALUE
| SUBJECT STR_VALUE
Statement description:
user_name: the username. If a user with the same username already exists, an error is returned.
host_name: the IP address of the host from which the user connects, in the format @xx.xx.xx.xx.
IDENTIFIED BY: in Oracle mode, you must use IDENTIFIED BY to specify a password for the user.
REQUIRE: specifies the encryption protocol used by the user. Valid values: NONE, SSL, X509, and tls_option_list.
PROFILE: specifies the profile used by the user. If not specified, the system DEFAULT profile is used. All settings in the DEFAULT profile are unrestricted by default.
DEFAULT TABLESPACE table_space: specifies the default tablespace for the user. This parameter has no practical significance.
PRIMARY_ZONE: specifies the primary zone for the user. For more information about primary zones, see Primary Zone.
The following example creates a user test2 with the minimum database privilege, that is, the privilege to connect to the database.
1. Log in to the Oracle tenant of the cluster as the SYS user.
2. Execute the following command to create the test2 user.
obclient> CREATE USER test2 IDENTIFIED BY ******;
For more information about the CREATE USER statement, see CREATE USER.
3. Execute the following command to grant the test2 user the privilege to connect to the database.
obclient> GRANT CREATE SESSION TO test2;
For more information about the GRANT statement, see GRANT.
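The following is an added example, not part of the original page, that combines the REQUIRE and PROFILE clauses described above with the least-privilege grant: the user app_ro can only connect, and only over TLS, and its login attempts are bounded by a password profile. The user name, profile name, the CREATE PROFILE limit syntax and the DBA_SYS_PRIVS view are assumptions (Oracle-compatible names); the password is a placeholder to replace.

```sql
-- Added example (not from the original page). Run in the Oracle tenant
-- as SYS or as another user that holds the CREATE USER privilege.

-- Assumed Oracle-compatible profile syntax: the DEFAULT profile is
-- unrestricted, so define one that locks the account after repeated
-- failed logins and forces periodic password rotation.
CREATE PROFILE app_login_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5       -- lock after 5 consecutive failures
  PASSWORD_LOCK_TIME 1          -- keep it locked for 1 day
  PASSWORD_LIFE_TIME 90;        -- password expires after 90 days

-- Create the user (name assumed). REQUIRE SSL rejects plaintext
-- connections; PROFILE attaches the policy above. Replace the
-- placeholder password before running.
CREATE USER app_ro IDENTIFIED BY "<replace-with-strong-password>"
  REQUIRE SSL
  PROFILE app_login_profile;

-- Least privilege: the only system privilege is the ability to connect.
GRANT CREATE SESSION TO app_ro;

-- Check that nothing beyond CREATE SESSION was granted. The view name is
-- an assumption (Oracle-compatible dictionary); expected: a single row
-- with PRIVILEGE = 'CREATE SESSION'.
SELECT grantee, privilege
  FROM DBA_SYS_PRIVS
 WHERE grantee = 'APP_RO';
```

Any privilege the application later needs (for example SELECT on specific tables) is granted separately and explicitly, so the check above keeps documenting exactly what the account can do.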
References
After you create a user, you can perform O&M operations such as password rotation. For more information, see Password rotation.
