Three-role Mode Overview
PolarDB-X supports the three-role mode for database management. In the three-role mode, three roles are created to manage databases: the database administrator (DBA), the database security administrator (DSA), and the data audit administrator (DAA). Splitting the management permissions across these three accounts is more secure than granting all of them to a single account, because no single account can both define schema, manage who has access, and review the audit trail.
Risks and risk mitigation
Risks
In the traditional database O&M mode, the DBA is granted full permissions on the database. In this mode, your business can be affected in the following scenarios:
Operational mistakes by the DBA cause security incidents.
The DBA performs malicious operations.
The DBA, third-party outsourcing personnel, or developers access sensitive data without having been granted the required permissions.
Three-role mode
In the three-role mode, the permissions that are granted to the DBA role in the traditional mode are divided among the DBA, DSA, and DAA roles. Each role is granted only a part of the database management permissions. The following list describes the operations that each role can perform.
DBA: DBA is authorized to execute DDL statements.
DSA: DSA is authorized to manage roles and users, and grant permissions to standard accounts.
DAA: DAA is authorized to view audit logs.
Permissions for different roles
The following table describes the permissions that are granted to each system account in the default mode and in the three-role mode.
Note
In the default mode, the DBA account is the privileged account. For more information about the privileged account, see Account types.
After you enable or disable the three-role mode for your instance, only the permissions that are granted to system accounts change. The system accounts are the privileged account, the DBA account, the DSA account, and the DAA account. The permissions that are granted to standard accounts are not affected.
After the three-role mode is enabled, no system account is authorized to execute DML statements, Data Query Language (DQL) statements, or Data Administration Language (DAL) statements. Use the DSA account to grant standard accounts the permissions to execute these types of statements.
In the following table, Yes indicates that the account is granted the permissions for the corresponding operations, and No indicates that it is not.
Operation type | Description | Privileged account (default mode) | DBA account (three-role mode) | DSA account (three-role mode) | DAA account (three-role mode)
---|---|---|---|---|---
DDL | ALTER TABLE, CREATE TABLE, CREATE VIEW, CREATE INDEX, CREATE CCL_RULE, DROP VIEW, DROP INDEX, DROP TABLE *, TRUNCATE TABLE | Yes | Yes | No | No
DML | DELETE, UPDATE *, INSERT | Yes | No | No | No
DQL | SELECT, EXPLAIN | Yes | No | No | No
DAL | SHOW CCL_RULE, SHOW INDEX | Yes | No | No | No
Operations on roles and accounts | Manage accounts and permissions; manage role permissions | Yes | No | Yes | No
Operations on audit logs | View audit logs in information_schema.polardbx_audit_log and information_schema.polardbx_ddl_log | Yes | No | No | Yes
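The following SQL walks through one full cycle of the three-role mode: the DBA defines schema, the DSA creates standard accounts and grants them the DML and DQL permissions that no system account holds, the application account performs DML, and the DAA reviews the audit tables listed in the table above. It is an added example, not from the PolarDB-X documentation. The database, table, account and role names and the password placeholders are assumptions; the statements use MySQL-compatible account and role syntax, and because this page does not list the columns of the audit tables, the audit queries use SELECT *.

```sql
-- Added example, not from the PolarDB-X documentation.
-- Names (orders_db, orders, app_rw, report_ro, reporting) and passwords are
-- assumptions; the system-account names in a real instance are whatever the
-- console assigned, not placeholders.

-- Step 1: logged on as the DBA account. In three-role mode it holds DDL only.
CREATE TABLE orders_db.orders (
  id     BIGINT NOT NULL PRIMARY KEY,
  amount DECIMAL(10, 2) NOT NULL,
  note   VARCHAR(255)
);
-- The DBA account has no DQL permission in three-role mode, so a query such as
-- SELECT * FROM orders_db.orders; is rejected when run as the DBA account.

-- Step 2: logged on as the DSA account. It manages accounts, roles and grants,
-- but cannot itself read or write application data.
CREATE USER 'app_rw'@'%' IDENTIFIED BY '<strong-password-1>';
CREATE USER 'report_ro'@'%' IDENTIFIED BY '<strong-password-2>';

-- Least privilege: the application may read and write rows in one table and
-- never receives DDL.
GRANT SELECT, INSERT, UPDATE, DELETE ON orders_db.orders TO 'app_rw'@'%';

-- Reporting access is read-only and packaged as a role so it can be reused
-- for further accounts without repeating the grants.
CREATE ROLE 'reporting';
GRANT SELECT ON orders_db.* TO 'reporting';
GRANT 'reporting' TO 'report_ro'@'%';
SET DEFAULT ROLE 'reporting' TO 'report_ro'@'%';

-- Per the limits of this mode, GRANT on a system account is not allowed, so
-- GRANT SELECT ON orders_db.* TO '<dba-account>'@'%'; is rejected.

-- Step 3: logged on as app_rw. Only the DML the DSA granted succeeds.
INSERT INTO orders_db.orders (id, amount, note) VALUES (1, 19.99, 'first order');
-- A schema change from this account, e.g. DROP TABLE orders_db.orders;, is
-- rejected because the account was never granted DDL.

-- Step 4: logged on as the DAA account. It can only read the audit tables.
SELECT * FROM information_schema.polardbx_ddl_log LIMIT 20;   -- the CREATE TABLE
SELECT * FROM information_schema.polardbx_audit_log LIMIT 20; -- the grants and DML
```

Run each step in a separate session with the account named in its comment; the point of the mode is that no single session can complete all four steps.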
Limits
Before you use the three-role mode, you must take note of the following limits:
You cannot run GRANT ROLE or REVOKE ROLE commands on the DBA, DSA, and DAA accounts.
You cannot run GRANT PRIVILEGES or REVOKE PRIVILEGES commands on the DBA, DSA, and DAA accounts.
You can change the password of a system account only while logged on to the database with that account. For example, to change the password of the DBA account, you must log on by using the DBA account.
You cannot run the SET DEFAULT ROLE command on the DBA, DSA, and DAA accounts.