SingleStore DB

Account Creation

SingleStore recommends the following roles be used as a starting point for all use of the RBAC functionality. It is strongly suggested that these commands be kept in a separate, version-controlled, file and loaded into SingleStore. Depending on requirements, these scripts should be executed on all nodes where users will connect, typically all aggregators and optionally leaves.

Compliance Officer

GRANT USAGE ON *.* TO 'compliance_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'compliance' TO 'compliance_user';

Security Officer

GRANT USAGE ON *.* TO 'security_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'security' TO 'security_user';

Database Administrator

GRANT USAGE ON *.* TO 'dba_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'dba' TO 'dba_user';

Cluster Administrator

GRANT USAGE ON *.* TO 'cluster_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'cluster' TO 'cluster_user';

Backup Operator

GRANT USAGE ON *.* TO 'backup_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'backup_admins' TO 'backup_user';

Application Schema Owner Create one for each distinct application.

GRANT USAGE ON *.* TO 'app_<NAME>_schema_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'app_<NAME>_schema' TO 'app_<NAME>_schema_user';

Application Service Accounts Create one for each distinct application. For additional release validation, one may consider creating a number of accounts for the same application and rotating them during code releases. They should all have unique names and unique passwords.

GRANT USAGE ON *.* TO 'app_<NAME>_user' IDENTIFIED BY 'AVery$ecurePassword123';
GRANT GROUP 'app_<NAME>_schema' TO 'app_<NAME>_user';