Privilege management is an important aspect of managing the security of a MySQL installation. Following the principle of least privilege, a MySQL account should be granted only the privileges required for its legitimate purposes. To facilitate effective privilege management, MySQL 8.0 provides two new privilege-related features: MySQL Roles and Dynamic Privileges.
- MySQL roles are named collections of privileges. A user account can be granted roles, which grants to the account the privileges associated with each role. This enables assignment of sets of privileges to accounts and provides a convenient alternative to granting individual privileges, both for conceptualizing desired privilege assignments and implementing them.
  For more information about using roles to manage account privileges, see Using Roles.
- Dynamic privileges enable DBAs to begin migrating away from the SUPER privilege. Many operations covered by SUPER are associated with a dynamic privilege of more limited scope. Operations that previously required the SUPER privilege can be permitted to an account by granting the associated dynamic privilege rather than SUPER. For example, a user who must be able to modify global system variables can be granted SYSTEM_VARIABLES_ADMIN rather than SUPER.
  This change improves security by enabling DBAs to avoid granting SUPER and tailor user privileges more closely to the operations permitted. The SUPER privilege is deprecated and will be removed in a future version of MySQL.
  For more information about this feature, see Static Versus Dynamic Privileges. That discussion includes instructions for migrating accounts away from SUPER to dynamic privileges.
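
The two features combined, as an added example that is not part of the original documentation text: an account that holds SUPER only so that it can change global system variables is moved to a role carrying SYSTEM_VARIABLES_ADMIN. The role name config_admin and the account ops_user@localhost are hypothetical, and the account is assumed to exist already and to hold SUPER.

```sql
-- Added example. 'config_admin' and 'ops_user'@'localhost' are hypothetical names.
-- Run as an administrative account on MySQL 8.0.

-- 1. Find accounts that still hold the deprecated SUPER privilege.
SELECT User, Host
  FROM mysql.user
 WHERE Super_priv = 'Y';

-- 2. Create a role that carries only the narrower dynamic privilege.
--    Dynamic privileges are global, so they are granted ON *.*.
CREATE ROLE 'config_admin';
GRANT SYSTEM_VARIABLES_ADMIN ON *.* TO 'config_admin';

-- 3. Grant the role to the account and make it active at login.
--    Without a default role the account would have to run SET ROLE
--    in each session before the privilege takes effect.
GRANT 'config_admin' TO 'ops_user'@'localhost';
SET DEFAULT ROLE 'config_admin' TO 'ops_user'@'localhost';

-- 4. Remove the broad privilege from the account.
REVOKE SUPER ON *.* FROM 'ops_user'@'localhost';

-- 5. Verify: show the account's effective grants with the role applied.
--    SYSTEM_VARIABLES_ADMIN should be listed and SUPER should not.
SHOW GRANTS FOR 'ops_user'@'localhost' USING 'config_admin';

-- 6. Audit which accounts and roles hold the dynamic privilege.
--    The role appears here as the holder, not the individual account.
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION
  FROM mysql.global_grants
 WHERE PRIV = 'SYSTEM_VARIABLES_ADMIN';
```

Rerunning the query from step 1 after the migration gives the list of accounts that still need the same treatment.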