Configuring permissions for the database user
For MySQL
Create a database user with a master login and grant these permissions:
mysql --protocol=tcp --host=instance_fqdn --user=admin -p --port=3306
CREATE USER dbuser IDENTIFIED BY '<password>';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, LOCK TABLES, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, SHOW_ROUTINE, EVENT, TRIGGER ON *.* TO `dbuser`@'%' WITH GRANT OPTION;
For Azure MySQL incremental protection add these additional permission:
GRANT SET_USER_ID, REPLICATION CLIENT, SESSION_VARIABLES_ADMIN, REPLICATION_APPLIER ON *.* TO `dbuser`@'%' WITH GRANT OPTION;
For PostgreSQL
Create a database user under the server and grant the following permissions:
psql -h instance_fqdn -U postgres
CREATE USER dbuser WITH PASSWORD '<password>' CREATEDB;
(For AWS RDS PostgreSQL) GRANT rds_superuser TO dbuser;
(For AZURE PostgreSQL) GRANT azure_pg_admin TO dbuser;
(For GCP PostgreSQL) GRANT cloudsqlsuperuser TO dbuser;
For SQL Server
Create a database user under the server and grant the following permission:
Create a login on the server:
CREATE LOGIN dbuser WITH PASSWORD='<password>'
Create a user for the database in the server:
CREATE USER [dbuser] FOR LOGIN [dbuser]
ALTER ROLE [db_owner] ADD MEMBER [dbuser]
Note:
The database user must not be part of any database deny role. For example: db_denydatareader and db_denydatawriter.