Managing user permissions

Written by

Updated at April 13, 2026

Changing user privileges
Examples
- Creating a user with read-only permissions

You can manage user permissions for the whole cluster or individual databases by changing user privileges. The administrative privileges are set at the cluster level.

Warning

To change user permissions at the cluster or database level, use the Yandex Cloud interfaces. Changes made using SQL commands are not saved.

For more information, see User permissions in Managed Service for MySQL®.

Changing user privileges

Management console

CLI

Terraform

REST API

gRPC API

Navigate to Managed Service for MySQL.
Click the name of your cluster and select the Users tab.
Click and select Configure.
Optionally, add the databases required for the user:
1. Click Add database.
2. Select the database from the drop-down list.
3. Repeat these two steps to select all required databases.
4. To revoke access to a specific database, delete it from the list by clicking to the right of the database name.
Specify the required user privileges for each database individually:
1. In the Roles column, click .
2. In the drop-down list, select the privilege you want to grant the user.
3. Repeat these two steps to add all required privileges.
To revoke a privilege, click to the right of its name.
Optionally, in the Global permissions under Additional settings, configure administrative user privileges at the cluster level.
Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

Granting privileges to a user:
```
yc managed-mysql user grant-permission <username> \
  --cluster-name <cluster_name> \
  --database <DB_name> \
  --permissions <privileges_separated_by_commas>
```
You can get the cluster name with the list of clusters in the folder, the database name, with the list of databases in the cluster, and the username, with the list of users in the cluster.

Revoking privileges from a user:

yc managed-mysql user revoke-permission <username> \
  --cluster-name <cluster_name> \
  --database <DB_name> \
  --permissions <privileges_separated_by_commas>

To grant or revoke ALL_PRIVILEGES, specify the ALL alias as the privilege name.

Open the current Terraform configuration file describing your infrastructure.

For more on how to create this file, see Creating a cluster.
Find the relevant yandex_mdb_mysql_user resource and change the list of user’s privileges for the appropriate database in the roles parameter:
```
resource "yandex_mdb_mysql_user" "<username>" {
  cluster_id = "<cluster_ID>"
  name       = "<username>"
  permission {
    database_name = "<DB_name>"
    roles         = [<list_of_privileges>]
  }
  ...
}
```
Where:
- database_name: Name of the database the user will have access to.
- roles: List of user privileges for the DB.
Validate your configuration.
1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
2. Run this command:
```
terraform validate
```
  Terraform will show any errors found in your configuration files.
Confirm resource changes.
1. Run this command to view the planned changes:
```
terraform plan
```
  If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
2. If everything looks correct, apply the changes:
  1. Run this command:
```
terraform apply
```
  2. Confirm updating the resources.
  3. Wait for the operation to complete.

For more information, see this Terraform provider article.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Call the User.update method, e.g., via the following cURL request:

Warning

The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the updateMask parameter as a single comma-separated string.
```
curl \
    --request PATCH \
    --header "Authorization: Bearer $IAM_TOKEN" \
    --header "Content-Type: application/json" \
    --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>/users/<username>' \
    --data '{
              "updateMask": "permissions",
              "permissions": [
                {
                  "databaseName": "<DB_name>",
                  "roles": [
                    "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
                  ]
                }
              ]
            }'
```
Where:
- updateMask: Comma-separated string of settings to update.
  
  Here, we provide only one setting.
- permissions: User permission settings:
  - databaseName: Name of the database to which the user will have access.
  - roles: Array of user privileges, each provided as a separate string in the array. For the list of possible values, see User privileges in a cluster.
  For each database, add a separate element with permission settings to the permissions array.
You can get the cluster ID from the list of clusters in your folder, and the username from the list of cluster users.
Check the server response to make sure your request was successful.

Get an IAM token for API authentication and put it into an environment variable:
```
export IAM_TOKEN="<IAM_token>"
```
Clone the cloudapi repository:
```
cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
```
Below, we assume that the repository contents reside in the ~/cloudapi/ directory.
Call the UserService/Update method, e.g., via the following gRPCurl request:
Warning
The API method will assign default values to all the parameters of the object you are modifying unless you explicitly provide them in your request. To avoid this, list the settings you want to change in the update_mask parameter as an array of paths[] strings.
Format for listing settings
"update_mask": { "paths": [ "<setting_1>", "<setting_2>", ... "<setting_N>" ] }
```
grpcurl \
    -format json \
    -import-path ~/cloudapi/ \
    -import-path ~/cloudapi/third_party/googleapis/ \
    -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/user_service.proto \
    -rpc-header "Authorization: Bearer $IAM_TOKEN" \
    -d '{
          "cluster_id": "<cluster_ID>",
          "user_name": "<username>",
          "update_mask": {
            "paths": [
              "permissions"
            ]
          },
          "permissions": [
            {
              "database_name": "<DB_name>",
              "roles": [
                "<privilege_1>", "<privilege_2>", ..., "<privilege_N>"
              ]
            }
          ]
        }' \
    mdb.api.cloud.yandex.net:443 \
    yandex.cloud.mdb.mysql.v1.UserService.Update
```
Where:
- update_mask: List of settings you want to update as an array of strings (paths[]).
  
  Here, we provide only one setting.
- permissions: User permissions:
  - database_name: Name of the database to which the user will have access.
  - roles: Array of user privileges, each provided as a separate string in the array. For the list of possible values, see User privileges in a cluster.
  For each database, add a separate element with permission settings to the permissions array.
You can get the cluster ID from the list of clusters in your folder, and the username from the list of cluster users.
Check the server response to make sure your request was successful.

Examples

Creating a user with read-only permissions

To create a new user named user2 with the SecretPassword password and read-only access to the db1 database in the existing cluster1:

Management console

CLI

Terraform

Create a user named user2. When creating the user:

Add db1 to the database list.
Add the SELECT role for db1.

Create a user named user2:

yc managed-mysql user create "user2" \
  --cluster-name "cluster1" \
  --password "SecretPassword"

Add the SELECT role for db1:

yc managed-mysql users grant-permission "user2" \
  --cluster-name "cluster1" \
  --database "db1" \
  --permissions "SELECT"

Open the current Terraform configuration file describing your infrastructure.

For more information on how to create this file, see this guide.

Add the yandex_mdb_mysql_user resource:

resource "yandex_mdb_mysql_user" "user2" {
  cluster_id = yandex_mdb_mysql_cluster.cluster1.id
  name       = "user2"
  password   = "SecretPassword"
  permission {
    database_name = "db1"
    roles         = ["SELECT"]
  ...
  }
}

Make sure the settings are correct.
1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
2. Run this command:
```
terraform validate
```
  Terraform will show any errors found in your configuration files.
Confirm updating the resources.
1. Run this command to view the planned changes:
```
terraform plan
```
  If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
2. If everything looks correct, apply the changes:
  1. Run this command:
```
terraform apply
```
  2. Confirm updating the resources.
  3. Wait for the operation to complete.

For more information, see this Terraform provider article.

Managing user permissions

Changing user privilegesChanging user privileges

ExamplesExamples

Creating a user with read-only permissionsCreating a user with read-only permissions

Was the article helpful?

Changing user privileges

Examples

Creating a user with read-only permissions