MySQL 8 Study Notes, Part 2: User Management
Creating users
create user if not exists 'anan'@'localhost' identified with mysql_native_password by 'Zja1540774503_' with max_queries_per_hour 500 max_updates_per_hour 100;
Granting and revoking access to users
grant select on company.* to 'company_read_only'@'localhost';
-- MySQL 8 no longer accepts IDENTIFIED in GRANT; create the account first, then grant.
CREATE USER 'company_write'@'%' IDENTIFIED WITH mysql_native_password AS '*EBD9E3BFD1489CA1EB0D2B4F29F6665F321E8C18';
GRANT INSERT, DELETE, UPDATE ON company.* TO 'company_write'@'%';
CREATE USER 'employees_ro'@'%' IDENTIFIED WITH mysql_native_password AS '*EBD9E3BFD1489CA1EB0D2B4F29F6665F321E8C18';
GRANT SELECT(first_name, last_name) ON employees.employees TO 'employees_ro'@'%';
-- GRANT OPTION is not a privilege to grant on its own; it is a clause of the GRANT statement.
GRANT ALL ON *.* TO 'dbadmin'@'%' WITH GRANT OPTION;
Role and user grants form a graph, and MySQL permits loops in it (each statement on its own line; the comments mark the loops):
CREATE USER 'u1', 'u2';
CREATE ROLE 'r1', 'r2';
GRANT 'u1' TO 'u1'; -- simple loop: u1 => u1
GRANT 'r1' TO 'r1'; -- simple loop: r1 => r1
GRANT 'r2' TO 'u2';
GRANT 'u2' TO 'r2'; -- mixed user/role loop: u2 => r2 => u2
revoke select on *.* from 'anan'@'localhost';
All the user information, along with privileges, is stored in the mysql.user table. If you have the privilege to access the mysql.user table, you can directly modify the mysql.user table to create users and grant privileges.
Reload the privilege tables:
flush privileges;
Restrict a user to local connections only:
update mysql.user set host='localhost' where user='anan';
flush privileges;
Create a user and require a password change at first login:
create user 'developer'@'%' identified with mysql_native_password as '*98F1E207D17ED074CF0C4B7F79DC7F6F6035E291' password expire;
The user changes the password (a plaintext password needs BY; AS expects a hash):
alter user 'developer'@'%' identified with mysql_native_password by 'new_company_pass';
Manually expire the existing user's password:
alter user 'developer'@'%' password expire;
Require the password to be changed at a fixed interval (every 180 days in the original English note; the command below uses 90 days):
alter user 'developer'@'%' password expire interval 90 day;
Locking users
alter user 'developer'@'%' account lock;
You can unlock the account after confirming:
alter user 'developer'@'%' account unlock;
Creating roles for users
A MySQL role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. A user account can be granted roles, which gives the account the role's privileges. Earlier, you created separate users for reads, writes, and administration. For write privilege, you granted INSERT, DELETE, and UPDATE to the user. Instead, you can grant those privileges to a role and then assign the user to that role. This way, you avoid granting privileges individually to what may be many user accounts.
Create roles:
create role 'app_read_only','app_writes','app_developer';
grant select on employees.* to 'app_read_only';
grant insert ,update,delete on employees.* to 'app_writes';
grant all on employees.* to 'app_developer';
For example:
create user emp_read_only identified by 'Abce#asfd_3re';
create user emp_writes identified by 'Abce#asfd_3re';
create user emp_developer identified by 'Abce#asfd_3re';
grant 'app_read_only' to 'emp_read_only'@'%';
grant 'app_writes' to 'emp_writes'@'%';
grant 'app_developer' to 'emp_developer'@'%';
grant 'app_read_only','app_writes' to 'emp_read_write'@'%'; -- the emp_read_write account must be created first
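The role workflow above, carried through end to end as an added example (not code from the original notes): a granted role is inactive until it is activated, so the activation and verification steps are included. It assumes the employees schema exists and reuses the placeholder password and the app_*/emp_* names from the notes.

```sql
-- Added example, not from the original notes. Assumes the employees schema
-- exists; 'Abce#asfd_3re' is the notes' placeholder password.
CREATE ROLE IF NOT EXISTS 'app_read_only', 'app_writes', 'app_developer';

-- Privileges live on the roles, never on individual accounts.
GRANT SELECT ON employees.* TO 'app_read_only';
GRANT INSERT, UPDATE, DELETE ON employees.* TO 'app_writes';
GRANT ALL ON employees.* TO 'app_developer';

-- Accounts start with USAGE only; everything else arrives through a role.
CREATE USER IF NOT EXISTS 'emp_read_only'@'%'  IDENTIFIED BY 'Abce#asfd_3re';
CREATE USER IF NOT EXISTS 'emp_read_write'@'%' IDENTIFIED BY 'Abce#asfd_3re';

GRANT 'app_read_only' TO 'emp_read_only'@'%';
GRANT 'app_read_only', 'app_writes' TO 'emp_read_write'@'%';

-- A granted role is NOT active by default: without this step the user can
-- log in but every SELECT on employees.* is denied.
SET DEFAULT ROLE ALL TO 'emp_read_only'@'%', 'emp_read_write'@'%';

-- Verify the effective privileges; USING expands the roles into their grants.
SHOW GRANTS FOR 'emp_read_write'@'%' USING 'app_read_only', 'app_writes';

-- Inside a session of emp_read_write, confirm which roles are active:
-- SELECT CURRENT_ROLE();

-- Tightening access for every writer at once: revoke from the role, not
-- from each account.
REVOKE DELETE ON employees.* FROM 'app_writes';
```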
Published note: because this was written in the Youdao Cloud Notes member Markdown format, the images do not display here; the link to the note is attached:
http://note.youdao.com/noteshare?id=c109e307813fff8baa48bfc9c4904d39&sub=0D00DFD88C0E4AF2A9DF30C30F8401EE