Deep Analysis of GRANT USAGE in MySQL: Understanding User Creation and Privilege Management

Basic Architecture of MySQL Privilege System

MySQL's privilege management employs a hierarchical structure, with permissions grantable at global (*.*), database (database.*), table (database.table), and column levels. Global privileges are stored in the mysql.user table, while database, table, and column-level privileges reside in mysql.db, mysql.tables_priv, and mysql.columns_priv tables, respectively. This design enables fine-grained control over user access to database resources.

Nature and Function of USAGE Privilege

In MySQL, the USAGE privilege is defined as "no privileges." According to official documentation, it is primarily used to modify account attributes at the global level, such as resource limits or SSL characteristics, without affecting existing privileges. When a user is granted any privilege for the first time, MySQL automatically generates a GRANT USAGE ON *.* TO user statement, which inserts a record into the mysql.user table to indicate the user's existence without granting operational rights. For example, after executing GRANT SELECT ON mydb.* TO 'user1'@'localhost', the system implicitly creates GRANT USAGE ON *.* TO 'user1'@'localhost' IDENTIFIED BY PASSWORD 'hash', where USAGE merely identifies the user without providing data access.

Functionality of the IDENTIFIED BY Clause

The IDENTIFIED BY clause is used to set or update a user's password, which is central to authentication. When included in a GRANT statement, it stores the password hash in the authentication_string column of the mysql.user table. Passwords, as global account attributes, are independent of specific database privileges, ensuring users can log in with correct credentials. For instance, GRANT USAGE ON *.* TO 'admin'@'%' IDENTIFIED BY 'securepass123' creates an account that can only log in without additional privileges, useful for initial setup or password resets.

Practical Workflow for User Creation and Privilege Granting

In MySQL, user creation and privilege assignment are typically handled via CREATE USER and GRANT statements. The CREATE USER statement implicitly grants USAGE and sets a password, e.g., CREATE USER 'newuser'@'localhost' IDENTIFIED BY 'password'. Subsequently, specific privileges are allocated using GRANT, such as GRANT ALL PRIVILEGES ON mydb.* TO 'newuser'@'localhost'. This process ensures clarity and security in privilege management, preventing unauthorized access.

Case Study: Privilege Behavior in the Q&A Scenario

In the user's query, after executing GRANT ALL PRIVILEGES ON database.* TO admin_user and GRANT SELECT, INSERT, UPDATE, DELETE ON database.* TO user, MySQL automatically generates GRANT USAGE ON *.* statements. This occurs because these GRANT operations create global-level account records for the users for the first time. Even if privileges are specific to a database, the system must maintain user metadata in mysql.user, including password hashes (if set via IDENTIFIED BY). This reflects MySQL's integrity: users must have a global identity before receiving granular permissions.

Conclusion and Best Practice Recommendations

Understanding the USAGE privilege and IDENTIFIED BY clause is crucial for effective MySQL database management. Administrators are advised to use CREATE USER to explicitly create users and set passwords, followed by GRANT to assign the least necessary privileges, adhering to security principles. Regularly reviewing the mysql.user table helps monitor account status and avoid redundant or excessive permissions. By mastering these core concepts, administrators can build more secure and efficient database environments.