DaaS / Products / Automated employee database provisioning

Automated employee database provisioning

When a new employee is onboarded in HR systems, EventBridge captures the event and triggers automated creation of RDS database accounts with role-appropriate permissions, eliminating manual database user setup.

Products involved

Scenario

When HR systems emit employee onboarding events, developers can automate RDS account provisioning by routing these events through EventBridge. This eliminates manual SQL execution or console clicks, ensuring new hires instantly receive role-scoped database access upon onboarding.

Integration steps

Create a custom EventBridge bus to isolate HR traffic: aliyun eventbridge CreateEventBus --EventBusName hr-onboarding-bus
Configure an HTTP API event source to accept HR webhooks at https://<region>.eventbridge.aliyuncs.com/api/v1/events.
Define a routing rule with pattern: {"source": ["hr.system"], "detail-type": ["Employee.Onboarded"]}.
Create an API Destination targeting https://rds.aliyuncs.com. Attach a RAM role with AliyunRDSFullAccess.
Map the rule target to the destination. Set HTTP method to POST and path to /?Action=CreateAccount&Version=2014-08-15.
Configure input transformation to map HR payload fields to RDS API parameters:

``json {"DBInstanceId":"rm-uf6wjk5xxxx","AccountName":"$.detail.employee_id","AccountPassword":"$.detail.temp_pw","AccountType":"Normal"} ``

Add a second target calling GrantAccountPrivilege with AccountPrivilege mapped to $.detail.db_role (e.g., ReadWrite or ReadOnly).
Validate the pipeline: curl -X POST <eb_endpoint> -d '{"source":"hr.system","detail-type":"Employee.Onboarded","detail":{"employee_id":"dev_01","temp_pw":"P@ssw0rd!","db_role":"ReadOnly"}}'

Architecture

The HR system pushes a JSON payload to EventBridge’s HTTP API endpoint. EventBridge evaluates the payload against a pattern-matching rule, transforms the event into RDS OpenAPI parameters, and invokes the CreateAccount action via API Destination. RDS provisions the account, applies the mapped privileges, and returns a success status to EventBridge, which logs the execution for audit.

Prerequisites

Active ApsaraDB RDS instance with network access reachable from EventBridge.
RAM role with AliyunEventBridgeFullAccess and AliyunRDSFullAccess policies.
HR system capable of sending authenticated HTTPS POST requests.
EventBridge API Destination configured with VPC connector if RDS uses private networking.

Common pitfalls

Password policy violations: RDS enforces 8-32 chars with mixed case/symbols. Non-compliant HR payloads trigger InvalidPassword.
API QPS throttling: Bulk onboarding spikes exceed RDS API limits. Configure EventBridge retry policies with exponential backoff.
VPC isolation failures: API Destinations cannot reach private RDS endpoints without a VPC connector or NAT gateway.
Duplicate account errors: Reusing employee_id without idempotency checks causes AccountAlreadyExists. Append unique suffixes or pre-check existence.

Typical questions

automate database account creation for new employees
auto-provision db users when employee joins
新员工自动创建数据库账号
EventBridge触发RDS账号管理
integrate HR system with database provisioning
employee onboarding automation
自动配置数据库权限

FAQ

Q: How does the system automatically provision database accounts for new employees? A: The system automatically creates RDS database accounts with role-appropriate permissions when a new employee is onboarded in an HR system. EventBridge captures the onboarding event to trigger this workflow, eliminating manual database user setup by integrating with ApsaraDB RDS account management.