Add DSN option and expand user/role examples

Introduce a second DSN option in the MCP client guide (Option B) that shows how to build a stable lake:// DSN from a SQL user (steps and example format). Clarify Option A (Use with AI Tools) as the recommended short-lived DSN. Expand the warehouse and create-user docs with concrete role/user examples: full-access (global) role, single-database role, and read-only role, including SQL to create roles, users, and grant role assignments. Reorganize and rename examples in create-user.md for clarity and add a tip that privileges must be granted to roles (then assigned to users).

Author: lilin90

tidb-cloud-lake/guides/mcp-client-integration.md

@@ -21,7 +21,11 @@ For example: "Create a scheduled task that copies parquet files from @my_stage t
 
 ### 1. Get a {{{ .lake }}} Connection
 
-We recommend using **{{{ .lake }}}** for the best experience.
+We recommend using **{{{ .lake }}}** for the best experience. You can obtain the DSN in two ways.
+
+#### Option A: Use **Use with AI Tools** (recommended)
+
+Generates a short-lived DSN with session sandbox safety in one click. Best for getting AI tools connected quickly.
 
 1. Log in to [{{{ .lake }}}](https://app.lake.tidbcloud.com).
 2. Click **Use with AI Tools**.
@@ -31,6 +35,18 @@ We recommend using **{{{ .lake }}}** for the best experience.
 
 ![Use with AI Tools](/media/tidb-cloud-lake/ai-tools.png)
 
+#### Option B: Build the DSN with your own SQL user
+
+Use this when you want a stable account and permission set (for example, CI pipelines, sharing with teammates, or pairing with a least-privilege policy).
+
+1. Create a SQL user in {{{ .lake }}} and grant the required privileges. See [CREATE USER](/tidb-cloud-lake/sql/create-user.md#example-1-full-access-across-all-databases).
+2. Get your `tenant`, `region`, `database`, and `warehouse` values from **Overview → Connect**.
+3. Assemble the DSN using this format:
+
+    ```text
+    lake://<username>:<password>@<tenant>.gw.<region>.default.tidbcloud.com:443/<database>?warehouse=<warehouse_name>
+    ```
+
 ### 2. Configure Your MCP Client
 
 Use `DATABEND_MCP_SAFE_MODE=true` by default. In safe mode, production data remains read-only for AI agents, while write operations are scoped to session sandbox objects.

tidb-cloud-lake/guides/warehouse.md

@@ -223,10 +223,28 @@ Where:
 
 ### Creating SQL Users for Warehouse Access
 
-Besides the default `cloudapp` user, you can create additional SQL users for better security and access control:
+Besides the default `cloudapp` user, you can create additional SQL users for better security and access control.
+
+#### Example 1: Full access across all databases
+
+Grant a user read/write access to all databases — useful for admin accounts or automation pipelines that need cross-database operations:
 
 ```sql
--- Create a role with database access
+-- Create a role with global access
+CREATE ROLE full_access_role;
+GRANT ALL ON *.* TO ROLE full_access_role;
+
+-- Create the user and assign the role
+CREATE USER admin_user IDENTIFIED BY 'SecurePass456!' WITH DEFAULT_ROLE = 'full_access_role';
+GRANT ROLE full_access_role TO admin_user;
+```
+
+#### Example 2: Single-database access
+
+Grant a user access to one specific database only:
+
+```sql
+-- Create a role scoped to one database
 CREATE ROLE warehouse_user1_role;
 GRANT ALL ON my_database.* TO ROLE warehouse_user1_role;
 
@@ -235,6 +253,24 @@ CREATE USER warehouse_user1 IDENTIFIED BY 'StrongPassword123' WITH DEFAULT_ROLE
 GRANT ROLE warehouse_user1_role TO warehouse_user1;
 ```
 
+#### Example 3: Read-only access across all databases
+
+For scenarios where the user should only query data (dashboards, BI tools, AI agents in safe mode):
+
+```sql
+-- Create a read-only role
+CREATE ROLE readonly_role;
+GRANT SELECT ON *.* TO ROLE readonly_role;
+
+-- Create the user
+CREATE USER readonly_user IDENTIFIED BY 'ReadOnly789!' WITH DEFAULT_ROLE = 'readonly_role';
+GRANT ROLE readonly_role TO readonly_user;
+```
+
+> **Tip:**
+>
+> In {{{ .lake }}}, privileges like `CREATE DATABASE` can only be granted to roles, not directly to users. Always create a role first, grant privileges to the role, then assign the role to the user.
+
 For more details, see [CREATE USER](/tidb-cloud-lake/sql/create-user.md) and [GRANT](/tidb-cloud-lake/sql/grant.md) documentation.
 
 ### Connection Security

tidb-cloud-lake/sql/create-user.md

@@ -38,7 +38,35 @@ CREATE [ OR REPLACE ] USER <name> IDENTIFIED [ WITH <auth_type> ] BY '<password>
 
 ## Examples
 
-### Example 1: Create User and Grant Database Privileges
+### Example 1: Full Access Across All Databases
+
+Create a user with full read/write access across all databases:
+
+```sql
+-- Create a role with global access
+CREATE ROLE full_access_role;
+GRANT ALL ON *.* TO ROLE full_access_role;
+
+-- Create the user and assign the role
+CREATE USER admin_user IDENTIFIED BY 'SecurePass456!' WITH DEFAULT_ROLE = 'full_access_role';
+GRANT ROLE full_access_role TO admin_user;
+```
+
+### Example 2: Read-Only Access Across All Databases
+
+Create a user that can only query data, suitable for dashboards or BI tools:
+
+```sql
+-- Create a read-only role
+CREATE ROLE readonly_role;
+GRANT SELECT ON *.* TO ROLE readonly_role;
+
+-- Create the user
+CREATE USER readonly_user IDENTIFIED BY 'ReadOnly789!' WITH DEFAULT_ROLE = 'readonly_role';
+GRANT ROLE readonly_role TO readonly_user;
+```
+
+### Example 3: Single-Database Access
 
 Create a role, grant database privileges, and assign the role to a user:
 
@@ -63,33 +91,7 @@ SHOW GRANTS FOR ROLE data_analyst_role;
 +-----------------------------------------------------------------+
 ```
 
-### Example 2: Create User and Grant Role
-
-Create a user and assign a role with specific privileges:
-
-```sql
--- Create a role with specific privileges
-CREATE ROLE analyst_role;
-GRANT SELECT ON *.* TO ROLE analyst_role;
-GRANT INSERT ON default.* TO ROLE analyst_role;
-
--- Create user and grant the role
-CREATE USER john_analyst IDENTIFIED BY 'secure_pass456';
-GRANT ROLE analyst_role TO john_analyst;
-```
-
-Verify the role assignment:
-
-```sql
-SHOW GRANTS FOR john_analyst;
-+------------------------------------------+
-| Grants                                   |
-+------------------------------------------+
-| GRANT ROLE analyst_role TO 'john_analyst'@'%' |
-+------------------------------------------+
-```
-
-### Example 3: Create Users with Different Authentication Types
+### Example 4: Create Users with Different Authentication Types
 
 ```sql
 -- Create user with default authentication
@@ -98,17 +100,3 @@ CREATE USER user1 IDENTIFIED BY 'abc123';
 -- Create user with SHA256 authentication
 CREATE USER user2 IDENTIFIED WITH sha256_password BY 'abc123';
 ```
-
-### Example 4: Create Users with Special Configurations
-
-```sql
--- Create user with password change requirement
-CREATE USER new_employee IDENTIFIED BY 'temp123' WITH MUST_CHANGE_PASSWORD = true;
-
--- Create user in disabled state
-CREATE USER temp_user IDENTIFIED BY 'abc123' WITH DISABLED = true;
-
--- Create user with default role (role must be granted separately)
-CREATE USER manager IDENTIFIED BY 'abc123' WITH DEFAULT_ROLE = 'admin';
-GRANT ROLE admin TO manager;
-```