This topic describes how to use the policy-based access control and download control features.

Policy-based access control by using the GRANT statement

GRANT and REVOKE syntax:
GRANT [privileges] ON <objectType> <objectName> to role <rolename> privilegeproperties("policy" = "true", "allow"="[true|false]", "conditions"= "acs:SourceIp in ('192.168.0.0/16','172.12.0.0/16') and 'odps:InstanceId'='aaaaaa'");
REVOKE  [privileges] ON <objectType> <objectName> from role <rolename> privilegeproperties ("policy" = "true", "allow"="[true|false]");
Description:
  • You can use policy-based access control to grant permissions only to roles.
  • privileges: the type of the action, such as read or write. For more information, see Authorize users.
  • objectType: the type of the object, such as a project or table. For more information, see Authorize users.
  • objectName: the name of the project.
  • rolename: the name of the role.
  • The {"policy" = "true"} field in the privilegeproperties parameter indicates that policy-based access control is used.
  • You can specify allow or deny in the privilegeproperties parameter to allow or deny the specified action. In most cases, deny has a higher priority. If an action is both allowed and denied for the same role, the settings of deny takes effect.
  • The {"allow"="[true|false]"} field in the privilegeproperties parameter specifies whether to allow the specified action. The {"deny"="[true|false]"} field specifies whether to deny the specified action.
  • You can execute a REVOKE statement only when the allow, objectName, and rolename parameters in the statement match the information of a granted permission.
  • Do not mix up the concepts: deny and REVOKE. They are independent of each other. In a statement, deny specifies whether to deny an action for a role. The REVOKE statement is used to revoke a permission that has been granted to a role. The permission may be about an allowed or a denied action.
Examples
  • Example 1
    Grant the aliyun_test role the read-only permission on the dataworks_test project. After authorization, the aliyun_test role can view information about the dataworks_test project.
    GRANT READ ON PROJECT dataworks_test to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");
  • Example 2
    Grant the aliyun_test role the read-only permission on all tables in a MaxCompute project. After authorization, the aliyun_test role can view all tables in the project.
    GRANT Select ON TABLE * to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");
  • Example 3
    Prohibit the aliyun_test role from deleting tables from a MaxCompute project.
    GRANT DROP ON TABLE * to role aliyun_test privilegeproperties("policy" = "true", "allow"="false");
  • Example 4
    Revoke the preceding prohibition operation to allow the aliyun_test role to delete tables from a MaxCompute project.
    REVOKE DROP ON TABLE * from role aliyun_test privilegeproperties ("policy" = "true", "allow"="false");

Download control

To control Tunnel-based data downloads, download control is provided for the permission model. Download permissions are required for you to download data by using Tunnel.

Syntax:
GRANT DOWNLOAD ON <objectType> <objectName> to [role|user] <name>;
Description:
  • Only the project owner or a user who is assigned the Super_Administrator role can grant download permissions.
  • Download permissions can be granted only on tables.