This topic describes how to use the policy-based access control and download control features.
Policy-based access control by using the GRANT statement
GRANT and REVOKE syntax:
GRANT [privileges] ON <objectType> <objectName> to role <rolename> privilegeproperties("policy" = "true", "allow"="[true|false]", "conditions"= "acs:SourceIp in ('192.168.0.0/16','172.12.0.0/16') and 'odps:InstanceId'='aaaaaa'");
REVOKE [privileges] ON <objectType> <objectName> from role <rolename> privilegeproperties ("policy" = "true", "allow"="[true|false]");
Description:
- You can use policy-based access control to grant permissions only to roles.
- privileges: the type of the action, such as read or write. For more information, see Authorize users.
- objectType: the type of the object, such as a project or table. For more information, see Authorize users.
- objectName: the name of the project.
- rolename: the name of the role.
- The "policy" = "true" field in the privilegeproperties parameter indicates that policy-based access control is used.
- You can specify allow or deny in the privilegeproperties parameter to allow or deny the specified action. In most cases, deny has a higher priority: if an action is both allowed and denied for the same role, the deny setting takes effect.
- The "allow"="[true|false]" field in the privilegeproperties parameter specifies whether to allow the specified action. The "deny"="[true|false]" field specifies whether to deny the specified action.
- You can execute a REVOKE statement only when the allow, objectName, and rolename parameters in the statement match the information of a granted permission.
- Do not mix up the concepts deny and REVOKE. They are independent of each other. In a statement, deny specifies whether to deny an action for a role. The REVOKE statement is used to revoke a permission that has been granted to a role; the permission may be about an allowed or a denied action.
Examples
- Example 1
Grant the aliyun_test role the read-only permission on the dataworks_test project. After authorization, the aliyun_test role can view information about the dataworks_test project.
GRANT READ ON PROJECT dataworks_test to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");
- Example 2
Grant the aliyun_test role the read-only permission on all tables in a MaxCompute project. After authorization, the aliyun_test role can view all tables in the project.
GRANT Select ON TABLE * to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");
- Example 3
Prohibit the aliyun_test role from deleting tables from a MaxCompute project.
GRANT DROP ON TABLE * to role aliyun_test privilegeproperties("policy" = "true", "allow"="false");
- Example 4
Revoke the preceding prohibition operation to allow the aliyun_test role to delete tables from a MaxCompute project.
REVOKE DROP ON TABLE * from role aliyun_test privilegeproperties ("policy" = "true", "allow"="false");
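As an added illustration (not part of the original documentation or of MaxCompute itself), the following Python models the rules described above: a deny entry takes priority over an allow entry, an acs:SourceIp condition limits when an entry applies, and a REVOKE must match the allow flag, objectName and rolename of an existing grant. The class, the table names and the IP ranges are constructed for the example.

```python
import ipaddress

# Constructed, simplified model of the semantics documented above: deny beats allow,
# REVOKE must match allow/objectName/rolename, acs:SourceIp conditions scope an entry.
# Illustration only (added here), not MaxCompute's real authorization engine.
class PolicyStore:
    def __init__(self):
        self.entries = []  # (privilege, object_name, role, allow, [ip_network, ...])

    def grant(self, privilege, object_name, role, allow, source_ips=()):
        nets = [ipaddress.ip_network(cidr) for cidr in source_ips]
        self.entries.append((privilege, object_name, role, allow, nets))

    def revoke(self, privilege, object_name, role, allow):
        # Only an entry whose allow flag, object name and role all match is removed.
        kept = [e for e in self.entries
                if not (e[0] == privilege and e[1] == object_name
                        and e[2] == role and e[3] == allow)]
        if len(kept) == len(self.entries):
            raise ValueError("REVOKE matches no granted permission")
        self.entries = kept

    def check(self, privilege, object_name, role, source_ip):
        ip = ipaddress.ip_address(source_ip)
        allowed = False
        for priv, obj, r, allow, nets in self.entries:
            if r != role or priv != privilege or obj not in ("*", object_name):
                continue
            if nets and not any(ip in net for net in nets):
                continue  # acs:SourceIp condition not met, so this entry does not apply
            if not allow:
                return False  # a matching deny overrides every allow
            allowed = True
        return allowed

def demo():
    store = PolicyStore()
    store.grant("SELECT", "*", "aliyun_test", True, ["192.168.0.0/16"])  # SELECT only from this range
    store.grant("DROP", "*", "aliyun_test", False)  # Example 3: deny DROP on all tables
    store.grant("DROP", "*", "aliyun_test", True)   # an allow added later does not beat the deny
    results = {
        "select_from_lan": store.check("SELECT", "t1", "aliyun_test", "192.168.1.10"),
        "select_from_wan": store.check("SELECT", "t1", "aliyun_test", "10.0.0.5"),
        "drop_with_deny": store.check("DROP", "t1", "aliyun_test", "192.168.1.10"),
    }
    store.revoke("DROP", "*", "aliyun_test", False)  # Example 4: remove only the deny entry
    results["drop_after_revoke"] = store.check("DROP", "t1", "aliyun_test", "192.168.1.10")
    return results
```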
Download control
Download control is provided in the permission model to govern Tunnel-based data downloads. You must have download permissions before you can download data by using Tunnel.
Syntax:
GRANT DOWNLOAD ON <objectType> <objectName> to [role|user] <name>;
Description:
- Only the project owner or a user who is assigned the Super_Administrator role can grant download permissions.
- Download permissions can be granted only on tables.