Policy-based access control and download control

GRANT [privileges] ON <objectType> <objectName>  to role <rolename> privilegeproperties("policy" = "true", "allow"="[true|false]", "conditions"= "acs:SourceIp in ('192.168.0.0/16','172.12.0.0/16') and 'odps:InstanceId'='aaaaaa'");
REVOKE  [privileges] ON  <objectType> <objectName>  from role <rolename> privilegeproperties ("policy" = "true", "allow"="[true|false]");

• You can use policy-based access control to grant permissions only to roles.
• The {"policy" = "true"} field in the privilegeproperties parameter indicates that policy-based access control is used.
• The {"allow"="[true|false]"} field in the privilegeproperties parameter specifies whether to grant permissions. To prohibit permissions, use the {"deny"="[true|false]"} field.
• You can revoke permissions only when allow, objectName, and rolename in the REVOKE statement are the same as those specified for authorization.

• Example 1
  Grant the aliyun_test role the read-only permission on the dataworks_test project:

  grant Read on project dataworks_test to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");

• Example 2
  Grant the aliyun_test role the read-only permission on all tables in a MaxCompute project:

  grant Select on table * to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");

• Example 3
  Disable the aliyun_test role to delete all tables in a MaxCompute project:

  grant Drop on table * to role aliyun_test privilegeproperties("policy" = "true", "allow"="false");

grant download on <objectType> <objectName> to [role|user] <name>;

• Only the project owner or a user who is granted the Super_Administrator role can authorize download permissions.
• Only download permissions on table resources can be authorized.