This topic describes how to use policy-based access control and download control features.

Policy-based access control by using the GRANT statement

Syntax for policy-based access control and permission revoking:
GRANT [privileges] ON <objectType> <objectName> to role <rolename> privilegeproperties("policy" = "true", "allow"="[true|false]", "conditions"= "acs:SourceIp in ('192.168.0.0/16','172.12.0.0/16') and 'odps:InstanceId'='aaaaaa'");
REVOKE [privileges] ON <objectType> <objectName> from role <rolename> privilegeproperties("policy" = "true", "allow"="[true|false]");
Description:
  • You can use policy-based access control to grant permissions only to roles.
  • The {"policy" = "true"} field in the privilegeproperties parameter indicates that policy-based access control is used.
  • The {"allow"="[true|false]"} field in the privilegeproperties parameter specifies whether to grant permissions. To prohibit permissions, use the {"deny"="[true|false]"} field.
  • You can revoke permissions only when allow, objectName, and rolename in the REVOKE statement are the same as those specified for authorization.
Examples:
  • Example 1
    Grant the aliyun_test role the read-only permission on the dataworks_test project:
    grant Read on project dataworks_test to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");
  • Example 2
    Grant the aliyun_test role the read-only permission on all tables in a MaxCompute project:
    grant Select on table * to role aliyun_test privilegeproperties("policy" = "true", "allow"="true");
  • Example 3
    Prohibit the aliyun_test role from dropping any table in a MaxCompute project:
    grant Drop on table * to role aliyun_test privilegeproperties("policy" = "true", "allow"="false");

Download control

The permission model provides download control so that Tunnel-based data downloads can be restricted. A user must hold the download permission on a table before data can be downloaded from it by using Tunnel.

Syntax:
grant download on <objectType> <objectName> to [role|user] <name>;
Description:
  • Only the project owner or a user who is granted the Super_Administrator role can authorize download permissions.
  • Only download permissions on table resources can be authorized.
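The following statements are an added example (not part of the original topic) that combines the policy-based GRANT syntax from the first section with the download control from this section into one least-privilege setup for an analyst role. The role name analyst_ro, the table name sales_events and the CIDR range are assumed sample values; the condition key acs:SourceIp is the one shown in the syntax above.

```sql
-- Added example: least-privilege configuration for a read-only analyst role.
-- Assumed names (not from the original page): role analyst_ro, table sales_events.
-- The 10.0.0.0/8 range is a constructed sample value.

-- 1. Read access to a single table, allowed only from the internal network range.
grant Select on table sales_events to role analyst_ro
  privilegeproperties("policy" = "true", "allow" = "true",
                      "conditions" = "acs:SourceIp in ('10.0.0.0/8')");

-- 2. Explicitly prohibit Drop on every table in the project ("allow" = "false").
grant Drop on table * to role analyst_ro
  privilegeproperties("policy" = "true", "allow" = "false");

-- 3. Tunnel download is a separate permission and can only be granted on tables;
--    issue it from the project owner or a Super_Administrator account, and
--    limit it to the one table the role actually needs to export.
grant download on table sales_events to role analyst_ro;

-- 4. Removing the conditional read grant later: allow, objectName and rolename
--    must match the original GRANT, otherwise the revoke does not apply.
revoke Select on table sales_events from role analyst_ro
  privilegeproperties("policy" = "true", "allow" = "true");
```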