If you add a user to a project, you must authorize the user to perform a specific operation on an object in the project. If you add a role to a project, you must grant operation permissions to the role and then grant the role to the user. The user has operation permissions on the object only after authorization. This topic describes how to grant and revoke the permissions of a user or role.

For more information about the objects and related operation types, see Authorize users. The following table describes common statements that are used for authorization operations.
Operation Description Role Operation platform
Grant a role or user Grants a role or user a specific operation permission on a specific type of object. A project owner or a user assigned the Super_Administrator or Admin role You can execute the statements described in this topic on the following platforms:
Revoke role or user permissions Revokes a specific operation permission on a specific type of object from a role or user.

Grant a role or user

Grants a role or user a specific operation permission on a specific type of object.

  • Syntax
    grant <Action> [, <Action>] on <Object> <object_name> to {user|role} {<user_name|role_name>}; 
  • Parameters
    • Action: required. The name of the operation permission that you want to grant. For more information, see Authorize users.
    • Object: required. The object type of the operation permission that you want to grant to the user or role. For more information, see Authorize users.
    • object_name: required. The name of the object.
    • user|role: Select user or role. user indicates that the operation permission is granted to the user. role indicates that the operation permission is granted to the role.
    • user_name|role_name: the name of the user or role to which you grant the operation permission.
  • Examples
    • Example 1: Grant the user test_user@aliyun.com the CREATE TABLE permission on the project prj1.
      grant CreateTable on Project prj1 to user ALIYUN$test_user@aliyun.com;
    • Example 2: Grant the player role the CREATE INSTANCE permission on the project prj1.
    grant CreateInstance on Project prj1 to role player; 

Revoke role or user permissions

Revokes a specific operation permission on a specific type of object from a role or user.

  • Syntax
    revoke <Action> [, <Action>] on <Object> <object_name> from {user|role} {<user_name|role_name>}; 
  • Parameters
    • Action: required. The name of the operation permission that you want to revoke. For more information, see Authorize users.
    • Object: required. The object type of the operation permission that you want to revoke from the user or role. For more information, see Authorize users.
    • object_name: required. The name of the object.
    • user|role: Select user or role for this parameter. user indicates that the operation permission is revoked from the user. role indicates that the operation permission is revoked from the role.
    • user_name|role_name: the name of the user or role from which you revoke the operation permission.
  • Examples
    • Example 1: Revoke the CREATE TABLE permission on the project prj1 from the user test_user@aliyun.com.
      revoke CreateTable on Project prj1 from user ALIYUN$test_user@aliyun.com;
    • Example 2: Revoke the CREATE INSTANCE permission on the project prj1 from the player role.
      revoke CreateInstance on Project prj1 from role player;