Last Updated: Jun 23, 2016

A role is a set of access permissions. You can grant the same privileges to a group of users by using role. Role-based authorization can significantly simplify the authorization process and reduce the cost arising from authorization management. If possible, role authorization shall be preferred when granting user privileges.

When a project is created, an admin role will be automatically created and granted with identified privileges: admin can access all objects in the project, manage the user and role and grant user or role privileges. Compared with the project owner, the admin role cannot grant the admin privileges to a user, cannot set the security configuration of the project or alter the project authentication model. The privileges corresponding to the admin role cannot be altered.

The commands involved in role management are as follows:

  1. create role <rolename> --Create a role.
  2. drop role <rolename> --Drop a role.
  3. grant <rolename> to <username> --Grant a role to a user.
  4. revoke <rolename> from <username> --revoke a role from a user.


  • While dropping a role, MaxCompute will check whether other users exist in this role. If other users exist, then the role fails to be deleted. The role can be dropped only if all users in the role have been revoked.
Thank you! We've received your feedback.