A role is a defined set of access permissions. It assigns the same set of permissions to a group of users. Role-based authorization greatly simplifies the authorization process and reduces the cost of managing authorization. Use roles in preference to granting permissions to individual users.
When a project is created, an admin role is automatically created with a fixed set of privileges: access to all objects within the project, management of users and roles, and the ability to authorize users and roles. Compared with the project owner, the admin role cannot assign the admin permission to any user, set the project security configuration, or change the authentication model for the project. The permissions of the admin role cannot be modified.
```sql
create role <rolename>;            --Create a role
drop role <rolename>;              --Delete a role
grant <rolename> to <username>;    --Grant a role to a user
revoke <rolename> from <username>; --Revoke a role from a user
```
- One role can be assigned to multiple users at the same time, and one user can be assigned multiple roles.
- For more information about the mapping between the roles in DataWorks and in MaxCompute, and the platform permissions of these roles, see the project member management module in Manage workspace members.
Create a role
```sql
create role player;
```
Add a user to the role
```sql
GRANT <roleName> TO <full_username>;
```
```sql
grant player to email@example.com;
```
Jack is the administrator of project prj1. Three new data auditors, Alice, Bob, and Charlie, are added to the project team. They need the following permissions: view the table list, submit jobs, and read the table userprofile.
In this scenario, the project administrator can perform the authorization by using object-based ACL authorization.
```sql
use prj1;
add user firstname.lastname@example.org; --Add the user
add user email@example.com;              --Add the user
add user firstname.lastname@example.org;
create role tableviewer;                 --Create a role
grant List, CreateInstance on project prj1 to role tableviewer; --Grant permissions to the role
grant Describe, Select on table userprofile to role tableviewer;
grant tableviewer to email@example.com;  --Grant the tableviewer role to the user
grant tableviewer to firstname.lastname@example.org;
grant tableviewer to email@example.com;
```
Revoke the role from the user
```sql
REVOKE <roleName> FROM <full_username>;
```
```sql
revoke player from firstname.lastname@example.org;
```
Delete a role
```sql
DROP ROLE <roleName>;
```
```sql
drop role player;
```
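As an added example that is not part of the original documentation, the following walk-through ties the data-auditor scenario above to the revoke and drop commands: it creates the tableviewer role with only the permissions the auditors need, assigns it, checks the resulting grants, and retires the role when the auditors leave. The account names in angle brackets are placeholders for the users' full MaxCompute account names; `describe role` and `show grants for` are MaxCompute's inspection commands and do not appear on this page.

```sql
-- Added example (not from the original page): lifecycle of a least-privilege
-- role in MaxCompute. <alice_account>, <bob_account> and <charlie_account>
-- are placeholders for the auditors' full account names (assumption).
use prj1;

-- 1. Create the role and grant it only what auditors need:
--    list objects and submit jobs at project level, read one table.
create role tableviewer;
grant List, CreateInstance on project prj1 to role tableviewer;
grant Describe, Select on table userprofile to role tableviewer;

-- 2. Add the users to the project, then attach the role to them.
--    The object permissions live on the role, not on the individual accounts,
--    so onboarding a fourth auditor later is a single grant statement.
add user <alice_account>;
add user <bob_account>;
add user <charlie_account>;
grant tableviewer to <alice_account>;
grant tableviewer to <bob_account>;
grant tableviewer to <charlie_account>;

-- 3. Verify: the role should list exactly the grants above plus its members,
--    and a user's effective grants should come from the role alone.
describe role tableviewer;
show grants for <alice_account>;

-- 4. Offboarding one auditor: revoking the role removes every permission it
--    carried in one step. Re-check the account afterwards to confirm no
--    permission was granted to it directly, outside the role.
revoke tableviewer from <alice_account>;
show grants for <alice_account>;

-- 5. Retire the role once no user holds it.
revoke tableviewer from <bob_account>;
revoke tableviewer from <charlie_account>;
drop role tableviewer;
```

Run the statements in the MaxCompute client against a test project first; step 3 is the point to compare the output of `describe role` with the permissions the auditors actually requested, and step 4 is where a permission that was granted directly to an account rather than through the role would show up as still present after the revoke.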