A role is a set of defined access permissions. It can be used to grant the same set of permissions to a group of users. Role-based authorization greatly simplifies the authorization process and reduces authorization management costs. We recommend that you consider whether to use role-based authorization before you grant permissions to users.
When you create a project, the system automatically creates an Admin role for the project. This role is granted the permissions to access all objects in the project, manage users and roles, and authorize users and roles.
The Admin role cannot grant its Admin permissions to users, set security policies for the project, modify the authentication model of the project, or modify the Admin permissions. Only the project owner can perform these operations.
MaxCompute roles have a one-to-one mapping with the member roles in DataWorks. For more information about the member roles in DataWorks and their permissions, see Manage workspace members.
Create a role
CREATE ROLE <rolename>;
create role player;
Authorize a role
After you authorize a role, all users assigned this role are granted the same permissions. The method to authorize roles is similar to that used to authorize users. For more information, see Authorize users.
Jack is the administrator of the prj1 project. Users Alice, Bob, and Charlie need to be added to the project as data reviewers. Data reviewers require permissions to view table lists, submit jobs, and read data from the userprofile table.
-- Access the prj1 project. use prj1; -- Add users Alice, Bob, and Charlie to the project. add user firstname.lastname@example.org; add user email@example.com; add user firstname.lastname@example.org; -- Create a role named tableviewer. create role tableviewer; -- Grant the required permissions to the role. grant List, CreateInstance on project prj1 to role tableviewer; grant Describe, Select on table userprofile to role tableviewer; -- Assign the role to the added users. grant tableviewer to email@example.com; grant tableviewer to firstname.lastname@example.org; grant tableviewer to email@example.com;
Assign a role to a user
One user can have multiple roles, and multiple users can belong to the same role.
GRANT <roleName> TO <full_username> ;
grant player to firstname.lastname@example.org;
Revoke a role from a user
REVOKE <roleName> FROM <full_username>;
revoke player from email@example.com;
Delete a role
DROP ROLE <roleName>;
drop role player;