A role is a named set of access permissions. Granting a role to a group of users assigns the same permissions to all of them at once. Role-based authorization can greatly simplify the authorization procedure and reduce authorization management costs, so it should be preferred when users are authorized. When a user must be authorized, the project owner should first consider whether it would be better to grant the permissions through a role rather than to the user directly.
When a project is created, an admin role is automatically created with a defined set of privileges. These privileges include access to all objects within the project and the management and authorization of users and roles. Unlike the project owner, the admin role cannot assign admin permission to any user, set the project security configuration, or change the authentication model for the project. The permissions of the admin role cannot be modified.
create role <rolename>;            --Create a role
drop role <rolename>;              --Delete a role
grant <rolename> to <username>;    --Grant a role to a user
revoke <rolename> from <username>; --Revoke a role from a user
Create a Role
create role player;
Add a User to Role
GRANT <roleName> TO <full_username>;
grant player to email@example.com;
|After the role is granted, all users in this role have the same permissions.|
Suppose Jack is the administrator of project prj1. Three new data auditors, Alice, Bob, and Charlie, join the project team. They require the following permissions: list the tables in the project, submit jobs, and read the table userprofile.
In this scenario, the project administrator can grant these permissions once to a role, using object-based ACL authorization statements, and then grant the role to each auditor.
use prj1;
add user firstname.lastname@example.org;    --Add the users
add user email@example.com;
add user firstname.lastname@example.org;
create role tableviewer;                    --Create a role
grant List, CreateInstance on project prj1 to role tableviewer;  --Grant permissions to the role
grant Describe, Select on table userprofile to role tableviewer;
grant tableviewer to email@example.com;     --Grant the tableviewer role to the users
grant tableviewer to firstname.lastname@example.org;
grant tableviewer to email@example.com;
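The following is an added example, not from the original page, showing how to confirm that the tableviewer role carries only what the auditors need and how to correct an over-broad grant. The audit commands (list roles, describe role, show grants for) are MaxCompute security commands as recalled by the editor and are assumed here, not taken from this page; confirm them against your MaxCompute version. The over-broad grant in the middle is constructed for illustration.

```sql
-- Added example: verify least privilege for the tableviewer role.
-- Assumed commands: list roles / describe role / show grants for.
use prj1;

list roles;                              -- confirm tableviewer exists alongside admin
describe role tableviewer;               -- show the role's ACL entries and its members

-- Weak setting (constructed for illustration): project-wide Select lets
-- every member of the role read every table in prj1, not only userprofile.
grant Select on project prj1 to role tableviewer;

-- Corrected: remove the project-wide read and keep the table-scoped grant,
-- which is the only read permission the auditors asked for.
revoke Select on project prj1 from role tableviewer;
grant Describe, Select on table userprofile to role tableviewer;

-- Check the effective permissions of one auditor after the fix; the output
-- should show List and CreateInstance on the project and Describe/Select on
-- table userprofile only, with no entry for Select on project prj1.
show grants for email@example.com;
```

Run describe role tableviewer before and after the revoke; the project-level Select entry disappears from the ACL list, while the table-level entry remains, so each auditor reads userprofile and nothing else.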
Revoke the Role from a User
REVOKE <roleName> FROM <full_username>;
revoke player from firstname.lastname@example.org;
Delete a Role
DROP ROLE <roleName>;
drop role player;
|When you delete a role, MaxCompute checks whether any users are still in this role. If there are, the role cannot be deleted. The role can be deleted only after every user has been revoked from it.|
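As an added example, not from the original page, the following sequence removes a role in the order the check above requires: list the members, revoke each of them, confirm the role is empty, then drop it. The describe role command is assumed from MaxCompute's security command set rather than taken from this page; the member accounts are the example accounts used earlier on this page.

```sql
-- Added example: drop a role safely.
-- A drop role issued while members remain fails the membership check.
use prj1;

describe role player;                            -- lists current members of the role

-- Revoke every member first (accounts as used in the examples above).
revoke player from email@example.com;
revoke player from firstname.lastname@example.org;

describe role player;                            -- should now list no members

drop role player;                                -- succeeds only once the role is empty
```

If drop role still fails, re-run describe role player: a remaining member means a revoke was missed, since the role cannot be removed until it has no users.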