A role is a set of defined access permissions. It can be used to grant the same set of permissions to a group of users. Role-based authorization greatly simplifies the authorization process and reduces authorization management costs. We recommend that you consider whether to use role-based authorization before you grant permissions to users.
When you create a project, the system automatically creates an Admin role for the project. This role is granted the permissions to access all objects in the project, manage users and roles, and authorize users and roles.
The Admin role cannot grant its Admin permissions to users, set security policies for the project, modify the authentication model of the project, or modify the Admin permissions. Only the project owner can perform these operations.
MaxCompute roles have a one-to-one mapping with the member roles in DataWorks. For more information about the member roles in DataWorks and their permissions, see Manage workspace members.
Create a role
CREATE ROLE <roleName>;
Example
create role player;
Authorize a role
After you authorize a role, all users assigned this role are granted the same permissions. The method to authorize roles is similar to that used to authorize users. For more information, see Authorize users.
Example
Jack is the administrator of the prj1 project. Users Alice, Bob, and Charlie need to be added to the project as data reviewers. Data reviewers require permissions to view table lists, submit jobs, and read data from the userprofile table.
-- Access the prj1 project.
use prj1;
-- Add users Alice, Bob, and Charlie to the project.
add user aliyun$alice@aliyun.com;
add user aliyun$bob@aliyun.com;
add user aliyun$charlie@aliyun.com;
-- Create a role named tableviewer.
create role tableviewer;
-- Grant the required permissions to the role.
grant List, CreateInstance on project prj1 to role tableviewer;
grant Describe, Select on table userprofile to role tableviewer;
-- Assign the role to the added users.
grant tableviewer to aliyun$alice@aliyun.com;
grant tableviewer to aliyun$bob@aliyun.com;
grant tableviewer to aliyun$charlie@aliyun.com;
Assign a role to a user
One user can have multiple roles, and multiple users can belong to the same role.
GRANT <roleName> TO <full_username>;
Example
grant player to bob@aliyun.com;
Revoke a role from a user
REVOKE <roleName> FROM <full_username>;
Example
revoke player from bob@aliyun.com;
Delete a role
DROP ROLE <roleName>;
Example
drop role player;
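The role lifecycle from the sections above (authorize, assign, revoke, delete) carried through on the prj1 project and tableviewer role from the earlier example, as an added example that is not part of the original page. It assumes DESCRIBE ROLE, SHOW GRANTS FOR and LIST ROLES, MaxCompute commands that this page does not show.

```sql
-- Added example: offboarding a data reviewer and retiring the role.
-- Assumes the prj1 project, the tableviewer role and the three users
-- created in the "Authorize a role" example.
use prj1;

-- Record what the role grants and who holds it before changing anything.
-- (DESCRIBE ROLE and SHOW GRANTS FOR are assumed MaxCompute commands.)
describe role tableviewer;
show grants for aliyun$bob@aliyun.com;

-- Bob leaves the review team: revoke the role rather than individual
-- object privileges, so his remaining access is exactly what other
-- roles grant him and nothing is left behind by hand.
revoke tableviewer from aliyun$bob@aliyun.com;
show grants for aliyun$bob@aliyun.com;   -- tableviewer should be absent

-- Tighten the role itself: reviewers no longer need to submit jobs, so
-- take CreateInstance away from the role. Every remaining holder loses it
-- at once, which is the reason to grant through roles instead of to users.
revoke CreateInstance on project prj1 from role tableviewer;
describe role tableviewer;

-- When the reviewer function is retired, revoke the role from every
-- remaining user first, then delete it and confirm it is gone.
revoke tableviewer from aliyun$alice@aliyun.com;
revoke tableviewer from aliyun$charlie@aliyun.com;
drop role tableviewer;
list roles;
```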