A role is a set of access permissions. It can be used to assign the same set of permissions to a group of users. Role-based authorization can greatly simplify the authorization process and reduce the authorization management cost. Role-based authorization can be used with priority when user authorization is performed.
When a project is created, an admin role is automatically created with a definite privilege authorized to the role, including access to all objects within the project, management of users and roles, and authorization to users and roles. Compared with a project owner, the admin role cannot grant the admin privilege to any user, set the project security configuration, or change the authentication model for the project. The privilege of the admin role cannot be modified.
Related commands of Role management are as follows:
create role <rolename> --Create a role
drop role <rolename> --Delete a role
grant <rolename> to <username> --Grant a role to a user
revoke <rolename> from <username> --Revoke a role from a user
When deleting a role, MaxCompute checks whether other users are in this role. If yes, this role cannot be deleted. The role can be successfully deleted only when all users in the role are revoked from this role.
For more information about the mapping between the roles in DataWorks and in MaxCompute, and the platform permissions of these roles, see the project member management module in Project Management.