
MaxCompute:MaxCompute permissions

Last Updated: Jun 30, 2023

This topic describes the permissions that are supported in MaxCompute.

Background information

MaxCompute supports fine-grained access control on projects, quotas, network connections, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures object security.

The following table describes the elements that are involved in authorization operations.

Permission element

Description

Subject

The user or role to which you want to grant permissions.

Take note of the following points:

  • Before you grant permissions to a user or role in a MaxCompute project, make sure that the user or role is added to the MaxCompute project.

  • If you use an Alibaba Cloud account to perform authorization operations, you can grant permissions to the RAM users of the Alibaba Cloud account and other Alibaba Cloud accounts.

  • If you use a RAM user to perform authorization operations, you can grant permissions to only the other RAM users that belong to the same Alibaba Cloud account.

Note

A user who performs authorization operations is called an authorizer. An authorizer can perform authorization operations only if the authorizer has the capability to grant permissions on objects and actions.

Object

An object in a MaxCompute tenant.

  • Network link: a network connection. The virtual private cloud (VPC) connection scheme is used to establish network connections in most scenarios. For more information about the VPC connection scheme, see Network connection process.

  • Quota: a computing resource queue.

The objects or behavior in a MaxCompute project.

  • Objects

    • Projects: the MaxCompute projects.

    • Tables: the tables or views in a MaxCompute project.

      In a MaxCompute project, a view is a virtual table, and permission rules of tables also apply to views. If the owner of a view does not have the Select permission on the table referenced by the view, the owner cannot use the view.

    • Functions: the user-defined functions (UDFs) in a MaxCompute project.

    • Resources: the resources that are uploaded to a MaxCompute project, such as JAR and ZIP files.

    • Instances: the instances that are generated when a job is run in a MaxCompute project.

  • Behavior: operations on objects that are controlled separately from the objects themselves, such as Tunnel downloads, label-based access to sensitive data, and package-based cross-project access (see the Behavior table below).

Actions

The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.

Permissions on objects in a tenant

The following table describes the permission relationships of objects in a MaxCompute tenant.

Object

Action

Description

Authorized by

Authorization method

Networklink

List

Allows you to view all types of network connections.

  • Project owner

  • Users assigned with the Super_Administrator or Admin role

Grant permissions to roles: Policy-based access control.

CreateNetworklink

Allows you to create a network connection in a MaxCompute tenant.

Describe

Allows you to read the metadata of a network connection in a MaxCompute tenant.

Drop

Allows you to delete a network connection.

All

Allows you to perform all the preceding operations on network connections.

Quota

Usage

Allows you to use quotas.

  • Project owner

  • Users assigned with the Super_Administrator or Admin role

Permissions on projects and objects in projects

This section describes the permissions supported by MaxCompute projects and objects in MaxCompute projects.

  • Objects

    The following table describes the permission relationships of MaxCompute projects and permission relationships of objects in MaxCompute projects.

    Object

    Action

    Description

    Authorized by

    Authorization method

    Project

    Read

    Allows you to view information about a project, excluding objects in the project.

    Project owner

    Not supported

    Write

    Allows you to update information about a project, excluding objects in the project.

    List

    Allows you to query all types of objects in a project. For example, you can run the show tables; or show functions; command to query tables or functions.

    • Project owner

    • Users assigned with the Super_Administrator or Admin role

    CreateTable

    Allows you to create a table in a project. For example, you can run the create table <table_name>...; command to create a table.

    CreateInstance

    Allows you to create an instance in a project. When you run jobs, instances are created.

    CreateFunction

    Allows you to create a function in a project. For example, you can run the create function <function_name> ...; command to create a function.

    CreateResource

    Allows you to add a resource to a project. For example, you can run the add file|archive|py|jar <local_file>...; or add table <table_name> ...; command to add a resource.

    All

    Allows you to perform all the preceding operations on a project.

    Table

    Describe

    Allows you to read the metadata of a table, including the table structure, creation time, modification time, and table data size. For example, you can run the desc <table_name>; command to read the metadata of a table.

    • Table owner

    • Project owner

    • Users assigned with the Super_Administrator role

    • Users assigned with the Admin role (excluding permissions to change table owners)

    Select

    Allows you to query the data of a table. For example, you can run the select * from <table_name>; command to query the data of a table.

    Alter

    Allows you to modify the metadata of a table. You can change the owner of a table, name of a table, or name of a column, and add or delete partitions. For example, you can run the alter table <table_name> add if not exists partition ...; command to modify the metadata of a table.

    Update

    Allows you to update the data of a table. For example, you can run the insert into|overwrite table <table_name> ...;, update <table_name> set ...;, or delete from <table_name> where ...; command to update the data of a table.

    Drop

    Allows you to drop a table. For example, you can run the drop table <table_name>; command to drop a table.

    ShowHistory

    Allows you to query the backup data of a table. For example, you can run the show history for table <table_name>; command to query the backup data of a table.

    All

    Allows you to perform all the preceding operations on a table.

    Function

    Read

    Allows you to read the program file in which a MaxCompute UDF is called.

    • Function owner

    • Project owner

    • Users with the Super_Administrator or Admin role

    Write

    Allows you to update a UDF.

    Delete

    Allows you to delete a UDF. For example, you can run the drop function <function_name>; command to delete a UDF.

    Execute

    Allows you to call a UDF. For example, you can run the select <function_name> from ...; command to call a UDF.

    All

    Allows you to perform all the preceding operations on a function.

    Resource

    Read

    Allows you to read a resource.

    • Resource owner

    • Project owner

    • Users assigned with the Super_Administrator or Admin role

    Write

    Allows you to update a resource.

    Delete

    Allows you to delete a resource. For example, you can run the drop resource <resource_name>; command to delete a resource.

    All

    Allows you to perform all the preceding operations on a resource.

    External Volume

    CreateVolume

    Allows you to create an external volume.

    • External volume owner

    • Project owner

    • Users assigned with the Super_Administrator or Admin role

    Read

    Allows you to read data from an external volume.

    Write

    Allows you to update data in an external volume.

    Delete

    Allows you to delete an external volume. For example, you can run the vfs -rm -r <volume_path>; command to delete an external volume.

    All

    Allows you to perform all the preceding operations on an external volume.

    Instance

    Read

    Allows you to read an instance.

    • Project owner

    • Users assigned with the Super_Administrator or Admin role

    Write

    Allows you to update an instance.

    All

    Allows you to perform all the preceding operations on an instance.

    Note

    The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project.

    If you separately use the Select, Alter, Update, or Drop permission on tables in a project and you do not have the CreateInstance permission on the project, the operations on the tables cannot be performed. For example, if you query data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.

  • Behavior

    The following table describes the permission relationships of behavior on objects in a MaxCompute project.

    Object

    Action

    Description

    Authorized by

    Authorization method

    Tables, functions, resources, and instances

    Download

    Allows you to use Tunnel commands to download table data, resources, functions, or instances.

    • Project owner

    • Users assigned with the Super_Administrator role

    Download control

    Label

    N/A

    Allows you to read sensitive data at the column level.

    • Project owner

    • Users assigned with the Admin role

    Label-based access control

    Package

    Read

    Allows you to package the objects and allowed operation permissions on the objects in a project and use the generated package to support cross-project authorization.

    • Project owner

    • Users assigned with the Admin role

    Cross-project resource access based on packages

Permissions on project management

  • The following table describes the operations that you can perform to configure MaxCompute management permissions.

    Permission type

    Action

    Description

    Project security configurations

    SetSecurityConfiguration

    Allows you to set security configurations for a project.

    GetSecurityConfiguration

    Allows you to view the security configurations of a project.

    SetProperty

    Allows you to configure an IP address whitelist for a project.

    Policy management

    PutPolicy

    Allows you to update a policy.

    GetPolicy

    Allows you to view policy information.

    AddPolicyStatments

    Allows you to add policy statements.

    RemovePolicyStatments

    Allows you to remove policy statements.

    Account provider management

    AddAccountProviders

    Allows you to add an account provider.

    RemoveAccountProviders

    Allows you to remove an account provider.

    ListAccountProviders

    Allows you to view all account providers.

    Management of trusted projects

    AddTrustedProjects

    Allows you to add trusted projects.

    RemoveTrustedProjects

    Allows you to remove trusted projects.

    ListTrustedProjects

    Allows you to view all trusted projects.

    Principal management

    AddUser

    Allows you to add a user.

    RemoveUser

    Allows you to remove a user.

    ListUsers

    Allows you to view all users.

    ListUserRoles

    Allows you to view the roles assigned to a user.

    Role management

    CreateRole

    Allows you to create a role.

    DescribeRole

    Allows you to query information about a role.

    AlterRole

    Allows you to modify properties of a role.

    DropRole

    Allows you to drop a role.

    ListRoles

    Allows you to view all roles.

    Role authorization

    GrantRole

    Allows you to assign a role to a user.

    RevokeRole

    Allows you to revoke a role from a user.

    ListRolePrincipals

    Allows you to view the users to which a role is assigned.

    Package management

    CreatePackage

    Allows you to create a package.

    DescribePackage

    Allows you to view information about a package.

    DropPackage

    Allows you to delete a package.

    ShowPackages

    Allows you to view all packages.

    InstallPackage

    Allows you to install a package.

    UninstallPackage

    Allows you to uninstall a package.

    AllowInstallPackage

    Allows you to grant the permissions on a package to other projects.

    DisallowInstallPackage

    Allows you to revoke the permissions on a package from other projects.

    AddPackageResource

    Allows you to add a resource to a package.

    RemovePackageResource

    Allows you to remove a resource from a package.

    Label-based access control

    GrantLabel

    Allows you to configure labels.

    RevokeLabel

    Allows you to remove labels.

    ShowLabelGrants

    Allows you to view label configurations.

    SetDataLabel

    Allows you to configure labels for users or roles.

    ACL-based access control

    GrantPrivs

    Allows you to grant permissions based on the access control list (ACL).

    RevokePrivs

    Allows you to revoke permissions granted based on the ACL.

    ShowAclGrants

    Allows you to view permissions granted based on the ACL.

    Clearance of expired permissions

    ClearExpiredGrants

    Allows you to clear configurations of expired permissions.

  • The following table describes the resource URIs of management permissions.

    Note

    In the following resource URIs, the acs:odps:*:projects/<project_name>/ part is omitted, and only the part that follows <project_name>/ is provided.

    Permission resource category

    Resource URI

    Description

    Project security configurations

    authorization/configurations/security_configuration

    project security_configuration

    authorization/configurations/policy

    project policy

    authorization/configurations/security_policy

    project security_policy

    authorization/configurations/protected_exception

    project protected_exception

    Project

    authorization

    Management objects such as account providers of projects and trusted projects

    Project Principal

    authorization/users

    The user of a project

    Project role

    authorization/roles/resource/<role_name>

    The resource role of a project

    authorization/roles/administrator/<role_name>

    The administrator role of a project

    authorization/roles/super_administrator/super_administrator

    The super_administrator role that is built in a project

    Project resource

    authorization/objecttype/objectname

    Resources such as tables, volumes, and jobs

    Package management

    authorization/packages/<projectname>.<packagename>

    Package permissions

    Package resource

    authorization/packageresources/projectname.packagename/objecttype/objectname

    The resources in a package

    Usage notes:

    • If you want to identify specific users, usernames are required. You can use URIs to identify only user categories but not specific users.

    • You can use URIs to identify specific roles.

    • To distinguish semantic differences among all packages and resources in all packages, the URIs of packages are in the format of packages/projectname.packagename, and the URIs of resources in all packages are in the format of packageresources/projectname.packagename/objecttype/objectname. This way, you can use packages/* to indicate all packages and packageresources/* to indicate all resources in packages.

  • The following table describes management permissions.

    Permission type

    Permission

    Action

    Resource

    Security configuration permissions on a project

    Allows you to set security configurations for a project.

    SetSecurityConfiguration
    projects/<project_name>/authorization/configurations/security_configuration

    Allows you to view security configurations of a project.

    GetSecurityConfiguration

    Allows you to set a policy.

    PutPolicy
    projects/<project_name>/authorization/configurations/policy

    Allows you to view policy information.

    GetPolicy

    Allows you to set protected_exception.

    PutPolicy
    projects/<project_name>/authorization/configurations/protected_exception

    Allows you to view protected_exception.

    GetPolicy

    Allows you to set security_policy.

    PutPolicy
    projects/<project_name>/authorization/configurations/security_policy

    Allows you to view security_policy.

    GetPolicy

    Management of project account providers

    Allows you to add an account provider.

    AddAccountProvider
    projects/<project_name>/authorization

    Allows you to remove an account provider.

    RemoveAccountProvider

    Allows you to view all account providers.

    ListAccountProviders

    Management of trusted projects

    Allows you to add trusted projects.

    AddTrustedProjects
    projects/<project_name>/authorization

    Allows you to remove trusted projects.

    RemoveTrustedProjects

    Allows you to view all trusted projects.

    ListTrustedProjects

    Management of project principals

    Allows you to add a user.

    AddUser
    projects/<project_name>/authorization/users

    Allows you to remove a user.

    RemoveUser

    Allows you to view all users.

    ListUsers

    Allows you to view all roles that are assigned to a user.

    ListUserRoles

    Management of project roles

    Allows you to create a resource role.

    CreateRole
    projects/<project_name>/authorization/roles/resource

    Allows you to query information about a resource role.

    DescribeRole
    projects/<project_name>/authorization/roles/resource/<role_name>

    Allows you to drop a resource role.

    DropRole

    Allows you to create an administrator role.

    N/A

    Note

    Only project owners or users with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.

    Allows you to drop an administrator role.

    Allows you to query information about an administrator role.

    DescribeRole
    projects/<project_name>/authorization/roles/administrator/<role_name>

    Allows you to view all roles.

    ListRoles
    projects/<project_name>/authorization/roles

    Policy management of roles in a project

    Allows you to set policies about resource roles in a project.

    PutPolicy
    projects/<project_name>/authorization/roles/resource/<role_name>

    Allows you to view policies about resource roles in a project.

    GetPolicy

    Allows you to add statements that are used to set resource role policies.

    AddPolicyStatments
    projects/<project_name>/authorization/roles/resource/<role_name>

    Allows you to remove statements that are used to set resource role policies.

    RemovePolicyStatments

    Allows you to set policies about administrator roles.

    N/A

    Note

    Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.

    Allows you to view policies about administrator roles.

    GetPolicy
    projects/<project_name>/authorization/roles/administrator/<role_name>

    Allows you to add statements that are used to set administrator role policies.

    N/A

    Note

    Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.

    Allows you to remove statements that are used to set administrator role policies.

    Role assignment and view

    Allows you to assign a resource role to a user.

    GrantRole
    projects/<project_name>/authorization/roles/resource/<role_name>

    Allows you to revoke a resource role from a user.

    RevokeRole

    Allows you to assign an administrator role to a user.

    GrantRole
    projects/<project_name>/authorization/roles/administrator/<role_name>

    Allows you to revoke an administrator role from a user.

    RevokeRole

    Allows you to assign the Super_Administrator role to a user.

    N/A

    Note

    Only project owners or users assigned with the Super_Administrator role can assign or revoke the Super_Administrator role to or from a user.

    Allows you to revoke the Super_Administrator role from a user.

    Allows you to view the users to which a resource role is assigned.

    ListRolePrincipals
    projects/<project_name>/authorization/roles/resource/<role_name>

    Allows you to view the users to which an administrator role is assigned.

    ListRolePrincipals
    projects/<project_name>/authorization/roles/administrator/<role_name>

    Allows you to view the users to which the Super_Administrator role is assigned.

    ListRolePrincipals
    projects/<project_name>/authorization/roles/super_administrator/super_administrator

    Allows you to view the roles assigned to a user.

    ListPrincipalRoles
    projects/<project_name>/authorization/principals/users

    Package management

    Allows you to create a package.

    CreatePackage
    projects/<project_name>/authorization/packages

    Allows you to view packages.

    ShowPackages

    Allows you to query information about a package.

    DescribePackage
    projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>

    Allows you to delete a package.

    DropPackage

    Allows you to install a package.

    InstallPackage
    projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>

    Allows you to uninstall a package.

    UninstallPackage

    Allows you to grant the permissions on a package to other projects.

    AllowInstallPackage
    projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>

    Allows you to revoke the permissions on a package from other projects.

    DisallowInstallPackage

    Allows you to add a resource to a package.

    AddPackageResource
    projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>

    Allows you to remove resources from a package.

    RemovePackageResource

    Label-based access control

    Allows you to enable label-based access control on resources in a project.

    GrantLabel
    projects/<project_name>/authorization/label/<resource_relative_id>

    Note

    • In the resource URI, resource_relative_id specifies the resource path in a project. For example, resource_relative_id of table_1 is tables/table_1.

    • You can use an asterisk (*) to specify all resources. For example, you can use tables/* to specify all tables in a project.

    Allows you to disable label-based access control on resources in a project.

    RevokeLabel

    Allows you to view label-based access control on resources in a project.

    ShowLabelGrants

    Allows you to enable label-based access control on packages.

    GrantLabel
    projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>

    Allows you to disable label-based access control on packages.

    RevokeLabel

    Allows you to view label-based access control on resources in a package.

    ShowLabelGrants

    Allows you to view label-based access control for a user.

    ShowLabelGrants
    projects/<project_name>/authorization/users

    Allows you to view label-based access control for a role.

    ShowLabelGrants
    projects/<project_name>/authorization/roles/resource/<role_name>

    Note

    You cannot enable, set, or view label-based access control for an administrator role.

    Access-level label configuration for users and roles

    Allows you to set an access-level label for a user.

    SetDataLabel
    projects/<project_name>/authorization/users

    Allows you to set an access-level label for a role.

    SetDataLabel
    projects/<project_name>/authorization/roles/resource/<role_name>

    ACL-based access control

    Allows you to grant permissions on resources in a project based on the ACL.

    GrantPrivs
    projects/<project_name>/authorization/<resource_relative_id>
    Note

    • You can use the following string set operators in a policy to manage actions that can be granted or revoked: StringIntersectSetEmpty(IgnoreCase), StringIntersectSetNotEmpty(IgnoreCase), StringSubSet(IgnoreCase), and StringNotSubSet(IgnoreCase). You can use acs:Privileges as the keyword in the condition.

      For example, you can use the following policy to deny the user odpsxxxx@aliyun.com from granting the Download or Select permission on all tables in the prj1 project:

      {
        "Action": ["odps:GrantPrivs"],
        "Effect": "Deny",
        "Principal": "aliyun$odpsxxxx@aliyun.com",
        "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
        "Condition": {
          "IntersectionSetNotNull": {
            "acs:Privileges": ["Download", "Select"]
          }
        }
      }

    • The resource_relative_id of the project is in the projects/<project_name> format.
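To make the condition semantics concrete, here is an added Python model (example code, not MaxCompute's policy engine) that evaluates a GrantPrivs request against the policy quoted above, and that also shows why, as the resource URI usage notes say, packages/* and packageresources/* address different resources. The set-operator semantics are read off the operator names, IntersectionSetNotNull is treated as a synonym of StringIntersectSetNotEmpty, resource matching is shell-style '*' globbing, and Deny is assumed to override Allow; all four are assumptions.

```python
"""Minimal model of how a policy statement with a string-set condition decides
a GrantPrivs request.  Added illustration, not MaxCompute's policy engine:
operator semantics are inferred from the operator names (StringIntersectSetEmpty,
StringIntersectSetNotEmpty, StringSubSet, StringNotSubSet, IgnoreCase variants),
IntersectionSetNotNull is treated as StringIntersectSetNotEmpty, resources are
matched with shell-style '*' globbing, and Deny overrides Allow (assumptions)."""
from fnmatch import fnmatchcase
from typing import Iterable, Union

# Constructed copy of the statement quoted on the page: deny odpsxxxx@aliyun.com
# from granting Download or Select on any table in prj1.
DENY_GRANT_DOWNLOAD_SELECT = {
    "Action": ["odps:GrantPrivs"],
    "Effect": "Deny",
    "Principal": "aliyun$odpsxxxx@aliyun.com",
    "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
    "Condition": {
        "IntersectionSetNotNull": {"acs:Privileges": ["Download", "Select"]},
    },
}


def _as_set(values: Union[str, Iterable[str]], ignore_case: bool) -> set:
    """Policy and request values may be a single string or a list of strings."""
    items = [values] if isinstance(values, str) else list(values)
    return {v.lower() if ignore_case else v for v in items}


def condition_holds(op: str, policy_values, request_values) -> bool:
    """Compare the request's value set against the policy's value set."""
    ignore_case = op.endswith("IgnoreCase")
    base = op[: -len("IgnoreCase")] if ignore_case else op
    p = _as_set(policy_values, ignore_case)
    r = _as_set(request_values, ignore_case)
    if base == "StringIntersectSetEmpty":
        return not (p & r)
    if base in ("StringIntersectSetNotEmpty", "IntersectionSetNotNull"):
        return bool(p & r)
    if base == "StringSubSet":
        return r <= p          # every requested value is listed in the policy
    if base == "StringNotSubSet":
        return not (r <= p)    # at least one requested value is not listed
    raise ValueError(f"unsupported condition operator: {op}")


def resource_matches(pattern: str, resource_uri: str) -> bool:
    """'*' spans any characters, so packages/* never reaches packageresources/..."""
    return fnmatchcase(resource_uri, pattern)


def statement_matches(stmt, principal, action, resource, context) -> bool:
    """True only when principal, action, resource and every condition apply."""
    if stmt.get("Principal") != principal:
        return False
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(action, a) for a in actions):
        return False
    if not resource_matches(stmt["Resource"], resource):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, policy_values in keys.items():
            if not condition_holds(op, policy_values, context.get(key, [])):
                return False
    return True


def decide(policies, principal, action, resource, context) -> str:
    """Deny if any Deny statement matches, else Allow if any Allow matches,
    else NoMatch (deny-overrides ordering is an assumption of this model)."""
    effects = {s["Effect"] for s in policies
               if statement_matches(s, principal, action, resource, context)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "NoMatch"


if __name__ == "__main__":
    # The denied user tries to grant Select on table t1 in prj1.
    print(decide([DENY_GRANT_DOWNLOAD_SELECT], "aliyun$odpsxxxx@aliyun.com",
                 "odps:GrantPrivs",
                 "acs:odps::projects/prj1/authorization/acl/tables/t1",
                 {"acs:Privileges": ["Select"]}))  # Deny
```

Changing the requested privileges to ["Describe"], the project to prj2, or the action to odps:RevokePrivs makes the statement stop matching, which is the behaviour a policy author should verify before relying on such a Deny.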

    Allows you to revoke permissions on resources in a project that are granted based on the ACL.

    RevokePrivs

    Allows you to view permissions on resources in a project that are granted based on the ACL.

    ShowAclGrants

    Allows you to grant permissions on packages based on the ACL.

    GrantPrivs
    projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>

    Allows you to revoke permissions on packages that are granted based on the ACL.

    RevokePrivs

    Allows you to view permissions on packages that are granted based on the ACL.

    ShowAclGrants

    Allows you to view permissions that are granted to users based on the ACL.

    ShowAclGrants
    projects/<project_name>/authorization/users

    Allows you to view permissions that are granted to resource roles based on the ACL.

    ShowAclGrants
    projects/<project_name>/authorization/roles/resource/<role_name>

    Clearance of expired permissions

    Allows you to clear configurations of expired permissions.

    ClearExpiredGrants
    projects/<project_name>/authorization