MaxCompute lets you view several kinds of permission information: the permissions of a specified user or role, and the authorization list of a specified object.

MaxCompute uses the markup characters A, C, D, and G when showing the permissions of users or roles. The meanings of these markup characters are as follows:
  • A: Access allowed.
  • D: Access denied.
  • C: Access granted with conditions. It appears only in a policy authorization system.
  • G: Access granted with conditions. Permission can be granted to objects.
An example of viewing permissions is as follows:
    odps@test_project> show grants for aliyun$;
    Authorization Type: ACL
    A projects/test_project/tables/t1: Select
    A projects/test_project: CreateTable | CreateInstance | CreateFunction | List
    A projects/test_project/tables/t1: Describe | Select
    Authorization Type: Policy
    AC projects/test_project/tables/test_*: Describe
    DC projects/test_project/tables/alifinance_*: Select
    A projects/test_project: Create* | List
    AC projects/test_project/tables/alipay_*: Describe | Select
    Authorization Type: ObjectCreator
    AG projects/test_project/tables/t6: All
    AG projects/test_project/tables/t7: All
Note: Currently, desc role displays ACL information only for the project and table authorization types. ACL information for other objects (function, resource, instance, job) is not displayed.
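
The following Python sketch is an added example, not part of the MaxCompute documentation. It parses the show grants output above into structured entries and picks out denies, wildcard rules and G-marked entries for an access review. The function names and review categories are assumptions of this example; the sample text is the output shown on this page.

```python
import re

# Sample input: the "show grants" output shown on this page.
SAMPLE = """\
Authorization Type: ACL
A projects/test_project/tables/t1: Select
A projects/test_project: CreateTable | CreateInstance | CreateFunction | List
A projects/test_project/tables/t1: Describe | Select
Authorization Type: Policy
AC projects/test_project/tables/test_*: Describe
DC projects/test_project/tables/alifinance_*: Select
A projects/test_project: Create* | List
AC projects/test_project/tables/alipay_*: Describe | Select
Authorization Type: ObjectCreator
AG projects/test_project/tables/t6: All
AG projects/test_project/tables/t7: All
"""

# One grant line: marker characters, object path, then "|"-separated actions.
GRANT_LINE = re.compile(r"^([ACDG]+)\s+(\S+):\s+(.+)$")

def parse_grants(text):
    """Return one dict per grant line, tagged with its authorization type."""
    entries, auth_type = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Authorization Type:"):
            auth_type = line.split(":", 1)[1].strip()
            continue
        match = GRANT_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognized line: {line!r}")
        flags, obj, actions = match.groups()
        entries.append({"type": auth_type, "flags": set(flags), "object": obj,
                        "actions": [a.strip() for a in actions.split("|")]})
    return entries

def review(entries):
    """Group the entries an access reviewer would usually read first."""
    def has_wildcard(e):
        return "*" in e["object"] or any("*" in a for a in e["actions"])
    return {"denies": [e for e in entries if "D" in e["flags"]],
            "wildcards": [e for e in entries if has_wildcard(e)],
            "grantable": [e for e in entries if "G" in e["flags"]]}
```
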

View permissions of a specified user

    show grants; --View permissions of the current user.
    show grants for <username>; --View access permissions of a specified user. The operation can be executed by project owners and administrators.


To view the permissions of an Alibaba Cloud account in the current project, run the following command on the client:
    show grants for ALIYUN$;
To view the permissions of a RAM sub-account:
    show grants for RAM$account:sub-account;
    show grants for RAM$;

View permissions of a specified role:

    describe role <rolename>; --View access permissions granted to a specified role.
Note: In the public cloud environment, describe role currently displays ACL information only for the project and table object authorization types. ACL information for other objects (such as function, resource, instance, job) is not displayed.

View the authorization list of a specified object:

    show acl for <objectName> [on type <objectType>]; --View the user and role authorization list of a specified object.
Note: When [on type <objectType>] is omitted, the default type is Table.