After you add a user to a MaxCompute project, you must grant the required permissions to the user. This way, the user can perform operations in the project. MaxCompute allows you to directly grant permissions to a user or grant permissions to a user by assigning a role to the user. This topic describes how to grant permissions to a user and provides examples.
Grant permissions to a user by assigning a project-level role to the user
We recommend that you assign a project-level custom role or built-in administrator role to a user. After you assign a role to a user, the user has the same permissions as the role. This helps you modify or remove permissions for multiple users at a time.
For more information about how to add a user to a MaxCompute project, see User planning and management.
After a user is removed from a project, you need to revoke the residual permissions from the user. For more information, see Completely delete the residual permission information from a removed user.
Assign a project-level role to a user
After you assign a project-level built-in role or custom role to a user, the user is granted the permissions of the role.
Syntax
grant <role_name> to <user_name>;Precautions
Multiple users can be assigned the same project-level role, and a user can be assigned multiple project-level roles.
Parameters
Parameter
Required
Description
role_name
Yes
The name of the role that you want to assign to the user.
You can run the
list roles;command on the MaxCompute client to query the name of the role.user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.Examples
Assign the project-level role Worker to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788, the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649, and the RAM role RAM$5527xxxxxxxx5788:role/ram_role.
-- Go to the test_project_a project. use test_project_a; -- Assign the project-level role Worker to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788. grant Worker to ALIYUN$5527xxxxxxxx5788; -- Assign the project-level role Worker to the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649. grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649; -- Assign the project-level role Worker to the RAM role `RAM$5527xxxxxxxx5788:role/ram_role`. grant Worker to `RAM$5527xxxxxxxx5788:role/ram_role`;
Revoke the project-level role that is assigned to a user from the user
After you revoke a role from a user, the user no longer has the permissions of the role.
Syntax
revoke <role_name> from <user_name>;Parameters
Parameter
Required
Description
role_name
Yes
The name of the role that you want to revoke from the user.
You can run the
list roles;command on the MaxCompute client to query the name of the role.user_name
Yes
The name of the user from which you want to revoke the role. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.Examples
Revoke the project-level role Worker from the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788, the RAM user
RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649, and the RAM role RAM$5527xxxxxxxx5788:role/ram_role.-- Go to the test_project_a project. use test_project_a; -- Revoke the project-level role Worker from the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788. revoke Worker from ALIYUN$5527xxxxxxxx5788; -- Revoke the project-level role Worker from the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649. revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649; -- Revoke the project-level role Worker from the RAM role `RAM$5527xxxxxxxx5788:role/ram_role`. revoke Worker from `RAM$5527xxxxxxxx5788:role/ram_role`;
Common authorization scenarios
Scenario | Method | Authorized by | Operation platform |
Grant the operation permissions on an object to a user by assigning a role to the user | Grant permissions to a role by using ACL-based access control or policy-based access control and then assign the role to the user. | For more information, see the content of the Authorized by column in the Permission list section of Permissions on projects and objects in projects. | |
Revoke the operation permissions on an object from a user that is assigned a specific role | |||
Grant the Download permission to a user by assigning a role to the user | Grant permissions to a role by using download control and then assign the role to the user. | ||
Revoke the Download permission that is granted by assigning a role to the user | |||
Grant the permissions to access highly sensitive data to a user by assigning a role to the user | Grant permissions to a role by using label-based access control and then assign the role to the user. | ||
Revoke the permissions to access highly sensitive data from a user by assigning a role to the user |
Grant the operation permissions on an object to a user by assigning a role to the user
You can grant a role the permissions by using ACL-based access control or policy-based access control and then assign the role to multiple users.
For more information about how to grant permissions to a role, see Grant the operation permissions on an object to a role.
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. To grant the RAM users the permissions to create a table, a function, and an instance and query the list of all types of objects in the project, run the following commands:
-- Go to the test_project_a project.
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project.
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
-- Create a role named Worker.
create role Worker;
-- Grant the Worker role the required permissions.
-- Method 1: Grant the Worker role the permissions by using ACL-based access control.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Method 2: Grant the Worker role the permissions by using policy-based access control.
grant CreateTable, CreateFunction, CreateInstance, List
on project test_project_a
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Assign the Worker role to the RAM users.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;Revoke the operation permissions on an object from a user that is assigned a specific role
You can revoke the permissions from a user in one of the following ways:
Revoke the permissions from a role
All users that are assigned the role no longer have the permissions of this role.
Revoke the role that is assigned to a user from the user
Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. You have granted the RAM users the permissions to create a table, a function, and an instance and query the list of all types of objects in the project by assigning the Worker role to the RAM users. To revoke the operation permissions from the RAM users, you can use the following methods:
Method 1: Revoke the permissions from the Worker role.
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the CreateTable, CreateFunction, CreateInstance, and List permissions on the project. -- Revoke permissions that are granted by using ACL-based access control. revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker; -- Revoke permissions that are granted by using policy-based access control. revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
-- Go to the test_project_a project. use test_project_a; -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the CreateTable, CreateFunction, CreateInstance, and List permissions on the project. revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Grant the Download permission to a user by assigning a role to the user
Grant a role the Download permission by using the download control mechanism and then assign the role to a user.
For more information about how to grant the Download permission to a role, see Grant the Download permission to a role.
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. To grant the RAM users Allen, Alice, and Tom the permissions to download data from a specified table, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project.
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
-- Create a role named Worker.
create role Worker;
-- Grant the Worker role the required permissions.
grant download on table sale_detail to ROLE Worker;
-- Assign the Worker role to the RAM users.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;Revoke the Download permission that is granted by assigning a role to a user
You can revoke the permissions from a user in one of the following ways:
Revoke the permissions from a role
All users that are assigned the role no longer have the permissions of this role.
Revoke the role that is assigned to a user from the user
Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. You have granted the RAM users the permissions to download all table data by assigning the Worker role to the RAM users. To revoke the Download permission from the RAM users, you can use one of the following methods:
Method 1: Revoke the permissions from the Worker role.
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the Download permission. revoke Download on table sale_detail from ROLE Worker;Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
-- Go to the test_project_a project. use test_project_a; -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the Download permission. revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Grant the permissions to access highly sensitive data to a user by assigning a role to the user
Grant the permissions to a role by using label-based access control or policy-based access control and then assign the role to multiple users.
For more information about how to grant permissions to a role, see Grant the access permissions on data that has a high sensitivity level to a role.
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. The data access level of the RAM users Allen, Alice, and Tom is 2. To grant the permissions to access data whose sensitivity level is 4 in the destination table in the project to the RAM users, run the following commands:
-- Go to the test_project_a project.
use test_project_a;
-- Create a role named Worker.
create role Worker;
-- Grant the Worker role the required permissions.
grant Label 4 on table <table_name> to ROLE Worker; -- table_name is the name of the destination table.
-- Assign the Worker role to the RAM users.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;Revoke the permissions to access highly sensitive data from a user by assigning a role to the user
You can revoke the permissions from a user in one of the following ways:
Revoke the permissions from a role
All users that are assigned the role no longer have the permissions of this role.
Revoke the role that is assigned to a user from the user
Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. You have granted the RAM users the permissions to access data whose sensitivity level is 4 in all tables in the project. To revoke the permissions to access highly sensitive data from a user, you can use one of the following methods:
Method 1: Revoke the permissions from the Worker role.
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom can access only data whose sensitivity level is 2. revoke Label 4 on table * from ROLE Worker;Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
-- Go to the test_project_a project. use test_project_a; -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, the RAM user Allen can access only data whose sensitivity level is 2 and the RAM users Alice and Tom can still access data whose sensitivity level is 4. revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Directly grant permissions to a user
MaxCompute allows you to directly grant permissions to a user. The following table describes the common authorization scenarios.
For more information about how to add a user to a MaxCompute project, see User planning and management.
After a user is removed from a project, you need to revoke the residual permissions from the user. For more information, see Completely delete the residual permission information from a removed user.
Scenario | Method | Authorized by | Operation platform |
Grant the operation permissions on an object to a user | For more information, see the content of the Authorized by column in the Permission list section of Permissions on projects and objects in projects. | ||
Revoke the operation permissions on an object from a user | |||
Grant the Download permission to a user | |||
Revoke the Download permission from a user | |||
Grant the permissions to access highly sensitive data to a user | |||
Revoke the permissions to access highly sensitive data from a user |
Grant the operation permissions on an object to a user
Grant a user the operation permissions on a project, a table, a resource, a function, or an instance by using ACL-based access control.
Grant permissions on a specified project to a user
Syntax
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];Parameters
Parameter
Required
Description
project_name
Yes
The name of the project. To view the name of a MaxCompute project, log on to the MaxCompute console. In the top navigation bar, select a region. Then, view the name of the MaxCompute project on the Project management tab.
user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Grant permissions on a table to a user
Syntax
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];Parameters
Parameter
Required
Description
table_name
Yes
The name of the table or view. You can run the
show tables;command on the MaxCompute client to obtain the table or view name.user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Grant permissions on a resource to a user
Syntax
grant Read|Write|Delete|All on resource <resource_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];Parameters
Parameter
Required
Description
resource_name
Yes
Resource name: You can run the
list resources;command on the MaxCompute client to obtain the name of the resource.user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Grant permissions on a function to a user
Syntax
grant Read|Write|Delete|Execute|All on function <function_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];Parameters
Parameter
Required
Description
function_name
Yes
The name of the function. You can run the
list functions;command on the MaxCompute client to obtain the function name.user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Grant permissions on an instance to a user
Syntax
grant Read|Write|All on instance <instance_id> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];Parameters
Parameter
Required
Description
instance_id
Yes
The ID of the instance. You can run the
show instances;command on the MaxCompute client to obtain the ID of an instance.user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Examples
For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. RAM$5527xxxxxxxx5789:role/ram_role is the RAM role that belongs to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. The Alibaba Cloud account ALIYUN$5527xxxxxxxx5788 needs to be added to the test_project_a project.
Example 1: Grant the Alibaba Cloud account Kate@aliyun.com the permissions to create a table, a function, and an instance and query the list of all types of objects in a project. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. use test_project_a; -- Add the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788 to the test_project_a project. add user ALIYUN$5527xxxxxxxx5788; -- Use the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 to grant the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788 the required permissions on the project. grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user ALIYUN$5527xxxxxxxx5788;Example 2: Grant the RAM user Allen and the RAM role BI_Analyst the permissions to create a table, query the list of all types of objects in a project, and read metadata and table data on a table. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Add the RAM user Allen to the test_project_a project. add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649; -- Add the RAM role BI_Analyst to the test_project_a project. add user `RAM$5527xxxxxxxx5789:role/ram_role`; -- Grant the RAM user Allen the required permissions. grant CreateTable, List on project test_project_a to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649; grant Describe, Select on table sale_detail to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649; -- Grant the RAM role RAM$5527xxxxxxxx5789:role/ram_role the required permissions. grant CreateTable, List on project test_project_a to USER `RAM$5527xxxxxxxx5789:role/ram_role`; grant Describe, Select on table sale_detail to USER `RAM$5527xxxxxxxx5789:role/ram_role`;Example 3: Grant the RAM user Alice the permissions to read data from a resource and update a resource. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Add the RAM user Alice to the test_project_a project. add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1650; -- Grant the RAM user Alice the required permissions on a resource. grant Read, Write on resource udtf.jar to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1650;Example 4: Grant the RAM user Tom the permissions to read data from a function and update a function. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Add the RAM user Tom to the test_project_a project. add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651; -- Grant the RAM user Tom the required permissions on a function. grant Read, Write on function udf_test to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;Example 5: Grant the RAM user Tom all permissions on an instance. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Add the RAM user Tom to the test_project_a project. add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651; -- Grant the RAM user Tom the required permissions on a function. grant All on instance 202112300224**** to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;
Revoke the operation permissions on an object from a user
Revoke the operation permissions on a project, a table, a resource, a function, or an instance from a user.
Revoke permissions on a project from a user
Syntax
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from USER <user_name>;Parameters
Parameter
Required
Description
project_name
Yes
The name of the project. To view the name of a MaxCompute project, log on to the MaxCompute console. In the top navigation bar, select a region. Then, view the name of the MaxCompute project on the Project management tab.
user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Revoke permissions on a table from a user
Syntax
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from USER <user_name>;Parameters
Parameter
Required
Description
table_name
Yes
The name of the table or view. You can run the
show tables;command on the MaxCompute client to obtain the table or view name.user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Revoke permissions on a resource from a user
Syntax
revoke Read|Write|Delete|All on resource <resource_name> from USER <user_name>;Parameters
Parameter
Required
Description
resource_name
Yes
The name of the resource. You can run the
list resources;command on the MaxCompute client to obtain the name of the resource.user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Revoke permissions on a specified function from a user
Syntax
revoke Read|Write|Delete|Execute|All on function <function_name> from USER <user_name>;Parameters
Parameter
Required
Description
function_name
Yes
The name of the function. You can run the
list functions;command on the MaxCompute client to obtain the function name.user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Revoke permissions on an instance from a user
Syntax
revoke Read|Write|All on instance <instance_id> from USER <user_name>;Parameters
Parameter
Required
Description
instance_id
Yes
The ID of the instance. You can run the
show instances;command on the MaxCompute client to obtain the ID of an instance.user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.privilegeproperties
conditions
No
The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the
"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...format. For more information about the valid values of the var_name and Operation parameters, see Conditions.days
No
The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.
Examples
Revoke the operation permissions on an object from an Alibaba Cloud account and RAM users. Sample commands:
Example 1: Revoke the permissions to create a table, a function, and an instance and query the list of all types of objects in a project from the Alibaba Cloud account Kate@aliyun.com. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions on the project from the Alibaba Cloud account Kate@aliyun.com. revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user ALIYUN$5527xxxxxxxx5788;Example 2: Revoke the permissions to read metadata and table data on a table from the RAM user Allen. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions on the table from the RAM user Allen. revoke Describe, Select on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;Example 3: Revoke the permissions to read data from a resource and update a resource from the RAM user Alice. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions on the resource from the RAM user Alice. revoke Read, Write on resource udtf.jar from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;Example 4: Revoke the permissions to read data from a function and update a function from the RAM user Tom. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions on the instance from the RAM user Tom. revoke Read, Write on function udf_test from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;Example 5: Revoke all permissions on an instance from the RAM user Tom. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions on the instance from the RAM user Tom. revoke All on instance 202112300224**** from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
Grant the Download permission to a user
Grant a user the permissions to download table data, resources, functions, or instances.
Syntax
grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;Parameters
Parameter
Required
Description
object_name
Yes
The name of the object whose permissions are granted. You can obtain the object name by using one of the following methods:
The name of the table or view. You can run the
show tables;command on the MaxCompute client to obtain the table or view name.The name of the resource. You can run the
list resources;command on the MaxCompute client to obtain the name of the resource.The name of the function. You can run the
list functions;command on the MaxCompute client to obtain the function name.The name of the instance. You can run the
show instances;command on the MaxCompute client to obtain the ID of an instance. Instance names are the same as instance IDs in MaxCompute.
user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.Examples
Download control is enabled for the test_project_a project. To grant the RAM user Allen the permissions to download data from a specified table, run the following commands:
-- Go to the test_project_a project. use test_project_a; -- Grant the Download permission to the RAM user Allen. grant Download on table sale_detail to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Revoke the Download permission from a user
Revoke the permissions to download table data, resources, functions, or instances from a user.
Syntax
revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;Parameters
Parameter
Required
Description
object_name
Yes
The name of the object on which the permissions you want to revoke from a user. You can obtain the object name by using one of the following methods:
The name of the table or view. You can run the
show tables;command on the MaxCompute client to obtain the table or view name.The name of the resource. You can run the
list resources;command on the MaxCompute client to obtain the name of the resource.The name of the function. You can run the
list functions;command on the MaxCompute client to obtain the function name.The name of the instance. You can run the
show instances;command on the MaxCompute client to obtain the ID of an instance. Instance names are the same as instance IDs in MaxCompute.
user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.Examples
Revoke the permissions to download data from a specified table from the RAM user Allen. Sample commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions on the table from the RAM user Allen. revoke Download on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Grant the permissions to access highly sensitive data to a user
Grant the permissions to access highly sensitive data to a user by using label-based access control.
Syntax
grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];Parameters
Parameter
Required
Description
number
Yes
The highest sensitivity level of data that the users or roles can access.
The valid values range from 0 to 9 and correspond to sensitivity-level labels of data.
table_name
Yes
The name of the table or view.
You can run the
show tables;command on the MaxCompute client to obtain the name of the table or view.column_list
No
This parameter is required if you want to grant or revoke the permissions on a specific column in the table or view. You can specify multiple column names for a single authorization operation. Separate column names with commas (,).
user_name
Yes
The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.days
No
The duration in which permissions are valid. Unit: days. Valid values: 0 to 263 - 1. If you do not specify this parameter, the default expiration time is 180 days.
Examples
The data access level of the RAM user Allen is 2 in the test_project_a project. To grant the permissions to access data whose sensitivity level is 4 in the sale_detail table to the RAM user Allen, run the following commands:
-- Go to the test_project_a project. use test_project_a; -- Grant the RAM user Allen the required permissions. grant Label 4 on table sale_detail to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Revoke the permissions to access highly sensitive data from a user
Syntax
revoke Label <number> on table <table_name> [(<column_list>)] from USER <user_name>;Parameters
Parameter
Required
Description
number
Yes
The highest sensitivity level of data on which the access permissions you want to revoke from the users or roles.
The valid values range from 0 to 9 and correspond to sensitivity-level labels of data.
table_name
Yes
The name of the table or view on which the access permissions you want to revoke from the user.
You can run the
show tables;command on the MaxCompute client to obtain the name of the table or view.column_list
No
This parameter is required if you want to revoke the access permissions on a specified column in the table or view from a user or role. You can specify multiple column names for a single authorization operation. Separate column names with commas (,).
user_name
Yes
The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
You can run the
list users;command on the MaxCompute client to query the name of the user.Examples
To revoke the permissions to access data whose sensitivity level is 4 in the sale_detail table from the RAM user Allen, run the following commands:
-- Go to the test_project_a project. use test_project_a; -- Revoke the permissions from the RAM user Allen. revoke Label 4 on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Completely clear the residual permission information of a removed user
After a user is removed from a project, the permissions, such as ACL-based, label-based, and policy-based permissions, are retained in the project. If the removed user is added back to the project again, the user will have the original ACL-based, label-based, and policy-based permissions. If the user is removed by mistake and added back to the project, the user still has the original permissions. However, if the user is added back to the original project with a different role, the potential risk of data security may occur.
To prevent the potential risk, MaxCompute allows you to clear all permissions that are granted to a user. If a user is no longer in the project but still has ACL-based, label-based, and policy-based permissions, the project owner or a user that is assigned the Admin or Super_Administrator role can clear the residual permission information of the removed user. Sample command:
Syntax
purge privs from user <user_name>;Parameters
Parameter
Required
Description
user_name
Yes
The name of the user of which you want to completely delete the residual permission information. The user is removed from the MaxCompute project. The name of the user can be in one of the following formats:
Alibaba Cloud account: ALIYUN$<account_id>
RAM user: RAM$<account_id >:<RAM user ID>
RAM role: `RAM$<account_id>:role/<RAM role name>`
If the user is not removed from the project and you run the preceding command, the error message "Principal <username> still exist in the project" is returned. Therefore, you need to run the remove user <user_name> command to remove the user from the project before you completely clear the residual permission information of the user.
What to do next
After user authorization is complete, you can query permissions that are granted to users. For more information, see Query permissions.