This topic describes all permission management commands in a MaxCompute project. These commands cover user management, role management, user and role authorization, and permission queries.
Role management
Command
create role <role_name> [privilegeproperties("type"="admin|resource")];
Examples
Create a resource role named Worker. Sample statement:
create role Worker;
Create an administrator role named sale_admin. Sample statement:
create role sale_admin privilegeproperties("type"="admin");
View the role list
Command
list roles;
Delete a role
Command
drop role <role_name>;
Example
drop role Worker;
User management
Add a project-level Alibaba Cloud account
Command
Example
Remove a project-level Alibaba Cloud account
Command
Example
Command
Example
Remove a project-level RAM user
Command
Example
Command
Example
Remove a project-level RAM role
Command
remove user `RAM$<account_id>:role/<RAM role name>`;
Example
remove user ALIYUN$5527xxxxxxxx5788;
View the project-level user list
list users;
Role authorization
Grant a role operation permissions on an object
Grant a role permissions to operate on a project
Command
ACL-based access control
GRANT Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Example
-- ACL authorization.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Policy authorization.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant a role permissions to operate on a table
Command
ACL-based access control
GRANT Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Example
-- ACL authorization.
grant Describe, Select on table sale_detail to ROLE Worker;
-- Policy authorization.
grant Describe, Select on table sale_detail to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant a role permissions to operate on a model
Command
ACL authorization
GRANT Describe|Execute|Alter|Drop|All ON MODEL <model_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based authorization using ACL syntax
GRANT Describe|Execute|Alter|Drop|All ON MODEL <model_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Example
-- Enter the test_project_a project.
use test_project_a;
-- ACL authorization.
GRANT All ON MODEL my_model TO ROLE Worker;
-- Policy authorization using ACL syntax.
GRANT All ON MODEL my_model TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant a role permissions to operate on a resource
Command
ACL-based access control
GRANT Read|Write|Delete|All ON resource <resource_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|Delete|All ON resource <resource_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Example
-- ACL authorization.
grant Read, Write on resource udtf.jar to ROLE Worker;
-- Policy authorization.
grant Read, Write on resource udtf.jar to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant a role permissions to operate on a function
Command
GRANT Read|Write|Delete|Execute|All ON FUNCTION <function_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Example
-- ACL authorization.
grant Read, Write on function udf_test to ROLE Worker;
-- Policy authorization.
grant Read, Write on function udf_test to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant a role permissions to operate on an instance
Command
ACL-based access control
GRANT Read|Write|All ON instance <instance_id> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|All ON instance <instance_id> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Example
-- ACL authorization.
grant All on instance 202112300224**** to ROLE Worker;
-- Policy authorization.
grant All on instance 202112300224**** to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke operation permissions on an object from a role
Revoke permissions to operate on a project from a role
Command
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Example
-- Revoke ACL authorization.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke policy authorization.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke permissions to operate on a table from a role
Command
Revoke permissions that are granted by using ACL-based access control.
REVOKE Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Example
-- Revoke ACL authorization.
revoke Describe, Select on table sale_detail from ROLE Worker;
-- Revoke policy authorization.
revoke Describe, Select on table sale_detail from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke permissions to operate on a model from a role
Command
Revoke ACL authorization
REVOKE Describe|Execute|Alter|Drop|All ON MODEL <model_name> FROM ROLE <role_name>;
Revoke policy authorization
REVOKE Describe|Execute|Alter|Drop|All ON MODEL <model_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Example
-- Enter the test_project_a project.
use test_project_a;
-- Revoke ACL authorization.
REVOKE All ON MODEL my_model FROM ROLE Worker;
-- Revoke policy authorization.
REVOKE All ON MODEL my_model FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke permissions to operate on a resource from a role
Command
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|Delete|All ON resource <resource_name> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|Delete|All ON resource <resource_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Example
-- Revoke ACL authorization.
revoke Read, Write on resource udtf.jar from ROLE Worker;
-- Revoke policy authorization.
revoke Read, Write on resource udtf.jar from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke permissions to operate on a function from a role
Command
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|Delete|Execute|All ON FUNCTION <function_name> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|Delete|Execute|All ON FUNCTION <function_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Example
-- Revoke ACL authorization.
revoke Read, Write on function udf_test from ROLE Worker;
-- Revoke policy authorization.
revoke Read, Write on function udf_test from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke permissions to operate on an instance from a role
Command
REVOKE Read|Write|All ON instance <instance_id> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Example
-- Revoke ACL authorization.
revoke All on instance 202112300224**** from ROLE Worker;
-- Revoke policy authorization.
revoke All on instance 202112300224**** from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant a role the Download permission
Command
GRANT Download ON {Table|Resource|Function|Instance} <object_name> TO ROLE <role_name>;
Example
grant download on table sale_detail to ROLE Worker;
Revoke the Download permission from a role
Command
REVOKE Download ON {Table|Resource|Function|Instance} <object_name> FROM ROLE <role_name>;
Example
revoke download on table sale_detail from ROLE Worker;
Grant a role permissions to access highly sensitive data
Command
GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [WITH exp <days>];
Example
grant Label 4 on table sale_detail to ROLE Worker;
Revoke permissions to access highly sensitive data from a role
Command
REVOKE Label ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
Example
revoke Label on table sale_detail from ROLE Worker;
Assign a role to a user
Command
GRANT <role_name> TO <user_name>;
Example
grant Worker to ALIYUN$Ka**@aliyun.com;
grant Worker to RAM$Bo*@aliyun.com:Allen;
Revoke a role from a user
Command
REVOKE <role_name> FROM <user_name>;
Example
revoke Worker from ALIYUN$Ka**@aliyun.com;
revoke Worker from RAM$Bo*@aliyun.com:Allen;
User authorization
Grant a user operation permissions on an object
Grant a user permissions to operate on a project
Command
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Example
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user RAM$Ka**@aliyun.com:Lily;
Grant a user permissions to operate on a table
Command
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Example
grant Describe, Select on table sale_detail to USER RAM$Bo*@aliyun.com:Allen;
Grant a user permissions to operate on a resource
Command
grant Read|Write|Delete|All on resource <resource_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Example
grant Read, Write on resource udtf.jar to USER RAM$Bo*@aliyun.com:Alice;
Grant a user permissions to operate on a function
Command
grant Read|Write|Delete|Execute|All on function <function_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Example
grant Read, Write on function udf_test to USER RAM$Bo*@aliyun.com:Tom;
Grant a user permissions to operate on an instance
Command
grant Read|Write|All on instance <instance_id> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Example
grant All on instance 202112300224**** to USER RAM$Bo*@aliyun.com:Tom;
Revoke operation permissions on an object from a user
Revoke permissions to operate on a project from a user
Command
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from USER <user_name>;
Example
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user RAM$Ka**@aliyun.com:Lily;
Revoke permissions to operate on a table from a user
Command
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from USER <user_name>;
Example
revoke Describe, Select on table sale_detail from USER RAM$Bo*@aliyun.com:Allen;
Revoke permissions to operate on a resource from a user
Command
revoke Read|Write|Delete|All on resource <resource_name> from USER <user_name>;
Example
revoke Read, Write on resource udtf.jar from USER RAM$Bo*@aliyun.com:Alice;
Revoke permissions to operate on a function from a user
Command
revoke Read|Write|Delete|Execute|All on function <function_name> from USER <user_name>;
Example
revoke Read, Write on function udf_test from USER RAM$Bo*@aliyun.com:Tom;
Revoke permissions to operate on an instance from a user
Command
revoke Read|Write|All on instance <instance_id> from USER <user_name>;
Example
revoke All on instance 202112300224**** from USER RAM$Bo*@aliyun.com:Tom;
Grant a user operation permissions on an object by using a role
Command
For more information, see Grant a role operation permissions on an object and Assign a role to a user.
Example
-- Grant permissions to the Worker role.
-- ACL authorization.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Policy authorization.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Assign the Worker role to users.
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Revoke operation permissions on an object from a user by using a role
Command
For more information, see Revoke operation permissions on an object from a role or Revoke a role from a user.
Example
-- Revoke permissions from the Worker role.
-- Revoke ACL authorization.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke policy authorization.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Or
-- Revoke the Worker role from a user.
revoke Worker from RAM$Bo*@aliyun.com:Allen;
Grant a user the Download permission
Command
grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;
Example
grant Download on table sale_detail to USER RAM$Bo*@aliyun.com:Allen;
Revoke the Download permission from a user
Command
revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;
Example
revoke Download on table sale_detail from USER RAM$Bo*@aliyun.com:Allen;
Grant a user the Download permission by using a role
Command
For more information, see Grant a role the Download permission and Assign a role to a user.
Example
-- Create a role named Worker.
create role Worker;
-- Grant permissions to the Worker role.
grant download on table sale_detail to ROLE Worker;
-- Assign the Worker role to users.
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Revoke the Download permission from a user by using a role
Command
For more information, see Revoke the Download permission from a role or Revoke a role from a user.
Example
-- Revoke permissions from the Worker role.
revoke download on table sale_detail from ROLE Worker;
-- Or
-- Revoke the Worker role from a user.
revoke Worker from RAM$Bo*@aliyun.com:Allen;
Grant a user permissions to access highly sensitive data
Command
grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];
Example
grant Label 4 on table sale_detail to USER RAM$Bo*@aliyun.com:Allen;
Revoke permissions to access highly sensitive data from a user
Command
revoke Label on table <table_name> [(<column_list>)] from USER <user_name>;
Example
revoke Label on table sale_detail from USER RAM$Bo*@aliyun.com:Allen;
Grant a user permissions to access highly sensitive data by using a role
Command
For more information, see Grant a role permissions to access highly sensitive data and Assign a role to a user.
Example
-- Create a role named Worker.
create role Worker;
-- Grant permissions to the Worker role.
grant Label 4 on table * to ROLE Worker;
-- Assign the Worker role to users.
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Revoke permissions to access highly sensitive data from a user by using a role
Command
For more information, see Revoke permissions to access highly sensitive data from a role or Revoke a role from a user.
Example
-- Revoke permissions from the Worker role.
revoke Label on table * from ROLE Worker;
-- Or
-- Revoke the Worker role from a user.
revoke Worker from RAM$Bo*@aliyun.com:Allen;
Purge the residual permissions of a deleted user
Command
purge privs from user <user_name>;
Example
purge privs from user RAM$Bo*@aliyun.com:Allen;
Query permission information
Query the permissions of a specified role and information about the users to which the role is attached
For more information about how to query the permissions of a specified role and the users to which the role is attached, see Query the permissions of a specified role and information about the users to which the role is attached.
Command
describe role <role_name>;
Example
describe role Worker;
Query the permission information of a user
Query the permissions of the current user and the role that is attached to the user
Command
show grants;
Query the permissions of a specified user and the role that is attached to the user
Command
show grants for <user_name>;
Example
show grants for ALIYUN$Bo*@aliyun.com;
show grants for RAM$Bo*@aliyun.com:Allen;
Query the ACL authorization information of an object
For more information about how to query the ACL authorization of an object, see Query the ACL authorization information of a specified object.
Command
show acl for <object_name> [on type <object_type>];
Example
show acl for test_project_a on type project;
Query label-based permission information
Query all highly sensitive data tables that the current user can access
Command
show label grants;
Query highly sensitive data tables of a specified level that the current user can access
Command
show label <level> grants;
Example
show label 2 grants;
Query highly sensitive data tables that a specified user can access
Command
show label grants for user <user_name>;
Example
show label grants for user RAM$Bob@aliyun.com:Allen;
Query highly sensitive data tables of a specified level that a specified user can access
Command
show label <level> grants for user <user_name>;
Example
show label 3 grants for user RAM$Bob@aliyun.com:Allen;
Query users who can access a specified sensitive data table
Command
show label grants on table <table_name>;
Example
show label grants on table sale_detail;
Query users of a specified level who can access a specified sensitive data table
Command
show label <level> grants on table <table_name>;
Example
show label 4 grants on table sale_detail;
Query the permissions of a specified user on a specified sensitive data table
Command
show label [<label>] grants on table <table_name> for user <user_name>;
Example
show label grants on table sale_detail for user RAM$Bob@aliyun.com:Allen;
Query the sensitivity levels of all columns in a specified table
Command
describe <table_name>;
Example
describe sale_detail;
Query package authorization information
Query the authorizations of a specified package
Command
show acl for <project_name>.<package_name> on type package;
Example
show acl for test_project_b.datashare on type package;
Query the authorizations of a resource in a specified package
Command
show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
Example
show grants on Table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
Query the label-based authorizations of a table in a specified package
Command
show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
Example
show label grants on table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
View the security configurations of a project
Project data protection
Enable or disable the data protection mechanism for a project
set ProjectProtection=true|false;
View the security configurations of the project
show SecurityConfiguration;
The returned result contains ProjectProtection=true|false, where true indicates that project data protection is enabled and false indicates that it is disabled.
View added trusted projects
list trustedprojects;
LabelSecurity access control policy
Enable or disable the LabelSecurity access control policy
set LabelSecurity=true|false;
View the security configurations of the project
show SecurityConfiguration;
The returned result contains LabelSecurity=true|false, where true indicates that label-based access control is enabled for the project and false indicates that it is disabled.
Download permission control feature
Enable or disable the Download permission control feature
setproject odps.security.enabledownloadprivilege=true|false;
View project properties
setproject;
The returned result contains odps.security.enabledownloadprivilege = true|false, where true indicates that the Download permission control feature is enabled for the project and false indicates that it is disabled.
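The following is an added example and not part of the MaxCompute documentation: it combines the project-level safeguards in this section with the role, grant, query and offboarding commands from the earlier sections into one least-privilege setup, so that a reviewer can see how the pieces fit together. The project test_project_a, the sale_detail column names, the analyst role and the masked RAM user names are assumptions made for illustration.

```sql
-- Added example (not from the MaxCompute documentation).
-- Assumed: project test_project_a; table sale_detail with columns
-- cust_id, region, amount, card_no; RAM users Allen and Alice.
use test_project_a;

-- 1. Project baseline: keep data inside the project, enforce Label
--    grants, and require an explicit Download grant.
set ProjectProtection=true;
set LabelSecurity=true;
setproject odps.security.enabledownloadprivilege=true;
-- Every entry listed here is a permitted egress path; review it.
list trustedprojects;
show SecurityConfiguration;

-- 2. One role per job function rather than per-user grants, so that
--    offboarding a person is a single revoke.
create role analyst;

-- 3. Project level: only what is needed to run queries.
grant CreateInstance, List on project test_project_a to ROLE analyst;

-- 4. Table level, column-scoped, with a 30-day expiry so the grant
--    lapses unless it is deliberately renewed.
grant Describe on table sale_detail to ROLE analyst;
grant Select on table sale_detail(cust_id, region, amount) to ROLE analyst
  privilegeproperties("expires"="30");

-- 5. Explicit policy deny on the card number column. A deny policy is
--    evaluated ahead of allow grants, so a later over-broad Select on the
--    whole table does not silently expose this column.
grant Select on table sale_detail(card_no) to ROLE analyst
  privilegeproperties("policy"="true", "allow"="false");

-- 6. Sensitivity level no higher than the role needs, also time-boxed.
grant Label 2 on table sale_detail(amount) to ROLE analyst with exp 30;

-- 7. Attach people to the role.
grant analyst to RAM$Bo*@aliyun.com:Allen;
grant analyst to RAM$Bo*@aliyun.com:Alice;

-- 8. Verify the effective grants before handing over access.
describe role analyst;
show grants for RAM$Bo*@aliyun.com:Allen;
show acl for sale_detail on type table;
show label grants on table sale_detail;

-- 9. Offboarding: revoke the role, remove the user, then purge any
--    permission that was granted to the user directly so nothing
--    residual survives the removal.
revoke analyst from RAM$Bo*@aliyun.com:Allen;
remove user RAM$Bo*@aliyun.com:Allen;
purge privs from user RAM$Bo*@aliyun.com:Allen;
```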