A role is a set of defined access permissions. It can be used to grant the same set of permissions to a group of users. Role-based authorization greatly simplifies the authorization process and reduces authorization management costs. We recommend that you use role-based authorization to grant permissions to users.

For more information about the permissions of roles specified by MaxCompute, see View permissions of a specified role.

MaxCompute roles have a one-to-one mapping with the member roles in DataWorks. For more information about the member roles in DataWorks and their permissions, see Manage members and roles.

Create a RAM role

When you create a project, the system automatically creates an Admin role for the project and grants the default permissions to the role. The default permissions include access to all objects in the project and management of all users or roles and their permissions in this project.

The Admin role cannot assign its permissions to users, configure security policies for the project, modify the authentication model of the project, or modify its permissions.

  • Syntax
    create role <role_name>;
  • Parameter

    role_name: required. The name of the role that you want to create.

  • Example
    -- Create a role named player.
    create role player;

Grant permissions to a role

After you grant permissions to a role, all users who are assigned this role are granted the same permissions. The authorization method of roles is similar to that of users. For more information about the syntax and parameter descriptions, see Authorize users.


Jack is the administrator of the prj1 project. Users Alice, Bob, and Charlie need to be added to the project as data reviewers. Data reviewers require the permissions to view table lists, submit jobs, and read data from the userprofile table. The administrator can execute the following statements to add the users to the project and grant them the required permissions:
-- Access the prj1 project. 
use prj1;
-- Add the users to the project. 
add user aliyun$alice@aliyun.com; 
add user aliyun$bob@aliyun.com;
add user aliyun$charlie@aliyun.com;
-- Create a role named tableviewer. 
create role tableviewer;
-- Grant the required permissions to the role.  
grant List, CreateInstance on project prj1 to role tableviewer; 
grant Describe, Select on table userprofile to role tableviewer;
-- Assign the role tableviewer to the added users. 
grant tableviewer to aliyun$alice@aliyun.com; 
grant tableviewer to aliyun$bob@aliyun.com;
grant tableviewer to aliyun$charlie@aliyun.com;

Assign a role to a user

One user can have multiple roles, and multiple users can belong to the same role.

  • Syntax
    grant <role_name> to <full_username>;
  • Parameters
    • role_name: required. The name of the RAM role.
    • full_username: required. The name of the user to which the RAM role is assigned.
  • Example
    Assign the player role to bob@aliyun.com.
    grant player to bob@aliyun.com;

Revoke the role granted to a user

  • Syntax
    revoke <role_name> from <full_username>;
  • Parameters
    • role_name: required. The name of the RAM role.
    • full_username: required. The name of the user from which you want to revoke the RAM role.
  • Example
    Revoke the player role from bob@aliyun.com.
    revoke player from bob@aliyun.com;

Delete a role

  • Syntax
    drop role <role_name>;
  • Parameter

    role_name: the name of the role that you want to delete.

  • Example
    Delete the player role.
    drop role player;
    Note When you delete a role, MaxCompute checks whether the role is assigned to users. If the role is assigned to users, it cannot be deleted. To delete the role, you must first revoke the role from the users.