
MaxCompute:Manage user permissions using commands

Last Updated:Mar 26, 2026

After adding a user to a MaxCompute project, grant the user the permissions needed to perform operations. MaxCompute supports two authorization approaches: assigning a project-level role to the user, or granting permissions directly to the user.

Prerequisites

Before you begin, ensure that you have added the user to the MaxCompute project. For details, see User planning and management.

Grant permissions by assigning a role

Assigning a project-level role is the recommended approach. After you assign a role to a user, the user inherits all permissions of that role. This lets you update or remove permissions for multiple users at once by modifying a single role.

Assign a role to a user

Syntax

grant <role_name> to <user_name>;

Required parameters

Parameter Description
role_name The name of the role to assign. Run list roles; on the MaxCompute client to list available roles.
user_name The name of the user. The user must already be added to the project. Supported formats: Alibaba Cloud account (ALIYUN$<account_id>), RAM user (RAM$<account_id>:<RAM user ID>), or RAM role (`RAM$<account_id>:role/<RAM role name>`). Run `list users;` on the MaxCompute client to list project members.

Usage notes

  • A role can be assigned to multiple users.

  • A user can hold multiple roles.

Example

Assign the Worker role to an Alibaba Cloud account, a RAM user, and a RAM role:

-- Switch to the project.
use test_project_a;
-- Assign the Worker role to an Alibaba Cloud account.
grant Worker to ALIYUN$5527xxxxxxxx5788;
-- Assign the Worker role to a RAM user.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Assign the Worker role to a RAM role.
grant Worker to `RAM$5527xxxxxxxx5788:role/ram_role`;

Revoke a role from a user

Syntax

revoke <role_name> from <user_name>;

Required parameters

Parameter Description
role_name The name of the role to revoke. Run list roles; on the MaxCompute client to list available roles.
user_name The name of the user. Supported formats: Alibaba Cloud account (ALIYUN$<account_id>), RAM user (RAM$<account_id>:<RAM user ID>), or RAM role (`RAM$<account_id>:role/<RAM role name>`). Run `list users;` on the MaxCompute client to list project members.

Usage notes

  • Revoking a role from a user removes all permissions that the user inherited through that role. Other users assigned the same role are not affected.

Example

Revoke the Worker role from an Alibaba Cloud account, a RAM user, and a RAM role:

-- Switch to the project.
use test_project_a;
-- Revoke the Worker role from an Alibaba Cloud account.
revoke Worker from ALIYUN$5527xxxxxxxx5788;
-- Revoke the Worker role from a RAM user.
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Revoke the Worker role from a RAM role.
revoke Worker from `RAM$5527xxxxxxxx5788:role/ram_role`;

Common role-based authorization scenarios

Scenario Approach
Grant object operation permissions to users via a role Grant permissions to the role using ACL-based access control or policy-based access control, then assign the role to users.
Grant download permissions to users via a role Grant the Download permission to the role using download control, then assign the role to users.
Grant access to sensitive data via a role Grant the label permission to the role using label-based access control, then assign the role to users.

Grant object operation permissions via a role

Grant permissions to a role using ACL-based access control or policy-based access control, then assign the role to multiple users.

For details on granting permissions to a role, see Grant operation permissions on an object to a role.

Example

The project owner (ALIYUN$5527xxxxxxxx5789) needs to grant RAM users Allen, Alice, and Tom permission to create tables, models, functions, and instances, and to view all object lists in test_project_a:

-- Switch to the project.
use test_project_a;
-- Add the RAM users to the project.
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
-- Create a role.
create role Worker;
-- Grant the role permissions using ACL-based access control (Method 1).
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Grant the role permissions using policy-based access control (Method 2).
grant CreateTable, CreateFunction, CreateInstance, List
      on project test_project_a
      to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Assign the role to all three users.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Revoke object operation permissions from a role-based user

Two approaches are available. Choose based on how many users are affected:

  • Revoke permissions from the role — all users assigned to the role lose those permissions immediately.

  • Revoke the role from a specific user — only that user loses the permissions; other users are not affected.

Example

Revoke the object operation permissions from Allen, Alice, and Tom (who hold the Worker role):

Method 1: Revoke permissions from the Worker role (affects all three users):

-- Switch to the project.
use test_project_a;
-- Revoke ACL-based permissions from the role.
revoke CreateTable, CreateModel, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke policy-based permissions from the role.
revoke CreateTable, CreateModel, CreateFunction, CreateInstance, List
      on project test_project_a
      from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Method 2: Revoke the Worker role from Allen only:

-- Switch to the project.
use test_project_a;
-- Revoke the role from Allen. Alice and Tom are not affected.
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Grant download permissions via a role

Grant the Download permission to a role using the download control mechanism, then assign the role to users.

For details on granting download permissions to a role, see Grant the Download permission to a role.

Example

Grant RAM users Allen, Alice, and Tom permission to download data from a specific table in test_project_a:

-- Switch to the project.
use test_project_a;
-- Add the RAM users to the project.
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
-- Create a role.
create role Worker;
-- Grant the role the Download permission on the table.
grant Download on table sale_detail to ROLE Worker;
-- Assign the role to all three users.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Revoke download permissions from a role-based user

Two approaches are available:

  • Revoke permissions from the role — all users assigned to the role lose those permissions.

  • Revoke the role from a specific user — only that user loses the permissions.

Example

Method 1: Revoke the Download permission from the Worker role (affects Allen, Alice, and Tom):

-- Switch to the project.
use test_project_a;
revoke Download on table sale_detail from ROLE Worker;

Method 2: Revoke the Worker role from Allen only:

-- Switch to the project.
use test_project_a;
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Grant access to sensitive data via a role

Grant a role access to labeled data using label-based access control or policy-based access control, then assign the role to users.

For details on granting label permissions to a role, see Grant permissions to access high-sensitivity data to a role.

Example

Allen, Alice, and Tom have a data access level of 2. Grant them access to data at sensitivity level 4 in test_project_a:

-- Switch to the project.
use test_project_a;
-- Create a role.
create role Worker;
-- Grant the role access to sensitivity level 4 data.
grant Label 4 on table <table_name> to ROLE Worker;
-- Assign the role to the users.
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Revoke access to sensitive data from a role-based user

Two approaches are available:

  • Revoke permissions from the role — all users assigned to the role lose access.

  • Revoke the role from a specific user — only that user loses access.

Example

Method 1: Revoke the label permission from the Worker role (Allen, Alice, and Tom revert to access level 2):

-- Switch to the project.
use test_project_a;
revoke Label on table <table_name> from ROLE Worker;

Method 2: Revoke the Worker role from Allen only (Alice and Tom retain access level 4):

-- Switch to the project.
use test_project_a;
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Grant permissions directly to a user

Grant permissions directly to a user when role-based authorization is not applicable.

After a user is removed from a project, residual permissions remain. Clear them using the purge privs command. For details, see Clear residual permissions from a removed user.

The following sections describe the commands available for direct authorization.

Grant object operation permissions to a user

Grant a user operation permissions on a project, table, model, resource, function, or instance using ACL-based access control.

For the required privilege per object, see the "Authorized by" column in Permissions on projects and objects in projects.

All grant commands in this section share the following optional parameters:

Optional parameters (applicable to all object types)

Parameter Description Default
conditions Restricts access by request source or access method. Format: "<var_name> <Operation> constant" and .... For supported values, see Conditions. No condition restrictions
expires Permission validity period in days. After this period, MaxCompute automatically removes the permission. Permanent

Grant permissions on a project

Syntax

grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
      on project <project_name>
      to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Required parameters

Parameter Description
project_name The project name. Find it on the Project management tab of the MaxCompute console after selecting a region.
user_name The user to grant permissions to. The user must already be added to the project. Supported formats: Alibaba Cloud account (ALIYUN$<account_id>), RAM user (RAM$<account_id>:<RAM user ID>), or RAM role (`RAM$<account_id>:role/<RAM role name>`).

Grant permissions on a table

Syntax

grant Describe|Select|Alter|Update|Drop|ShowHistory|All
      on table <table_name> [(<column_list>)]
      to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Required parameters

Parameter Description
table_name The table name. Run show tables; on the MaxCompute client to list tables.
user_name The user to grant permissions to. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Optional parameters

Parameter Description Default
column_list One or more column names, separated by commas. Specify to restrict permissions to specific columns. All columns

Grant permissions on a model

Syntax

grant Describe|Execute|Alter|Drop|All
      on MODEL <model_name>
      to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Required parameters

Parameter Description
model_name The model name. Run list models; on the MaxCompute client to list models.
user_name The user to grant permissions to. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Grant permissions on a resource

Syntax

grant Read|Write|Delete|All
      on resource <resource_name>
      to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Required parameters

Parameter Description
resource_name The resource name. Run list resources; on the MaxCompute client to list resources.
user_name The user to grant permissions to. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Grant permissions on a function

Syntax

grant Read|Write|Delete|Execute|All
      on function <function_name>
      to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Required parameters

Parameter Description
function_name The function name. Run list functions; on the MaxCompute client to list functions.
user_name The user to grant permissions to. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Grant permissions on an instance

Syntax

grant Read|Write|All
      on instance <instance_id>
      to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Required parameters

Parameter Description
instance_id The instance ID. Run show instances; on the MaxCompute client to list instances.
user_name The user to grant permissions to. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Examples

The following examples all use the test_project_a project, where ALIYUN$5527xxxxxxxx5789 is the project owner.

Example 1: Grant an Alibaba Cloud account permission to create tables, functions, and instances, and view all object lists in the project:

-- Switch to the project.
use test_project_a;
-- Add the Alibaba Cloud account to the project.
add user ALIYUN$5527xxxxxxxx5788;
-- Grant the required project-level permissions.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user ALIYUN$5527xxxxxxxx5788;

Example 2: Grant a RAM user and a RAM role permission to create tables and view all object lists in the project, plus read metadata and data from a specific table:

-- Switch to the project.
use test_project_a;
-- Add the RAM user and RAM role to the project.
add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649;
add user `RAM$5527xxxxxxxx5789:role/ram_role`;
-- Grant project-level permissions.
grant CreateTable, List on project test_project_a to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649;
grant CreateTable, List on project test_project_a to USER `RAM$5527xxxxxxxx5789:role/ram_role`;
-- Grant table-level permissions.
grant Describe, Select on table sale_detail to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649;
grant Describe, Select on table sale_detail to USER `RAM$5527xxxxxxxx5789:role/ram_role`;

Example 3: Grant a RAM user read and write access to a resource:

-- Switch to the project.
use test_project_a;
add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1650;
grant Read, Write on resource udtf.jar to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1650;

Example 4: Grant a RAM user read and write access to a function:

-- Switch to the project.
use test_project_a;
add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;
grant Read, Write on function udf_test to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;

Example 5: Grant a RAM user all permissions on an instance:

-- Switch to the project.
use test_project_a;
add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;
grant All on instance 202112300224**** to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;

Revoke object operation permissions from a user

Revoke a user's operation permissions on a project, table, model, resource, function, or instance.

For the required privilege per object, see the "Authorized by" column in Permissions on projects and objects in projects.

Revoke permissions on a project

Syntax

revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
      on project <project_name>
      from USER <user_name>;

Required parameters

Parameter Description
project_name The project name. Find it on the Project management tab of the MaxCompute console after selecting a region.
user_name The user to revoke permissions from. Supported formats: Alibaba Cloud account (ALIYUN$<account_id>), RAM user (RAM$<account_id>:<RAM user ID>), or RAM role (`RAM$<account_id>:role/<RAM role name>`).

Revoke permissions on a table

Syntax

revoke Describe|Select|Alter|Update|Drop|ShowHistory|All
      on table <table_name> [(<column_list>)]
      from USER <user_name>;

Required parameters

Parameter Description
table_name The table name. Run show tables; on the MaxCompute client to list tables.
user_name The user to revoke permissions from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Revoke permissions on a model

Syntax

revoke Describe|Execute|Alter|Drop|All
      on MODEL <model_name>
      from USER <user_name>;

Required parameters

Parameter Description
model_name The model name. Run list models; on the MaxCompute client to list models.
user_name The user to revoke permissions from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Revoke permissions on a resource

Syntax

revoke Read|Write|Delete|All
      on resource <resource_name>
      from USER <user_name>;

Required parameters

Parameter Description
resource_name The resource name. Run list resources; on the MaxCompute client to list resources.
user_name The user to revoke permissions from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Revoke permissions on a function

Syntax

revoke Read|Write|Delete|Execute|All
      on function <function_name>
      from USER <user_name>;

Required parameters

Parameter Description
function_name The function name. Run list functions; on the MaxCompute client to list functions.
user_name The user to revoke permissions from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Revoke permissions on an instance

Syntax

revoke Read|Write|All
      on instance <instance_id>
      from USER <user_name>;

Required parameters

Parameter Description
instance_id The instance ID. Run show instances; on the MaxCompute client to list instances.
user_name The user to revoke permissions from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Examples

Example 1: Revoke an Alibaba Cloud account's permission to create tables, functions, and instances and view all object lists in the project:

use test_project_a;
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user ALIYUN$5527xxxxxxxx5788;

Example 2: Revoke a RAM user's read and metadata access to a table:

use test_project_a;
revoke Describe, Select on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Example 3: Revoke a RAM user's read and write access to a resource:

use test_project_a;
revoke Read, Write on resource udtf.jar from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;

Example 4: Revoke a RAM user's read and write access to a function:

use test_project_a;
revoke Read, Write on function udf_test from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Example 5: Revoke all permissions on an instance from a RAM user:

use test_project_a;
revoke All on instance 202112300224**** from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Grant the Download permission to a user

Download control must be enabled for the project before granting download permissions.

Syntax

grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;

Required parameters

Parameter Description
object_name The name of the object. Run show tables;, list resources;, list functions;, or show instances; on the MaxCompute client to find the name.
user_name The user to grant the permission to. Supported formats: Alibaba Cloud account (ALIYUN$<account_id>), RAM user (RAM$<account_id>:<RAM user ID>), or RAM role (`RAM$<account_id>:role/<RAM role name>`).

Example

Grant a RAM user permission to download data from a specific table (download control must be enabled for the project):

use test_project_a;
grant Download on table sale_detail to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Revoke the Download permission from a user

Syntax

revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;

Required parameters

Parameter Description
object_name The name of the object. Run show tables;, list resources;, list functions;, or show instances; on the MaxCompute client to find the name.
user_name The user to revoke the permission from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Example

use test_project_a;
revoke Download on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Grant access to sensitive data to a user

Grant a user access to labeled data using label-based access control.

Syntax

grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];

Required parameters

Parameter Description
number The highest sensitivity level the user can access. Valid values: 0–9.
table_name The table or view name. Run show tables; on the MaxCompute client to list tables.
user_name The user to grant access to. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Optional parameters

Parameter Description Default
column_list One or more column names, separated by commas. Specify to restrict access to specific columns. All columns
days Permission validity period in days. Valid values: 0 to 2^63 - 1. 180 days

Example

RAM user Allen has a data access level of 2. Grant Allen access to data at sensitivity level 4 in the sale_detail table:

use test_project_a;
grant Label 4 on table sale_detail to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Revoke access to sensitive data from a user

Syntax

revoke Label <number> on table <table_name> [(<column_list>)] from USER <user_name>;

Required parameters

Parameter Description
number The sensitivity level to revoke. Valid values: 0–9.
table_name The table or view name.
user_name The user to revoke access from. Supported formats: Alibaba Cloud account, RAM user, or RAM role.

Optional parameters

Parameter Description Default
column_list One or more column names, separated by commas. Specify to revoke access for specific columns only. All columns

Example

Revoke Allen's access to sensitivity level 4 data in the sale_detail table:

use test_project_a;
revoke Label 4 on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Clear residual permissions from a removed user

When a user is removed from a project, their ACL-based, label-based, and policy-based permissions remain in the project. If the user is re-added later, they regain those permissions — which may create a data security risk if the user is re-added with a different intended role.

The project owner, or a user that is assigned the Admin or Super_Administrator role, can purge all residual permissions for a removed user.

Syntax

purge privs from user <user_name>;

Required parameters

Parameter Description
user_name The name of the removed user whose permissions to clear. Supported formats: Alibaba Cloud account (ALIYUN$<account_id>), RAM user (RAM$<account_id>:<RAM user ID>), or RAM role (`RAM$<account_id>:role/<RAM role name>`).

Running purge privs on a user who is still in the project returns the error "Principal <username> still exist in the project". First run remove user <user_name> to remove the user, then run purge privs.
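The two revocation methods for role-based users (revoke from the role versus revoke the role from one user) and the residual-permission caveat for removed users are easiest to reason about against a small model of the rules this page states. The following is an added example, not MaxCompute code or any Alibaba Cloud tool: it emulates project membership, role grants, direct grants, remove user and purge privs in memory, and the account IDs in it are constructed placeholders. It assumes that role assignments do not survive removal, which the page does not state.

```python
"""Added example (not MaxCompute code): an in-memory model of the authorization
rules this page describes. Account ids below are constructed placeholders."""
import re
from collections import defaultdict

# Principal formats listed on the page; backticks around a RAM role are accepted.
_PRINCIPAL = re.compile(r"^`?(ALIYUN\$\d+|RAM\$\d+:(?:\d+|role/[\w.-]+))`?$")


def principal_kind(name):
    """Return 'account', 'ram_user' or 'ram_role'; reject any other format."""
    m = _PRINCIPAL.match(name)
    if not m:
        raise ValueError(f"unsupported principal format: {name}")
    if m.group(1).startswith("ALIYUN$"):
        return "account"
    return "ram_role" if ":role/" in m.group(1) else "ram_user"


class Project:
    def __init__(self, name):
        self.name = name
        self.members = set()
        self.role_privs = defaultdict(set)    # role -> {(privilege, object)}
        self.role_members = defaultdict(set)  # role -> {user}
        self.direct = defaultdict(set)        # user -> {(privilege, object)}
    def _require_member(self, user):
        if user not in self.members:
            raise RuntimeError(f"{user} must be added to {self.name} first")
    def add_user(self, user):
        principal_kind(user)  # reject malformed names up front
        self.members.add(user)
    def remove_user(self, user):
        # Direct grants are deliberately kept: the page says they remain as
        # residual permissions. Model assumption: role assignments are dropped.
        self.members.discard(user)
        for users in self.role_members.values():
            users.discard(user)
    def purge_privs(self, user):
        if user in self.members:  # as on the page: purge only after remove user
            raise RuntimeError(f"Principal {user} still exist in the project")
        self.direct.pop(user, None)
    def grant_to_role(self, role, privs, obj):
        self.role_privs[role].update((p, obj) for p in privs)
    def revoke_from_role(self, role, privs, obj):
        self.role_privs[role].difference_update((p, obj) for p in privs)
    def grant_role(self, role, user):
        self._require_member(user)
        self.role_members[role].add(user)
    def revoke_role(self, role, user):
        self.role_members[role].discard(user)
    def grant_to_user(self, user, privs, obj):
        self._require_member(user)
        self.direct[user].update((p, obj) for p in privs)
    def effective(self, user):
        """Union of direct grants and all held roles; empty for non-members."""
        if user not in self.members:
            return frozenset()
        privs = set(self.direct[user])
        for role, users in self.role_members.items():
            if user in users:
                privs |= self.role_privs[role]
        return frozenset(privs)


ALLEN, ALICE = "RAM$111122223333:444455556661", "RAM$111122223333:444455556662"


def replay_page_flows():
    """Replay the page's Worker and residual-permission flows; returns what
    Allen (and Alice) can do at each decision point."""
    proj = Project("test_project_a")
    proj.grant_to_role("Worker", ["CreateTable", "List"], "project test_project_a")
    for u in (ALLEN, ALICE):
        proj.add_user(u)
        proj.grant_role("Worker", u)
    out = {}
    proj.revoke_role("Worker", ALLEN)  # Method 2: only Allen loses the role
    out["method2"] = (proj.effective(ALLEN), proj.effective(ALICE))
    proj.revoke_from_role("Worker", ["CreateTable", "List"], "project test_project_a")
    out["method1"] = (proj.effective(ALLEN), proj.effective(ALICE))
    proj.grant_to_user(ALLEN, ["Label 4"], "table sale_detail")
    proj.remove_user(ALLEN)
    proj.add_user(ALLEN)  # re-added without purge: the label grant is back
    out["readded_no_purge"] = proj.effective(ALLEN)
    proj.remove_user(ALLEN)
    proj.purge_privs(ALLEN)
    proj.add_user(ALLEN)
    out["readded_after_purge"] = proj.effective(ALLEN)
    return out
```

Replaying the flow shows the difference between the two methods directly: after Method 2 only Alice still holds the Worker privileges, after Method 1 nobody does, and a user re-added without purge privs silently regains the label grant.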

What's next

After granting permissions, verify what permissions a user holds. For details, see Query permissions.