A role is a set of permissions. You can use a role to grant the same set of permissions to multiple users. Role-based authorization helps simplify the authorization process and reduce permission management costs. If you want to grant the same set of permissions to multiple users, we recommend that you use role-based authorization. This topic describes the role types that are supported by MaxCompute and the operations that you can perform on different types of roles.
Background information
MaxCompute provides the following built-in tenant-level roles: Super_Administrator and Admin. MaxCompute also provides the following built-in project-level roles: Project Owner, Super_Administrator, and Admin.
In addition, MaxCompute allows you to create custom roles based on your business requirements, and classify and manage users based on roles.
The following table describes the role types that are supported by MaxCompute.
| Role type | Role name | Description |
|---|---|---|
| Tenant-level roles | Super_Administrator | A built-in administrator role that is provided by MaxCompute. This role has all the permissions that an Alibaba Cloud account has on MaxCompute, except for the permissions to create a project, delete a project, and activate the MaxCompute service. |
| Admin | A built-in administrator role that is provided by MaxCompute. This role has the permissions to manage all objects and network connections. | |
| Project-level roles | Project Owner | The owner of a project. After a user creates a MaxCompute project, the user becomes
the owner of the project and has all permissions on the project.
Only the owner of a project has the permissions to access objects in the project. Other users cannot access the objects in the project unless they are granted the required permissions by the project owner. |
| Super_Administrator | A built-in administrator role that is provided by MaxCompute. This role has the operation
permissions on all resources in a project and all management permissions. For more
information about the permissions of the Super_Administrator role, see Permissions of project-level administrator roles.
The project owner or users that are assigned the Super_Administrator role can assign the Super_Administrator role to other users. |
|
| Admin | A built-in administrator role that is provided by MaxCompute. This role has the operation
permissions on all resources in a project and some basic management permissions. For
more information about the permissions of the Admin role, see Permissions of project-level administrator roles.
The project owner can assign the Admin role to other users. A user that is assigned the Admin role cannot assign the Admin role to other users, configure security policies for the project, modify the authentication models of the project, or modify the permissions of the Admin role. |
|
| Custom role | A custom role of MaxCompute. |
The following table describes the role management operations that are supported by MaxCompute.
| Role type | Operation | Description | Performed by | Operation platform |
|---|---|---|---|---|
| Project-level roles | Create a project-level role | Create a project-level role. | A project owner or a user that is assigned a built-in project-level role | |
| Query the project-level roles | Query the roles in a project. | |||
| Drop a project-level role | Drop a role in a project. |
Permissions of project-level administrator roles
| Permission type | Object | Action | Description | Project Owner | Super_Administrator | Admin |
|---|---|---|---|---|---|---|
| Security configuration | Project | SetSecurityConfiguration | Configure security settings for a project. |  |
|
 |
| Project | GetSecurityConfiguration | Query the security settings of a project. | |
|
|
|
| Management of protected projects | Project | AddTrustedProject | Add a protected project. | |
|
|
| Project | RemoveTrustedProject | Remove a protected project. | |
|
|
|
| Project | ListTrustedProjects | Query protected projects. | |
|
|
|
| User management | Project | AddUser | Add a user. | |
|
|
| Project | RemoveUser | Remove a user. | |
|
|
|
| Project | ListUsers | Query users. | |
|
|
|
| Project | ListUserRoles | Query the roles that are assigned to a user. | |
|
|
|
| Role management | Project | CreateRole | Create a role. | |
|
|
| Project | DescribeRole | View the permissions of a role. | |
|
|
|
| Project | AlterRole | Modify the attributes of a role. | |
|
|
|
| Project | DropRole | Drop a role. | |
|
|
|
| Project | ListRoles | Query roles. | |
|
|
|
| Permission management by using a role | Role | GrantRole | Assign a role to a user. | |
|
|
| Role | RevokeRole | Revoke a role from a user. | |
|
|
|
| Role | ListRolePrincipals | Query the users that are assigned a specific role. | |
|
|
|
| Package management | Project | CreatePackage | Create a package. | |
|
|
| Project | ShowPackages | View packages. | |
|
|
|
| Package | DescribePackage | View the details of a package. | |
|
|
|
| Package | DropPackage | Drop a package. | |
|
|
|
| Package | InstallPackage | Install a package. | |
|
|
|
| Package | UninstallPackage | Uninstall a package. | |
|
|
|
| Package | AllowInstallPackage | Allow a package to be installed and used in other projects. | |
|
|
|
| Package | DisallowInstallPackage | Revoke the permissions for a package to be installed and used in other projects. | |
|
|
|
| Package | AddPackageResource | Add a resource to a package. | |
|
|
|
| Package | RemovePackageResource | Remove a resource from a package. | |
|
|
|
| Label management | Table | GrantLabel | Grant permissions to a role or user by using labels. | |
|
|
| Table | RevokeLabel | Revoke the permissions that are granted by using labels from a role or user. | |
|
|
|
| Table | ShowLabelGrants | Query the permissions that are granted to a role or user by using labels. | |
|
|
|
| Table | SetDataLabel | Configure labels for a role or user. | |
|
|
|
| Clearance of expired permissions | Project | ClearExpiredGrants | Clear permissions that expired. | |
|
|
indicates that the specified role has the permission, and indicates that the specified role does not have the permission.
Create a project-level role
You can create a role in a MaxCompute project.
- Syntax
create role <role_name>; - Parameter
Parameter Required Description role_name Yes The name of the role. The name must be unique within a project. When you specify a name for the role, take note of the following items: - The name must start with a letter.
- The name can contain only letters and digits.
- The name cannot exceed 64 characters in length.
You can run the
list roles;command on the MaxCompute client to query the existing roles in a project. - Example
Create a role named Worker. Sample command:
create role Worker;
Query the project-level roles
You can query the existing roles in a project.
- Syntax
list roles; - Example
Query the existing roles in a project. Sample command:
The following result is returned:list roles;admin super_administrator worker
Drop a project-level role
You can drop a role from a project.
- Syntax
drop role <role_name>; - Precautions
When you drop a role, MaxCompute checks whether the role is assigned to users. If the role is assigned to users, the role cannot be dropped. You can drop the role only after you revoke the role from all users that are assigned the role. For more information about how to revoke a role from a user, see Revoke a role from a user.
- Parameter
Parameter Required Description role_name Yes The name of the role that you want to drop. You can run the
list roles;command on the MaxCompute client to query the existing roles in a project. - Example
Drop the role Worker.
drop role Worker;
What to do next
After you plan and create a role, you can grant the required permissions to the role based on your business requirements. For more information, see Perform role-based access control.