A role is a named set of permissions. Instead of granting the same permissions to each user individually, you grant them once to a role and assign the role to every user who needs them. Role-based authorization simplifies authorization and reduces the cost of managing permissions, so we recommend it whenever several users need the same set of permissions. This topic describes the role types that are supported by MaxCompute and the operations that you can perform on each type of role.

Background

MaxCompute provides the following built-in tenant-level roles: Super_Administrator and Admin. MaxCompute also provides the following built-in project-level roles: Project Owner, Super_Administrator, and Admin.

In addition, MaxCompute allows you to create custom administrator roles and resource roles based on your business requirements, and to classify and manage users based on these roles. The two custom role types are deliberately separated:
  • Administrator role: holds management-related permissions (for example, user, role, and package management). Permissions can be granted to an administrator role only by using policies, not access control lists (ACLs). Resource-related permissions cannot be granted to an administrator role.
  • Resource role: holds resource-related permissions on objects such as tables and resources. Management-related permissions cannot be granted to a resource role.

The following list describes the role types that are supported by MaxCompute, grouped by role level.

Tenant level
  • Super_Administrator (administrator role): A built-in administrator role that is provided by MaxCompute. This role has all the permissions that an Alibaba Cloud account has on MaxCompute, except for the permissions to create a project, delete a project, and activate the MaxCompute service.
  • Admin (administrator role): A built-in administrator role that is provided by MaxCompute. This role has the permissions to manage all objects and network links.
  • Custom role (resource role): A custom role of MaxCompute. You can create a resource role and grant it permissions on object resources such as quotas, network links, and projects.

Project level
  • Project Owner (no role type): The owner of a project. After a user creates a MaxCompute project, the user becomes the owner of the project and has all permissions on the project.

    By default, only the owner of a project can access the objects in the project. Other users cannot access the objects in the project unless the project owner grants them the required permissions.

  • Super_Administrator (administrator role): A built-in administrator role that is provided by MaxCompute. This role has the operation permissions on all resources in a project and all management permissions. For more information about the permissions of the Super_Administrator role, see Permissions of project-level administrator roles.

    The project owner or a user that is assigned the Super_Administrator role can assign the Super_Administrator role to other users.

  • Admin (administrator role): A built-in administrator role that is provided by MaxCompute. This role has the operation permissions on all resources in a project and some basic management permissions. For more information about the permissions of the Admin role, see Permissions of project-level administrator roles.

    Only the project owner can assign the Admin role to other users. A user that is assigned the Admin role cannot assign the Admin role to other users, configure security policies for the project, modify the authentication models of the project, or modify the permissions of the Admin role.

  • Custom role (administrator role or resource role): A custom role of MaxCompute. You can create an administrator role and grant it management permissions on a project, or create a resource role and grant it permissions on object resources in the project.

The following list describes the project-level role management operations that are supported by MaxCompute. Each operation can be performed by the project owner or by a user that is assigned a built-in project-level role.
  • Create a project-level role: Create a role in a project.
  • Query project-level roles: Query the roles in a project.
  • Drop a project-level role: Drop a role from a project.

Permissions of project-level administrator roles

The following table describes the permissions of project-level administrator roles. Yes indicates that the role has the permission, and No indicates that it does not.

Permission type | Object | Operation | Description | Project owner | Super_Administrator | Admin
Project security configuration | Project | SetSecurityConfiguration | Configure security settings for a project. | Yes | Yes | No
Project security configuration | Project | GetSecurityConfiguration | Query the security settings of a project. | Yes | Yes | Yes
Management of trusted projects | Project | AddTrustedProject | Add a trusted project. | Yes | Yes | No
Management of trusted projects | Project | RemoveTrustedProject | Remove a trusted project. | Yes | Yes | No
Management of trusted projects | Project | ListTrustedProjects | Query trusted projects. | Yes | Yes | Yes
User management | Project | AddUser | Add a user. | Yes | Yes | Yes
User management | Project | RemoveUser | Remove a user. | Yes | Yes | Yes
User management | Project | ListUsers | Query users. | Yes | Yes | Yes
User management | Project | ListUserRoles | Query the roles that are assigned to a user. | Yes | Yes | Yes
Role management | Project | CreateRole | Create a role. | Yes | Yes | Yes
Role management | Project | DescribeRole | View the permissions of a role. | Yes | Yes | Yes
Role management | Project | AlterRole | Modify the attributes of a role. | Yes | Yes | Yes
Role management | Project | DropRole | Drop a role. | Yes | Yes | Yes
Role management | Project | ListRoles | Query roles. | Yes | Yes | Yes
Permission management by using a role | Role | GrantRole | Assign a role to a user. | Yes | Yes | Yes
Permission management by using a role | Role | RevokeRole | Revoke a role from a user. | Yes | Yes | Yes
Permission management by using a role | Role | ListRolePrincipals | Query the users that are assigned a specific role. | Yes | Yes | Yes
Package management | Project | CreatePackage | Create a package. | Yes | Yes | No
Package management | Project | ShowPackages | View packages. | Yes | Yes | No
Package management | Package | DescribePackage | View the details of a package. | Yes | Yes | Yes
Package management | Package | DropPackage | Drop a package. | Yes | Yes | No
Package management | Package | InstallPackage | Install a package. | Yes | Yes | Yes
Package management | Package | UninstallPackage | Uninstall a package. | Yes | Yes | Yes
Package management | Package | AllowInstallPackage | Allow a package to be installed and used in other projects. | Yes | Yes | No
Package management | Package | DisallowInstallPackage | Revoke the permission for a package to be installed and used in other projects. | Yes | Yes | No
Package management | Package | AddPackageResource | Add a resource to a package. | Yes | Yes | No
Package management | Package | RemovePackageResource | Remove a resource from a package. | Yes | Yes | No
Label management | Table | GrantLabel | Grant permissions to a role or user by using labels. | Yes | Yes | Yes
Label management | Table | RevokeLabel | Revoke the permissions that were granted to a role or user by using labels. | Yes | Yes | Yes
Label management | Table | ShowLabelGrants | Query the permissions that are granted to a role or user by using labels. | Yes | Yes | Yes
Label management | Table | SetDataLabel | Configure labels for a role or user. | Yes | Yes | Yes
Clearance of expired permissions | Project | ClearExpiredGrants | Clear expired permissions. | Yes | Yes | Yes

Note The No cells mark the boundary between the two built-in administrator roles: project security configuration, trusted-project management, and the creation, publication, and modification of packages are reserved for the project owner and Super_Administrator. Admin can still add users, create roles, and assign any role it is allowed to assign, so it should be granted only to users who are trusted to manage membership of the project.

Create a project-level role

You can create a role in a MaxCompute project.

  • Syntax
    create role <role_name> [privilegeproperties("type"="admin|resource")];
  • Parameters
    Parameter Required Description
    role_name Yes The name of the role that you want to create. The name must be unique within a project. When you specify a name for the role, take note of the following items:
    • The name must start with a letter.
    • The name can contain only letters, digits, and underscores (_), as in the sale_admin and super_administrator roles shown on this page.
    • The name must be 1 to 64 characters in length.

    You can run the list roles; command on the MaxCompute client to query the existing roles in a project.

    privilegeproperties No The type of the role that you want to create.
    • "type"="admin": An administrator role is created. You can grant permissions to this type of role only by using policies.
    • "type"="resource": A resource role is created. If you do not specify this parameter, a resource role is created by default. You can grant permissions to resource roles by using ACLs or policies.
  • Examples
    • Create a resource role named Worker. Because privilegeproperties is omitted, a resource role is created. Sample statement:
      create role Worker;
    • Create an administrator role named sale_admin. Sample statement:
      create role sale_admin privilegeproperties("type"="admin");

Query project-level roles

You can query the existing roles in a MaxCompute project.

  • Syntax
    list roles;
  • Example
    Query the existing roles in a MaxCompute project. Sample statement:
    list roles;
    The following result is returned:
    admin
    super_administrator
    worker
    The two built-in project-level roles are always listed. The Worker role that was created in the preceding section appears as worker: role names are not case-sensitive, and they are listed in lowercase.

Drop a project-level role

You can drop a role from a MaxCompute project.

  • Syntax
    drop role <role_name>;
  • Usage notes

    When you drop a role, MaxCompute checks whether the role is still assigned to any user. If it is, the drop fails and the role is kept. You can drop the role only after you revoke it from every user that is assigned the role. For more information about how to revoke a role from a user, see Revoke a role from a user.

  • Parameters
    Parameter Required Description
    role_name Yes The name of the role that you want to drop.

    You can run the list roles; command on the MaxCompute client to query the existing roles in a project.

  • Example
    Drop the Worker role.
    drop role Worker;
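The following script ties the sections above together: it creates one role of each custom type (Background), grants permissions in the way each type allows, assigns the role to a user, queries the result, and walks through the drop check from the preceding section. It is an added example for the MaxCompute client and is not part of the original page. The project name sales_dw, the table orders, the user RAM$example_account:analyst_bob, and the policy file path are constructed placeholders; the grant, add user, describe role, and revoke statements come from MaxCompute's access control documentation rather than from this page.

```sql
-- Added example for the MaxCompute client (odpscmd); not from the original page.
-- Placeholders (constructed): project sales_dw, table orders,
-- user RAM$example_account:analyst_bob, policy file path.
use sales_dw;

-- 1. Resource role. "type"="resource" is the default, so privilegeproperties is omitted.
--    Resource roles accept ACL grants on objects such as tables.
create role data_reader;
grant Describe, Select on table orders to role data_reader;

-- 2. Administrator role. Only policies may be attached; an ACL grant on a table
--    is not permitted for this role type (see Background).
create role sales_admin privilegeproperties("type"="admin");
-- put policy /home/admin/sales_admin_policy.json on role sales_admin;
--   (policy-based grant; the JSON policy file is out of scope of this page, so the
--    statement is left commented out and the path is a placeholder)

-- 3. Assign the resource role. The user must already be a member of the project.
add user RAM$example_account:analyst_bob;
grant data_reader to RAM$example_account:analyst_bob;

-- 4. Verify. list roles now includes data_reader and sales_admin next to the
--    built-in admin and super_administrator (all names are listed in lowercase).
list roles;
-- describe role shows the role's grants and the principals that hold it, which is
-- the check to run before attempting a drop.
describe role data_reader;

-- 5. Drop. While analyst_bob still holds data_reader, "drop role data_reader;"
--    is rejected. Revoke the assignment first, then drop both roles.
revoke data_reader from RAM$example_account:analyst_bob;
drop role data_reader;
drop role sales_admin;
```

Running the script as the project owner or a Super_Administrator exercises every row of the role management and role-based permission management groups in the permissions table; an Admin user can run all of it as well, since CreateRole, GrantRole, RevokeRole, and DropRole are marked Yes for Admin.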

What to do next

After you plan and create a role, you can grant the required permissions to the role based on your business requirements. For more information, see Perform role-based access control.