MaxCompute supports fine-grained access control on projects, quotas, network connections, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures object security. This topic describes the permissions that are supported in MaxCompute.

Background information

The following table describes the elements that are involved in authorization operations.

Permission element: Subject
Description: The user or role to which you want to grant permissions. Take note of the following points:
  • Before you grant permissions to a user or role in a MaxCompute project, make sure that the user or role has been added to the MaxCompute project.
  • If you use an Alibaba Cloud account to perform authorization operations, you can grant permissions to the RAM users of that Alibaba Cloud account and to other Alibaba Cloud accounts.
  • If you use a RAM user to perform authorization operations, you can grant permissions only to other RAM users that belong to the same Alibaba Cloud account.
Note A user who performs authorization operations is called an authorizer. An authorizer can perform authorization operations only if the authorizer has the capability to grant permissions on the objects and actions in question.

Permission element: Object
Description: An object in a MaxCompute tenant:
  • Network link: a network connection. The virtual private cloud (VPC) connection scheme is used to establish network connections in most scenarios. For more information about the VPC connection scheme, see VPC connection scheme.
  • Quota: a computing resource queue.
An object or behavior in a MaxCompute project:
  • Objects
    • Projects: the MaxCompute projects.
    • Tables: the tables or views in a MaxCompute project.

      In a MaxCompute project, a view is a virtual table, and the permission rules of tables also apply to views. If the user that creates a view does not have the Select permission on the table that the view references, the user cannot use the view.

    • Functions: the user-defined functions (UDFs) in a MaxCompute project.
    • Resources: the resources that are uploaded to a MaxCompute project, such as JAR and ZIP files.
    • Instances: the instances that are generated when a job is run in a MaxCompute project.
  • Behavior: operations on the preceding objects, such as Tunnel downloads, access to sensitive data by label, and packaging for cross-project access (see the Behavior table later in this topic).

Permission element: Actions
Description: The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.

Permissions on objects in a tenant

The following table describes the permission relationships of objects in a MaxCompute tenant.
| Object | Action | Description | Authorized by | Authorization method |
| --- | --- | --- | --- | --- |
| Network link | List | Allows you to view all types of network connections. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to roles: Policy-based access control. |
| Network link | Create | Allows you to create a network connection in a MaxCompute tenant. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to roles: Policy-based access control. |
| Network link | Describe | Allows you to read the metadata of a network connection in a MaxCompute tenant. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to roles: Policy-based access control. |
| Network link | Drop | Allows you to delete a network connection. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to roles: Policy-based access control. |
| Network link | All | Allows you to perform all the preceding operations on network connections. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to roles: Policy-based access control. |
| Quota | Usage | Allows you to use quotas. | Project owner; users assigned with the Super_Administrator or Admin role | |

Permissions on projects and objects in projects

This section describes the permissions supported by MaxCompute projects and objects in MaxCompute projects.
  • Objects

    The following table describes the permission relationships of MaxCompute projects and permission relationships of objects in MaxCompute projects.

    | Object | Action | Description | Authorized by | Authorization method |
    | --- | --- | --- | --- | --- |
    | Project | Read | Allows you to view information about a project, excluding objects in the project. | Project owner | Not supported |
    | Project | Write | Allows you to update information about a project, excluding objects in the project. | Project owner | Not supported |
    | Project | List | Allows you to query all types of objects in a project. For example, you can run the show tables; or show functions; command to query tables or functions. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Project | CreateTable | Allows you to create a table in a project. For example, you can run the create table <table_name>...; command to create a table. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Project | CreateInstance | Allows you to create an instance in a project. When you run jobs, instances are created. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Project | CreateFunction | Allows you to create a function in a project. For example, you can run the create function <function_name> ...; command to create a function. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Project | CreateResource | Allows you to add a resource to a project. For example, you can run the add file\|archive\|py\|jar <local_file>... ; or add table <table_name> ...; command to add a resource. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Project | All | Allows you to perform all the preceding operations on a project. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Table | Describe | Allows you to read the metadata of a table, including the table structure, creation time, modification time, and table data size. For example, you can run the desc <table_name>; command to read the metadata of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Table | Select | Allows you to query the data of a table. For example, you can run the select * from <table_name>; command to query the data of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Table | Alter | Allows you to modify the metadata of a table. You can change the owner of a table, the name of a table, or the name of a column, and add or delete partitions. For example, you can run the alter table <table_name> add if not exists partition ...; command to modify the metadata of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Table | Update | Allows you to update the data of a table. For example, you can run the insert into\|overwrite table <table_name> ...;, update <table_name> set ...;, or delete from <table_name> where ...; command to update the data of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Table | Drop | Allows you to drop a table. For example, you can run the drop table <table_name>; command to drop a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Table | ShowHistory | Allows you to query the backup data of a table. For example, you can run the show history for table <table_name>; command to query the backup data of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Table | All | Allows you to perform all the preceding operations on a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | |
    | Function | Read | Allows you to read the program file in which a MaxCompute UDF is called. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Function | Write | Allows you to update a UDF. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Function | Delete | Allows you to delete a UDF. For example, you can run the drop function <function_name>; command to delete a UDF. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Function | Execute | Allows you to call a UDF. For example, you can run the select <function_name> from ...; command to call a UDF. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Function | All | Allows you to perform all the preceding operations on a function. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Resource | Read | Allows you to read a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Resource | Write | Allows you to update a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Resource | Delete | Allows you to delete a resource. For example, you can run the drop resource <resource_name>; command to delete a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Resource | All | Allows you to perform all the preceding operations on a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | |
    | Instance | Read | Allows you to read an instance. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Instance | Write | Allows you to update an instance. | Project owner; users assigned with the Super_Administrator or Admin role | |
    | Instance | All | Allows you to perform all the preceding operations on an instance. | Project owner; users assigned with the Super_Administrator or Admin role | |
    Note The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project.

    If you separately use the Select, Alter, Update, or Drop permission on tables in a project and you do not have the CreateInstance permission on the project, the operations on the tables cannot be performed. For example, if you query data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.

  • Behavior

    The following table describes the permission relationships of behavior on objects in a MaxCompute project.

    | Object | Action | Description | Authorized by | Authorization method |
    | --- | --- | --- | --- | --- |
    | Tables, functions, resources, and instances | Download | Allows you to use Tunnel commands to download table data, resources, functions, or instances. | Project owner; users assigned with the Super_Administrator role | Download control |
    | Label | N/A | Allows you to read sensitive data at the column level. | Project owner; users assigned with the Admin role | Label-based access control |
    | Package | Read | Allows you to package the objects and the allowed operation permissions on those objects in a project, and use the generated package to support cross-project authorization. | Project owner; users assigned with the Admin role | Cross-project resource access based on packages |
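The note above about the CreateInstance permission is the rule that most often surprises users who are granted Select on a table and still cannot query it. The following Python model of that rule is an added example, not MaxCompute code or its SDK; the Grants structure, project and table names (prj_a, prj_b, orders), and the check functions are constructed for illustration.

```python
from dataclasses import dataclass, field

# Table actions that the note above says must be paired with CreateInstance on
# the project the job runs in. CreateTable on a project has the same requirement.
TABLE_ACTIONS_NEEDING_INSTANCE = {"Select", "Alter", "Update", "Drop"}
PROJECT_ACTIONS_NEEDING_INSTANCE = {"CreateTable"}


@dataclass
class Grants:
    """Permissions held by one user (constructed data, not read from MaxCompute).

    project_grants: project name    -> set of project actions, e.g. {"CreateInstance"}
    table_grants:   "project.table" -> set of table actions, e.g. {"Select", "Describe"}
    """
    project_grants: dict = field(default_factory=dict)
    table_grants: dict = field(default_factory=dict)

    def has_project(self, project, action):
        acts = self.project_grants.get(project, set())
        return action in acts or "All" in acts

    def has_table(self, project, table, action):
        acts = self.table_grants.get(f"{project}.{table}", set())
        return action in acts or "All" in acts


def check_table_action(grants, executing_project, table_project, table, action):
    """Return (allowed, reason) for running `action` on table_project.table
    from a job submitted in executing_project."""
    if not grants.has_table(table_project, table, action):
        return False, f"missing {action} on {table_project}.{table}"
    if action in TABLE_ACTIONS_NEEDING_INSTANCE and not grants.has_project(
        executing_project, "CreateInstance"
    ):
        # The table grant alone is not enough: the query runs as an instance
        # in executing_project, so CreateInstance there is required as well.
        return False, f"{action} also needs CreateInstance on {executing_project}"
    return True, "ok"


def check_project_action(grants, project, action):
    """Same rule for project-level actions (CreateTable needs CreateInstance too)."""
    if not grants.has_project(project, action):
        return False, f"missing {action} on {project}"
    if action in PROJECT_ACTIONS_NEEDING_INSTANCE and not grants.has_project(
        project, "CreateInstance"
    ):
        return False, f"{action} also needs CreateInstance on {project}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario from the note: query prj_b.orders from a job in prj_a.
    user = Grants(
        project_grants={"prj_b": {"CreateInstance"}},  # instance right on the wrong project
        table_grants={"prj_b.orders": {"Select"}},
    )
    print(check_table_action(user, "prj_a", "prj_b", "orders", "Select"))
    user.project_grants["prj_a"] = {"CreateInstance"}
    print(check_table_action(user, "prj_a", "prj_b", "orders", "Select"))
```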

Permissions on project management

  • The following table describes the operations that you can perform to configure MaxCompute management permissions.

    | Permission type | Action | Description |
    | --- | --- | --- |
    | Project security configurations | SetSecurityConfiguration | Allows you to set security configurations for a project. |
    | Project security configurations | GetSecurityConfiguration | Allows you to view the security configurations of a project. |
    | Project security configurations | SetProperty | Allows you to configure an IP address whitelist for a project. |
    | Policy management | PutPolicy | Allows you to update a policy. |
    | Policy management | GetPolicy | Allows you to view policy information. |
    | Policy management | AddPolicyStatments | Allows you to add policy statements. |
    | Policy management | RemovePolicyStatments | Allows you to remove policy statements. |
    | Account provider management | AddAccountProviders | Allows you to add an account provider. |
    | Account provider management | RemoveAccountProviders | Allows you to remove an account provider. |
    | Account provider management | ListAccountProviders | Allows you to view all account providers. |
    | Management of trusted projects | AddTrustedProjects | Allows you to add trusted projects. |
    | Management of trusted projects | RemoveTrustedProjects | Allows you to remove trusted projects. |
    | Management of trusted projects | ListTrustedProjects | Allows you to view all trusted projects. |
    | Principal management | AddUser | Allows you to add a user. |
    | Principal management | RemoveUser | Allows you to remove a user. |
    | Principal management | ListUsers | Allows you to view all users. |
    | Principal management | ListUserRoles | Allows you to view the roles assigned to a user. |
    | Principal management | AddGroup | Allows you to add a group. |
    | Principal management | RemoveGroup | Allows you to remove a group. |
    | Principal management | ListGroups | Allows you to view all groups. |
    | Principal management | ListGroupRoles | Allows you to view the roles in a group. |
    | Role management | CreateRole | Allows you to create a role. |
    | Role management | DescribeRole | Allows you to query information about a role. |
    | Role management | AlterRole | Allows you to modify the properties of a role. |
    | Role management | DropRole | Allows you to drop a role. |
    | Role management | ListRoles | Allows you to view all roles. |
    | Role authorization | GrantRole | Allows you to assign a role to a user. |
    | Role authorization | RevokeRole | Allows you to revoke a role from a user. |
    | Role authorization | ListRolePrincipals | Allows you to view the users to which a role is assigned. |
    | Package management | CreatePackage | Allows you to create a package. |
    | Package management | DescribePackage | Allows you to view information about a package. |
    | Package management | DropPackage | Allows you to delete a package. |
    | Package management | ShowPackages | Allows you to view all packages. |
    | Package management | InstallPackage | Allows you to install a package. |
    | Package management | UninstallPackage | Allows you to uninstall a package. |
    | Package management | AllowInstallPackage | Allows you to grant the permissions on a package to other projects. |
    | Package management | DisallowInstallPackage | Allows you to revoke the permissions on a package from other projects. |
    | Package management | AddPackageResource | Allows you to add a resource to a package. |
    | Package management | RemovePackageResource | Allows you to remove a resource from a package. |
    | Label-based access control | GrantLabel | Allows you to enable label-based authorization. |
    | Label-based access control | RevokeLabel | Allows you to disable label-based authorization. |
    | Label-based access control | ShowLabelGrants | Allows you to view information about the access level of a user or role. |
    | Label-based access control | SetDataLabel | Allows you to set access levels for users, user groups, or roles. |
    | ACL-based access control | GrantPrivs | Allows you to grant permissions based on the access control list (ACL). |
    | ACL-based access control | RevokePrivs | Allows you to revoke permissions that were granted based on the ACL. |
    | ACL-based access control | ShowAclGrants | Allows you to view permissions that were granted based on the ACL. |
    | Clearance of expired permissions | ClearExpiredGrants | Allows you to clear the configurations of expired permissions. |
  • The following table describes the resource URIs of management permissions.
    Note In the following resource URIs, the acs:odps:*:projects/<project_name>/ part is omitted, and only the part that follows <project_name>/ is provided.

    | Permission resource category | Resource URI | Description |
    | --- | --- | --- |
    | Project security configurations | authorization/configurations/security_configuration | project security_configuration |
    | Project security configurations | authorization/configurations/policy | project policy |
    | Project security configurations | authorization/configurations/security_policy | project security_policy |
    | Project security configurations | authorization/configurations/protected_exception | project protected_exception |
    | Project | authorization | Management objects such as the account providers and trusted projects of a project |
    | Project principal | authorization/users | The users of a project |
    | Project principal | authorization/groups | The user groups of a project |
    | Project role | authorization/roles/resource/<role_name> | A resource role of a project |
    | Project role | authorization/roles/administrator/<role_name> | An administrator role of a project |
    | Project role | authorization/roles/super_administrator/super_administrator | The built-in super_administrator role of a project |
    | Project resource | authorization/objecttype/objectname | Resources such as tables, volumes, and jobs |
    | Package management | authorization/packages/<projectname>.<packagename> | Package permissions |
    | Package resource | authorization/packageresources/projectname.packagename/objecttype/objectname | The resources in a package |

    Usage notes:
    • Usernames and user group names may contain special characters that are encoded. You can therefore use the URIs of users or user groups to identify only their categories, not specific users or user groups.
    • You can use URIs to identify specific roles.
    • To distinguish packages from the resources inside packages, the URIs of packages are in the format packages/projectname.packagename, and the URIs of resources in packages are in the format packageresources/projectname.packagename/objecttype/objectname. This way, packages/* denotes all packages and packageresources/* denotes all resources in all packages.
  • The following table describes management permissions. Where the Action column reads N/A, the operation is not exposed as a management permission; the Resource column states who can perform it.

    | Permission type | Permission | Action | Resource |
    | --- | --- | --- | --- |
    | Security configuration permissions on a project | Allows you to set security configurations for a project. | SetSecurityConfiguration | projects/<project_name>/authorization/configurations/security_configuration |
    | Security configuration permissions on a project | Allows you to view the security configurations of a project. | GetSecurityConfiguration | projects/<project_name>/authorization/configurations/security_configuration |
    | Security configuration permissions on a project | Allows you to set a policy. | PutPolicy | projects/<project_name>/authorization/configurations/policy |
    | Security configuration permissions on a project | Allows you to view policy information. | GetPolicy | projects/<project_name>/authorization/configurations/policy |
    | Security configuration permissions on a project | Allows you to set protected_exception. | PutPolicy | projects/<project_name>/authorization/configurations/protected_exception |
    | Security configuration permissions on a project | Allows you to view protected_exception. | GetPolicy | projects/<project_name>/authorization/configurations/protected_exception |
    | Security configuration permissions on a project | Allows you to set security_policy. | PutPolicy | projects/<project_name>/authorization/configurations/security_policy |
    | Security configuration permissions on a project | Allows you to view security_policy. | GetPolicy | projects/<project_name>/authorization/configurations/security_policy |
    | Management of project account providers | Allows you to add an account provider. | AddAccountProvider | projects/<project_name>/authorization |
    | Management of project account providers | Allows you to remove an account provider. | RemoveAccountProvider | projects/<project_name>/authorization |
    | Management of project account providers | Allows you to view all account providers. | ListAccountProviders | projects/<project_name>/authorization |
    | Management of trusted projects | Allows you to add trusted projects. | AddTrustedProjects | projects/<project_name>/authorization |
    | Management of trusted projects | Allows you to remove trusted projects. | RemoveTrustedProjects | projects/<project_name>/authorization |
    | Management of trusted projects | Allows you to view all trusted projects. | ListTrustedProjects | projects/<project_name>/authorization |
    | Management of project principals | Allows you to add a user. | AddUser | projects/<project_name>/authorization/users |
    | Management of project principals | Allows you to remove a user. | RemoveUser | projects/<project_name>/authorization/users |
    | Management of project principals | Allows you to view all users. | ListUsers | projects/<project_name>/authorization/users |
    | Management of project principals | Allows you to view all roles that are assigned to a user. | ListUserRoles | projects/<project_name>/authorization/users |
    | Management of project principals | Allows you to add a user group. | AddGroup | projects/<project_name>/authorization/principals/groups |
    | Management of project principals | Allows you to remove a user group. | RemoveGroup | projects/<project_name>/authorization/principals/groups |
    | Management of project principals | Allows you to view all user groups. | ListGroups | projects/<project_name>/authorization/principals/groups |
    | Management of project principals | Allows you to view all roles in a user group. | ListGroupRoles | projects/<project_name>/authorization/principals/groups |
    | Management of project roles | Allows you to create a resource role. | CreateRole | projects/<project_name>/authorization/roles/resource |
    | Management of project roles | Allows you to query information about a resource role. | DescribeRole | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Management of project roles | Allows you to drop a resource role. | DropRole | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Management of project roles | Allows you to create an administrator role. | N/A | Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles. |
    | Management of project roles | Allows you to drop an administrator role. | N/A | Same as for creating an administrator role. |
    | Management of project roles | Allows you to query information about an administrator role. | DescribeRole | projects/<project_name>/authorization/roles/administrator/<role_name> |
    | Management of project roles | Allows you to view all roles. | ListRoles | projects/<project_name>/authorization/roles |
    | Policy management of roles in a project | Allows you to set policies for resource roles in a project. | PutPolicy | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Policy management of roles in a project | Allows you to view policies for resource roles in a project. | GetPolicy | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Policy management of roles in a project | Allows you to add statements to resource role policies. | AddPolicyStatments | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Policy management of roles in a project | Allows you to remove statements from resource role policies. | RemovePolicyStatments | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Policy management of roles in a project | Allows you to set policies for administrator roles. | N/A | Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles. |
    | Policy management of roles in a project | Allows you to view policies for administrator roles. | GetPolicy | projects/<project_name>/authorization/roles/administrator/<role_name> |
    | Policy management of roles in a project | Allows you to add statements to administrator role policies. | N/A | Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles. |
    | Policy management of roles in a project | Allows you to remove statements from administrator role policies. | N/A | Same as for adding statements to administrator role policies. |
    | Role assignment and view | Allows you to assign a resource role to a user. | GrantRole | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Role assignment and view | Allows you to revoke a resource role from a user. | RevokeRole | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Role assignment and view | Allows you to assign an administrator role to a user. | GrantRole | projects/<project_name>/authorization/roles/administrator/<role_name> |
    | Role assignment and view | Allows you to revoke an administrator role from a user. | RevokeRole | projects/<project_name>/authorization/roles/administrator/<role_name> |
    | Role assignment and view | Allows you to assign the Super_Administrator role to a user. | N/A | Only project owners or users assigned with the Super_Administrator role can assign the Super_Administrator role to a user or revoke it from a user. |
    | Role assignment and view | Allows you to revoke the Super_Administrator role from a user. | N/A | Same as for assigning the Super_Administrator role. |
    | Role assignment and view | Allows you to view the users to which a resource role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Role assignment and view | Allows you to view the users to which an administrator role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/administrator/<role_name> |
    | Role assignment and view | Allows you to view the users to which the Super_Administrator role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/super_administrator/super_administrator |
    | Role assignment and view | Allows you to view the roles assigned to a user. | ListPrincipalRoles | projects/<project_name>/authorization/principals/users |
    | Package management | Allows you to create a package. | CreatePackage | projects/<project_name>/authorization/packages |
    | Package management | Allows you to view packages. | ShowPackages | projects/<project_name>/authorization/packages |
    | Package management | Allows you to query information about a package. | DescribePackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to delete a package. | DropPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to install a package. | InstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to uninstall a package. | UninstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to grant the permissions on a package to other projects. | AllowInstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to revoke the permissions on a package from other projects. | DisallowInstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to add a resource to a package. | AddPackageResource | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Package management | Allows you to remove resources from a package. | RemovePackageResource | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name> |
    | Label-based access control | Allows you to enable label-based access control on resources in a project. | GrantLabel | projects/<project_name>/authorization/label/<resource_relative_id> (see the note on resource_relative_id below) |
    | Label-based access control | Allows you to disable label-based access control on resources in a project. | RevokeLabel | projects/<project_name>/authorization/label/<resource_relative_id> |
    | Label-based access control | Allows you to view label-based access control on resources in a project. | ShowLabelGrants | projects/<project_name>/authorization/label/<resource_relative_id> |
    | Label-based access control | Allows you to enable label-based access control on packages. | GrantLabel | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id> |
    | Label-based access control | Allows you to disable label-based access control on packages. | RevokeLabel | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id> |
    | Label-based access control | Allows you to view label-based access control on resources in a package. | ShowLabelGrants | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id> |
    | Label-based access control | Allows you to view label-based access control for a user. | ShowLabelGrants | projects/<project_name>/authorization/users |
    | Label-based access control | Allows you to view label-based access control for a user group. | ShowLabelGrants | projects/<project_name>/authorization/groups |
    | Label-based access control | Allows you to view label-based access control for a role. | ShowLabelGrants | projects/<project_name>/authorization/roles/resource/<role_name> (label-based access control cannot be enabled, set, or viewed for an administrator role) |
    | Label setting for users, user groups, or roles | Allows you to set an access-level label for a user. | SetDataLabel | projects/<project_name>/authorization/users |
    | Label setting for users, user groups, or roles | Allows you to set an access-level label for a user group. | SetDataLabel | projects/<project_name>/authorization/groups |
    | Label setting for users, user groups, or roles | Allows you to set an access-level label for a role. | SetDataLabel | projects/<project_name>/authorization/roles/resource/<role_name> |
    | ACL-based access control | Allows you to enable ACL-based access control on resources in a project. | GrantPrivs | projects/<project_name>/authorization/<resource_relative_id> (see the note on GrantPrivs below) |
    | ACL-based access control | Allows you to disable ACL-based access control on resources in a project. | RevokePrivs | projects/<project_name>/authorization/<resource_relative_id> |
    | ACL-based access control | Allows you to view ACL-based access control on resources in a project. | ShowAclGrants | projects/<project_name>/authorization/<resource_relative_id> |
    | ACL-based access control | Allows you to enable ACL-based access control on packages. | GrantPrivs | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id> |
    | ACL-based access control | Allows you to disable ACL-based access control on packages. | RevokePrivs | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id> |
    | ACL-based access control | Allows you to view ACL-based access control on packages. | ShowAclGrants | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id> |
    | ACL-based access control | Allows you to view ACL-based permissions granted to users. | ShowAclGrants | projects/<project_name>/authorization/users |
    | ACL-based access control | Allows you to view ACL-based permissions granted to user groups. | ShowAclGrants | projects/<project_name>/authorization/groups |
    | ACL-based access control | Allows you to view ACL-based permissions granted to resource roles. | ShowAclGrants | projects/<project_name>/authorization/roles/resource/<role_name> |
    | Clearance of expired permissions | Allows you to clear the configurations of expired permissions. | ClearExpiredGrants | projects/<project_name>/authorization |

    Note on resource_relative_id (GrantLabel, RevokeLabel, and ShowLabelGrants on resources in a project):
    • In the resource URI, resource_relative_id specifies the resource path in a project. For example, the resource_relative_id of table_1 is tables/table_1.
    • You can use an asterisk (*) to specify all resources. For example, you can use tables/* to specify all tables in a project.

    Note on GrantPrivs (ACL-based access control on resources in a project):
    • You can use the following string set operators in a policy to manage the actions that can be granted or revoked: StringIntersectSetEmpty(IgnoreCase), StringIntersectSetNotEmpty(IgnoreCase), StringSubSet(IgnoreCase), and StringNotSubSet(IgnoreCase). You can use acs:Privileges as the key in the condition.

      For example, you can use the following policy to deny the user odpsxxxx@aliyun.com from granting the Download or Select permission on all tables in the prj1 project:

      {
          "Action": [
              "odps:GrantPrivs"
          ],
          "Effect": "Deny",
          "Principal": "aliyun$odpsxxxx@aliyun.com",
          "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
          "Condition": {
              "IntersectionSetNotNull": {
                  "acs:Privileges": ["Download", "Select"]
              }
          }
      }
    • The resource_relative_id of the project itself is in the projects/<project_name> format.
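The GrantPrivs note above introduces string set operators that compare the privileges a caller is trying to grant (acs:Privileges) against a list in the policy. The following Python evaluator is an added example, not MaxCompute's policy engine or SDK: the operator semantics are inferred from the operator names, the constructed policy pairs a broad Allow with the Deny statement from the note (written with the StringIntersectSetNotEmptyIgnoreCase operator named in the note), and the default-deny rule, table name and principal values are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Condition operators named in the note above. IgnoreCase variants fold both sides
# to lowercase. Semantics are modelled from the names (assumption, not MaxCompute's engine).
_SET_OPERATORS = {
    "StringIntersectSetNotEmpty": lambda req, pol: bool(req & pol),
    "StringIntersectSetEmpty": lambda req, pol: not (req & pol),
    "StringSubSet": lambda req, pol: req <= pol,
    "StringNotSubSet": lambda req, pol: not (req <= pol),
}


def _condition_holds(operator, policy_values, request_values):
    ignore_case = operator.endswith("IgnoreCase")
    base = operator[: -len("IgnoreCase")] if ignore_case else operator
    if base not in _SET_OPERATORS:
        raise ValueError(f"unsupported condition operator: {operator}")
    fold = (lambda v: v.lower()) if ignore_case else (lambda v: v)
    return _SET_OPERATORS[base]({fold(v) for v in request_values},
                                {fold(v) for v in policy_values})


def statement_matches(stmt, request):
    """request carries action, principal, resource and the list of ACL
    privileges (acs:Privileges) that the caller is trying to grant or revoke."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatchcase(request["action"], a) for a in actions):
        return False
    if stmt.get("Principal", "*") not in ("*", request["principal"]):
        return False
    if not fnmatchcase(request["resource"], stmt["Resource"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if key != "acs:Privileges":  # the only condition key discussed here
                raise ValueError(f"unsupported condition key: {key}")
            if not _condition_holds(operator, values, request["privileges"]):
                return False
    return True


def evaluate(statements, request):
    """Deny overrides Allow; no matching statement means Deny (assumed default)."""
    decision = "Deny"
    for stmt in statements:
        if statement_matches(stmt, request):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# Constructed policy: a broad Allow for ACL management in prj1, plus the Deny from
# the note above written with the StringIntersectSetNotEmptyIgnoreCase operator.
POLICY = [
    {"Action": ["odps:GrantPrivs", "odps:RevokePrivs"], "Effect": "Allow",
     "Principal": "*", "Resource": "acs:odps::projects/prj1/authorization/acl/*"},
    {"Action": ["odps:GrantPrivs"], "Effect": "Deny",
     "Principal": "aliyun$odpsxxxx@aliyun.com",
     "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
     "Condition": {"StringIntersectSetNotEmptyIgnoreCase":
                   {"acs:Privileges": ["Download", "Select"]}}},
]


def decide(principal, privileges, table="orders", action="odps:GrantPrivs"):
    """Decision for `principal` granting `privileges` on prj1.<table> (table name assumed)."""
    return evaluate(POLICY, {
        "action": action, "principal": principal, "privileges": privileges,
        "resource": f"acs:odps::projects/prj1/authorization/acl/tables/{table}",
    })
```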