MaxCompute supports fine-grained access control on projects, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project resource access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures project and data security. This topic describes the permissions that are supported in MaxCompute.
Background information
The following table describes the elements that are involved in an authorization operation.

Permission element | Description |
---|---|
Subject | The user or role to which you want to grant permissions. A user who performs an authorization operation is called an authorizer. An authorizer can grant permissions only if the authorizer is itself allowed to grant the permissions in question on the objects and actions concerned (for example, the owner of the object, the project owner, or a user with an administrator role). |
Object | The objects or behavior in a MaxCompute project, such as projects, tables, functions, resources, instances, packages, and label-protected columns. |
Actions | The actions that can be granted, which vary by object type. For example, on a table you can grant the permissions to describe its metadata, read its data, write its data, or drop it. |
Permission list
- Objects
The following table describes the permission relationships of MaxCompute objects.
Object | Action | Description | Authorized by | Authorization method |
---|---|---|---|---|
Project | Read | Allows you to view information about a project, excluding the objects in the project. | Project owner | Not supported |
Project | Write | Allows you to update information about a project, excluding the objects in the project. | Project owner | Not supported |
Project | List | Allows you to list all types of objects in a project. For example, you can run `show tables;` or `show functions;` to list tables or functions. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (grant to users or roles); policy-based access control (grant to a role) |
Project | CreateTable | Allows you to create a table in a project. For example, you can run `create table <table_name> ...;`. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Project | CreateInstance | Allows you to create an instance in a project. An instance is created every time you run a job, so this permission is required to run any SQL statement or job in the project. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Project | CreateFunction | Allows you to create a function in a project. For example, you can run `create function <function_name> ...;`. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Project | CreateResource | Allows you to add a resource to a project. For example, you can run `add file\|archive\|py\|jar <local_file> ...;` or `add table <table_name> ...;`. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Project | All | Grants all of the preceding project permissions. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Table | Describe | Allows you to read the metadata of a table, including the table schema, creation time, modification time, and data size. For example, you can run `desc <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Table | Select | Allows you to query the data of a table. For example, you can run `select * from <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Table | Alter | Allows you to modify the metadata of a table: change the owner of the table, rename the table or a column, and add or drop partitions. For example, you can run `alter table <table_name> add if not exists partition ...;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Table | Update | Allows you to update the data of a table. For example, you can run `insert into\|overwrite table <table_name> ...;`, `update <table_name> set ...;`, or `delete from <table_name> where ...;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Table | Drop | Allows you to drop a table. For example, you can run `drop table <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Table | ShowHistory | Allows you to query the backup data of a table. For example, you can run `show history for table <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Table | All | Grants all of the preceding table permissions. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (who cannot change table owners) | ACL-based access control (users or roles); policy-based access control (role) |
Function | Read | Allows you to read the program file that implements a MaxCompute user-defined function (UDF). | Function owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Function | Write | Allows you to update a UDF. | Function owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Function | Delete | Allows you to delete a UDF. For example, you can run `drop function <function_name>;`. | Function owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Function | Execute | Allows you to call a UDF. For example, you can run `select <function_name>(...) from ...;`. | Function owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Function | All | Grants all of the preceding function permissions. | Function owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Resource | Read | Allows you to read a resource. | Resource owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Resource | Write | Allows you to update a resource. | Resource owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Resource | Delete | Allows you to delete a resource. For example, you can run `drop resource <resource_name>;`. | Resource owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Resource | All | Grants all of the preceding resource permissions. | Resource owner; project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Instance | Read | Allows you to read an instance. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Instance | Write | Allows you to update an instance. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |
Instance | All | Grants all of the preceding instance permissions. | Project owner; users with the Super_Administrator or Admin role | ACL-based access control (users or roles); policy-based access control (role) |

Note: The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project are only usable together with the CreateInstance permission on the project in which the command is run, because every such command runs as a job and a job is an instance of that project. If you hold Select, Alter, Update, or Drop on a table but do not hold CreateInstance on the project from which you submit the command, the command is rejected. In a cross-project query, the CreateInstance permission is checked in the project you submit from, not in the project that owns the table: to query a table in Project B from Project A, you need CreateInstance on Project A and Select on the table in Project B.
- Behavior
The following table describes the permission relationships of behavior in MaxCompute.
Object | Action | Description | Authorized by | Authorization method |
---|---|---|---|---|
Tables, functions, resources, and instances | Download | Allows you to use Tunnel commands to download table data, resources, functions, or instances. | Project owner; users with the Super_Administrator role | Download control |
Label | N/A | Allows you to read sensitive data at the column level. | Project owner; users with the Admin role | Label-based access control |
Package | Read | Allows you to bundle objects in a project, together with the permitted actions on them, into a package and use that package for cross-project authorization. | Project owner; users with the Admin role | Cross-project resource access based on packages |
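The three behavior controls in the table above, as an added example that is not part of the original page: a column-level label to fence off sensitive data independently of Select, a package that exports a read-only view of a table to another project, and a Tunnel download grant. The project names prj_a and prj_b, the table sales with its card_no column, the role analysts, the package name pkg_sales_ro, and the account ALIYUN$analyst@example.com are assumed placeholders; the download section also assumes that download control has already been enabled for the project.

```sql
-- Added example, not code from the original page. All names (prj_a, prj_b,
-- sales, card_no, analysts, pkg_sales_ro, ALIYUN$analyst@example.com) are assumed.

-- 1. Label-based access control (run as the owner/admin of prj_b).
-- Labels are a separate check on top of the ACL: a user with Select on the
-- table still cannot read a column whose label is above the user's own level.
use prj_b;
set LabelSecurity=true;                         -- turn on label checks in prj_b
set label 2 to table sales(card_no);            -- only the sensitive column is raised
-- Grant read access to label-2 data on that column for 30 days only; the
-- expiry limits how long a one-off investigation can see card numbers.
grant label 2 on table sales(card_no) to user ALIYUN$analyst@example.com with exp 30;
show label grants on table sales;               -- audit: who may read which level

-- 2. Package-based cross-project access (run as the owner/admin of prj_b).
-- The package carries only Describe and Select on sales; consumers can never
-- acquire Alter, Update or Drop through it, whatever roles they hold at home.
create package pkg_sales_ro;
add table sales to package pkg_sales_ro with privileges Describe, Select;
allow project prj_a to install package pkg_sales_ro;
describe package pkg_sales_ro;                  -- confirm the exported contents

-- In the consuming project (run as the owner/admin of prj_a). Installing the
-- package does nothing by itself; Read on the package is what lets a subject
-- use the objects inside it. Granting it to a role keeps membership changes
-- out of the data owner's project entirely.
use prj_a;
install package prj_b.pkg_sales_ro;
grant Read on package prj_b.pkg_sales_ro to role analysts;
show packages;

-- 3. Download control (run as the owner or a Super_Administrator of prj_b).
-- Assumption: odps.security.enable.download.privilege=true has already been
-- set on prj_b, so Select alone no longer allows Tunnel downloads. The grant
-- below explicitly allows this one account to pull the table out with Tunnel.
use prj_b;
grant Download on table sales to user ALIYUN$analyst@example.com;
show grants for user ALIYUN$analyst@example.com;
```

Each control answers a different question: the ACL says whether a subject may run Select at all, the label says whether the subject's clearance is high enough for a particular column, and download control says whether the data may leave the service through Tunnel. A subject that passes only two of the three is still stopped, so a practitioner checking effective access should inspect all three (`show grants`, `show label grants`, and the download grant) rather than the table ACL alone.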