MaxCompute supports fine-grained access control on projects, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project resource access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures project and data security. This topic describes the permissions that are supported in MaxCompute.

Background information

The following table describes the elements that are involved in authorization operations.

Permission element: Subject
Description: The user or role to which you want to grant permissions. Take note of the following points:
  • Before you grant permissions to a user or role in a MaxCompute project, make sure that the user or role has been added to the MaxCompute project.
  • If you use an Alibaba Cloud account to perform authorization operations, you can grant permissions to the RAM users of that Alibaba Cloud account and to other Alibaba Cloud accounts.
  • If you use the credentials of a RAM user to perform authorization operations, you can grant permissions only to other RAM users that belong to the same Alibaba Cloud account.
Note A user who performs authorization operations is called an authorizer. An authorizer can grant permissions only on the objects and actions for which the authorizer holds the capability to grant permissions.

Permission element: Object
Description: The objects or behavior in a MaxCompute project.
  • Objects
    • Projects: the MaxCompute projects.
    • Tables: the tables or views in a MaxCompute project. In a MaxCompute project, a view is a virtual table that is subject to the same permissions as a common table.
    • Functions: the user-defined functions (UDFs) in a MaxCompute project.
    • Resources: the resources that are uploaded to a MaxCompute project, such as JAR and ZIP files.
    • Instances: the instances that are generated when a job is run in a MaxCompute project.
  • Behavior: Tunnel downloads, label-based access to sensitive data, and package-based cross-project access (see the Behavior table in the Permission list).

Permission element: Actions
Description: The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.

Permission list

This section describes the permissions that are supported in MaxCompute.
  • Objects

    The following table describes the permission relationships of MaxCompute objects.

| Object | Action | Description | Authorized by | Authorization method |
|---|---|---|---|---|
| Project | Read | Allows you to view information about a project, excluding the objects in the project. | Project owner | Not supported |
| Project | Write | Allows you to update information about a project, excluding the objects in the project. | Project owner | Not supported |
| Project | List | Allows you to query all types of objects in a project. For example, you can run `show tables;` or `show functions;` to query tables or functions. | Project owner; users with the Super_Administrator or Admin role | |
| Project | CreateTable | Allows you to create a table in a project, for example by running `create table <table_name> ...;`. | Project owner; users with the Super_Administrator or Admin role | |
| Project | CreateInstance | Allows you to create an instance in a project. Instances are created whenever you run jobs. | Project owner; users with the Super_Administrator or Admin role | |
| Project | CreateFunction | Allows you to create a function in a project, for example by running `create function <function_name> ...;`. | Project owner; users with the Super_Administrator or Admin role | |
| Project | CreateResource | Allows you to add a resource to a project, for example by running `add file\|archive\|py\|jar <local_file> ...;` or `add table <table_name> ...;`. | Project owner; users with the Super_Administrator or Admin role | |
| Project | All | Has all of the preceding project permissions. | Project owner; users with the Super_Administrator or Admin role | |
| Table | Describe | Allows you to read the metadata of a table, including the table structure, creation time, modification time, and data size, for example by running `desc <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Table | Select | Allows you to query the data of a table, for example by running `select * from <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Table | Alter | Allows you to modify the metadata of a table: change the owner or the name of the table, rename a column, or add and drop partitions, for example by running `alter table <table_name> add if not exists partition ...;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Table | Update | Allows you to update the data of a table, for example by running `insert into\|overwrite table <table_name> ...;`, `update <table_name> set ...;`, or `delete from <table_name> where ...;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Table | Drop | Allows you to drop a table, for example by running `drop table <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Table | ShowHistory | Allows you to query the backup data of a table, for example by running `show history for table <table_name>;`. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Table | All | Has all of the preceding table permissions. | Table owner; project owner; users with the Super_Administrator role; users with the Admin role (cannot change table owners) | |
| Function | Read | Allows you to read the program file in which a MaxCompute UDF is called. | Function owner; project owner; users with the Super_Administrator or Admin role | |
| Function | Write | Allows you to update a UDF. | Function owner; project owner; users with the Super_Administrator or Admin role | |
| Function | Delete | Allows you to delete a UDF, for example by running `drop function <function_name>;`. | Function owner; project owner; users with the Super_Administrator or Admin role | |
| Function | Execute | Allows you to call a UDF, for example by running `select <function_name> from ...;`. | Function owner; project owner; users with the Super_Administrator or Admin role | |
| Function | All | Has all of the preceding function permissions. | Function owner; project owner; users with the Super_Administrator or Admin role | |
| Resource | Read | Allows you to read a resource. | Resource owner; project owner; users with the Super_Administrator or Admin role | |
| Resource | Write | Allows you to update a resource. | Resource owner; project owner; users with the Super_Administrator or Admin role | |
| Resource | Delete | Allows you to delete a resource, for example by running `drop resource <resource_name>;`. | Resource owner; project owner; users with the Super_Administrator or Admin role | |
| Resource | All | Has all of the preceding resource permissions. | Resource owner; project owner; users with the Super_Administrator or Admin role | |
| Instance | Read | Allows you to read an instance. | Project owner; users with the Super_Administrator or Admin role | |
| Instance | Write | Allows you to update an instance. | Project owner; users with the Super_Administrator or Admin role | |
| Instance | All | Has all of the preceding instance permissions. | Project owner; users with the Super_Administrator or Admin role | |
    Note The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project.

    If you hold the Select, Alter, Update, or Drop permission on tables in a project but not the CreateInstance permission on the project, you cannot perform those operations on the tables. For example, to query data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.

  • Behavior

    The following table describes the permission relationships of behavior in MaxCompute.

| Object | Action | Description | Authorized by | Authorization method |
|---|---|---|---|---|
| Tables, functions, resources, and instances | Download | Allows you to use Tunnel commands to download table data, resources, functions, or instances. | Project owner; users with the Super_Administrator role | Download control |
| Label | N/A | Allows you to read sensitive data at the column level. | Project owner; users with the Admin role | Label-based access control |
| Package | Read | Allows you to package the objects in a project together with the permitted operations on them, and use the generated package for cross-project authorization. | Project owner; users with the Admin role | Cross-project resource access based on packages |
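As an added example that is not part of this documentation page, the following MaxCompute SQL statements grant the minimum permissions for the cross-project query described in the Note under Objects, plus a column-level label grant from the Behavior table. The project names (project_a, project_b), the table and column (sales_orders, card_number) and the account (ALIYUN$analyst@example.com) are constructed placeholders; the statements assume the odpscmd client and that label security (LabelSecurity) is enabled in project_b.

```sql
-- Added example, not from the MaxCompute documentation.
-- All project, table, column and account names are constructed placeholders.

-- 1. In Project A: the user needs CreateInstance there, because every job
--    the user submits from project_a runs as an instance of project_a.
use project_a;
add user ALIYUN$analyst@example.com;
grant CreateInstance on project project_a to user ALIYUN$analyst@example.com;

-- 2. In Project B: the user needs Select on the table that is read.
--    Describe is granted as well so that `desc sales_orders;` works.
--    Not granted: Alter, Update, Drop on the table and CreateInstance on
--    project_b, so the user can neither change the table nor run jobs here.
use project_b;
add user ALIYUN$analyst@example.com;
grant Describe, Select on table sales_orders to user ALIYUN$analyst@example.com;

-- 3. Column-level sensitive data (Behavior table, Label): with LabelSecurity
--    enabled and card_number labelled at level 2, Select alone does not
--    return that column; the user also needs a label grant. WITH EXP limits
--    the grant to 30 days so the access expires on its own.
grant label 2 on table sales_orders(card_number) to user ALIYUN$analyst@example.com with exp 30;

-- 4. Verification: what the user holds, and who holds what on the table.
show grants for ALIYUN$analyst@example.com;
show acl for sales_orders on type table;

-- The user can now run, from project_a:
--   select count(*) from project_b.sales_orders;
-- which requires CreateInstance on project_a and Select on project_b.sales_orders.
```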