Permissions - Permission Management| Alibaba Cloud Documentation Center

MaxCompute supports fine-grained access control on projects, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project resource access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures project and data security. This topic describes the permissions that are supported in MaxCompute.

Background information

The following table describes the elements that are involved in authorization operations.


Permission element	Description
Subject	The user or role to which you want to grant permissions. Take note of the following points: Before you grant permissions to a user or role in a MaxCompute project, make sure that the user or role is added to the MaxCompute project. If you use an Alibaba Cloud account to perform authorization operations, you can grant permissions to the RAM users of the Alibaba Cloud account and other Alibaba Cloud accounts. If you use the credentials of a RAM user to perform authorization operations, you can grant permissions to only the other RAM users that belong to the same Alibaba Cloud account. Note A user who performs authorization operations is called an authorizer. An authorizer can perform authorization operations only if the authorizer has the capability to grant permissions on objects and actions.
Object	The objects or behavior in a MaxCompute project. Objects Projects: the MaxCompute projects. Tables: the tables or views in a MaxCompute project. In a MaxCompute project, a view is a virtual table that provides the same permissions as a common table. Functions: the user-defined functions (UDFs) in a MaxCompute project. Resources: the resources that are uploaded to a MaxCompute project, such as JAR and ZIP files. Instances: the instances that are generated when a job is run in a MaxCompute project. Behavior Tunnel download: Download tables, functions, resources, or instances. Column-level sensitive data access: Access sensitive data in a table or a column of a table. Package-based resource access: Access resources across projects.
Actions	The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.

Permission list

This section describes the permissions that are supported in MaxCompute.

Objects

The following table describes the permission relationships of MaxCompute objects.


Object	Action	Description	Authorized by	Authorization method
Project	Read	Allows you to view information about a project, excluding objects in the project.	Project owner	Not supported
	Write	Allows you to update information about a project, excluding objects in the project.	Project owner	Not supported
	List	Allows you to query all types of objects in a project. For example, you can run the `show tables;` or `show functions;` command to query tables or functions.	Project owner Users with the Super_Administrator or Admin role	Grant permissions to users or roles: ACL-based access control Grant permissions to a role: Policy-based access control
	CreateTable	Allows you to create a table in a project. For example, you can run the `create table <table_name>...;` command to create a table.
	CreateInstance	Allows you to create an instance in a project. When you run jobs, instances are created.
	CreateFunction	Allows you to create a function in a project. For example, you can run the `create function <function_name> ...;` command to create a function.
	CreateResource	Allows you to add a resource to a project. For example, you can run the `add file\|archive\|py\|jar <local_file> ...;` or `add table <table_name> ...;` command to add a resource.
	All	Has all of the preceding project permissions.
Table	Describe	Allows you to read the metadata of a table, including the table structure, creation time, modification time, and table data size. For example, you can run the `desc <table_name>;` command to read the metadata of a table.	Table owner Project owner Users with the Super_Administrator role Users with the Admin role (No permissions to change table owners)
	Select	Allows you to query the data of a table. For example, you can run the `select * from <table_name>;` command to query the data of a table.
	Alter	Allows you to modify the metadata of a table. You can change the owner of a table, name of a table, or name of a column, and add or delete partitions. For example, you can run the `alter table <table_name> add if not exists partition ...;` command to modify the metadata of a table.
	Update	Allows you to update the data of a table. For example, you can run the `insert into\|overwrite table <table_name> ...;`, `update <table_name> set ...;`, or `delete from <table_name> where ...;` command to update the data of a table.
	Drop	Allows you to drop a table. For example, you can run the `drop table <table_name>;` command to drop a table.
	ShowHistory	Allows you to query the backup data of a table. For example, you can run the `show history for table <table_name>;` command to query the backup data of a table.
	All	Has all of the preceding table permissions.
Function	Read	Allows you to read the program file in which a MaxCompute UDF is called.	Function owner Project owner Users with the Super_Administrator or Admin role
	Write	Allows you to update a UDF.
	Delete	Allows you to delete a UDF. For example, you can run the `drop function <function_name>;` command to delete a UDF.
	Execute	Allows you to call a UDF. For example, you can run the `select <function_name> from ...;` command to call a UDF.
	All	Has all of the preceding function permissions.
Resource	Read	Allows you to read a resource.	Resource owner Project owner Users with the Super_Administrator or Admin role
	Write	Allows you to update a resource.
	Delete	Allows you to delete a resource. For example, you can run the `drop resource <resource_name>;` command to delete a resource.
	All	Has all of the preceding resource permissions.
Instance	Read	Allows you to read an instance.	Project owner Users with the Super_Administrator or Admin role
	Write	Allows you to update an instance.
	All	Has all of the preceding instance permissions.

Note The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project.

If you separately use the Select, Alter, Update, or Drop permission on tables in a project and you do not have the CreateInstance permission on the project, the operations on the tables cannot be performed. For example, if you query data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.

Behavior

The following table describes the permission relationships of behavior in MaxCompute.


Object	Action	Description	Authorized by	Authorization method
Tables, functions, resources, and instances	Download	Allows you to use Tunnel commands to download table data, resources, functions, or instances.	Project owner Users with the Super_Administrator role	Download control
Label	N/A	Allows you to read sensitive data at the column level.	Project owner Users with the Admin role	Label-based access control
Package	Read	Allows you to package the objects and allowed operation permissions on the objects in a project and use the generated package to support cross-project authorization.	Project owner Users with the Admin role	Cross-project resource access based on packages