MaxCompute permissions - MaxCompute - Alibaba Cloud Documentation Center

This topic describes the permissions that are supported in MaxCompute.

Background information

MaxCompute supports fine-grained access control on projects, quotas, network connections, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures object security.

The following table describes the elements that are involved in authorization operations.


Permission element	Description
Subject	The user or role to which you want to grant permissions. Take note of the following points: Before you grant permissions to a user or role in a MaxCompute project, make sure that the user or role is added to the MaxCompute project. If you use an Alibaba Cloud account to perform authorization operations, you can grant permissions to the RAM users of the Alibaba Cloud account and other Alibaba Cloud accounts. If you use a RAM user to perform authorization operations, you can grant permissions to only the other RAM users that belong to the same Alibaba Cloud account. Note A user who performs authorization operations is called an authorizer. An authorizer can perform authorization operations only if the authorizer has the capability to grant permissions on objects and actions.
Object	An object in a MaxCompute tenant. Network link: a network connection. The virtual private cloud (VPC) connection scheme is used to establish network connections in most scenarios. For more information about the VPC connection scheme, see Network connection process. Quota: a computing resource queue. The objects or behavior in a MaxCompute project. Objects Projects: the MaxCompute projects. Tables: the tables or views in a MaxCompute project. In a MaxCompute project, a view is a virtual table, and permission rules of tables also apply to views. If the owner of a view does not have the Select permission on the table referenced by the view, the owner cannot use the view. Functions: the user-defined functions (UDFs) in a MaxCompute project. Resources: the resources that are uploaded to a MaxCompute project, such as JAR and ZIP files. Instances: the instances that are generated when a job is run in a MaxCompute project. Behavior Tunnel download: Download tables, functions, resources, or instances. Column-level sensitive data access: Access sensitive data in a table or a column of a table. Package-based resource access: Access resources across projects. Management-related permission control: Perform actions on permission-related resources.
Actions	The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.

Permissions on objects in a tenant

The following table describes the permission relationships of objects in a MaxCompute tenant.


Object	Action	Description	Authorized by	Authorization method
Networklink	List	Allows you to view all types of network connections.	Project owner Users assigned with the Super_Administrator or Admin role	Grant permissions to roles: Policy-based access control.
	CreateNetworklink	Allows you to create a network connection in a MaxCompute tenant.
	Describe	Allows you to read the metadata of a network connection in a MaxCompute tenant.
	Drop	Allows you to delete a network connection.
	All	Allows you to perform all the preceding operations on network connections.
Quota	Usage	Allows you to `use quotas`.	Project owner Users assigned with the Super_Administrator or Admin role

Permissions on projects and objects in projects

This section describes the permissions supported by MaxCompute projects and objects in MaxCompute projects.

Objects

The following table describes the permission relationships of MaxCompute projects and permission relationships of objects in MaxCompute projects.


Object	Action	Description	Authorized by	Authorization method
Project	Read	Allows you to view information about a project, excluding objects in the project.	Project owner	Not supported
	Write	Allows you to update information about a project, excluding objects in the project.	Project owner	Not supported
	List	Allows you to query all types of objects in a project. For example, you can run the `show tables;` or `show functions;` command to query tables or functions.	Project owner Users assigned with the Super_Administrator or Admin role	Grant permissions to users or roles: ACL-based access control Grant permissions to roles: Policy-based access control
	CreateTable	Allows you to create a table in a project. For example, you can run the `create table <table_name>...;` command to create a table.
	CreateInstance	Allows you to create an instance in a project. When you run jobs, instances are created.
	CreateFunction	Allows you to create a function in a project. For example, you can run the `create function <function_name> ...;` command to create a function.
	CreateResource	Allows you to add a resource to a project. For example, you can run the `add file\|archive\|py\|jar <local_file>... ;` or `add table <table_name> ...;` command to add a resource.
	All	Allows you to perform all the preceding operations on a project.
Table	Describe	Allows you to read the metadata of a table, including the table structure, creation time, modification time, and table data size. For example, you can run the `desc <table_name>;` command to read the metadata of a table.	Table owner Project owner Users assigned with the Super_Administrator role Users assigned with the Admin role (excluding permissions to change table owners)
	Select	Allows you to query the data of a table. For example, you can run the `select * from <table_name>;` command to query the data of a table.
	Alter	Allows you to modify the metadata of a table. You can change the owner of a table, name of a table, or name of a column, and add or delete partitions. For example, you can run the `alter table <table_name> add if not exists partition ...;` command to modify the metadata of a table.
	Update	Allows you to update the data of a table. For example, you can run the `insert into\|overwrite table <table_name> ...;`, `update <table_name> set ...;`, or `delete from <table_name> where ...;` command to update the data of a table.
	Drop	Allows you to drop a table. For example, you can run the `drop table <table_name>;` command to drop a table.
	ShowHistory	Allows you to query the backup data of a table. For example, you can run the `show history for table <table_name>;` command to query the backup data of a table.
	All	Allows you to perform all the preceding operations on a table.
Function	Read	Allows you to read the program file in which a MaxCompute UDF is called.	Function owner Project owner Users with the Super_Administrator or Admin role
	Write	Allows you to update a UDF.
	Delete	Allows you to delete a UDF. For example, you can run the `drop function <function_name>;` command to delete a UDF.
	Execute	Allows you to call a UDF. For example, you can run the `select <function_name> from ...;` command to call a UDF.
	All	Allows you to perform all the preceding operations on a function.
Resource	Read	Allows you to read a resource.	Resource owner Project owner Users assigned with the Super_Administrator or Admin role
	Write	Allows you to update a resource.
	Delete	Allows you to delete a resource. For example, you can run the `drop resource <resource_name>;` command to delete a resource.
	All	Allows you to perform all the preceding operations on a resource.
External Volume	CreateVolume	Allows you to create an external volume.	External volume owner Project owner Users assigned with the Super_Administrator or Admin role
	Read	Allows you to read data from an external volume.
	Write	Allows you to update data in an external volume.
	Delete	Allows you to delete an external volume. For example, you can run the `vfs -rm -r <volume_path>;`command to delete an external volume.
	All	Allows you to perform all the preceding operations on an external volume.
Instance	Read	Allows you to read an instance.	Project owner Users assigned with the Super_Administrator or Admin role
	Write	Allows you to update an instance.
	All	Allows you to perform all the preceding operations on an instance.

Note The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project.

If you separately use the Select, Alter, Update, or Drop permission on tables in a project and you do not have the CreateInstance permission on the project, the operations on the tables cannot be performed. For example, if you query data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.

Behavior

The following table describes the permission relationships of behavior on objects in a MaxCompute project.


Object	Action	Description	Authorized by	Authorization method
Tables, functions, resources, and instances	Download	Allows you to use Tunnel commands to download table data, resources, functions, or instances.	Project owner Users assigned with the Super_Administrator role	Download control
Label	N/A	Allows you to read sensitive data at the column level.	Project owner Users assigned with the Admin role	Label-based access control
Package	Read	Allows you to package the objects and allowed operation permissions on the objects in a project and use the generated package to support cross-project authorization.	Project owner Users assigned with the Admin role	Cross-project resource access based on packages

Permissions on project management

The following table describes the operations that you can perform to configure MaxCompute management permissions.


Permission type	Action	Description
Project security configurations	SetSecurityConfiguration	Allows you to set security configurations for a project.
	GetSecurityConfiguration	Allows you to view the security configurations of a project.
	SetProperty	Allows you to configure an IP address whitelist for a project.
Policy management	PutPolicy	Allows you to update a policy.
	GetPolicy	Allows you to view policy information.
	AddPolicyStatments	Allows you to add policy statements.
	RemovePolicyStatments	Allows you to remove policy statements.
Account provider management	AddAccountProviders	Allows you to add an account provider.
	RemoveAccountProviders	Allows you to remove an account provider.
	ListAccountProviders	Allows you to view all account providers.
Management of trusted projects	AddTrustedProjects	Allows you to add trusted projects.
	RemoveTrustedProjects	Allows you to remove trusted projects.
	ListTrustedProjects	Allows you to view all trusted projects.
Principal management	AddUser	Allows you to add a user.
	RemoveUser	Allows you to remove a user.
	ListUsers	Allows you to view all users.
	ListUserRoles	Allows you to view the roles assigned to a user.
Role management	CreateRole	Allows you to create a role.
	DescribeRole	Allows you to query information about a role.
	AlterRole	Allows you to modify properties of a role.
	DropRole	Allows you to drop a role.
	ListRoles	Allows you to view all roles.
Role authorization	GrantRole	Allows you to assign a role to a user.
	RevokeRole	Allows you to revoke a role from a user.
	ListRolePrincipals	Allows you to view the users to which a role is assigned.
Package management	CreatePackage	Allows you to create a package.
	DescribePackage	Allows you to view information about a package.
	DropPackage	Allows you to delete a package.
	ShowPackages	Allows you to view all packages.
	InstallPackage	Allows you to install a package.
	UninstallPackage	Allows you to uninstall a package.
	AllowInstallPackage	Allows you to grant the permissions on a package to other projects.
	DisallowInstallPackage	Allows you to revoke the permissions on a package from other projects.
	AddPackageResource	Allows you to add a resource to a package.
	RemovePackageResource	Allows you to remove a resource from a package.
Label-based access control	GrantLabel	Allows you to configure labels.
	RevokeLabel	Allows you to remove labels.
	ShowLabelGrants	Allows you to view label configurations.
	SetDataLabel	Allows you to configure labels for users or roles.
ACL-based access control	GrantPrivs	Allows you to grant permissions based on the access control list (ACL).
	RevokePrivs	Allows you to revoke permissions granted based on the ACL.
	ShowAclGrants	Allows you to view permissions granted based on the ACL.
Clearance of expired permissions	ClearExpiredGrants	Allows you to clear configurations of expired permissions.

The following table describes the resource URIs of management permissions.

Note In the following resource URIs, the acs:odps:*:projects/<project_name>/ part is omitted, and only the part that follows <project_name>/ is provided.


Permission resource category	Resouce URI	Description
Project security configurations	authorization/configurations/security_configuration	project security_configuration
	authorization/configurations/policy	project policy
	authorization/configurations/security_policy	project security_policy
	authorization/configurations/protected_exception	project protected_exception
Project	authorization	Management objects such as account providers of projects and trusted projects
Project Principal	authorization/users	The user of a project
Project role	authorization/roles/resource/<role_name>	The resource role of a project
	authorization/roles/administrator/<role_name>	The administrator role of a project
	authorization/roles/super_administrator/super_administrator	The super_administrator role that is built in a project
Project resource	authorization/objecttype/objectname	Resources such as tables, volumes, and jobs
Package management	authorization/packages/<projectname>.<packagename>	Package permissions
Package resource	uthorization/packageresources/projectname.packagename/objecttype/objectname	The resources in a package

Usage notes:

If you want to identify specific users, usernames are required. You can use URIs to identify only user categories but not specific users.
You can use URIs to identify specific roles.
To distinguish semantic differences among all packages and resources in all packages, the URIs of packages are in the format of packages/projectname.packagename, and the URIs of resources in all packages are in the format of packageresources/projectname.packagename/objecttype/objectname. This way, you can use packages/* to indicate all packages and packageresources/* to indicate all resources in packages.

The following table describes management permissions.


Permission type	Permission	Action	Resource
Security configuration permissions on a project	Allows you to set security configurations for a project.	`SetSecurityConfiguration`	`projects/<project_name>/authorization/configurations/security_configuration`
	Allows you to view security configurations of a project.	`GetSecurityConfiguration`
	Allows you to set a policy.	`PutPolicy`	`projects/<project_name>/authorization/configurations/policy`
	Allows you to view policy information.	`GetPolicy`
	Allows you to set protected_exception.	`PutPolicy`	`projects/<project_name>/authorization/configurations/protected_exception`
	Allows you to view protected_exception.	`GetPolicy`
	Allows you to set security_policy.	`PutPolicy`	`projects/<project_name>/authorization/configurations/security_policy`
	Allows you to view security_policy.	`GetPolicy`
Management of project account providers	Allows you to add an account provider.	`AddAccountProvider`	`projects/<project_name>/authorization`
	Allows you to remove an account provider.	`RemoveAccountProvider`
	Allows you to view all account providers.	`ListAccountProviders`
Management of trusted projects	Allows you to add trusted projects.	`AddTrustedProjects`	`projects/<project_name>/authorization`
	Allows you to remove trusted projects.	`RemoveTrustedProjects`
	Allows you to view all trusted projects.	`ListTrustedProjects`
Management of project principals	Allows you to add a user.	`AddUser`	`projects/<project_name>/authorization/users`
	Allows you to remove a user.	`RemoveUser`
	Allows you to view all users.	`ListUsers`
	Allows you to view all roles that are assigned to a user.	`ListUserRoles`
Management of project roles	Allows you to create a resource role.	`CreateRole`	`projects/<project_name>/authorization/roles/resource`
	Allows you to query information about a resource role.	`DescribeRole`	`projects/<project_name>/authorization/roles/resource/<role_name>`
	Allows you to drop a resource role.	`DropRole`
	Allows you to create an administrator role.	N/A	Note Only project owners or users with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
	Allows you to drop an administrator role.	N/A
	Allows you to query information about an administrator role.	`DescribeRole`	`projects/<project_name>/authorization/roles/administrator/<role_name>`
	Allows you to view all roles.	`ListRoles`	`projects/<project_name>/authorization/roles`
Policy management of roles in a project	Allows you to set policies about resource roles in a project.	`PutPolicy`	`projects/<project_name>/authorization/roles/resource/<role_name>`
	Allows you to view policies about resource roles in a project.	`GetPolicy`
	Allows you to add statements that are used to set resource role policies.	`AddPolicyStatments`	`projects/<project_name>/authorization/roles/resource/<role_name>`
	Allows you to remove statements that are used to set resource role policies.	`RemovePolicyStatments`
	Allows you to set policies about administrator roles.	N/A	Note Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
	Allows you to view policies about administrator roles.	`GetPolicy`	`projects/<project_name>/authorization/roles/administrator/<role_name>`
	Allows you to add statements that are used to set administrator role policies.	N/A	Note Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
	Allows you to remove statements that are used to set administrator role policies.	N/A
Role assignment and view	Allows you to assign a resource role to a user.	`GrantRole`	`projects/<project_name>/authorization/roles/resource/<role_name>`
	Allows you to revoke a resource role from a user.	`RevokeRole`
	Allows you to assign an administrator role to a user.	`GrantRole`	`projects/<project_name>/authorization/roles/administrator/<role_name>`
	Allows you to revoke an administrator role from a user.	`RevokeRole`
	Allows you to assign the Super_Administrator role to a user.	N/A	Note Only project owners or users assigned with the Super_Administrator role can assign or revoke the Super_Administrator role to or from a user.
	Allows you to revoke the Super_Administrator role from a user.	N/A
	Allows you to view the users to which a resource role is assigned.	`ListRolePrincipals`	`projects/<project_name>/authorization/roles/resource/<role_name>`
	Allows you to view the users to which an administrator role is assigned.	`ListRolePrincipals`	`projects/<project_name>/authorization/roles/administrator/<role_name>`
	Allows you to view the users to which the Super_Administrator role is assigned.	`ListRolePrincipals`	`projects/<project_name>/authorization/roles/super_administrator/super_administrator`
	Allows you to view the roles assigned to a user.	`ListPrincipalRoles`	`projects/<project_name>/authorization/principals/users`
Package management	Allows you to create a package.	`CreatePackage`	`projects/<project_name>/authorization/packages`
	Allows you to view packages.	`ShowPackages`	`projects/<project_name>/authorization/packages`
	Allows you to query information about a package.	`DescribePackage`	`projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>`
	Allows you to delete a package.	`DropPackage`
	Allows you to install a package.	`InstallPackage`	`projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>`
	Allows you to uninstall a package.	`UninstallPackage`
	Allows you to grant the permissions on a package to other projects.	`AllowInstallPackage`	`projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>`
	Allows you to revoke the permissions on a package from other projects.	`DisallowInstallPackage`
	Allows you to add a resource to a package.	`AddPackageResource`	`projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>`
	Allows you to remove resources from a package.	`RemovePackageResource`
Label-based access control	Allows you to enable label-based access control on resources in a project.	`GrantLabel`	`projects/<project_name>/authorization/label/<resource_relative_id>` Note In the resource URI, `resource_relative_id` specifies the resource path in a project. For example, `resource_relative_id` of `table_1` is `tables/table_1`. You can use an asterisk () to specify all resources. For example, you can use `tables/` to specify all tables in a project.
	Allows you to disable label-based access control on resources in a project.	`RevokeLabel`
	Allows you to view label-based access control on resources in a project.	`ShowLabelGrants`
	Allows you to enable label-based access control on packages.	`GrantLabel`	`projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>`
	Allows you to disable label-based access control on packages.	`RevokeLabel`
	Allows you to view label-based access control on resources in a package.	`ShowLabelGrants`
	Allows you to view label-based access control for a user.	`ShowLabelGrants`	`projects/<project_name>/authorization/users`
	Allows you to view label-based access control for a role.	`ShowLabelGrants`	`projects/<project_name>/authorization/roles/resource/<role_name>` Note You cannot enable, set, or view label-based access control for an administrator role.
Access-level label configuration for users and roles	Allows you to set an access-level label for a user.	`SetDataLabel`	`projects/<project_name>/authorization/users`
Access-level label configuration for users and roles	Allows you to set an access-level label for a role.	`SetDataLabel`	`projects/<project_name>/authorization/roles/resource/<role_name>`
ACL-based access control	Allows you to grant permissions on resources in a project based on the ACL.	`GrantPrivs`	`projects/<project_name>/authorization/<resource_relative_id>` Note You can use the following string set operators in a policy to manage `actions` that can be granted or revoked: `StringIntersectSetEmpty(IgnoreCase), StringIntersectSetNotEmpty(IgnoreCase), StringSubSet(IgnoreCase), and StringNotSubSet(IgnoreCase)`. You can use `acs:Privileges` as keywords in the condition. For example, you can use the following policy to deny the user `odpsxxxx@aliyun.com` from granting the Download or Select permission on all tables in the `prj1` project: `{ "Action":[ "odps:GrantPrivs" ], "Effect":"Deny", "Principal":"aliyun$odpsxxxx@aliyun.com", "Resource":"acs:odps::projects/prj1/authorization/acl/tables/*", "Condition":{ "IntersectionSetNotNull":{ "acs:Privileges":["Download","Select"] } } }` The `resource_relative_id` of the project is in the `projects/<project_name>` format.
	Allows you to revoke permissions on resources in a project that are granted based on the ACL.	`RevokePrivs`
	Allows you to view permissions on resources in a project that are granted based on the ACL.	`ShowAclGrants`
	Allows you grant permissions on packages based on the ACL.	`GrantPrivs`	`projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>`
	Allows you to revoke permissions on packages that are granted based on the ACL.	`RevokePrivs`
	Allows you to view permissions on packages that are granted based on the ACL.	`ShowAclGrants`
	Allows you to view permissions that are granted to users based on the ACL.	`ShowAclGrants`	`projects/<project_name>/authorization/users`
	Allows you to view permissions that are granted to resource roles based on the ACL.	`ShowAclGrants`	`projects/<project_name>/authorization/roles/resource/<role_name>`
Clearance of expired permissions	Allows you to clear configurations of expired permissions.	`ClearExpiredGrants`	`projects/<project_name>/authorization`