This topic describes the permissions that are supported in MaxCompute.
Background information
MaxCompute supports fine-grained access control on projects, quotas, network connections, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures object security.
The following table describes the elements that are involved in authorization operations.
Permission element | Description
---|---
Subject | The user or role to which you want to grant permissions. Note: A user who performs authorization operations is called an authorizer. An authorizer can perform authorization operations only if the authorizer has the capability to grant permissions on objects and actions.
Object | An object in a MaxCompute tenant, or an object or behavior in a MaxCompute project.
Actions | The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.
Permissions on objects in a tenant

Object | Action | Description | Authorized by | Authorization method
---|---|---|---|---
Networklink | List | Allows you to view all types of network connections. | | Grant permissions to roles: Policy-based access control.
Networklink | CreateNetworklink | Allows you to create a network connection in a MaxCompute tenant. | | Grant permissions to roles: Policy-based access control.
Networklink | Describe | Allows you to read the metadata of a network connection in a MaxCompute tenant. | | Grant permissions to roles: Policy-based access control.
Networklink | Drop | Allows you to delete a network connection. | | Grant permissions to roles: Policy-based access control.
Networklink | All | Allows you to perform all the preceding operations on network connections. | | Grant permissions to roles: Policy-based access control.
Quota | Usage | Allows you to use quotas. | | 
Permissions on projects and objects in projects

- Objects

The following table describes the permissions on MaxCompute projects and on objects in MaxCompute projects.

Object | Action | Description | Authorized by | Authorization method
---|---|---|---|---
Project | Read | Allows you to view information about a project, excluding objects in the project. | Project owner | Not supported
Project | Write | Allows you to update information about a project, excluding objects in the project. | Project owner | Not supported
Project | List | Allows you to query all types of objects in a project. For example, you can run the `show tables;` or `show functions;` command to query tables or functions. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateTable | Allows you to create a table in a project. For example, you can run the `create table <table_name> ...;` command to create a table. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateInstance | Allows you to create an instance in a project. When you run jobs, instances are created. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateFunction | Allows you to create a function in a project. For example, you can run the `create function <function_name> ...;` command to create a function. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateResource | Allows you to add a resource to a project. For example, you can run the `add file\|archive\|py\|jar <local_file> ...;` or `add table <table_name> ...;` command to add a resource. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | All | Allows you to perform all the preceding operations on a project. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Describe | Allows you to read the metadata of a table, including the table structure, creation time, modification time, and table data size. For example, you can run the `desc <table_name>;` command to read the metadata of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Select | Allows you to query the data of a table. For example, you can run the `select * from <table_name>;` command to query the data of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Alter | Allows you to modify the metadata of a table. You can change the owner of a table, the name of a table, or the name of a column, and add or delete partitions. For example, you can run the `alter table <table_name> add if not exists partition ...;` command to modify the metadata of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Update | Allows you to update the data of a table. For example, you can run the `insert into\|overwrite table <table_name> ...;`, `update <table_name> set ...;`, or `delete from <table_name> where ...;` command to update the data of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Drop | Allows you to drop a table. For example, you can run the `drop table <table_name>;` command to drop a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | ShowHistory | Allows you to query the backup data of a table. For example, you can run the `show history for table <table_name>;` command to query the backup data of a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | All | Allows you to perform all the preceding operations on a table. | Table owner; project owner; users assigned with the Super_Administrator role; users assigned with the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Read | Allows you to read the program file in which a MaxCompute UDF is called. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Write | Allows you to update a UDF. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Delete | Allows you to delete a UDF. For example, you can run the `drop function <function_name>;` command to delete a UDF. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Execute | Allows you to call a UDF. For example, you can run the `select <function_name> from ...;` command to call a UDF. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | All | Allows you to perform all the preceding operations on a function. | Function owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | Read | Allows you to read a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | Write | Allows you to update a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | Delete | Allows you to delete a resource. For example, you can run the `drop resource <resource_name>;` command to delete a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | All | Allows you to perform all the preceding operations on a resource. | Resource owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External volume | CreateVolume | Allows you to create an external volume. | External volume owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External volume | Read | Allows you to read data from an external volume. | External volume owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External volume | Write | Allows you to update data in an external volume. | External volume owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External volume | Delete | Allows you to delete an external volume. For example, you can run the `vfs -rm -r <volume_path>;` command to delete an external volume. | External volume owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External volume | All | Allows you to perform all the preceding operations on an external volume. | External volume owner; project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Instance | Read | Allows you to read an instance. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Instance | Write | Allows you to update an instance. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Instance | All | Allows you to perform all the preceding operations on an instance. | Project owner; users assigned with the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.

Note: The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project. If you hold the Select, Alter, Update, or Drop permission on tables in a project but do not hold the CreateInstance permission on the project, the operations on the tables cannot be performed. For example, if you query data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.
- Behavior

The following table describes the permissions on behavior on objects in a MaxCompute project.

Object | Action | Description | Authorized by | Authorization method
---|---|---|---|---
Tables, functions, resources, and instances | Download | Allows you to use Tunnel commands to download table data, resources, functions, or instances. | Project owner; users assigned with the Super_Administrator role | Download control
Label | N/A | Allows you to read sensitive data at the column level. | Project owner; users assigned with the Admin role | Label-based access control
Package | Read | Allows you to package the objects in a project together with the allowed operation permissions on those objects, and use the generated package to support cross-project authorization. | Project owner; users assigned with the Admin role | Cross-project resource access based on packages
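The Note above on CreateInstance is the rule most often missed when auditing grants: a principal can hold Select on a table in Project B and still fail, because the job's instance is created in the project the query is submitted from. The following Python, added here as an illustration and not MaxCompute code, encodes that dependency as a checker over a constructed grant set (the `Grants` data model and the `missing_for_*` helpers are hypothetical). It also treats the `All` action as covering the individual actions, as the tables above describe.

```python
# Added example (not MaxCompute code): a small permission-dependency checker that
# applies the rule above, i.e. Select/Alter/Update/Drop on a table and CreateTable
# on a project only work when the principal also holds CreateInstance on the
# project where the job runs. Grant data below is constructed for illustration.
from dataclasses import dataclass, field

# Table actions that the page says must be combined with CreateInstance.
TABLE_ACTIONS_NEEDING_INSTANCE = frozenset({"Select", "Alter", "Update", "Drop"})


@dataclass
class Grants:
    """Effective permissions of one principal (hypothetical data model)."""
    # project name -> set of project-level actions, e.g. {"prj_a": {"CreateInstance"}}
    project: dict = field(default_factory=dict)
    # (project, table) -> set of table-level actions, e.g. {("prj_b", "t1"): {"Select"}}
    table: dict = field(default_factory=dict)

    def has_project_action(self, project: str, action: str) -> bool:
        actions = self.project.get(project, set())
        return action in actions or "All" in actions

    def has_table_action(self, project: str, table: str, action: str) -> bool:
        actions = self.table.get((project, table), set())
        return action in actions or "All" in actions


def missing_for_table_op(grants: Grants, run_project: str,
                         table_project: str, table: str, action: str) -> set:
    """Permissions still required to run `action` on table_project.table from a
    job submitted in run_project. An empty set means the operation is allowed."""
    missing = set()
    # The instance is created in run_project, so CreateInstance is needed there,
    # even when the table lives in another project (cross-project query).
    if (action in TABLE_ACTIONS_NEEDING_INSTANCE
            and not grants.has_project_action(run_project, "CreateInstance")):
        missing.add(f"CreateInstance on project {run_project}")
    if not grants.has_table_action(table_project, table, action):
        missing.add(f"{action} on table {table_project}.{table}")
    return missing


def missing_for_create_table(grants: Grants, project: str) -> set:
    """CreateTable on a project likewise needs CreateInstance on that project."""
    missing = set()
    for needed in ("CreateTable", "CreateInstance"):
        if not grants.has_project_action(project, needed):
            missing.add(f"{needed} on project {project}")
    return missing


if __name__ == "__main__":
    # Constructed grants: CreateInstance on prj_a, Select on prj_b.t1.
    g = Grants(project={"prj_a": {"CreateInstance"}},
               table={("prj_b", "t1"): {"Select"}})
    print(missing_for_table_op(g, "prj_a", "prj_b", "t1", "Select"))   # set()
    # Same Select grant, but no CreateInstance on the submitting project.
    g2 = Grants(table={("prj_b", "t1"): {"Select"}})
    print(missing_for_table_op(g2, "prj_a", "prj_b", "t1", "Select"))  # {'CreateInstance on project prj_a'}
```

Describe is deliberately absent from `TABLE_ACTIONS_NEEDING_INSTANCE`: the page ties only Select, Alter, Update, and Drop (and CreateTable) to CreateInstance, so a metadata read is checked against the table grant alone.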
Permissions on project management

- The following table describes the operations that you can perform to configure MaxCompute management permissions.

Permission type | Action | Description
---|---|---
Project security configurations | SetSecurityConfiguration | Allows you to set security configurations for a project.
Project security configurations | GetSecurityConfiguration | Allows you to view the security configurations of a project.
Project security configurations | SetProperty | Allows you to configure an IP address whitelist for a project.
Policy management | PutPolicy | Allows you to update a policy.
Policy management | GetPolicy | Allows you to view policy information.
Policy management | AddPolicyStatments | Allows you to add policy statements.
Policy management | RemovePolicyStatments | Allows you to remove policy statements.
Account provider management | AddAccountProviders | Allows you to add an account provider.
Account provider management | RemoveAccountProviders | Allows you to remove an account provider.
Account provider management | ListAccountProviders | Allows you to view all account providers.
Management of trusted projects | AddTrustedProjects | Allows you to add trusted projects.
Management of trusted projects | RemoveTrustedProjects | Allows you to remove trusted projects.
Management of trusted projects | ListTrustedProjects | Allows you to view all trusted projects.
Principal management | AddUser | Allows you to add a user.
Principal management | RemoveUser | Allows you to remove a user.
Principal management | ListUsers | Allows you to view all users.
Principal management | ListUserRoles | Allows you to view the roles assigned to a user.
Role management | CreateRole | Allows you to create a role.
Role management | DescribeRole | Allows you to query information about a role.
Role management | AlterRole | Allows you to modify properties of a role.
Role management | DropRole | Allows you to drop a role.
Role management | ListRoles | Allows you to view all roles.
Role authorization | GrantRole | Allows you to assign a role to a user.
Role authorization | RevokeRole | Allows you to revoke a role from a user.
Role authorization | ListRolePrincipals | Allows you to view the users to which a role is assigned.
Package management | CreatePackage | Allows you to create a package.
Package management | DescribePackage | Allows you to view information about a package.
Package management | DropPackage | Allows you to delete a package.
Package management | ShowPackages | Allows you to view all packages.
Package management | InstallPackage | Allows you to install a package.
Package management | UninstallPackage | Allows you to uninstall a package.
Package management | AllowInstallPackage | Allows you to grant the permissions on a package to other projects.
Package management | DisallowInstallPackage | Allows you to revoke the permissions on a package from other projects.
Package management | AddPackageResource | Allows you to add a resource to a package.
Package management | RemovePackageResource | Allows you to remove a resource from a package.
Label-based access control | GrantLabel | Allows you to configure labels.
Label-based access control | RevokeLabel | Allows you to remove labels.
Label-based access control | ShowLabelGrants | Allows you to view label configurations.
Label-based access control | SetDataLabel | Allows you to configure labels for users or roles.
ACL-based access control | GrantPrivs | Allows you to grant permissions based on the access control list (ACL).
ACL-based access control | RevokePrivs | Allows you to revoke permissions granted based on the ACL.
ACL-based access control | ShowAclGrants | Allows you to view permissions granted based on the ACL.
Clearance of expired permissions | ClearExpiredGrants | Allows you to clear configurations of expired permissions.

- The following table describes the resource URIs of management permissions.

Note: In the following resource URIs, the `acs:odps:*:projects/<project_name>/` part is omitted, and only the part that follows `<project_name>/` is provided.

Permission resource category | Resource URI | Description
---|---|---
Project security configurations | authorization/configurations/security_configuration | The security_configuration of a project
Project security configurations | authorization/configurations/policy | The policy of a project
Project security configurations | authorization/configurations/security_policy | The security_policy of a project
Project security configurations | authorization/configurations/protected_exception | The protected_exception of a project
Project | authorization | Management objects such as the account providers and trusted projects of a project
Project principal | authorization/users | The users of a project
Project role | authorization/roles/resource/<role_name> | A resource role of a project
Project role | authorization/roles/administrator/<role_name> | An administrator role of a project
Project role | authorization/roles/super_administrator/super_administrator | The super_administrator role that is built into a project
Project resource | authorization/objecttype/objectname | Resources such as tables, volumes, and jobs
Package management | authorization/packages/<projectname>.<packagename> | Package permissions
Package resource | authorization/packageresources/projectname.packagename/objecttype/objectname | The resources in a package

Usage notes:

- If you want to identify specific users, usernames are required. You can use URIs to identify only user categories, not specific users.
- You can use URIs to identify specific roles.
- To keep "all packages" and "all resources in all packages" semantically distinct, the URIs of packages are in the format `packages/projectname.packagename`, and the URIs of resources in packages are in the format `packageresources/projectname.packagename/objecttype/objectname`. This way, you can use `packages/*` to indicate all packages and `packageresources/*` to indicate all resources in packages.
- The following table describes management permissions.

Permission type | Permission | Action | Resource
---|---|---|---
Security configuration permissions on a project | Allows you to set security configurations for a project. | SetSecurityConfiguration | projects/<project_name>/authorization/configurations/security_configuration
Security configuration permissions on a project | Allows you to view security configurations of a project. | GetSecurityConfiguration | projects/<project_name>/authorization/configurations/security_configuration
Security configuration permissions on a project | Allows you to set a policy. | PutPolicy | projects/<project_name>/authorization/configurations/policy
Security configuration permissions on a project | Allows you to view policy information. | GetPolicy | projects/<project_name>/authorization/configurations/policy
Security configuration permissions on a project | Allows you to set protected_exception. | PutPolicy | projects/<project_name>/authorization/configurations/protected_exception
Security configuration permissions on a project | Allows you to view protected_exception. | GetPolicy | projects/<project_name>/authorization/configurations/protected_exception
Security configuration permissions on a project | Allows you to set security_policy. | PutPolicy | projects/<project_name>/authorization/configurations/security_policy
Security configuration permissions on a project | Allows you to view security_policy. | GetPolicy | projects/<project_name>/authorization/configurations/security_policy
Management of project account providers | Allows you to add an account provider. | AddAccountProvider | projects/<project_name>/authorization
Management of project account providers | Allows you to remove an account provider. | RemoveAccountProvider | projects/<project_name>/authorization
Management of project account providers | Allows you to view all account providers. | ListAccountProviders | projects/<project_name>/authorization
Management of trusted projects | Allows you to add trusted projects. | AddTrustedProjects | projects/<project_name>/authorization
Management of trusted projects | Allows you to remove trusted projects. | RemoveTrustedProjects | projects/<project_name>/authorization
Management of trusted projects | Allows you to view all trusted projects. | ListTrustedProjects | projects/<project_name>/authorization
Management of project principals | Allows you to add a user. | AddUser | projects/<project_name>/authorization/users
Management of project principals | Allows you to remove a user. | RemoveUser | projects/<project_name>/authorization/users
Management of project principals | Allows you to view all users. | ListUsers | projects/<project_name>/authorization/users
Management of project principals | Allows you to view all roles that are assigned to a user. | ListUserRoles | projects/<project_name>/authorization/users
Management of project roles | Allows you to create a resource role. | CreateRole | projects/<project_name>/authorization/roles/resource
Management of project roles | Allows you to query information about a resource role. | DescribeRole | projects/<project_name>/authorization/roles/resource/<role_name>
Management of project roles | Allows you to drop a resource role. | DropRole | projects/<project_name>/authorization/roles/resource/<role_name>
Management of project roles | Allows you to create an administrator role. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Management of project roles | Allows you to drop an administrator role. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Management of project roles | Allows you to query information about an administrator role. | DescribeRole | projects/<project_name>/authorization/roles/administrator/<role_name>
Management of project roles | Allows you to view all roles. | ListRoles | projects/<project_name>/authorization/roles
Policy management of roles in a project | Allows you to set policies about resource roles in a project. | PutPolicy | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to view policies about resource roles in a project. | GetPolicy | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to add statements that are used to set resource role policies. | AddPolicyStatments | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to remove statements that are used to set resource role policies. | RemovePolicyStatments | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to set policies about administrator roles. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Policy management of roles in a project | Allows you to view policies about administrator roles. | GetPolicy | projects/<project_name>/authorization/roles/administrator/<role_name>
Policy management of roles in a project | Allows you to add statements that are used to set administrator role policies. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Policy management of roles in a project | Allows you to remove statements that are used to set administrator role policies. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Role assignment and view | Allows you to assign a resource role to a user. | GrantRole | projects/<project_name>/authorization/roles/resource/<role_name>
Role assignment and view | Allows you to revoke a resource role from a user. | RevokeRole | projects/<project_name>/authorization/roles/resource/<role_name>
Role assignment and view | Allows you to assign an administrator role to a user. | GrantRole | projects/<project_name>/authorization/roles/administrator/<role_name>
Role assignment and view | Allows you to revoke an administrator role from a user. | RevokeRole | projects/<project_name>/authorization/roles/administrator/<role_name>
Role assignment and view | Allows you to assign the Super_Administrator role to a user. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can assign or revoke the Super_Administrator role to or from a user.
Role assignment and view | Allows you to revoke the Super_Administrator role from a user. | N/A | N/A. Only project owners or users assigned with the Super_Administrator role can assign or revoke the Super_Administrator role to or from a user.
Role assignment and view | Allows you to view the users to which a resource role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/resource/<role_name>
Role assignment and view | Allows you to view the users to which an administrator role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/administrator/<role_name>
Role assignment and view | Allows you to view the users to which the Super_Administrator role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/super_administrator/super_administrator
Role assignment and view | Allows you to view the roles assigned to a user. | ListPrincipalRoles | projects/<project_name>/authorization/principals/users
Package management | Allows you to create a package. | CreatePackage | projects/<project_name>/authorization/packages
Package management | Allows you to view packages. | ShowPackages | projects/<project_name>/authorization/packages
Package management | Allows you to query information about a package. | DescribePackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to delete a package. | DropPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to install a package. | InstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to uninstall a package. | UninstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to grant the permissions on a package to other projects. | AllowInstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to revoke the permissions on a package from other projects. | DisallowInstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to add a resource to a package. | AddPackageResource | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to remove resources from a package. | RemovePackageResource | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Label-based access control | Allows you to enable label-based access control on resources in a project. | GrantLabel | projects/<project_name>/authorization/label/<resource_relative_id>
Label-based access control | Allows you to disable label-based access control on resources in a project. | RevokeLabel | projects/<project_name>/authorization/label/<resource_relative_id>
Label-based access control | Allows you to view label-based access control on resources in a project. | ShowLabelGrants | projects/<project_name>/authorization/label/<resource_relative_id>
Label-based access control | Allows you to enable label-based access control on packages. | GrantLabel | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
Label-based access control | Allows you to disable label-based access control on packages. | RevokeLabel | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
Label-based access control | Allows you to view label-based access control on resources in a package. | ShowLabelGrants | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
Label-based access control | Allows you to view label-based access control for a user. | ShowLabelGrants | projects/<project_name>/authorization/users
Label-based access control | Allows you to view label-based access control for a role. | ShowLabelGrants | projects/<project_name>/authorization/roles/resource/<role_name>
Access-level label configuration for users and roles | Allows you to set an access-level label for a user. | SetDataLabel | projects/<project_name>/authorization/users
Access-level label configuration for users and roles | Allows you to set an access-level label for a role. | SetDataLabel | projects/<project_name>/authorization/roles/resource/<role_name>
ACL-based access control | Allows you to grant permissions on resources in a project based on the ACL. | GrantPrivs | projects/<project_name>/authorization/<resource_relative_id>
ACL-based access control | Allows you to revoke permissions on resources in a project that are granted based on the ACL. | RevokePrivs | projects/<project_name>/authorization/<resource_relative_id>
ACL-based access control | Allows you to view permissions on resources in a project that are granted based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/<resource_relative_id>
ACL-based access control | Allows you to grant permissions on packages based on the ACL. | GrantPrivs | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
ACL-based access control | Allows you to revoke permissions on packages that are granted based on the ACL. | RevokePrivs | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
ACL-based access control | Allows you to view permissions on packages that are granted based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
ACL-based access control | Allows you to view permissions that are granted to users based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/users
ACL-based access control | Allows you to view permissions that are granted to resource roles based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/roles/resource/<role_name>
Clearance of expired permissions | Allows you to clear configurations of expired permissions. | ClearExpiredGrants | projects/<project_name>/authorization

Notes on label-based access control:

- In the resource URI, `resource_relative_id` specifies the resource path in a project. For example, the `resource_relative_id` of `table_1` is `tables/table_1`.
- You can use an asterisk (*) to specify all resources. For example, you can use `tables/*` to specify all tables in a project.
- You cannot enable, set, or view label-based access control for an administrator role.

Notes on ACL-based access control:

- You can use the following string set operators in a policy to manage the actions that can be granted or revoked: StringIntersectSetEmpty(IgnoreCase), StringIntersectSetNotEmpty(IgnoreCase), StringSubSet(IgnoreCase), and StringNotSubSet(IgnoreCase). You can use `acs:Privileges` as the key in the condition. For example, you can use the following policy to deny the user odpsxxxx@aliyun.com from granting the Download or Select permission on all tables in the prj1 project:

```json
{
    "Action": [
        "odps:GrantPrivs"
    ],
    "Effect": "Deny",
    "Principal": "aliyun$odpsxxxx@aliyun.com",
    "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
    "Condition": {
        "IntersectionSetNotNull": {
            "acs:Privileges": ["Download", "Select"]
        }
    }
}
```

- The `resource_relative_id` of the project itself is in the `projects/<project_name>` format.
- In the resource URI,
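To make the string set operators and the `*` URI convention concrete, the following Python is an added toy evaluator; it is not MaxCompute's policy engine and is not code from the page. It assumes that each operator compares the `acs:Privileges` values in the request with those in the condition as plain string sets (lower-cased when the operator carries `(IgnoreCase)`), that condition blocks are ANDed, that `Principal` must match exactly, and that `*` in a policy resource matches any suffix, which is what lets `packages/*` and `packageresources/*` address all packages and all package resources. The sample policy is the page's own deny example, with the operator written as `StringIntersectSetNotEmpty(IgnoreCase)` from the listed operator set rather than the `IntersectionSetNotNull` spelling in the page's JSON; the `grant_request` helper and its request shape are constructed for illustration.

```python
# Added example (not MaxCompute's policy engine): a toy evaluator for Deny
# policies that use the string set operators listed above on acs:Privileges,
# plus the `*` wildcard convention for packages/* and packageresources/*.
# Operator semantics, AND-ing of condition blocks, exact principal matching and
# glob-style resource matching are assumptions of this model.
import fnmatch
from typing import Callable, Dict, Iterable, Set

# The four operators listed on the page; each compares the privilege set named
# in the request with the privilege set named in the policy condition.
OPERATORS: Dict[str, Callable[[Set[str], Set[str]], bool]] = {
    "StringIntersectSetEmpty":    lambda req, pol: not (req & pol),
    "StringIntersectSetNotEmpty": lambda req, pol: bool(req & pol),
    "StringSubSet":               lambda req, pol: req <= pol,
    "StringNotSubSet":            lambda req, pol: not (req <= pol),
}
IGNORE_CASE = "(IgnoreCase)"


def _norm(values: Iterable[str], ignore_case: bool) -> Set[str]:
    return {v.lower() if ignore_case else v for v in values}


def eval_condition(condition: dict, context: dict) -> bool:
    """True when every operator block in `condition` holds for `context`
    (assumed AND semantics across blocks and keys)."""
    for op_name, keys in condition.items():
        ignore_case = op_name.endswith(IGNORE_CASE)
        base = op_name[:-len(IGNORE_CASE)] if ignore_case else op_name
        op = OPERATORS[base]  # KeyError for an operator this toy model does not know
        for key, policy_values in keys.items():
            if not op(_norm(context.get(key, []), ignore_case),
                      _norm(policy_values, ignore_case)):
                return False
    return True


def resource_matches(pattern: str, resource: str) -> bool:
    """`*` in a policy resource matches any suffix, so packages/* covers every
    package and packageresources/* every resource in any package."""
    return fnmatch.fnmatchcase(resource, pattern)


def is_denied(policy: dict, request: dict) -> bool:
    """Does this Deny statement apply to the request? Principal, action and
    resource must all match before the condition is evaluated."""
    if policy.get("Effect") != "Deny":
        return False
    if policy["Principal"] != request["principal"]:
        return False
    if request["action"] not in policy["Action"]:
        return False
    if not resource_matches(policy["Resource"], request["resource"]):
        return False
    return eval_condition(policy.get("Condition", {}), request.get("context", {}))


# The page's example policy, with the condition operator written with the name
# from the list above (the page's own sample spells it IntersectionSetNotNull).
DENY_GRANT_ON_PRJ1_TABLES = {
    "Action": ["odps:GrantPrivs"],
    "Effect": "Deny",
    "Principal": "aliyun$odpsxxxx@aliyun.com",
    "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
    "Condition": {
        "StringIntersectSetNotEmpty(IgnoreCase)": {"acs:Privileges": ["Download", "Select"]}
    },
}


def grant_request(principal: str, project: str, table: str, privileges: Iterable[str]) -> dict:
    """Constructed GrantPrivs request: `principal` tries to grant `privileges`
    on project.table; acs:Privileges carries the privileges being granted."""
    return {
        "principal": principal,
        "action": "odps:GrantPrivs",
        "resource": f"acs:odps::projects/{project}/authorization/acl/tables/{table}",
        "context": {"acs:Privileges": list(privileges)},
    }


if __name__ == "__main__":
    user = "aliyun$odpsxxxx@aliyun.com"
    print(is_denied(DENY_GRANT_ON_PRJ1_TABLES, grant_request(user, "prj1", "t1", ["select"])))    # True
    print(is_denied(DENY_GRANT_ON_PRJ1_TABLES, grant_request(user, "prj1", "t1", ["Describe"])))  # False
```

The `IgnoreCase` variant is what makes a grant of `select` (lower case) hit the deny; without it, a differently cased privilege name would slip past a condition written as `Select`, which is the kind of gap to check for when reviewing a policy that is meant to stop re-delegation of Download or Select on sensitive tables.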