If you want to grant permissions to a user by assigning a role to the user, you must assign a project-level custom role or a built-in administrator role to the user. After you assign a role to a user, the user has the same permissions as the role. This topic describes how to assign a role to a user and revoke a role from a user.

Assign a role to a user

After you assign a built-in role or custom role in a project to a user, the user is granted the permissions of the role.

  • Syntax
    grant <role_name> to <user_name>;
  • Precautions

    Multiple users can be assigned the same role, and a user can be assigned multiple roles.

  • Parameters
    Parameter | Required | Description
    role_name | Yes | The name of the role that you want to assign to the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
    user_name | Yes | The name of the user to which you want to assign the role. You can run the list users; command on the MaxCompute client to query the name of the user.

  • Example
    Assign the role Worker to the Alibaba Cloud account Kate@aliyun.com and the RAM user Bob@aliyun.com:Allen. Both Kate@aliyun.com and Bob@aliyun.com:Allen have been added to the project test_project_a.
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen. 
    grant Worker to ALIYUN$Kate@aliyun.com;
    grant Worker to RAM$Bob@aliyun.com:Allen;

Revoke a role from a user

After you revoke a role from a user, the user no longer has the permissions of the role.

  • Syntax
    revoke <role_name> from <user_name>;
  • Parameters
    Parameter | Required | Description
    role_name | Yes | The name of the role that you want to revoke from the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
    user_name | Yes | The name of the user from which you want to revoke the role. You can run the list users; command on the MaxCompute client to query the name of the user.

  • Example
    Revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen. 
    revoke Worker from ALIYUN$Kate@aliyun.com;
    revoke Worker from RAM$Bob@aliyun.com:Allen;
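
The following is an added example, not part of the MaxCompute documentation: a Python helper that compares current and desired role assignments and emits only the grant and revoke statements needed to close the gap, in the syntax shown above. The name patterns, the role Auditor and the sample state are assumptions constructed for illustration; names that do not match the patterns are rejected so they cannot carry extra statements into the generated script.

```python
import re

# Assumption: conservative patterns modelled on this page's examples
# (ALIYUN$<account>, RAM$<account>:<ram_user>); not MaxCompute's official grammar.
PRINCIPAL_RE = re.compile(
    r"(ALIYUN\$[\w.\-]+@[\w.\-]+|RAM\$[\w.\-]+@[\w.\-]+:[\w.\-]+)", re.ASCII)
NAME_RE = re.compile(r"[A-Za-z]\w*", re.ASCII)


def _check(assignments):
    """Reject names that could smuggle extra statements into the script."""
    for principal, roles in assignments.items():
        if not PRINCIPAL_RE.fullmatch(principal):
            raise ValueError(f"unexpected principal format: {principal!r}")
        for role in roles:
            if not NAME_RE.fullmatch(role):
                raise ValueError(f"unexpected role name: {role!r}")


def reconcile(project, current, desired):
    """Return the statements that move `current` role assignments to `desired`.

    Both arguments map a principal to the set of roles it holds. Revokes are
    emitted before grants so excess privilege is removed first.
    """
    if not NAME_RE.fullmatch(project):
        raise ValueError(f"unexpected project name: {project!r}")
    _check(current)
    _check(desired)
    revokes, grants = [], []
    for principal in sorted(set(current) | set(desired)):
        have = set(current.get(principal, ()))
        want = set(desired.get(principal, ()))
        revokes += [f"revoke {r} from {principal};" for r in sorted(have - want)]
        grants += [f"grant {r} to {principal};" for r in sorted(want - have)]
    changes = revokes + grants
    return [f"use {project};"] + changes if changes else []


# Constructed sample state: Kate should lose Worker, Allen should gain it.
# The role name Auditor is hypothetical.
CURRENT = {"ALIYUN$Kate@aliyun.com": {"Worker", "Auditor"}}
DESIRED = {"ALIYUN$Kate@aliyun.com": {"Auditor"},
           "RAM$Bob@aliyun.com:Allen": {"Worker"}}

if __name__ == "__main__":
    print("\n".join(reconcile("test_project_a", CURRENT, DESIRED)))
```

Review the generated statements before running them on the MaxCompute client; an empty result means the project already matches the desired state.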