If you want to grant permissions to a user by assigning a role to the user, you must assign a project-level custom role or a built-in administrator role to the user. After you assign a role to a user, the user has the same permissions as the role. This topic describes how to assign a role to a user and revoke a role from a user.
Assign a role to a user
After you assign a built-in role or custom role in a project to a user, the user is granted the permissions of the role.
- Syntax
grant <role_name> to <user_name>;
- Precautions
Multiple users can be assigned the same role, and a user can be assigned multiple roles.
- Parameters
| Parameter | Required | Description |
| --- | --- | --- |
| role_name | Yes | The name of the role that you want to assign to the user. You can run the `list roles;` command on the MaxCompute client to query the name of the role. |
| user_name | Yes | The name of the user to which you want to assign the role. You can run the `list users;` command on the MaxCompute client to query the name of the user. |
- Example
Assign the role Worker to the Alibaba Cloud account Kate@aliyun.com and the RAM user Bob@aliyun.com:Allen. Kate@aliyun.com and Bob@aliyun.com:Allen are added to the project test_project_a.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen.
grant Worker to ALIYUN$Kate@aliyun.com;
grant Worker to RAM$Bob@aliyun.com:Allen;
Revoke a role from a user
After you revoke a role from a user, the user no longer has the permissions of the role.
- Syntax
revoke <role_name> from <user_name>;
- Parameters
| Parameter | Required | Description |
| --- | --- | --- |
| role_name | Yes | The name of the role that you want to revoke from the user. You can run the `list roles;` command on the MaxCompute client to query the name of the role. |
| user_name | Yes | The name of the user from which you want to revoke the role. You can run the `list users;` command on the MaxCompute client to query the name of the user. |
- Example
Revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
revoke Worker from ALIYUN$Kate@aliyun.com;
revoke Worker from RAM$Bob@aliyun.com:Allen;
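Because a user can hold multiple roles and a role can be held by multiple users, role assignments tend to drift away from what was intended. The following added example (not part of the original topic and not MaxCompute's own tooling) compares the roles each user currently holds with an approved list and emits only the grant and revoke statements in the syntax shown above. The function name, the name patterns, the role Reviewer, and the sample data are assumptions made for illustration.

```python
import re

# Assumed patterns, modelled on the names in this topic's examples:
#   ALIYUN$<account>          e.g. ALIYUN$Kate@aliyun.com
#   RAM$<account>:<RAM user>  e.g. RAM$Bob@aliyun.com:Allen
_USER = re.compile(r"(ALIYUN\$[\w.+-]+@[\w.-]+|RAM\$[\w.+-]+@[\w.-]+:[\w.@-]+)")
_ROLE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _check(pattern, value, kind):
    # Reject anything (spaces, ';', quotes) that could end or extend a statement.
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected {kind}: {value!r}")
    return value


def plan_role_changes(current, desired):
    """Return the grant/revoke statements that move `current` to `desired`.

    Both arguments map a user name to the set of role names for that user.
    """
    statements = []
    for user in sorted(set(current) | set(desired)):
        _check(_USER, user, "user_name")
        have = set(current.get(user, ()))
        want = set(desired.get(user, ()))
        # Revoke first so that excess permissions are removed before new ones are added.
        for role in sorted(have - want):
            statements.append(f"revoke {_check(_ROLE, role, 'role_name')} from {user};")
        for role in sorted(want - have):
            statements.append(f"grant {_check(_ROLE, role, 'role_name')} to {user};")
    return statements


# Constructed sample data: Kate holds an extra role (Reviewer, hypothetical),
# and Allen does not yet hold Worker.
CURRENT = {
    "ALIYUN$Kate@aliyun.com": {"Worker", "Reviewer"},
    "RAM$Bob@aliyun.com:Allen": set(),
}
DESIRED = {
    "ALIYUN$Kate@aliyun.com": {"Worker"},
    "RAM$Bob@aliyun.com:Allen": {"Worker"},
}

if __name__ == "__main__":
    print("use test_project_a;")
    for stmt in plan_role_changes(CURRENT, DESIRED):
        print(stmt)
```

Review the generated statements before you run them on the MaxCompute client. Users that appear only in the current mapping have all of their roles revoked.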