MaxCompute: GRANT LABEL

Last Updated: Jul 19, 2023

This statement lets the project owner or a user who is assigned the Admin role authorize users or roles with low access levels to access data with high sensitivity levels.

Usage notes

The labels that are explicitly configured for columns in a table override the label that is explicitly configured for the table.

Syntax

grant Label <number> on table <table_name> [(<column_list>)] to {USER|ROLE} <name> [with exp <days>];

Parameters

| Parameter | Required | Description |
|---|---|---|
| number | Yes | The highest access level of the users or roles. The valid values range from 0 to 9 and correspond to sensitivity-level labels of data. |
| table_name | Yes | The name of the table or view. You can execute the show tables; statement on the MaxCompute client to obtain the name of the table or view. |
| column_list | No | This parameter is required if you want to authorize a user or role to access a specified column in the table or view. You can specify multiple column names for a single authorization operation. Separate column names with commas (,). |
| name | Yes | The name of the user or role. You can execute the list users; or list roles; statement on the MaxCompute client to obtain the account or role name. |
| days | No | The expiration time of a specified permission. Unit: days. Valid values: 0 to 2^63 - 1. If you do not specify this parameter, the default expiration time is 180 days. |

Examples

In these examples, the test_project_a project stores a table named sale_detail that contains the shop_name, customer_id, and total_price columns. Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that belongs to Bob@aliyun.com and is added to the test_project_a project.

Explicitly authorize Allen to access data with high sensitivity levels. Sample statements:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
use test_project_a;
-- Explicitly authorize Allen to access data whose sensitivity level is lower than or equal to 3 in the sale_detail table. The validity period of the granted permissions is 4 days. 
grant Label 3 on table sale_detail to USER RAM$Bob@aliyun.com:Allen with exp 4; 
-- View the permissions that are granted to Allen. 
show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
-- The following result is returned: 
User Label: 1
+-------------+--------------+--------------------------+
| Column      | GrantedLabel | Expires                  |
+-------------+--------------+--------------------------+
| total_price | 3            | 2021-12-31T19:56:18+0800 |
+-------------+--------------+--------------------------+
-- Explicitly authorize Allen to access the data whose sensitivity level is lower than or equal to 4 in the shop_name, customer_id, and total_price columns of the sale_detail table. The validity period of the granted permissions is 10 days.
grant Label 4 on table sale_detail(shop_name, customer_id, total_price) to USER RAM$Bob@aliyun.com:Allen with exp 10;
-- View the permissions that are granted to Allen. 
show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
-- The following result is returned: 
User Label: 1
+-------------+--------------+--------------------------+
| Column      | GrantedLabel | Expires                  |
+-------------+--------------+--------------------------+
| customer_id | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| shop_name   | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| total_price | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
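
The following Python script is an added example, not code from the MaxCompute documentation. It parses show label grants output in the format shown above and reports, for each column, how far the explicit grant raises the user above their own label and whether the grant has passed its Expires time or outlives a review window. The function names, the max_days threshold, and the sample text are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format that `show label grants` prints above.
SAMPLE = """\
User Label: 1
+-------------+--------------+--------------------------+
| Column      | GrantedLabel | Expires                  |
+-------------+--------------+--------------------------+
| customer_id | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| shop_name   | 4            | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| total_price | 3            | 2021-12-31T19:56:18+0800 |
+-------------+--------------+--------------------------+
"""

# Data rows only: the header row fails on \d, border rows do not start with '|'.
ROW = re.compile(r"^\|\s*(\S+)\s*\|\s*(\d)\s*\|\s*(\S+)\s*\|\s*$")

def parse_label_grants(text):
    """Return (user_label, [{'column', 'granted', 'expires'}, ...])."""
    m = re.search(r"^User Label:\s*(\d)\s*$", text, re.M)
    if not m:
        raise ValueError("missing 'User Label' line")
    grants = []
    for line in text.splitlines():
        r = ROW.match(line)
        if r:
            grants.append({
                "column": r.group(1),
                "granted": int(r.group(2)),
                "expires": datetime.strptime(r.group(3), "%Y-%m-%dT%H:%M:%S%z"),
            })
    return int(m.group(1)), grants

def audit(text, now, max_days=30):
    """Return (column, levels above user label, status) as of timezone-aware `now`."""
    user_label, grants = parse_label_grants(text)
    findings = []
    for g in grants:
        if g["expires"] <= now:
            status = "expired"      # candidate for CLEAR EXPIRED GRANTS
        elif (g["expires"] - now).days > max_days:
            status = "long-lived"   # exceeds the assumed review window
        else:
            status = "active"
        findings.append((g["column"], g["granted"] - user_label, status))
    return findings
```
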

Related statements

  • SET LABEL: Configures sensitivity-level labels for data in tables or columns.
  • REVOKE: The project owner or a user who is assigned the Admin role revokes an explicitly configured label from a user or role.
  • CLEAR EXPIRED GRANTS: Clears expired permissions that are granted by using explicit authorization.