If you want to grant the same permissions to multiple users in a MaxCompute project, you can create a role in the project, grant the permissions to the role, and then assign the role to the users. This topic describes the syntaxes of commands that you can use to perform role-based access control. This topic also provides examples on how to perform role-based access control.
Background information
MaxCompute allows you to perform role-based access control in the scenarios described in the following table.
Scenario | Access control method | Authorized by | Operation platform
---|---|---|---
Grant the operation permissions on an object to a role | ACL-based access control or policy-based access control | For more information about the identities that can be used to perform access control, see the Authorized by column in the Permissions list section in Permission list. | 
Revoke the operation permissions on an object from a role | ACL-based access control or policy-based access control | | 
Grant the Download permission to a role | Download control | | 
Revoke the Download permission from a role | Download control | | 
Grant the access permissions on data that has a high sensitivity level to a role | Label-based access control | | 
Revoke the access permissions on data that has a high sensitivity level from a role | Label-based access control | | 
After you grant permissions to a role, you can assign the role to users. If the users no longer require the permissions, you can revoke the role from the users. For more information, see Assign a role to a user and Revoke a role from a user.
Grant the operation permissions on an object to a role
You can grant the operation permissions on projects, tables, resources, functions, or instances to a role.
- Syntaxes
- Grant the operation permissions on a project to a role
- ACL-based access control
grant {Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All} on project <project_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Policy-based access control
grant {Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All} on project <project_name> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
- Grant the operation permissions on a table to a role
- ACL-based access control
grant {Describe|Select|Alter|Update|Drop|ShowHistory|All} on table <table_name> [(<column_list>)] to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Policy-based access control
grant {Describe|Select|Alter|Update|Drop|ShowHistory|All} on table <table_name> [(<column_list>)] to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
- Grant the operation permissions on a resource to a role
- ACL-based access control
grant {Read|Write|Delete|All} on resource <resource_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Policy-based access control
grant {Read|Write|Delete|All} on resource <resource_name> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
- Grant the operation permissions on a function to a role
- ACL-based access control
grant {Read|Write|Delete|Execute|All} on function <function_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Policy-based access control
grant {Read|Write|Delete|Execute|All} on function <function_name> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
- Grant the operation permissions on an instance to a role
- ACL-based access control
grant {Read|Write|All} on instance <instance_id> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Policy-based access control
grant {Read|Write|All} on instance <instance_id> to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
- Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
- Examples
For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a, and a role named Worker is created in the project. You need to grant permissions to the role Worker. The following examples provide the commands that you can use to grant different operation permissions to the role Worker.
- Example 1: Grant the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Grant the permissions to the role Worker by using the policy-based access control method.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 2: Grant the Describe and Select permissions on a table in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant Describe, Select on table sale_detail to ROLE Worker;
-- Grant the permissions to the role Worker by using the policy-based access control method.
grant Describe, Select on table sale_detail to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 3: Grant the Read and Write permissions on a resource in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant Read, Write on resource udtf.jar to ROLE Worker;
-- Grant the permissions to the role Worker by using the policy-based access control method.
grant Read, Write on resource udtf.jar to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 4: Grant the Read and Write permissions on a function in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant Read, Write on function udf_test to ROLE Worker;
-- Grant the permissions to the role Worker by using the policy-based access control method.
grant Read, Write on function udf_test to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 5: Grant all operation permissions on an instance in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant All on instance 202112300224**** to ROLE Worker;
-- Grant the permissions to the role Worker by using the policy-based access control method.
grant All on instance 202112300224**** to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
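The following is an added example, not a command sequence from the original page, that uses the privilegeproperties options from the syntax above to keep a role's table access narrow: an ACL grant that expires on its own, and a policy-based deny on a single column. It assumes the project test_project_a, the table sale_detail with a column named customer_id, and the role Worker from the page's examples; describe role is a MaxCompute client command that this page does not list.

```sql
-- Added example (not from the original page).
-- Assumes test_project_a, sale_detail(customer_id) and the role Worker.
use test_project_a;

-- 1. ACL grant that lapses after 7 days, so a role handed out for a
--    short review does not keep Select on the table if nobody revokes it.
grant Describe, Select on table sale_detail to ROLE Worker
  privilegeproperties("expires" = "7");

-- 2. Policy-based deny scoped to one column. A deny rule takes precedence
--    over an allow, so Worker can query sale_detail but not customer_id.
grant Select on table sale_detail(customer_id) to ROLE Worker
  privilegeproperties("policy" = "true", "deny" = "true");

-- 3. Review the rules attached to the role before assigning it to anyone.
describe role Worker;
```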
Revoke the operation permissions on an object from a role
You can revoke the operation permissions on projects, tables, resources, functions, or instances from a role.
- Syntaxes
- Revoke the operation permissions on a project from a role
- Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke {Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All} on project <project_name> from ROLE <role_name>;
- Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke {Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All} on project <project_name> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
- Revoke the operation permissions on a table from a role
- Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke {Describe|Select|Alter|Update|Drop|ShowHistory|All} on table <table_name> [(<column_list>)] from ROLE <role_name>;
- Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke {Describe|Select|Alter|Update|Drop|ShowHistory|All} on table <table_name> [(<column_list>)] from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
- Revoke the operation permissions on a resource from a role
- Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke {Read|Write|Delete|All} on resource <resource_name> from ROLE <role_name>;
- Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke {Read|Write|Delete|All} on resource <resource_name> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
- Revoke the operation permissions on a function from a role
- Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke {Read|Write|Delete|Execute|All} on function <function_name> from ROLE <role_name>;
- Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke {Read|Write|Delete|Execute|All} on function <function_name> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
- Revoke the operation permissions on an instance from a role
- Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke {Read|Write|All} on instance <instance_id> from ROLE <role_name>;
- Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke {Read|Write|All} on instance <instance_id> from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
- Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
- Examples
In the following examples, the operation permissions that are granted to the role Worker in the preceding section are revoked.
- Example 1: Revoke the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 2: Revoke the Describe and Select permissions on the table in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke Describe, Select on table sale_detail from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke Describe, Select on table sale_detail from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 3: Revoke the Read and Write permissions on the resource in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke Read, Write on resource udtf.jar from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke Read, Write on resource udtf.jar from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 4: Revoke the Read and Write permissions on the function in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke Read, Write on function udf_test from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke Read, Write on function udf_test from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Example 5: Revoke all operation permissions on the instance in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke All on instance 202112300224**** from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke All on instance 202112300224**** from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Download permission to a role
You can grant the Download permission on tables, resources, functions, or instances to a role.
- Syntax
grant Download on {Table|Resource|Function|Instance} <object_name> to ROLE <role_name>;
- Parameters
For more information about the parameters, see Download control.
- Example
Grant the Download permission on a specific table in the project test_project_a for which download control is enabled to the role Worker. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to grant the Download permission to the role Worker.
grant download on table sale_detail to ROLE Worker;
Revoke the Download permission from a role
You can revoke the Download permission on tables, resources, functions, or instances from a role.
- Syntax
revoke Download on {Table|Resource|Function|Instance} <object_name> from ROLE <role_name>;
- Parameters
For more information about the parameters, see Download control.
- Example
Revoke the Download permission that is granted to the role Worker in the preceding section. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the Download permission from the role Worker.
revoke download on table sale_detail from ROLE Worker;
Grant the access permissions on data that has a high sensitivity level to a role
If a role has been classified into a specific data access level by using labels and needs to access data whose sensitivity level is higher than that access level, you must explicitly grant the role the access permissions on that data. For more information about how to use labels to classify roles into different access levels, see Configure access-level labels for users or roles.
- Syntax
grant Label <number> on table <table_name> [(<column_list>)] to ROLE <role_name> [with exp <days>];
- Parameters
For more information about the parameters, see Enable label-based explicit authorization.
- Example
Grant the access permissions on data whose sensitivity level is 4 in the sale_detail table of the project test_project_a to the role Worker whose data access level is 2. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to grant the access permissions to the role Worker.
grant Label 4 on table sale_detail to ROLE Worker;
Revoke the access permissions on data that has a high sensitivity level from a role
You can revoke the access permissions on data that has a high sensitivity level from a role. After you revoke such access permissions from a role, the data access level of the role is not affected.
- Syntax
revoke Label on table <table_name> [(<column_list>)] from ROLE <role_name>;
- Parameters
For more information about the parameters, see Disable label-based explicit authorization.
- Example
Revoke the access permissions that are granted to the role Worker in the preceding section. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the access permissions from the role Worker.
revoke Label 4 on table sale_detail from ROLE Worker;
Assign a role to a user
After you assign a built-in role or custom role in a project to a user, the user is granted the permissions of the role.
- Syntax
grant <role_name> to <user_name>;
- Precautions
Multiple users can be assigned the same role, and a user can be assigned multiple roles.
- Parameters
Parameter | Required | Description
---|---|---
role_name | Yes | The name of the role that you want to assign to the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
user_name | Yes | The name of the user to which you want to assign the role. You can run the list users; command on the MaxCompute client to query the name of the user.
- Example
Assign the role Worker to the Alibaba Cloud account Kate@aliyun.com and the RAM user Bob@aliyun.com:Allen. Both Kate@aliyun.com and Bob@aliyun.com:Allen have already been added to the project test_project_a.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen.
grant Worker to ALIYUN$Kate@aliyun.com;
grant Worker to RAM$Bob@aliyun.com:Allen;
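The following is an added example, not from the original page, that walks the full role lifecycle covered by the label-based and assignment sections: a label grant with the optional expiry from the syntax above, assignment to both kinds of user, a review of what each principal effectively holds, and off-boarding by revoking the role. It assumes test_project_a, the table sale_detail, the role Worker (data access level 2) and the users from the page's examples; describe role and show grants for are MaxCompute client commands that this page does not list.

```sql
-- Added example (not from the original page).
-- Assumes test_project_a, sale_detail, the role Worker (access level 2),
-- and the users Kate@aliyun.com and Bob@aliyun.com:Allen.
use test_project_a;

-- Time-boxed label access: Worker may read level-4 data in sale_detail
-- for 30 days; after that only its own access level (2) applies.
grant Label 4 on table sale_detail to ROLE Worker with exp 30;

-- Assign the role to an Alibaba Cloud account and to a RAM user.
grant Worker to ALIYUN$Kate@aliyun.com;
grant Worker to RAM$Bob@aliyun.com:Allen;

-- Review after every change to the role: what the role carries, and what
-- each user effectively holds (direct grants plus grants through roles).
describe role Worker;
show grants for ALIYUN$Kate@aliyun.com;
show grants for RAM$Bob@aliyun.com:Allen;

-- Off-boarding one user: revoking the role removes everything it conveyed,
-- without touching grants made directly to that user.
revoke Worker from RAM$Bob@aliyun.com:Allen;
show grants for RAM$Bob@aliyun.com:Allen;
```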
Revoke a role from a user
After you revoke a role from a user, the user no longer has the permissions of the role.
- Syntax
revoke <role_name> from <user_name>;
- Parameters
Parameter | Required | Description
---|---|---
role_name | Yes | The name of the role that you want to revoke from the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
user_name | Yes | The name of the user from which you want to revoke the role. You can run the list users; command on the MaxCompute client to query the name of the user.
- Example
Revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
revoke Worker from ALIYUN$Kate@aliyun.com;
revoke Worker from RAM$Bob@aliyun.com:Allen;