If you want to grant the same permissions to multiple users in a MaxCompute project, you can create a role in the project, grant the permissions to the role, and then assign the role to the users. This topic describes the syntaxes of commands that you can use to perform role-based access control. This topic also provides examples on how to perform role-based access control.

Background information

MaxCompute allows you to perform role-based access control in the scenarios described in the following table.

Scenario | Access control method
Grant the operation permissions on an object to a role | ACL-based access control or policy-based access control
Revoke the operation permissions on an object from a role | ACL-based access control or policy-based access control
Grant the Download permission to a role | Download control
Revoke the Download permission from a role | Download control
Grant the access permissions on data that has a high sensitivity level to a role | Label-based access control
Revoke the access permissions on data that has a high sensitivity level from a role | Label-based access control

Authorized by: for the identities that can perform each of these operations, see the Authorized by column in the Permissions list section in Permission list.

After you grant permissions to a role, you can assign the role to users. If the users no longer require the permissions, you can revoke the role from the users. For more information, see Assign a role to a user and Revoke a role from a user.

Grant the operation permissions on an object to a role

You can grant the operation permissions on projects, tables, resources, functions, or instances to a role.

  • Syntaxes
    • Grant the operation permissions on a project to a role
      • ACL-based access control
        grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
              on project <project_name>
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control
        grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
              on project <project_name>
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on a table to a role
      • ACL-based access control
        grant Describe|Select|Alter|Update|Drop|ShowHistory|All
              on table <table_name> [(<column_list>)]
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control
        grant Describe|Select|Alter|Update|Drop|ShowHistory|All
              on table <table_name> [(<column_list>)]
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on a resource to a role
      • ACL-based access control
        grant Read|Write|Delete|All
              on resource <resource_name>
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control
        grant Read|Write|Delete|All
              on resource <resource_name>
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on a function to a role
      • ACL-based access control
        grant Read|Write|Delete|Execute|All
              on function <function_name>
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control
        grant Read|Write|Delete|Execute|All
              on function <function_name>
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on an instance to a role
      • ACL-based access control
        grant Read|Write|All
              on instance <instance_id>
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control
        grant Read|Write|All
              on instance <instance_id>
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
  • Parameters

    For more information about the parameters, see ACL-based access control or Policy-based access control.

  • Examples
    For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a, and a role named Worker is created in the project. You need to grant permissions to the role Worker. The following examples provide the commands that you can use to grant different operation permissions to the role Worker.
    • Example 1: Grant the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a to the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
      -- Grant the permissions to the role Worker by using the policy-based access control method. 
      grant CreateTable, CreateFunction, CreateInstance, List 
            on project test_project_a  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 2: Grant the Describe and Select permissions on a table in the project test_project_a to the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant Describe, Select on table sale_detail to ROLE Worker;
      -- Grant the permissions to the role Worker by using the policy-based access control method. 
      grant Describe, Select  
            on table sale_detail   
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 3: Grant the Read and Write permissions on a resource in the project test_project_a to the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant Read, Write on resource udtf.jar to ROLE Worker;
      -- Grant the permissions to the role Worker by using the policy-based access control method. 
      grant Read, Write   
            on resource udtf.jar  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 4: Grant the Read and Write permissions on a function in the project test_project_a to the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant Read, Write on function udf_test to ROLE Worker;
      -- Grant the permissions to the role Worker by using the policy-based access control method. 
      grant Read, Write   
            on function udf_test  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 5: Grant all operation permissions on an instance in the project test_project_a to the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant All on instance 202112300224**** to ROLE Worker;
      -- Grant the permissions to the role Worker by using the policy-based access control method. 
      grant All    
            on instance 202112300224****   
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Revoke the operation permissions on an object from a role

You can revoke the operation permissions on projects, tables, resources, functions, or instances from a role.

  • Syntaxes
    • Revoke the operation permissions on a project from a role
      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role
        revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
              on project <project_name>
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role
        revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
              on project <project_name>
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
    • Revoke the operation permissions on a table from a role
      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role
        revoke Describe|Select|Alter|Update|Drop|ShowHistory|All
              on table <table_name> [(<column_list>)]
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role
        revoke Describe|Select|Alter|Update|Drop|ShowHistory|All
              on table <table_name> [(<column_list>)]
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
    • Revoke the operation permissions on a resource from a role
      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role
        revoke Read|Write|Delete|All
              on resource <resource_name>
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role
        revoke Read|Write|Delete|All
              on resource <resource_name>
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
    • Revoke the operation permissions on a function from a role
      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role
        revoke Read|Write|Delete|Execute|All
              on function <function_name>
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role
        revoke Read|Write|Delete|Execute|All
              on function <function_name>
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
    • Revoke the operation permissions on an instance from a role
      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role
        revoke Read|Write|All
              on instance <instance_id>
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role
        revoke Read|Write|All
              on instance <instance_id>
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow|deny}"="{true|false}");
  • Parameters

    For more information about the parameters, see ACL-based access control or Policy-based access control.

  • Examples
    In the following examples, the operation permissions that are granted to the role Worker in the preceding section are revoked.
    • Example 1: Revoke the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a from the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke CreateTable, CreateFunction, CreateInstance, List 
            on project test_project_a  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 2: Revoke the Describe and Select permissions on the table in the project test_project_a from the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke Describe, Select on table sale_detail from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke Describe, Select  
            on table sale_detail   
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 3: Revoke the Read and Write permissions on the resource in the project test_project_a from the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke Read, Write on resource udtf.jar from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke Read, Write   
            on resource udtf.jar  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 4: Revoke the Read and Write permissions on the function in the project test_project_a from the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke Read, Write on function udf_test from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke Read, Write   
            on function udf_test  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 5: Revoke all operation permissions on the instance in the project test_project_a from the role Worker.
      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke All on instance 202112300224**** from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke All    
            on instance 202112300224****   
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
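    The grant and revoke examples above are hand-written pairs, and the revoke side is the easy one to get wrong: a to where from belongs, or an action that does not exist on that object type, both of which only surface when the statement is run. The following Python script is an added example, not part of MaxCompute or of this page: it renders the onboarding grants and their exact inverse revokes for a role from one manifest, using only the per-object action vocabularies and statement shapes documented in the two sections above, and refuses to render a manifest entry that would produce a malformed statement. The manifest for Worker mirrors Examples 1 through 4; the column names shop_name and customer_id, the time-boxed policy deny on Drop, and writing a deny as "allow"="false" (one of the two spellings the "{allow|deny}"="{true|false}" pattern admits) are assumptions made for illustration.

```python
"""Render MaxCompute role grant/revoke statements from a declarative manifest.

Added example, not MaxCompute's own tooling: it knows only the per-object
action vocabularies and statement shapes documented on this page.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Action vocabularies per object type, copied from the syntax blocks above.
ACTIONS: Dict[str, frozenset] = {
    "project": frozenset({"Read", "Write", "List", "CreateTable", "CreateInstance",
                          "CreateFunction", "CreateResource", "All"}),
    "table": frozenset({"Describe", "Select", "Alter", "Update", "Drop", "ShowHistory", "All"}),
    "resource": frozenset({"Read", "Write", "Delete", "All"}),
    "function": frozenset({"Read", "Write", "Delete", "Execute", "All"}),
    "instance": frozenset({"Read", "Write", "All"}),
}
# Names are interpolated into statements, so only plain identifiers are accepted:
# a manifest is configuration, and configuration is an injection surface.
_NAME = re.compile(r"^[A-Za-z0-9_.]+$")


@dataclass(frozen=True)
class Privilege:
    object_type: str                # project | table | resource | function | instance
    object_name: str
    actions: Tuple[str, ...]
    columns: Tuple[str, ...] = ()   # column-level grant; tables only
    policy: bool = False            # False = ACL-based, True = policy-based
    allow: bool = True              # False (deny) is only expressible in policy mode
    expires_days: Optional[int] = None


def validate(role: str, p: Privilege) -> None:
    """Reject anything that would render a malformed or unintended statement."""
    if p.object_type not in ACTIONS:
        raise ValueError(f"unknown object type {p.object_type!r}")
    unknown = set(p.actions) - ACTIONS[p.object_type]
    if not p.actions or unknown:
        raise ValueError(f"invalid actions {sorted(unknown)} for {p.object_type}")
    if p.columns and p.object_type != "table":
        raise ValueError("column lists are only supported on tables")
    if not p.allow and not p.policy:
        raise ValueError("deny requires policy-based access control")
    for name in (role, p.object_name, *p.columns):
        if not _NAME.match(name):
            raise ValueError(f"unsafe identifier {name!r}")


def _target(p: Privilege) -> str:
    cols = f" ({', '.join(p.columns)})" if p.columns else ""
    return f"{p.object_type} {p.object_name}{cols}"


def _props(p: Privilege, with_expiry: bool) -> str:
    parts: List[str] = []
    if p.policy:  # assumption: a deny is written "allow"="false"
        parts += ['"policy" = "true"', f'"allow"="{"true" if p.allow else "false"}"']
    if with_expiry and p.expires_days is not None:
        parts.append(f'"expires"="{p.expires_days}"')
    return f" privilegeproperties({', '.join(parts)})" if parts else ""


def grant_statement(role: str, p: Privilege) -> str:
    validate(role, p)
    return f"grant {', '.join(p.actions)} on {_target(p)} to ROLE {role}{_props(p, True)};"


def revoke_statement(role: str, p: Privilege) -> str:
    # Revoke carries no expiry and must say "from": the shape is fixed here so it
    # cannot be mistyped statement by statement.
    validate(role, p)
    return f"revoke {', '.join(p.actions)} on {_target(p)} from ROLE {role}{_props(p, False)};"


def render(role: str, manifest: List[Privilege]) -> Tuple[List[str], List[str]]:
    """Return (grants, revokes); the revokes are the exact inverse, in reverse order."""
    grants = [grant_statement(role, p) for p in manifest]
    revokes = [revoke_statement(role, p) for p in reversed(manifest)]
    return grants, revokes


# Constructed manifest for the role Worker: Examples 1 to 4 above, plus a
# column-level Select (column names made up) and a 30-day policy deny on Drop.
WORKER = [
    Privilege("project", "test_project_a", ("CreateTable", "CreateFunction", "CreateInstance", "List")),
    Privilege("table", "sale_detail", ("Describe",)),
    Privilege("table", "sale_detail", ("Select",), columns=("shop_name", "customer_id")),
    Privilege("resource", "udtf.jar", ("Read", "Write")),
    Privilege("function", "udf_test", ("Read", "Write")),
    Privilege("table", "sale_detail", ("Drop",), policy=True, allow=False, expires_days=30),
]

if __name__ == "__main__":
    grants, revokes = render("Worker", WORKER)
    print("\n".join(grants + [""] + revokes))
```

    Running the script prints the grants for onboarding followed by the revokes for offboarding. A deny outside policy mode, a column list on anything but a table, or an identifier containing a space or semicolon fails at render time, which is where you want a permission change to fail rather than in the client after half of the statements have already been applied.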

Grant the Download permission to a role

You can grant the Download permission on tables, resources, functions, or instances to a role.

  • Syntax
    grant Download on {Table|Resource|Function|Instance} <object_name> to ROLE <role_name>;
  • Parameters

    For more information about the parameters, see Download control.

  • Example
    Grant the Download permission on the table sale_detail in the project test_project_a, where download control is enabled, to the role Worker. Sample commands:
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to grant the Download permission to the role Worker. 
    grant download on table sale_detail to ROLE Worker;

Revoke the Download permission from a role

You can revoke the Download permission on tables, resources, functions, or instances from a role.

  • Syntax
    revoke Download on {Table|Resource|Function|Instance} <object_name> from ROLE <role_name>;
  • Parameters

    For more information about the parameters, see Download control.

  • Example
    Revoke the Download permission that is granted to the role Worker in the preceding section. Sample commands:
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the Download permission from the role Worker. 
    revoke download on table sale_detail from ROLE Worker;

Grant the access permissions on data that has a high sensitivity level to a role

A role can be classified into a data access level by using labels. If a role needs to access data whose sensitivity level is higher than the access level of the role, you must explicitly grant the role the access permissions on that data. For more information about how to use labels to classify roles into access levels, see Configure access-level labels for users or roles.

  • Syntax
    grant Label <number> on table <table_name> [(<column_list>)] to ROLE <role_name> [with exp <days>];
  • Parameters

    For more information about the parameters, see Enable label-based explicit authorization.

  • Example
    Grant the access permissions on data whose sensitivity level is 4 in the sale_detail table of the project test_project_a to the role Worker whose data access level is 2. Sample commands:
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to grant the access permissions to the role Worker. 
    grant Label 4 on table sale_detail to ROLE Worker;

Revoke the access permissions on data that has a high sensitivity level from a role

You can revoke the access permissions on data that has a high sensitivity level from a role. After you revoke such access permissions from a role, the data access level of the role is not affected.

  • Syntax
    revoke Label on table <table_name> [(<column_list>)] from ROLE <role_name>;
  • Parameters

    For more information about the parameters, see Disable label-based explicit authorization.

  • Example
    Revoke the access permissions that are granted to the role Worker in the preceding section. Sample commands:
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the explicit label authorization on sale_detail from the role Worker. The revoke statement follows the syntax above and names no level. 
    revoke Label on table sale_detail from ROLE Worker;

Assign a role to a user

After you assign a built-in role or custom role in a project to a user, the user is granted the permissions of the role.

  • Syntax
    grant <role_name> to <user_name>;
  • Precautions

    Multiple users can be assigned the same role, and a user can be assigned multiple roles.

  • Parameters
    Parameter | Required | Description
    role_name | Yes | The name of the role that you want to assign to the user. Run the list roles; command on the MaxCompute client to query the names of the roles in the project.
    user_name | Yes | The name of the user to which you want to assign the role. Run the list users; command on the MaxCompute client to query the names of the users in the project.

  • Example
    Assign the role Worker to the Alibaba Cloud account Kate@aliyun.com and to the RAM user Bob@aliyun.com:Allen. Both identities must already have been added to the project test_project_a.
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen. 
    grant Worker to ALIYUN$Kate@aliyun.com;
    grant Worker to RAM$Bob@aliyun.com:Allen;

Revoke a role from a user

After you revoke a role from a user, the user no longer has the permissions of the role.

  • Syntax
    revoke <role_name> from <user_name>;
  • Parameters
    Parameter | Required | Description
    role_name | Yes | The name of the role that you want to revoke from the user. Run the list roles; command on the MaxCompute client to query the names of the roles in the project.
    user_name | Yes | The name of the user from which you want to revoke the role. Run the list users; command on the MaxCompute client to query the names of the users in the project.

  • Example
    Revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen. 
    revoke Worker from ALIYUN$Kate@aliyun.com;
    revoke Worker from RAM$Bob@aliyun.com:Allen;

What to do next

After you grant permissions to a role, you can perform the following operations based on your business requirements: