After you add a user to a MaxCompute project, you must grant the required permissions to the user. This way, the user can perform operations in the project. This topic describes how to grant permissions to a user and provides examples.
Background information
The following table describes the authorization scenarios that are supported by MaxCompute.
After a user is removed from a project, you need to clear the residual permissions of the user. For more information, see Completely clear the residual permission information of a removed user.
Grant the operation permissions on an object to a user
Grant a user the operation permissions on a project, a table, a resource, a function, or an instance by using ACL-based access control.
- Syntax
- Grant the operation permissions on a project to a user
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Grant the operation permissions on a table to a user
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Grant the operation permissions on a resource to a user
grant Read|Write|Delete|All on resource <resource_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Grant the operation permissions on a function to a user
grant Read|Write|Delete|Execute|All on function <function_name> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Grant the operation permissions on an instance to a user
grant Read|Write|All on instance <instance_id> to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
- Parameters
For more information about the parameters, see ACL-based access control.
- Examples
The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. The Alibaba Cloud account Kate@aliyun.com needs to be added to the test_project_a project.
- Example 1: Grant the Alibaba Cloud account Kate@aliyun.com the permissions to create a table, a function, and an instance and query the list of all types of objects in a project. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the Alibaba Cloud account Kate@aliyun.com to the test_project_a project.
add user Kate@aliyun.com;
-- Grant the Alibaba Cloud account Kate@aliyun.com the required permissions on the project.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user ALIYUN$Kate@aliyun.com;
- Example 2: Grant the RAM user Allen the permissions to read metadata and table data on a table. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM user Allen to the test_project_a project.
add user RAM$Bob@aliyun.com:Allen;
-- Grant the RAM user Allen the required permissions on a table.
grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
- Example 3: Grant the RAM user Alice the permissions to read data from a resource and update a resource. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM user Alice to the test_project_a project.
add user RAM$Bob@aliyun.com:Alice;
-- Grant the RAM user Alice the required permissions on a resource.
grant Read, Write on resource udtf.jar to USER RAM$Bob@aliyun.com:Alice;
- Example 4: Grant the RAM user Tom the permissions to read data from a function and update a function. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM user Tom to the test_project_a project.
add user RAM$Bob@aliyun.com:Tom;
-- Grant the RAM user Tom the required permissions on a function.
grant Read, Write on function udf_test to USER RAM$Bob@aliyun.com:Tom;
- Example 5: Grant the RAM user Tom all permissions on an instance. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM user Tom to the test_project_a project.
add user RAM$Bob@aliyun.com:Tom;
-- Grant the RAM user Tom all permissions on an instance.
grant All on instance 202112300224**** to USER RAM$Bob@aliyun.com:Tom;
Revoke the operation permissions on an object from a user
Revoke the operation permissions on a project, a table, a resource, a function, or an instance from a user.
- Syntax
- Revoke the operation permissions on a project from a user
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from USER <user_name>;
- Revoke the operation permissions on a table from a user
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from USER <user_name>;
- Revoke the operation permissions on a resource from a user
revoke Read|Write|Delete|All on resource <resource_name> from USER <user_name>;
- Revoke the operation permissions on a function from a user
revoke Read|Write|Delete|Execute|All on function <function_name> from USER <user_name>;
- Revoke the operation permissions on an instance from a user
revoke Read|Write|All on instance <instance_id> from USER <user_name>;
- Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
- Examples
Revoke the operation permissions on an object from the Alibaba Cloud account Kate@aliyun.com and the RAM users Allen, Alice, and Tom. Sample commands:
- Example 1: Revoke the permissions to create a table, a function, and an instance and query the list of all types of objects in a project from the Alibaba Cloud account Kate@aliyun.com. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the Alibaba Cloud account Kate@aliyun.com.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user ALIYUN$Kate@aliyun.com;
- Example 2: Revoke the permissions to read metadata and table data on a table from the RAM user Allen. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the RAM user Allen.
revoke Describe, Select on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
- Example 3: Revoke the permissions to read data from a resource and update a resource from the RAM user Alice. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the RAM user Alice.
revoke Read, Write on resource udtf.jar from USER RAM$Bob@aliyun.com:Alice;
- Example 4: Revoke the permissions to read data from a function and update a function from the RAM user Tom. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the RAM user Tom.
revoke Read, Write on function udf_test from USER RAM$Bob@aliyun.com:Tom;
- Example 5: Revoke all permissions on an instance from the RAM user Tom. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke all permissions from the RAM user Tom.
revoke All on instance 202112300224**** from USER RAM$Bob@aliyun.com:Tom;
Grant the operation permissions on an object to a user by assigning a role to the user
You can grant permissions to a role by using ACL-based access control or policy-based access control and then assign the role to multiple users, so that every user who holds the role receives the same set of permissions.
For more information about how to grant permissions to a role, see Grant the operation permissions on an object to a role.
For more information about how to assign a role to a user, see Assign a role to a user.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project.
add user RAM$Bob@aliyun.com:Allen;
add user RAM$Bob@aliyun.com:Alice;
add user RAM$Bob@aliyun.com:Tom;
-- Create a role named Worker.
create role Worker;
-- Grant the Worker role the required permissions.
-- Method 1: Grant the Worker role the permissions by using ACL-based access control.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Method 2: Grant the Worker role the permissions by using policy-based access control.
grant CreateTable, CreateFunction, CreateInstance, List
on project test_project_a
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Assign the Worker role to the RAM users.
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Revoke the operation permissions on an object from a user that is assigned a specific role
- Revoke the permissions from a role
All users that are assigned the role no longer have the permissions of this role.
- Revoke the role that is assigned to a user from the user
Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.
- Method 1: Revoke the permissions from the Worker role.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the CreateTable, CreateFunction, CreateInstance, and List permissions on the project.
-- Revoke permissions that are granted by using ACL-based access control.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke permissions that are granted by using policy-based access control.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
- Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the CreateTable, CreateFunction, CreateInstance, and List permissions on the project.
revoke Worker from RAM$Bob@aliyun.com:Allen;
Grant the Download permission to a user
Grant a user the permissions to download table data, resources, functions, or instances.
- Syntax
grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;
- Parameters
For more information about the parameters, see Download control.
- Example
Download control is enabled for the test_project_a project. To grant the RAM user Allen the permissions to download data from a specified table, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Grant the Download permission to the RAM user Allen.
grant Download on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
Revoke the Download permission from a user
Revoke the permissions to download table data, resources, functions, or instances from a user.
- Syntax
revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;
- Parameters
For more information about the parameters, see Download control.
- Example
Revoke the permissions to download data from a specified table from the RAM user Allen. Sample commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the Download permission from the RAM user Allen.
revoke Download on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
Grant the Download permission to a user by assigning a role to the user
Grant a role the Download permission by using the download control mechanism and then assign the role to a user.
For more information about how to grant the Download permission to a role, see Grant the Download permission to a role.
For more information about how to assign a role to a user, see Assign a role to a user.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project.
add user RAM$Bob@aliyun.com:Allen;
add user RAM$Bob@aliyun.com:Alice;
add user RAM$Bob@aliyun.com:Tom;
-- Create a role named Worker.
create role Worker;
-- Grant the Worker role the required permissions.
grant download on table sale_detail to ROLE Worker;
-- Assign the Worker role to the RAM users.
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Revoke the Download permission that is granted by assigning a role to a user
- Revoke the permissions from a role
All users that are assigned the role no longer have the permissions of this role.
- Revoke the role that is assigned to a user from the user
Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.
- Method 1: Revoke the Download permission from the Worker role.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the Download permission from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the Download permission.
revoke Download on table sale_detail from ROLE Worker;
- Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the Download permission.
revoke Worker from RAM$Bob@aliyun.com:Allen;
Grant the permissions to access highly sensitive data to a user
Grant the permissions to access highly sensitive data to a user by using label-based access control.
- Syntax
grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];
- Parameters
For more information about the parameters, see Enable label-based explicit authorization.
- Example
The data access level of the RAM user Allen is 2 in the test_project_a project. To grant the permissions to access data with a sensitivity level of 4 in the sale_detail table to the RAM user Allen, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Grant the permissions to the RAM user Allen.
grant Label 4 on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
Revoke the permissions to access highly sensitive data from a user
Revoke the permissions to access highly sensitive data from a user.
- Syntax
revoke Label on table <table_name> [(<column_list>)] from USER <user_name>;
- Parameters
For more information about the parameters, see Disable label-based explicit authorization.
- Example
To revoke the permissions to access data with a sensitivity level of 4 in the sale_detail table from the RAM user Allen, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the RAM user Allen.
revoke Label 4 on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
Grant the permissions to access highly sensitive data to a user by assigning a role to the user
Grant the permissions to a role by using label-based access control or policy-based access control and then assign the role to multiple users.
For more information about how to grant permissions to a role, see Grant the access permissions on data that has a high sensitivity level to a role.
For more information about how to assign a role to a user, see Assign a role to a user.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Create a role named Worker.
create role Worker;
-- Grant the Worker role the required permissions.
grant Label 4 on table * to ROLE Worker;
-- Assign the Worker role to the RAM users.
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Revoke the permissions to access highly sensitive data from a user by assigning a role to the user
- Revoke the permissions from a role
All users that are assigned the role no longer have the permissions of this role.
- Revoke the role that is assigned to a user from the user
Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.
- Method 1: Revoke the permissions from the Worker role.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom can access only data with a sensitivity level of 2.
revoke Label 4 on table * from ROLE Worker;
- Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com.
use test_project_a;
-- Revoke the Worker role that is assigned to the RAM user Allen. In this case, the RAM user Allen can access only data with a sensitivity level of 2, and the RAM users Alice and Tom can still access data with a sensitivity level of 4.
revoke Worker from RAM$Bob@aliyun.com:Allen;
Completely clear the residual permission information of a removed user
After a user is removed from a project, the user's ACL-based, label-based, and policy-based permissions are retained in the project. If the removed user is added back to the project, the user regains the original permissions. This is harmless if the user was removed by mistake and is added back in the same role. However, if the user is added back to the project in a different role, the retained permissions pose a potential data security risk, because they were granted for the earlier role rather than the current one.
To prevent this risk, MaxCompute allows you to clear all permissions that are granted to a user. If a user is no longer in the project but still has ACL-based, label-based, or policy-based permissions, the project owner or a user that is assigned the Admin or Super_Administrator role can clear the residual permission information of the removed user. Sample command:
purge privs from user <user_name>;
user_name indicates the Alibaba Cloud account or RAM user whose residual permission information you want to clear.
If the user still belongs to the project, the command fails and the error message "Principal <username> still exist in the project" is returned.
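The retention-and-purge behaviour described in this section, together with the two revocation methods of the role-based sections above (revoking permissions from a role versus revoking the role from one user), replayed as an added Python model that is not part of the MaxCompute documentation or product: it parses the page's grant/revoke statements into a toy ACL state and shows that a removed user's grants persist, apply again on re-add, and disappear only after purge privs. Assumptions: remove user is taken as the removal command (the page describes removal only in prose), purge privs is modelled as also dropping the user's role assignments, and conditions, expiry and the policy flag are ignored.

```python
import re
from collections import defaultdict
ALLEN = "RAM$Bob@aliyun.com:Allen"
# Constructed statement sequence in the page's grant/revoke syntax. "remove user" is assumed
# here to be the membership-removal command; the page describes the removal only in prose.
STATEMENTS = [
    f"add user {ALLEN};",
    f"grant Describe, Select on table sale_detail to USER {ALLEN};",
    "create role Worker;",
    "grant CreateTable, List on project test_project_a to ROLE Worker;",
    f"grant Worker to {ALLEN};",
    f"remove user {ALLEN};",            # membership ends, but the grants above are retained
    f"add user {ALLEN};",               # re-added: the retained grants apply again
    f"purge privs from user {ALLEN};",  # clears the residual grants
]
OBJ_RULE = re.compile(r"(grant|revoke)\s+(.+?)\s+on\s+(\w+)\s+(\S+)\s+(?:to|from)\s+(?:user|role)\s+(\S+)$", re.I)
ROLE_RULE = re.compile(r"(grant|revoke)\s+(\w+)\s+(?:to|from)\s+(\S+)$", re.I)


class ProjectAcl:
    """Toy model of one project's ACL state (not MaxCompute's engine); users and roles share one grant table."""

    def __init__(self):
        self.members = set()
        self.grants = defaultdict(set)  # principal -> {(privilege, "type name")}
        self.roles = defaultdict(set)   # user -> {role}

    def apply(self, stmt):
        s = stmt.strip().rstrip(";")
        # conditions, expiry and the policy flag are stripped: they are not modelled here
        s = re.sub(r"\s+privilegeproperties\(.*\)$", "", s, flags=re.I)
        low = s.lower()
        if low.startswith(("add user ", "remove user ")):
            op = self.members.add if low.startswith("add") else self.members.discard
            op(s.split(None, 2)[2])  # removal changes membership only; the grants stay stored
        elif low.startswith("purge privs from user "):
            self.grants.pop(s.split()[-1], None)
            self.roles.pop(s.split()[-1], None)  # assumption: purge also drops role assignments
        elif m := OBJ_RULE.match(s):
            verb, privs, otype, oname, principal = m.groups()
            entries = {(p.strip().lower(), f"{otype.lower()} {oname}") for p in privs.split(",")}
            target = self.grants[principal]
            (target.update if verb.lower() == "grant" else target.difference_update)(entries)
        elif m := ROLE_RULE.match(s):
            verb, role, user = m.groups()
            (self.roles[user].add if verb.lower() == "grant" else self.roles[user].discard)(role)
        # "use <project>", "create role" and anything unrecognised leave the state unchanged

    def effective(self, user):  # privileges the user can exercise now: none unless a member
        if user not in self.members:
            return set()
        return set(self.grants[user]).union(*(self.grants[r] for r in self.roles[user]))

    def residual(self, user):  # grants still stored for the user, member or not
        return set(self.grants[user]) | {("role", r) for r in self.roles[user]}


def replay(statements):
    acl = ProjectAcl()
    for stmt in statements:
        acl.apply(stmt)
    return acl
```

Replaying the full STATEMENTS list shows the residual grants surviving the removal and vanishing only after purge privs; revoking List from the Worker role removes it for every holder, while revoking the role from Allen leaves the role's other holders untouched.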
Additional information
After user authorization is complete, you can query permissions that are granted to users. For more information, see Query permissions.