After you add a user to a MaxCompute project, the user cannot perform operations in the project until you grant the required permissions. This topic describes how to grant permissions to a user and provides examples.

Background information

The following list describes the authorization scenarios that are supported by MaxCompute, grouped by the method that each scenario uses. For the principals that are allowed to perform each operation and the platforms on which the operation can be run, see the Authorized by column in the Permission list section of Permission list.

  • ACL-based access control
    • Grant the operation permissions on an object to a user
    • Revoke the operation permissions on an object from a user
  • Grant permissions to a role by using ACL-based access control or policy-based access control, and then assign the role to a user
    • Grant the operation permissions on an object to a user by assigning a role to the user
    • Revoke the operation permissions on an object from a user that is assigned a specific role
  • Download control
    • Grant the Download permission to a user
    • Revoke the Download permission from a user
  • Grant permissions to a role by using download control, and then assign the role to a user
    • Grant the Download permission to a user by assigning a role to the user
    • Revoke the Download permission that is granted by assigning a role to a user
  • Label-based access control
    • Grant the permissions to access highly sensitive data to a user
    • Revoke the permissions to access highly sensitive data from a user
  • Grant permissions to a role by using label-based access control, and then assign the role to a user
    • Grant the permissions to access highly sensitive data to a user by assigning a role to the user
    • Revoke the permissions to access highly sensitive data from a user by assigning a role to the user

After a user is removed from a project, you need to clear the residual permissions of the user. For more information, see Completely clear the residual permission information of a removed user.

Grant the operation permissions on an object to a user

Grant a user the operation permissions on a project, a table, a resource, a function, or an instance by using ACL-based access control.

  • Syntax
    • Grant the operation permissions on a project to a user
      grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
            on project <project_name> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Grant the operation permissions on a table to a user
      grant Describe|Select|Alter|Update|Drop|ShowHistory|All 
            on table <table_name> [(<column_list>)] 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Grant the operation permissions on a resource to a user
      grant Read|Write|Delete|All 
            on resource <resource_name> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Grant the operation permissions on a function to a user
      grant Read|Write|Delete|Execute|All 
            on function <function_name> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Grant the operation permissions on an instance to a user
      grant Read|Write|All 
            on instance <instance_id> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
  • Parameters

    For more information about the parameters, see ACL-based access control.

  • Examples
    The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. The Alibaba Cloud account Kate@aliyun.com needs to be added to the test_project_a project.
    • Example 1: Grant the Alibaba Cloud account Kate@aliyun.com the permissions to create a table, a function, and an instance and query the list of all types of objects in a project. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Add the Alibaba Cloud account Kate@aliyun.com to the test_project_a project. 
      add user ALIYUN$Kate@aliyun.com;
      -- Grant the Alibaba Cloud account Kate@aliyun.com the required permissions on the project. 
      grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user ALIYUN$Kate@aliyun.com;
    • Example 2: Grant the RAM user Allen the permissions to read metadata and table data on a table. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Add the RAM user Allen to the test_project_a project. 
      add user RAM$Bob@aliyun.com:Allen;
      -- Grant the RAM user Allen the required permissions on a table. 
      grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
    • Example 3: Grant the RAM user Alice the permissions to read data from a resource and update a resource. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Add the RAM user Alice to the test_project_a project. 
      add user RAM$Bob@aliyun.com:Alice;
      -- Grant the RAM user Alice the required permissions on a resource. 
      grant Read, Write on resource udtf.jar to USER RAM$Bob@aliyun.com:Alice;
    • Example 4: Grant the RAM user Tom the permissions to read data from a function and update a function. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Add the RAM user Tom to the test_project_a project. 
      add user RAM$Bob@aliyun.com:Tom;
      -- Grant the RAM user Tom the required permissions on a function. 
      grant Read, Write on function udf_test to USER RAM$Bob@aliyun.com:Tom;
    • Example 5: Grant the RAM user Tom all permissions on an instance. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Add the RAM user Tom to the test_project_a project. 
      add user RAM$Bob@aliyun.com:Tom;
      -- Grant the RAM user Tom all permissions on an instance. 
      grant All on instance 202112300224**** to USER RAM$Bob@aliyun.com:Tom;
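    The examples above grant whole-object permissions with no expiry. The following added example, which is not part of the original page, combines two features of the syntax above that the examples do not show together: a column list that limits Select to the columns a task needs, and the expires property that makes the grant lapse on its own. It then uses show grants to verify what the user actually holds. The column names shop_name and total_price and the seven-day window are assumptions for illustration; the project, table, and user names are the ones used on this page.

```sql
-- Added example (not from the original page). Run as the project owner Bob@aliyun.com.
-- Assumed: the columns shop_name and total_price exist in sale_detail; 7 days is an
-- arbitrary window for a time-limited analysis task.
use test_project_a;

-- Add the RAM user Allen to the project (no permissions are granted by this step).
add user RAM$Bob@aliyun.com:Allen;

-- Metadata access on the whole table, but row data on two columns only.
grant Describe on table sale_detail to USER RAM$Bob@aliyun.com:Allen;

-- The Select grant expires after 7 days, so a grant that nobody remembers to revoke
-- does not outlive the task it was issued for.
grant Select on table sale_detail(shop_name, total_price)
      to USER RAM$Bob@aliyun.com:Allen
      privilegeproperties("expires"="7");

-- Check: list every permission the user holds in this project, from every mechanism.
-- The output should show Describe on sale_detail and Select on the two columns only.
show grants for RAM$Bob@aliyun.com:Allen;

-- If the task finishes early, revoke explicitly instead of waiting for the expiry.
-- The column list in the revoke must match the list that was granted.
revoke Select on table sale_detail(shop_name, total_price) from USER RAM$Bob@aliyun.com:Allen;
revoke Describe on table sale_detail from USER RAM$Bob@aliyun.com:Allen;

-- Check again: the table should no longer appear in the output.
show grants for RAM$Bob@aliyun.com:Allen;
```

    Re-run show grants after every grant or revoke during onboarding: it reports the permissions the user holds directly and through roles, which is the value you need to compare against what the task actually requires.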

Revoke the operation permissions on an object from a user

Revoke the operation permissions on a project, a table, a resource, a function, or an instance from a user.

  • Syntax
    • Revoke the operation permissions on a project from a user
      revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
            on project <project_name> 
            from USER <user_name>;
    • Revoke the operation permissions on a table from a user
      revoke Describe|Select|Alter|Update|Drop|ShowHistory|All 
            on table <table_name> [(<column_list>)] 
            from USER <user_name>;
    • Revoke the operation permissions on a resource from a user
      revoke Read|Write|Delete|All 
            on resource <resource_name> 
            from USER <user_name>;
    • Revoke the operation permissions on a function from a user
      revoke Read|Write|Delete|Execute|All 
            on function <function_name> 
            from USER <user_name>;
    • Revoke the operation permissions on an instance from a user
      revoke Read|Write|All 
            on instance <instance_id> 
            from USER <user_name>;
  • Parameters

    For more information about the parameters, see ACL-based access control or Policy-based access control.

  • Examples
    Revoke the operation permissions on an object from the Alibaba Cloud account Kate@aliyun.com and the RAM users Allen, Alice, and Tom that were granted in the preceding section.
    • Example 1: Revoke the permissions to create a table, a function, and an instance and query the list of all types of objects in a project from the Alibaba Cloud account Kate@aliyun.com. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Revoke the permissions from the Alibaba Cloud account Kate@aliyun.com. 
      revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user ALIYUN$Kate@aliyun.com;
    • Example 2: Revoke the permissions to read metadata and table data on a table from the RAM user Allen. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Revoke the permissions from the RAM user Allen. 
      revoke Describe, Select on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
    • Example 3: Revoke the permissions to read data from a resource and update a resource from the RAM user Alice. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Revoke the permissions from the RAM user Alice. 
      revoke Read, Write on resource udtf.jar from USER RAM$Bob@aliyun.com:Alice;
    • Example 4: Revoke the permissions to read data from a function and update a function from the RAM user Tom. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Revoke the permissions from the RAM user Tom. 
      revoke Read, Write on function udf_test from USER RAM$Bob@aliyun.com:Tom;
    • Example 5: Revoke all permissions on an instance from the RAM user Tom. Sample commands:
      -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
      use test_project_a;
      -- Revoke all permissions from the RAM user Tom. 
      revoke All on instance 202112300224**** from USER RAM$Bob@aliyun.com:Tom;

Grant the operation permissions on an object to a user by assigning a role to the user

You can grant permissions to a role by using ACL-based access control or policy-based access control and then assign the role to multiple users. The users then share one set of permissions that you manage in one place instead of maintaining separate grants for each user.

For more information about how to grant permissions to a role, see Grant the operation permissions on an object to a role.

For more information about how to assign a role to a user, see Assign a role to a user.

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. To grant the RAM users the permissions to create a table, a function, and an instance and query the list of all types of objects in the project, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project. 
add user RAM$Bob@aliyun.com:Allen;
add user RAM$Bob@aliyun.com:Alice;
add user RAM$Bob@aliyun.com:Tom;
-- Create a role named Worker. 
create role Worker;
-- Grant the Worker role the required permissions. Use one of the following two methods.
-- Method 1: Grant the Worker role the permissions by using ACL-based access control. 
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Method 2: Grant the Worker role the permissions by using policy-based access control. 
grant CreateTable, CreateFunction, CreateInstance, List 
      on project test_project_a  
      to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Assign the Worker role to the RAM users. 
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;

Revoke the operation permissions on an object from a user that is assigned a specific role

You can revoke the permissions from a user in one of the following ways:
  • Revoke the permissions from a role

    All users that are assigned the role no longer have the permissions of this role.

  • Revoke the role that is assigned to a user from the user

    Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. You have granted the RAM users the permissions to create a table, a function, and an instance and query the list of all types of objects in the project by assigning the Worker role to the RAM users. To revoke the operation permissions from the RAM users, you can use the following methods:
  • Method 1: Revoke the permissions from the Worker role.
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the CreateTable, CreateFunction, CreateInstance, and List permissions on the project. Use the form that matches how the permissions were granted.
    -- Revoke permissions that are granted by using ACL-based access control. 
    revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
    -- Revoke permissions that are granted by using policy-based access control. 
    revoke CreateTable, CreateFunction, CreateInstance, List 
          on project test_project_a  
          from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
  • Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the CreateTable, CreateFunction, CreateInstance, and List permissions on the project. 
    revoke Worker from RAM$Bob@aliyun.com:Allen;
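The role examples above show the grant and revoke commands but not how to confirm what a role conveys, nor the deny form of policy-based access control. The following added example, which is not part of the original page, builds the Worker role, attaches an explicit policy-based deny on one table, assigns the role, and uses describe role and show grants to check the result. The table name hr_salary is a hypothetical name chosen for this example. The deny form uses "allow"="false", the counterpart of the "allow"="true" shown above; under MaxCompute's policy-based access control an explicit deny takes precedence over an allow, which is what makes it useful as a guard rail on a role that may later receive broad grants.

```sql
-- Added example (not from the original page). Run as the project owner Bob@aliyun.com.
-- Assumed: the table hr_salary exists in test_project_a (hypothetical name).
use test_project_a;

-- Members must be project users before a role can be assigned to them.
add user RAM$Bob@aliyun.com:Allen;
add user RAM$Bob@aliyun.com:Alice;

create role Worker;

-- ACL-based grants to the role: project-level create and list rights ...
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- ... and read access to one table.
grant Describe, Select on table sale_detail to ROLE Worker;

-- Policy-based deny: members of Worker must never read hr_salary, even if a broader
-- grant (for example Select on the whole project) is attached to the role later.
grant Select on table hr_salary
      to ROLE Worker privilegeproperties("policy"="true", "allow"="false");

-- Assign the role; both users now hold exactly the role's permissions.
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;

-- Check 1: the permissions attached to the role and the users that hold it.
describe role Worker;
-- Check 2: the permissions one member holds, direct grants and role grants together.
show grants for RAM$Bob@aliyun.com:Allen;

-- Removing one member changes only that member; Alice keeps the role.
revoke Worker from RAM$Bob@aliyun.com:Allen;
describe role Worker;
show grants for RAM$Bob@aliyun.com:Allen;
```

When you revoke permissions from the role instead (Method 1 above), the revoke must use the same form as the grant: an ACL-based grant is removed with a plain revoke, a policy-based grant with a revoke that carries the same privilegeproperties.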

Grant the Download permission to a user

Grant a user the permissions to download table data, resources, functions, or instances.

  • Syntax
    grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;
  • Parameters

    For more information about the parameters, see Download control.

  • Example
    Download control is enabled for the test_project_a project. To grant the RAM user Allen the permissions to download data from a specified table, run the following commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Grant the Download permission to the RAM user Allen. 
    grant Download on table sale_detail to USER RAM$Bob@aliyun.com:Allen;

Revoke the Download permission from a user

Revoke the permissions to download table data, resources, functions, or instances from a user.

  • Syntax
    revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;
  • Parameters

    For more information about the parameters, see Download control.

  • Example
    Revoke the permissions to download data from a specified table from the RAM user Allen. Sample commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the Download permission from the RAM user Allen. 
    revoke Download on table sale_detail from USER RAM$Bob@aliyun.com:Allen;

Grant the Download permission to a user by assigning a role to the user

Grant a role the Download permission by using the download control mechanism and then assign the role to a user.

For more information about how to grant the Download permission to a role, see Grant the Download permission to a role.

For more information about how to assign a role to a user, see Assign a role to a user.

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. To grant the RAM users Allen, Alice, and Tom the permissions to download data from a specified table, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project. 
add user RAM$Bob@aliyun.com:Allen;
add user RAM$Bob@aliyun.com:Alice;
add user RAM$Bob@aliyun.com:Tom;
-- Create a role named Worker. 
create role Worker;
-- Grant the Worker role the required permissions. 
grant download on table sale_detail to ROLE Worker;
-- Assign the Worker role to the RAM users. 
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;

Revoke the Download permission that is granted by assigning a role to a user

You can revoke the permissions from a user in one of the following ways:
  • Revoke the permissions from a role

    All users that are assigned the role no longer have the permissions of this role.

  • Revoke the role that is assigned to a user from the user

    Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. You have granted the RAM users the permissions to download data from the sale_detail table by assigning the Worker role to the RAM users. To revoke the Download permission from the RAM users, you can use one of the following methods:
  • Method 1: Revoke the Download permission from the Worker role.
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the Download permission from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the Download permission. 
    revoke Download on table sale_detail from ROLE Worker;
  • Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the Download permission. 
    revoke Worker from RAM$Bob@aliyun.com:Allen;

Grant the permissions to access highly sensitive data to a user

Grant the permissions to access highly sensitive data to a user by using label-based access control.

  • Syntax
    grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];
  • Parameters

    For more information about the parameters, see Enable label-based explicit authorization.

  • Example
    The data access level of the RAM user Allen is 2 in the test_project_a project. To grant the permissions to access data with a sensitivity level of 4 in the sale_detail table to the RAM user Allen, run the following commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Grant the permissions to the RAM user Allen. 
    grant Label 4 on table sale_detail to USER RAM$Bob@aliyun.com:Allen;

Revoke the permissions to access highly sensitive data from a user

Revoke the permissions to access highly sensitive data from a user.

  • Syntax
    revoke Label on table <table_name> [(<column_list>)] from USER <user_name>;
  • Parameters

    For more information about the parameters, see Disable label-based explicit authorization.

  • Example
    To revoke the permissions to access data with a sensitivity level of 4 in the sale_detail table from the RAM user Allen, run the following commands:
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the permissions from the RAM user Allen. 
    revoke Label 4 on table sale_detail from USER RAM$Bob@aliyun.com:Allen;

Grant the permissions to access highly sensitive data to a user by assigning a role to the user

Grant the permissions to a role by using label-based access control or policy-based access control and then assign the role to multiple users.

For more information about how to grant permissions to a role, see Grant the access permissions on data that has a high sensitivity level to a role.

For more information about how to assign a role to a user, see Assign a role to a user.

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. The data access level of the RAM users Allen, Alice, and Tom is 2. To grant the permissions to access data with a sensitivity level of 4 in all tables in the project to the RAM users, run the following commands:
-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a;
-- Create a role named Worker. 
create role Worker;
-- Grant the Worker role the required permissions. 
grant Label 4 on table * to ROLE Worker;
-- Assign the Worker role to the RAM users. 
grant Worker to RAM$Bob@aliyun.com:Allen;
grant Worker to RAM$Bob@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;

Revoke the permissions to access highly sensitive data from a user by assigning a role to the user

You can revoke the permissions from a user in one of the following ways:
  • Revoke the permissions from a role

    All users that are assigned the role no longer have the permissions of this role.

  • Revoke the role that is assigned to a user from the user

    Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to Bob@aliyun.com. You have granted the RAM users the permissions to access data with a sensitivity level of 4 in all tables in the project. To revoke the permissions to access highly sensitive data from a user, you can use one of the following methods:
  • Method 1: Revoke the permissions from the Worker role.
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom fall back to their data access level and can access only data with a sensitivity level of 2 or lower. 
    revoke Label 4 on table * from ROLE Worker;
  • Method 2: Revoke the Worker role that is assigned to the RAM user Allen.
    -- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
    use test_project_a;
    -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, the RAM user Allen can access only data with a sensitivity level of 2 or lower, and the RAM users Alice and Tom can still access data with a sensitivity level of 4. 
    revoke Worker from RAM$Bob@aliyun.com:Allen;

Completely clear the residual permission information of a removed user

After a user is removed from a project, the ACL-based, label-based, and policy-based permissions that were granted to the user are retained in the project. If the user is added back to the project, the user regains all of the original permissions. This is convenient when a user was removed by mistake, but it is a data security risk when the user returns in a different capacity: the stale grants give the user access that the new job function does not require, and nobody has reviewed them.

To prevent the potential risk, MaxCompute allows you to clear all permissions that are granted to a user. If a user is no longer in the project but still has ACL-based, label-based, and policy-based permissions, the project owner or a user that is assigned the Admin or Super_Administrator role can clear the residual permission information of the removed user. Sample command:

purge privs from user <user_name>;

user_name: the Alibaba Cloud account or RAM user whose residual permission information you want to clear.

Note If the user is not removed from the project and you run the preceding command, the error message "Principal <username> still exist in the project" is returned.
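The note above fixes the order of an offboarding: purge privs is rejected while the user is still a project member, so the user must be removed first. The following added example, which is not part of the original page, puts the commands of this page into that order and adds a check at each step. It assumes Allen holds direct grants and the Worker role from the examples above and that Bob@aliyun.com runs the commands as project owner.

```sql
-- Added example (not from the original page). Run as the project owner Bob@aliyun.com
-- or as a user that holds the Admin or Super_Administrator role.
-- Assumed: Allen holds the Worker role and direct grants from the earlier examples.
use test_project_a;

-- 1. Record what the user holds before removal, so the change is auditable.
show grants for RAM$Bob@aliyun.com:Allen;

-- 2. Revoke role membership explicitly. This removes the role-conveyed permissions
--    for Allen only; Alice and Tom keep the Worker role.
revoke Worker from RAM$Bob@aliyun.com:Allen;

-- 3. Remove the user from the project. Direct ACL, label and policy grants are
--    retained at this point, which is the residue this section is about.
remove user RAM$Bob@aliyun.com:Allen;

-- 4. Clear the residue. Running this before step 3 fails with
--    "Principal RAM$Bob@aliyun.com:Allen still exist in the project".
purge privs from user RAM$Bob@aliyun.com:Allen;

-- 5. Check: the user no longer appears as a project member. If the user is added
--    back later, the user starts with no permissions and must be granted afresh.
list users;
```

If the user must later return in the same capacity, re-add the user and re-run the grants from the sections above rather than relying on retained permissions; the cost is one script, and every permission the user holds is then one that someone granted on purpose.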

Additional information

After user authorization is complete, you can query permissions that are granted to users. For more information, see Query permissions.