
MaxCompute:Policy-based permission management for users assigned built-in roles

Last Updated:Mar 26, 2026

Built-in roles in MaxCompute come with broad permissions. For example, the Development role grants operation permissions on all tables and resources in a project. When you need to restrict a specific built-in-role user from performing certain operations — such as preventing them from deleting critical tables — use the policy-based permission management mechanism to layer deny rules on top of the existing role.

All operations in this topic require the MaxCompute client. Console-based permission management for policy-based deny rules is not supported.

Prerequisites

Before you begin, ensure that the MaxCompute client is installed and started, and that the account you operate with is the project owner or holds the Super_Administrator or Admin role, because only these identities can create roles and grant or revoke policy-based permissions.

Background

For users already assigned a built-in role, the policy-based mechanism is the better fit for fine-grained control, because it can layer deny rules on top of the permissions the built-in role already grants; the access control list (ACL) mechanism grants or revokes object-level permissions directly and does not interact with the role's existing grants. The table below shows when to use each.

Mechanism | How it works                                                                                                                                          | Use when
----------|-------------------------------------------------------------------------------------------------------------------------------------------------------|---------
Policy    | Grants or denies specific operations on project objects (such as tables) for a role. Permissions applied to the role take effect for all users assigned to that role. | A user has a built-in role and you need to restrict specific operations, such as preventing them from deleting certain tables.
ACL       | Grants or revokes object-level permissions directly to users or groups.                                                                               | Policy-based permission management is not required.

For more information, see Users and roles and Policy-based access control and download control.

Grant permissions using the policy-based mechanism

The following example shows how to prevent RAM user Alice (assigned to the Development role) from deleting tables whose names start with tb_. Alice belongs to the Alibaba Cloud account bo*@aliyun.com.

The approach creates a separate deny role (delete_test) rather than modifying the built-in role directly. This keeps the deny rule isolated and easy to revoke — you can remove it from a user without affecting others who share the built-in role.

Important

Only the project owner or users with the Super_Administrator or Admin role can perform this operation.

  1. Install and start the MaxCompute client.

  2. Run CREATE ROLE to create a role named delete_test.

    CREATE ROLE delete_test;

    For more information, see Role planning.

  3. Run GRANT to configure the delete_test role to deny DROP operations on all tables whose names start with tb_.

    GRANT DROP ON TABLE tb_* TO ROLE delete_test privilegeproperties("policy" = "true", "allow"="false");

    The "policy" = "true" flag activates the policy-based mechanism. The "allow"="false" flag sets the rule as a deny. Alice's built-in role still allows all operations on all tables in the project; the explicit deny takes precedence over that allow, which is what blocks the DROP. The rule denies only DROP on tb_* tables; other operations that the built-in role allows on those tables are unaffected. For more information about the GRANT syntax, see the "Policy-based access control by using the GRANT statement" section in Policy-based access control and download control.

  4. Run GRANT to assign the delete_test role to Alice.

    GRANT delete_test TO ram$bo*@aliyun.com:Alice;

    If you don't know the Alibaba Cloud account Alice belongs to, run LIST USERS; on the MaxCompute client to look it up. For more information, see Role planning.

  5. Run SHOW GRANTS to verify Alice's permissions.

    SHOW GRANTS FOR ram$bo*@aliyun.com:Alice;

    Confirm that the output includes a [role/delete_test] block under Authorization Type: Policy with a D (Deny) prefix on the tb_*: Drop entry.

    [roles]
    role_project_admin, delete_test
    
    Authorization Type: Policy
    [role/delete_test]
    D       projects/mcproject_name/tables/tb_*: Drop
    [role/role_project_admin]
    A       projects/mcproject_name: *
    A       projects/mcproject_name/instances/*: *
    A       projects/mcproject_name/jobs/*: *
    A       projects/mcproject_name/offlinemodels/*: *
    A       projects/mcproject_name/packages/*: *
    A       projects/mcproject_name/registration/functions/*: *
    A       projects/mcproject_name/resources/*: *
    A       projects/mcproject_name/tables/*: *
    A       projects/mcproject_name/volumes/*: *
    
    Authorization Type: ObjectCreator
    AG      projects/mcproject_name/tables/local_test: All
    AG      projects/mcproject_name/tables/mr_multiinout_out1: All
    AG      projects/mcproject_name/tables/mr_multiinout_out2: All
    AG      projects/mcproject_name/tables/ramtest: All
    AG      projects/mcproject_name/tables/wc_in: All
    AG      projects/mcproject_name/tables/wc_in1: All
    AG      projects/mcproject_name/tables/wc_in2: All
    AG      projects/mcproject_name/tables/wc_out: All

    For more information, see Query permissions by using MaxCompute SQL.

  6. Log in to the MaxCompute client as Alice and run DROP TABLE to test the restriction.

    DROP TABLE tb_test;

    If the deny rule is active, the command fails with an error similar to:

    FAILED: Catalog Service Failed, ErrorCode: 50, Error Message: ODPS-0130013:Authorization exception - Authorization Failed [4011],
    You have NO privilege 'odps:Drop' on {acs:odps:*:projects/mcproject_name/tables/tb_test}.
    Explicitly denied by policy.
    Context ID:85efa8e9-40da-4660-bbfd-b503dfa64c0a. --->Tips: Pricipal:RAM$bo*@aliyun.com:Alice; Deny by policy

    Two phrases confirm the policy-based deny rule is in effect: Explicitly denied by policy in the middle of the error, and Deny by policy at the end. If neither phrase appears, or if the table is deleted instead, check that all preceding steps were completed correctly.

Revoke permissions using the policy-based mechanism

If the tables with the tb_ prefix are no longer critical and you want to allow Alice to delete them, revoke the deny permission using one of the two methods below.

Important

Only the project owner or users with the Super_Administrator or Admin role can perform this operation.

Method 1: Remove the deny rule from the role

Use this method to remove the deny restriction while keeping the delete_test role assigned to Alice.

  1. Install and start the MaxCompute client.

  2. Run REVOKE to remove the deny rule from the delete_test role.

    REVOKE DROP ON TABLE tb_* FROM ROLE delete_test privilegeproperties("policy" = "true", "allow"="false");

    For more information about the REVOKE syntax, see the "Policy-based access control by using the GRANT statement" section in Policy-based access control and download control.

  3. Run SHOW GRANTS to verify that the deny rule is removed.

    SHOW GRANTS FOR ram$bo*@aliyun.com:Alice;

    The [role/delete_test] block should no longer appear under Authorization Type: Policy, confirming the restriction is lifted. delete_test still appears on the [roles] line because the role itself remains assigned to Alice; only its deny rule has been removed.

    [roles]
    role_project_admin, delete_test
    
    Authorization Type: Policy
    [role/role_project_admin]
    A       projects/mcproject_name: *
    A       projects/mcproject_name/instances/*: *
    A       projects/mcproject_name/jobs/*: *
    A       projects/mcproject_name/offlinemodels/*: *
    A       projects/mcproject_name/packages/*: *
    A       projects/mcproject_name/registration/functions/*: *
    A       projects/mcproject_name/resources/*: *
    A       projects/mcproject_name/tables/*: *
    A       projects/mcproject_name/volumes/*: *
    
    Authorization Type: ObjectCreator
    AG      projects/mcproject_name/tables/local_test: All
    AG      projects/mcproject_name/tables/mr_multiinout_out1: All
    AG      projects/mcproject_name/tables/mr_multiinout_out2: All
    AG      projects/mcproject_name/tables/ramtest: All
    AG      projects/mcproject_name/tables/tb_test: All
    AG      projects/mcproject_name/tables/wc_in: All
    AG      projects/mcproject_name/tables/wc_in1: All
    AG      projects/mcproject_name/tables/wc_in2: All
    AG      projects/mcproject_name/tables/wc_out: All

    For more information, see Query permissions by using MaxCompute SQL.

  4. Log in to the MaxCompute client as Alice and run DROP TABLE to confirm that deletion now succeeds.

    DROP TABLE tb_test;

    If OK is returned, the deny rule has been successfully removed.

Method 2: Revoke the deny role from the user

Use this method to remove Alice's association with the delete_test role entirely. Optionally delete the role if it is no longer needed.

  1. Install and start the MaxCompute client.

  2. Run REVOKE to remove the delete_test role from Alice.

    REVOKE delete_test FROM ram$bo*@aliyun.com:Alice;

    For more information, see Role planning.

  3. Run SHOW GRANTS to confirm Alice no longer has the delete_test role.

    SHOW GRANTS FOR ram$bo*@aliyun.com:Alice;

    The delete_test entry should be absent from the [roles] line.

    [roles]
    role_project_admin
    
    Authorization Type: Policy
    [role/role_project_admin]
    A       projects/mcproject_name: *
    A       projects/mcproject_name/instances/*: *
    A       projects/mcproject_name/jobs/*: *
    A       projects/mcproject_name/offlinemodels/*: *
    A       projects/mcproject_name/packages/*: *
    A       projects/mcproject_name/registration/functions/*: *
    A       projects/mcproject_name/resources/*: *
    A       projects/mcproject_name/tables/*: *
    A       projects/mcproject_name/volumes/*: *
    
    Authorization Type: ObjectCreator
    AG      projects/mcproject_name/tables/local_test: All
    AG      projects/mcproject_name/tables/mr_multiinout_out1: All
    AG      projects/mcproject_name/tables/mr_multiinout_out2: All
    AG      projects/mcproject_name/tables/ramtest: All
    AG      projects/mcproject_name/tables/wc_in: All
    AG      projects/mcproject_name/tables/wc_in1: All
    AG      projects/mcproject_name/tables/wc_in2: All
    AG      projects/mcproject_name/tables/wc_out: All

  4. Log in to the MaxCompute client as Alice and run DROP TABLE to confirm the restriction is lifted.

    DROP TABLE tb_test;

    If OK is returned, Alice can now delete tb_* tables.

  5. (Optional) Run DROP ROLE to delete the delete_test role if it is no longer needed.

    DROP ROLE delete_test;

    If OK is returned, the role is deleted. For more information, see Role planning.
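The verification steps above (step 5 of the grant procedure and step 3 of both revoke methods) rely on reading SHOW GRANTS output by eye. The following script, added here as an example and not part of the MaxCompute documentation or client, parses that listing and computes the effective decision for a given resource and action, so the check can be run in an audit job. It assumes the listing format shown on this page (a [roles] line, Authorization Type headers, optional [role/...] blocks, and A/D/AG entries of the form "<flag>  <resource>: <action>") and the evaluation rule that an explicit deny beats every matching allow, which is the behaviour the DROP TABLE error on this page demonstrates for the built-in role's policy allows; the sample listings are constructed, trimmed versions of the outputs shown above.

```python
"""Audit a MaxCompute SHOW GRANTS listing for an effective policy deny.

Added example, not part of MaxCompute. Assumed evaluation rule: any matching
D entry overrides every matching A entry (deny wins).
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    auth_type: str        # "Policy", "ObjectCreator", ...
    role: str | None      # role name when listed under a [role/...] block
    effect: str           # "A" = allow, "D" = deny
    grant_option: bool    # trailing "G" on the flag (e.g. "AG"), assumed to mean grant option
    resource: str         # e.g. projects/mcproject_name/tables/tb_*
    action: str           # e.g. Drop, All, *

    def covers(self, resource: str, action: str) -> bool:
        """True if this entry matches the resource path (glob) and the action."""
        res_ok = fnmatch.fnmatchcase(resource, self.resource)
        act_ok = self.action in ("*", "All") or self.action.lower() == action.lower()
        return res_ok and act_ok


ENTRY_RE = re.compile(r"^([AD])(G?)\s+(\S+?):\s*(\S+)$")


def parse_show_grants(text: str) -> tuple[list[str], list[Grant]]:
    """Parse SHOW GRANTS FOR <user> output into (assigned roles, grant entries)."""
    roles: list[str] = []
    grants: list[Grant] = []
    auth_type = role = None
    expect_roles = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "[roles]":
            expect_roles = True
            continue
        if expect_roles:                      # the line after [roles] lists them
            roles = [r.strip() for r in line.split(",") if r.strip()]
            expect_roles = False
            continue
        if line.startswith("Authorization Type:"):
            auth_type = line.split(":", 1)[1].strip()
            role = None                       # entries before a [role/...] block are direct grants
            continue
        m = re.fullmatch(r"\[role/([^\]]+)\]", line)
        if m:
            role = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and auth_type:
            grants.append(Grant(auth_type, role, m.group(1), m.group(2) == "G",
                                m.group(3), m.group(4)))
            continue
        raise ValueError(f"unrecognised SHOW GRANTS line: {raw!r}")
    return roles, grants


def effective_decision(grants: list[Grant], resource: str, action: str):
    """Return ("DENY" | "ALLOW" | "NO_GRANT", matching entries). Any deny wins."""
    hits = [g for g in grants if g.covers(resource, action)]
    denies = [g for g in hits if g.effect == "D"]
    if denies:
        return "DENY", denies
    if hits:
        return "ALLOW", hits
    return "NO_GRANT", []


# Constructed sample: trimmed from the listing shown after delete_test is assigned.
SHOW_GRANTS_WITH_DENY = """\
[roles]
role_project_admin, delete_test

Authorization Type: Policy
[role/delete_test]
D       projects/mcproject_name/tables/tb_*: Drop
[role/role_project_admin]
A       projects/mcproject_name: *
A       projects/mcproject_name/tables/*: *

Authorization Type: ObjectCreator
AG      projects/mcproject_name/tables/wc_in: All
"""

# Constructed sample: trimmed from the listing shown after the deny rule is revoked (Method 1).
SHOW_GRANTS_AFTER_REVOKE = """\
[roles]
role_project_admin, delete_test

Authorization Type: Policy
[role/role_project_admin]
A       projects/mcproject_name: *
A       projects/mcproject_name/tables/*: *

Authorization Type: ObjectCreator
AG      projects/mcproject_name/tables/tb_test: All
"""

if __name__ == "__main__":
    target = "projects/mcproject_name/tables/tb_test"
    for label, text in (("with deny", SHOW_GRANTS_WITH_DENY),
                        ("after revoke", SHOW_GRANTS_AFTER_REVOKE)):
        roles, grants = parse_show_grants(text)
        for action in ("Drop", "Select"):
            decision, hits = effective_decision(grants, target, action)
            sources = ", ".join(f"{g.auth_type}/{g.role or 'direct'}" for g in hits)
            print(f"{label}: {action} on {target} -> {decision} ({sources})")
```

Run against the first sample, Drop on tb_test resolves to DENY from Policy/delete_test even though Policy/role_project_admin allows * on tables/*, while Select on the same table stays ALLOW; against the second sample Drop resolves to ALLOW, matching the OK that the revoke procedures expect. A non-matching resource returns NO_GRANT, which is worth treating as a failure in an audit rather than assuming an implicit allow.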