ACL-based access control lets you grant or revoke permissions on MaxCompute objects for specific users and roles. It uses an allow-list model: you explicitly specify who can perform which actions on which objects. To manage permissions for multiple users at once, grant permissions to a role and attach the role to those users.
ACL-based access control is enabled by default for every MaxCompute project. To enable or disable it, run:

```sql
set CheckPermissionUsingACL=true|false;
```

ACL is suitable for two scenarios:
| Scenario | How it works |
|---|---|
| Grant permissions to a user | Grant one or more actions on a specific object directly to a single user. |
| Grant permissions through a role | Grant actions on an object to a role, then attach the role to multiple users. All attached users inherit the role's permissions. For details, see Role planning and Attach a role to a user. |
Roles are used to better manage users. Typically, you do not grant the same permissions on the same object to multiple roles.
Prerequisites
Before you begin, ensure that you have:

- A grantee in the project. Run `list users;` or `list roles;` on the MaxCompute client to verify. To add a user or role, see User planning and management or Role planning.
- The account format. ACL commands require the full account identifier:
  - Alibaba Cloud account: `ALIYUN$<account_id>`
  - RAM user: `RAM$<account_id>:<RAM_user_UID>`
  - RAM role: `RAM$<account_id>:role/<RAM_role_name>`
- The object name. ACL only supports granting permissions on existing objects. Find object names using the following commands:

  | Object type | Command |
  |---|---|
  | Project | Find the project name on the Project Management tab in the MaxCompute console. |
  | Table or view | `show tables;` |
  | Model | `show models;` |
  | Resource | `list resources;` |
  | Function | `list functions;` |
  | Instance | `show instances;` |

- The actions to grant. For valid actions and object types, see MaxCompute permissions.
Limitations
- Existing objects only. Permissions can only be granted on objects that already exist and to users or roles already in the project. This prevents privilege escalation through object re-creation with the same name.
- No privilege delegation. ACL does not support the `WITH GRANT OPTION` clause. If user A grants a permission to user B, user B cannot grant that same permission to user C.
- Allow-list only. ACL uses an allow-list model. A deny-list is not supported.
- No future-object grants. You cannot pre-authorize permissions on objects that do not yet exist. If you create a new object, you must explicitly grant permissions on it.
Usage notes
- Deleting an object automatically revokes all ACL permissions associated with that object.
- Deleting a user retains that user's permission records. If the user is re-added to the project, their previous permissions are reactivated. To permanently clear a deleted user's permissions, see Completely clear the residual permission information of a deleted user.
Syntax
Grant permissions

```sql
grant <actions> on <object_type> <object_name>
[(<column_list>)] to <subject_type> <subject_name>
[privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Revoke permissions

```sql
revoke <actions> on <object_type> <object_name>
[(<column_list>)] from <subject_type> <subject_name>;
```

Grant or revoke column-level permissions

```sql
grant <actions> on table <table_name> (<column_list>) to <subject_type> <subject_name>;
revoke <actions> on table <table_name> (<column_list>) from <subject_type> <subject_name>;
```

Required parameters
| Parameter | Description |
|---|---|
| actions | One or more actions to grant or revoke, separated by commas. For valid values, see MaxCompute permissions. |
| object_type | The type of object (for example, project, table, view, function, resource, instance). Only one object type per command. For valid values, see MaxCompute permissions. |
| object_name | The name of the object. Use `*` as a wildcard only when granting to a ROLE; wildcards are not supported for USER. For example, `table taobao*` matches all tables whose names start with taobao. |
| subject_type | The type of grantee: USER (an Alibaba Cloud account or RAM user) or ROLE. |
| subject_name | The account or role name. Only one user or role per command. Formats: `ALIYUN$<account_id>` (Alibaba Cloud account), `RAM$<account_id>:<RAM user ID>` (RAM user), `RAM$<account_id>:role/<RAM role name>` (RAM role). Run `list users;` or `list roles;` to look up the exact name. |
Optional parameters
| Parameter | Description |
|---|---|
| column_list | Required only for column-level access control (object_type = table). Specify one or more column names, separated by commas. Controls the Describe, Select, Alter, Update, Drop, ShowHistory, and ALL permissions on those columns. For columns with sensitivity labels, use Label-based access control instead. |
| conditions | Restricts the grant to requests matching specific attributes. Format: `"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...`. For supported variables and operations, see Conditions. |
| days | Expiration period in days. If omitted, the permission is permanent. MaxCompute automatically removes the permission record after the expiration period. |
Conditions
Use the conditions parameter to restrict permissions based on request attributes such as IP address or access time.
| Variable | Type | Supported operations | Description |
|---|---|---|---|
acs:UserAgent | STRING | = (StringEquals), <> (StringNotEquals), like (StringLike), not like (StringNotLike) | The User-Agent of the client sending the request. |
acs:Referer | STRING | Same as acs:UserAgent | The HTTP Referer of the request. |
acs:SourceIp | IP address | in (...) (IpAddress), not in (...) (NotIpAddress) | The IP address of the client. |
acs:SecureTransport | BOOLEAN | True, False | Whether the request was sent over a secure channel such as HTTPS. |
acs:CurrentTime | DATEANDTIME | = (DateEquals), <> (DateNotEquals), < (DateLessThan), <= (DateLessThanEquals), > (DateGreaterThan), >= (DateGreaterThanEquals) | The time the server receives the request, in ISO 8601 format (for example, 2012-11-11T23:59:59Z). |
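The following is an added example, not part of the original page, that combines the grant syntax with the Conditions table: a read-only grant that is valid only from one source IP range and expires automatically after 30 days. Allen's UID, test_project_a and sale_detail are the setup values used in the Examples section; the CIDR 203.0.113.0/24 (a documentation range) and the quoting of the condition constant are assumptions.

```sql
-- Added example, not from the original page. Allen's UID, test_project_a and
-- sale_detail are the page's setup values; the CIDR 203.0.113.0/24 (a documentation
-- range) and the quoting of the condition constant are assumptions.
use test_project_a;

-- Least privilege: read-only actions, one table, one source range, 30-day lifetime.
-- MaxCompute removes the permission record itself once "expires" elapses, so a
-- temporary grant cannot be forgotten and left in place.
grant Describe, Select on table sale_detail
  to USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538
  privilegeproperties(
    "conditions" = "acs:SourceIp in ('203.0.113.0/24')",
    "expires" = "30"
  );

-- Verify: the ACL entry for Allen should now carry the condition and the expiry.
show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;

-- If access is no longer needed before the 30 days are up, revoke it explicitly.
-- revoke names the same actions, object and grantee; it takes no privilegeproperties.
revoke Describe, Select on table sale_detail
  from USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
```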
Examples
The following examples use this setup:

- Project owner: Bob@aliyun.com (account ID: 5527xxxxxxxx5788), project: test_project_a
- RAM users under Bob's account:
  - Allen (UID: 1652xxxxxxxxxx1538)
  - Alice (UID: 2763xxxxxxxxxx1649)
  - Tom (UID: 3874xxxxxxxxxx1850)
- External Alibaba Cloud account: Lily@aliyun.com (account ID: 5638xxxxxxxx6899)
All commands are run on the MaxCompute client.
Example 1: Grant table-level permissions to a user
Create a table and grant Allen the Describe (read metadata) and Select (read data) permissions on it.
```sql
-- Switch to the project.
use test_project_a;
-- Create a partitioned table.
create table if not exists sale_detail
(
    shop_name string,
    customer_id string,
    total_price double
)
partitioned by (sale_date string, region string);
-- Add Allen as a project member.
add user RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
-- Grant Describe and Select on the table to Allen.
grant Describe, Select on table sale_detail to USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
-- Verify the grant.
show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
```

Expected output:

```text
Authorization Type: ACL
[user/RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538]
A projects/test_project_a/tables/sale_detail: Describe | Select
```

Example 2: Grant column-level permissions to a user
Grant Alice all permissions on the shop_name and customer_id columns of sale_detail.
```sql
-- Switch to the project.
use test_project_a;
-- Add Alice as a project member.
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Grant All on the specified columns to Alice.
grant All on table sale_detail (shop_name, customer_id) to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Verify the grant.
show grants for RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
```

Expected output:

```text
Authorization Type: ACL
[user/RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649]
A projects/test_project_a/tables/sale_detail/customer_id: All
A projects/test_project_a/tables/sale_detail/shop_name: All
```

Example 3: Revoke permissions from users
Revoke the permissions granted in examples 1 and 2 from Allen and Alice.
```sql
-- Switch to the project.
use test_project_a;
-- Revoke Allen's table-level permissions. No column list: the grant in example 1
-- was table-level, and a revoke must match the scope of the grant it removes.
revoke Describe, Select on table sale_detail from USER RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
-- Revoke Alice's column-level permissions (same columns as the grant in example 2).
revoke All on table sale_detail (shop_name, customer_id) from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Verify: Allen's and Alice's permission lists no longer contain the revoked permissions.
show grants for RAM$5527xxxxxxxx5788:1652xxxxxxxxxx1538;
show grants for RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
```

Example 4: Grant project-level permissions to multiple users through a role
Grant Alice, Tom, and Lily the ability to create instances, resources, functions, and tables — and to list all objects — in test_project_a. Use a role to apply the same permissions to all three users in one step.
```sql
-- Switch to the project.
use test_project_a;
-- Add all three users as project members.
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;
add user ALIYUN$5638xxxxxxxx6899;
-- Create the Worker role and attach it to all three users.
create role Worker;
grant Worker TO RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker TO RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;
grant Worker TO ALIYUN$5638xxxxxxxx6899;
-- Grant project-level permissions to the Worker role.
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List on project test_project_a TO ROLE Worker;
-- Verify: Lily now has the Worker role and its permissions.
show grants for ALIYUN$5638xxxxxxxx6899;
```

Expected output:

```text
[roles]
worker
Authorization Type: ACL
[role/worker]
A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List
```

Example 5: Revoke a role from multiple users
Revoke the Worker role from Alice, Tom, and Lily. This removes all permissions that were inherited from the role.
```sql
-- Switch to the project.
use test_project_a;
-- Revoke the Worker role from all three users.
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
revoke Worker from RAM$5527xxxxxxxx5788:3874xxxxxxxxxx1850;
revoke Worker from ALIYUN$5638xxxxxxxx6899;
-- Verify: Lily no longer has the Worker role or its permissions.
show grants for ALIYUN$5638xxxxxxxx6899;
```