Use GRANT and REVOKE statements to control what users and roles can do in a MaxCompute project.
Prerequisites
Before you begin, make sure that you have one of the following roles in the project:
Project owner
A user assigned the Super_Administrator role
A user assigned the Admin role
You can run the statements in this topic on any of the following platforms:
Grant a role or user
Grants a specific permission on an object to a user or role.
Syntax
grant <Action> [, <Action>] on <Object> <object_name> to {user|role} {<user_name|role_name>};Parameters
| Parameter | Required | Description |
|---|---|---|
Action | Yes | The name of the permission to grant. For a full list of permissions, see MaxCompute permissions. |
Object | Yes | The object type. For a full list of object types, see MaxCompute permissions. |
object_name | Yes | The name of the object. |
user|role | Yes | The grantee type. Specify user to grant the permission to a user, or role to grant it to a role. |
user_name|role_name | Yes | The name of the user or role receiving the permission. |
Examples
Grant a user the CreateTable permission on a project:
grant CreateTable on Project prj1 to user ALIYUN$test_user@aliyun.com;Grant a role the CreateInstance permission on a project:
grant CreateInstance on Project prj1 to role player;Revoke role or user permissions
Revokes a specific permission on an object from a user or role.
Syntax
revoke <Action> [, <Action>] on <Object> <object_name> from {user|role} {<user_name|role_name>};Parameters
| Parameter | Required | Description |
|---|---|---|
Action | Yes | The name of the permission to revoke. For a full list of permissions, see MaxCompute permissions. |
Object | Yes | The object type. For a full list of object types, see MaxCompute permissions. |
object_name | Yes | The name of the object. |
user|role | Yes | The revokee type. Specify user to revoke the permission from a user, or role to revoke it from a role. |
user_name|role_name | Yes | The name of the user or role to revoke the permission from. |
Examples
Revoke the CreateTable permission on a project from a user:
revoke CreateTable on Project prj1 from user ALIYUN$test_user@aliyun.com;Revoke the CreateInstance permission on a project from a role:
revoke CreateInstance on Project prj1 from role player;Related topics
For a full list of objects and the permissions that apply to each object type, see MaxCompute permissions.