Use the GRANT statement to manage permissions - MaxCompute

Use the GRANT statement to grant permissions on a MaxCompute object to a user or role. MaxCompute supports two access control methods:

ACL-based access control — grants permissions directly on an existing object to a user or role using a whitelist. This is the standard method for most use cases.
Policy-based access control — grants permissions to a role using either a whitelist or a blacklist. Use this method when you need to explicitly deny actions or apply fine-grained access on top of built-in roles.

To assign a role to a user, see Grant a role to a user. To grant package access, see Grant access to a package.

Key concepts

Term	Description
Subject	The entity receiving the permission. Valid values: `USER` (an Alibaba Cloud account or RAM user) and `ROLE`.
Object	The MaxCompute resource on which permissions are granted, such as a project, table, view, resource, function, or instance.
Action	The operation permitted on the object, such as `Select`, `Describe`, `Drop`, or `CreateTable`. For a full list, see MaxCompute permissions.
Alibaba Cloud account	Format: `ALIYUN$<account>`. Example: `ALIYUN$Bob@aliyun.com`.
RAM user	Format: `RAM$<parent-account>:<username>`. Example: `RAM$Bob@aliyun.com:Allen`.

To query existing users and roles in a project, run list users; or list roles; on the MaxCompute client.

ACL-based access control

ACL-based access control grants permissions on an existing object to a user or role. It uses the whitelist mechanism only — you cannot use it to deny actions.

Prerequisites

Before granting permissions:

The user account or role already exists in the project. To add a user or role, see User planning and management or Role planning.
The object on which you want to grant permissions already exists.

Limitations

Permissions can only be granted on existing objects to existing subjects. A new object created with the same name as a deleted object does not inherit the deleted object's permissions.
ACL-based access control does not support the [with grant option] clause — permission delegation is not supported. If user A grants user B access to an object, user B cannot re-grant that access to user C.
Only the whitelist mechanism is supported. To deny actions, use policy-based access control.

Usage notes

Deleting an object revokes all ACL permissions on it.
Removing a user from a project retains that user's permissions. If the user is re-added, the historical permissions are reactivated. To clear residual permissions, see Completely clear the residual permission information of a removed user.

Syntax

-- Grant permissions on an object
grant <actions> on <object_type> <object_name>
[(<column_list>)] to <subject_type> <subject_name>
[privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

-- Grant or revoke column-level permissions
grant <actions> on table <table_name> (<column_list>) to <subject_type> <subject_name>;
revoke <actions> on table <table_name> (<column_list>) from <subject_type> <subject_name>;

Parameters

Parameter	Required	Description
`actions`	Yes	One or more actions to permit, separated by commas. For supported actions, see MaxCompute permissions.
`object_type`	Yes	The type of object. One type per statement. For supported types, see MaxCompute permissions.
`object_name`	Yes	The name of the object. Wildcards (``) are supported only when `subject_type` is `ROLE`. For example, `table taobao` matches all tables whose names start with `taobao`. To get the object name: run `show tables;` for tables or views, `list resources;` for resources, `list functions;` for functions, or `show instances;` for instances. For a project name, go to the MaxCompute console, select the region, and view the Project management tab.
`column_list`	No	Column names for column-level access control. Required only when `object_type` is `table` and you want to control access to specific columns. Separate multiple column names with commas. Supported permissions for column-level control: `Describe`, `Select`, `Alter`, `Update`, `Drop`, `ShowHistory`, and `All`. If columns have sensitivity levels assigned, use label-based access control instead.
`subject_type`	Yes	The type of subject. Valid values: `USER` (an Alibaba Cloud account or RAM user) and `ROLE`.
`subject_name`	Yes	The name of the user or role. One subject per statement. Run `list users;` or `list roles;` on the MaxCompute client to get the name.
`conditions` (in `privilegeproperties`)	No	Conditions for access control, such as request source or access method. Format: `"<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ...`. See Conditions for valid values.
`days` (in `privilegeproperties`)	No	Permission validity period in days. If omitted, permissions are permanently valid. MaxCompute clears the permission record after the specified number of days.

Conditions

Use conditions in privilegeproperties to add access restrictions based on request attributes.

var_name	Type	Supported operations	Description
`acs:UserAgent`	STRING	`=` (StringEquals), `<>` (StringNotEquals), `like` (StringLike), `not like` (StringNotLike)	Client user agent
`acs:Referer`	STRING	`=` (StringEquals), `<>` (StringNotEquals), `like` (StringLike), `not like` (StringNotLike)	HTTP referer of the request
`acs:SourceIp`	IP address	`in (...)` (IpAddress), `not in (...)` (NotIpAddress)	Client IP address
`acs:SecureTransport`	BOOLEAN	`True`, `False`	Whether the request is sent over a secure channel such as HTTPS
`acs:CurrentTime`	DATEANDTIME	`=` (DateEquals), `<>` (DateNotEquals), `<` (DateLessThan), `<=` (DateLessThanEquals), `>` (DateGreaterThan), `>=` (DateGreaterThanEquals)	Time the server receives the request. ISO 8601 format: `yyyy-MM-ddTHH:mm:ssZ`. Example: `2012-11-11T23:59:59Z`.

Examples

The following examples use the project test_project_a, owned by the Alibaba Cloud account Bob@aliyun.com. Allen, Alice, and Tom are RAM users of Bob@aliyun.com. All statements are executed on the MaxCompute client.

Example 1: Grant table-level permissions to a user

Grant Describe and Select permissions on the table sale_detail to RAM user Allen.

-- Switch to the project
use test_project_a;
-- Create a partitioned table
create table if not exists sale_detail
(
shop_name     string,
customer_id   string,
total_price   double
)
partitioned by (sale_date string, region string);
-- Add Allen to the project
add user RAM$Bob@aliyun.com:Allen;
-- Grant permissions
grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
-- Verify: query Allen's permissions
show grants for RAM$Bob@aliyun.com:Allen;
-- Expected output:
-- Authorization Type: ACL
-- [user/RAM$Bob@aliyun.com:Allen]
-- A       projects/test_project_a/tables/sale_detail: Describe | Select

Example 2: Grant column-level permissions to a user

Grant all permissions on columns shop_name and customer_id in sale_detail to RAM user Alice.

use test_project_a;
-- Add Alice to the project
add user RAM$Bob@aliyun.com:Alice;
-- Grant column-level permissions
grant All on table sale_detail (shop_name, customer_id) to USER RAM$Bob@aliyun.com:Alice;
-- Verify: query Alice's permissions
show grants for RAM$Bob@aliyun.com:Alice;
-- Expected output:
-- Authorization Type: ACL
-- [user/RAM$Bob@aliyun.com:Alice]
-- A       projects/test_project_a/tables/sale_detail/customer_id: All
-- A       projects/test_project_a/tables/sale_detail/shop_name: All

Example 3: Use a role to grant the same permissions to multiple users

Grant CreateInstance, CreateResource, CreateFunction, CreateTable, and List permissions on the project test_project_a to RAM users Alice and Tom and the Alibaba Cloud account Lily@aliyun.com.

use test_project_a;
-- Add members to the project
add user RAM$Bob@aliyun.com:Alice;
add user RAM$Bob@aliyun.com:Tom;
add user ALIYUN$Lily@aliyun.com;
-- Create a role named Worker
create role Worker;
-- Assign the role to all three members
grant Worker TO RAM$Bob@aliyun.com:Alice;
grant Worker TO RAM$Bob@aliyun.com:Tom;
grant Worker TO ALIYUN$Lily@aliyun.com;
-- Grant permissions on the project to the role
grant CreateInstance, CreateResource, CreateFunction, CreateTable, List on project test_project_a TO ROLE Worker;
-- Verify: query Lily's permissions
show grants for ALIYUN$Lily@aliyun.com;
-- Expected output:
-- [roles]
-- worker
--
-- Authorization Type: ACL
-- [role/worker]
-- A       projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List

Policy-based access control

Policy-based access control grants permissions to roles using either a whitelist (allow=true) or a blacklist (allow=false). Unlike ACL-based access control, it can apply to objects that do not yet exist and supports explicit deny rules.

Prerequisites

Before granting permissions:

The role already exists in the project. Run list roles; to verify. To create a role, see Role planning.
The object type and the actions to grant or deny are identified.

Limitations

Permissions can only be granted to roles, not directly to users.

Usage notes

When both whitelist and blacklist rules apply, the blacklist takes precedence.
Permissions can be granted on non-existent objects. If a deleted object is recreated with the same name, the retained permission record applies automatically, which may create security risks.
Removing a user from a project retains that user's role-based permissions. If the user is re-added, the historical permissions are reactivated. To clear residual permissions, see Completely clear the residual permission information of a removed user.

Syntax

grant <actions> on <object_type> <object_name>
to ROLE <role_name>
privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>" ,"expires"="<days>"]);

Parameters

Parameter	Required	Description
`actions`	Yes	One or more actions to permit or deny, separated by commas. For supported actions, see MaxCompute permissions.
`object_type`	Yes	The type of object. One type per statement.
`object_name`	Yes	The name of the object. Wildcards (``) are supported. For example, `table tb_` matches all tables whose names start with `tb_`.
`role_name`	Yes	The name of the role. One role per statement. Run `list roles;` on the MaxCompute client to get the name.
`policy`	Yes	Set to `true` to use policy-based access control.
`allow`	Required	Whether to allow the action. `true` applies the whitelist mechanism (allow). `false` applies the blacklist mechanism (deny).
`conditions`	No	Conditions for access control. For configuration details, see Conditions.
`days`	No	Permission validity period in days. If omitted, permissions are permanently valid. MaxCompute clears the permission record after the specified number of days.

Examples

The following examples use the project test_project_a, owned by the Alibaba Cloud account Bob@aliyun.com. Allen and Tom are RAM users of Bob@aliyun.com. RAM user Allen is assigned the Admin role of test_project_a. All statements are executed on the MaxCompute client.

Example 1: Deny an action using the blacklist mechanism

Deny role Worker (and its assigned users) from dropping tables whose names start with tb_ in the project.

use test_project_a;
-- Create a role named Worker
create role Worker;
-- Add Tom to the project and assign the role
add user RAM$Bob@aliyun.com:Tom;
grant Worker TO RAM$Bob@aliyun.com:Tom;
-- Deny the Drop action on matching tables
grant Drop on table tb_* to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
-- Verify: query Tom's permissions
show grants for RAM$Bob@aliyun.com:Tom;
-- Expected output (D = Deny):
-- Authorization Type: Policy
-- [role/worker]
-- D      projects/test_project_a/tables/tb_*: Drop

Example 2: Revoke a deny rule

Revoke the Drop deny rule from example 1 by removing the role from the user.

use test_project_a;
-- Revoke the Worker role from Tom
revoke Worker from RAM$Bob@aliyun.com:Tom;
-- Verify: Tom no longer has the Drop deny rule
show grants for RAM$Bob@aliyun.com:Tom;

Example 3: Allow an action using the whitelist mechanism

Allow role Worker to update tables whose names start with tb_ in the project.

use test_project_a;
create role Worker;
add user RAM$Bob@aliyun.com:Tom;
grant Worker TO RAM$Bob@aliyun.com:Tom;
-- Allow the Update action on matching tables
grant Update on table tb_* to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Verify: query Tom's permissions
show grants for RAM$Bob@aliyun.com:Tom;
-- Expected output (A = Allow):
-- Authorization Type: Policy
-- [role/worker]
-- A       projects/test_project_a/tables/tb_*: Update

Example 4: Revoke an allow rule

Revoke the Update allow rule from example 3 by removing the role from the user.

use test_project_a;
revoke Worker from RAM$Bob@aliyun.com:Tom;
-- Verify: Tom no longer has the Update permission
show grants for RAM$Bob@aliyun.com:Tom;

Example 5: Restrict a user assigned a built-in role

Allen is assigned the Admin role, which grants all permissions. Use a policy blacklist to prevent Allen from dropping any table.

use test_project_a;
create role Worker;
grant Worker TO RAM$Bob@aliyun.com:Allen;
-- Deny the Drop action on all tables
grant Drop on table * to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
-- Verify: query Allen's permissions
show grants for RAM$Bob@aliyun.com:Allen;
-- Expected output:
-- [roles]
-- role_project_admin, worker
--
-- Authorization Type: Policy
-- [role/role_project_admin]
-- A       projects/test_project_a: *
-- A       projects/test_project_a/instances/*: *
-- A       projects/test_project_a/jobs/*: *
-- A       projects/test_project_a/offlinemodels/*: *
-- A       projects/test_project_a/packages/*: *
-- A       projects/test_project_a/registration/functions/*: *
-- A       projects/test_project_a/resources/*: *
-- A       projects/test_project_a/tables/*: *
-- A       projects/test_project_a/volumes/*: *
--
-- [role/worker]
-- A       projects/test_project_a/tables/tb_*: Update
-- D       projects/test_project_a/tables/*: Drop
--
-- Authorization Type: ObjectCreator
-- AG      projects/test_project_a/tables/local_test: All
-- AG      projects/test_project_a/tables/mr_multiinout_out1: All
-- AG      projects/test_project_a/tables/mr_multiinout_out2: All
-- AG      projects/test_project_a/tables/ramtest: All
-- AG      projects/test_project_a/tables/wc_in: All
-- AG      projects/test_project_a/tables/wc_in1: All
-- AG      projects/test_project_a/tables/wc_in2: All
-- AG      projects/test_project_a/tables/wc_out: All

Example 6: Revoke a restrict rule from a built-in role user

Revoke the Drop deny rule from example 5 by removing the role from Allen.

use test_project_a;
revoke Worker from RAM$Bob@aliyun.com:Allen;
-- Verify: Allen no longer has the Drop deny rule
show grants for RAM$Bob@aliyun.com:Allen;

Grant a role to a user

After a role is assigned to a user, the user inherits all permissions of the role.

Limitations

Grant the role the necessary permissions on project objects before assigning it to a user. For details, see Grant a role or user.

Syntax

grant <role_name> to <user_name>;

Parameters

Parameter	Required	Description
`role_name`	Yes	The name of the role to assign.
`user_name`	Yes	The name of the user. Alibaba Cloud account format: ALIYUN$@aliyun.com`. RAM user format: `RAM$.

Example

-- Grant the player role to the Alibaba Cloud account test_user@aliyun.com
grant player to ALIYUN$test_user@aliyun.com;

Grant access to a package

A package is an independent object type in MaxCompute. To access resources in a package, a user or role must have the Read permission on it. The project owner and users assigned the Super_Administrator or Admin role can grant this permission using an access control list (ACL).

Syntax

grant <actions> on package <project_name>.<package_name> to {USER|ROLE} <name>;

Usage notes

After the Read permission is granted, the user or role can access package resources only in the project where the package is installed. For fine-grained package permission management, see Access control for packages.

Parameters

Parameter	Required	Description
`actions`	Yes	Set to `Read`.
`project_name`	Yes	The name of the MaxCompute project the package belongs to. To get the project name, go to the MaxCompute console, select the region, and view the Project management tab.
`package_name`	Yes	The name of the package. Run `show packages;` on the MaxCompute client to list packages.
`name`	Yes	The name of the user or role to grant access to. One subject per statement. Run `list users;` or `list roles;` to get the name.

Example

Bella is a RAM user of the Alibaba Cloud account Amy@aliyun.com. Grant Bella access to the package datashare.

grant Read on package test_project_a.datashare to user RAM$Amy@aliyun.com:Bella;

What's next

CREATE PACKAGE: Create a package.
CREATE ROLE: Create a role in a MaxCompute project.
REVOKE: Revoke access permissions from a user or role.