Grants a user or role access to data at a sensitivity level higher than their default access level allows.
Prerequisites
Before you begin, ensure that you have:
The Project Owner or Admin role in the target MaxCompute project
The name of the table or view to grant access to (run show tables; on the MaxCompute client to look it up)
The name of the user or role to grant access to (run list users; or list roles; on the MaxCompute client to look it up)
Usage notes
A column-level label grant overrides any table-level label grant for the same user.
Syntax
grant Label <number> on table <table_name> [(<column_list>)] to {USER|ROLE} <name> [with exp <days>];
Parameters
| Parameter | Required | Description |
|---|---|---|
| number | Yes | The highest sensitivity level to grant. Valid values: 0–9, corresponding to sensitivity-level labels. |
| table_name | Yes | The name of the table or view. |
| column_list | No | The columns to grant access to. Separate multiple columns with commas (,). If omitted, the grant applies to the entire table. |
| name | Yes | The name of the user or role. |
| days | No | How long the permission lasts, in days. Valid values: 0 to 2<sup>63</sup> − 1. Default: 180 days. |
Examples
The following examples use the test_project_a project, which contains the sale_detail table with columns shop_name, customer_id, and total_price. Bob@aliyun.com is the project owner. Allen is a RAM user belonging to Bob@aliyun.com and is a member of test_project_a.
Grant table-level label access to a user
Grant Allen access to all data in sale_detail at sensitivity level 3 or below, valid for 4 days.
-- Switch to the project as Bob@aliyun.com
use test_project_a;
-- Grant Allen access to data at sensitivity level 3 or below in sale_detail, valid for 4 days
grant Label 3 on table sale_detail to USER RAM$Bob@aliyun.com:Allen with exp 4;
-- Verify the grant
show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
The output lists the granted label and expiration for each column:
User Label: 1
+-------------+--------------+--------------------------+
| Column | GrantedLabel | Expires |
+-------------+--------------+--------------------------+
| total_price | 3 | 2021-12-31T19:56:18+0800 |
+-------------+--------------+--------------------------+
Grant column-level label access to a user
Grant Allen access to specific columns (shop_name, customer_id, total_price) at sensitivity level 4 or below, valid for 10 days. Column-level grants override any existing table-level grant for the same user.
-- Grant Allen access to data at sensitivity level 4 or below in specific columns, valid for 10 days
grant Label 4 on table sale_detail(shop_name, customer_id, total_price) to USER RAM$Bob@aliyun.com:Allen with exp 10;
-- Verify the grant
show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
The output confirms the column-level grants:
User Label: 1
+-------------+--------------+--------------------------+
| Column | GrantedLabel | Expires |
+-------------+--------------+--------------------------+
| customer_id | 4 | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| shop_name | 4 | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| total_price | 4 | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
Grant label access to a role
To apply label access to multiple users at once, grant the label to a role rather than individual users. The following example grants access to data at sensitivity level 3 or below in sale_detail to the data_analyst role, valid for 30 days.
grant Label 3 on table sale_detail to ROLE data_analyst with exp 30;
What's next
SET LABEL: Configure sensitivity-level labels on a table or column before granting label access to users or roles.
REVOKE: Remove an explicitly granted label from a user or role when access is no longer needed.
CLEAR EXPIRED GRANTS: Clean up permissions that have passed their expiration date.
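For periodic access reviews, the show label grants output from the examples above can be parsed to report how far each grant raises a user above their own label and whether it has expired or is about to. This is an added example, not part of the MaxCompute documentation or tooling; it assumes the output layout shown on this page, and the function names and the 7-day warning window are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Output of `show label grants`, copied from the column-level example on this page.
SAMPLE = """\
User Label: 1
+-------------+--------------+--------------------------+
| Column | GrantedLabel | Expires |
+-------------+--------------+--------------------------+
| customer_id | 4 | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| shop_name | 4 | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
| total_price | 4 | 2022-01-06T19:58:00+0800 |
+-------------+--------------+--------------------------+
"""

USER_LABEL = re.compile(r"^User Label:\s*(\d)$")
# Data rows only: the header row fails to match because its second cell is not a digit.
ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*(\d)\s*\|\s*(\S+)\s*\|$")

def parse_label_grants(text):
    """Return (user_label, [(column, granted_label, expires), ...])."""
    user_label, grants = None, []
    for line in map(str.strip, text.splitlines()):
        if m := USER_LABEL.match(line):
            user_label = int(m.group(1))
        elif m := ROW.match(line):
            column, label, expires = m.groups()
            when = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
            grants.append((column, int(label), when))
    if user_label is None:
        raise ValueError("no 'User Label:' line found")
    return user_label, grants

def audit_label_grants(text, now, warn_days=7):
    """Return [(column, levels_above_user_label, status), ...] as of `now`."""
    user_label, grants = parse_label_grants(text)
    findings = []
    for column, label, expires in grants:
        if expires <= now:
            status = "expired"      # candidate for cleanup
        elif expires - now <= timedelta(days=warn_days):
            status = "expiring"     # renew or let lapse deliberately
        else:
            status = "active"
        findings.append((column, label - user_label, status))
    return findings

if __name__ == "__main__":
    now = datetime(2022, 1, 1, tzinfo=timezone(timedelta(hours=8)))  # constructed review time
    for column, elevation, status in audit_label_grants(SAMPLE, now):
        print(f"{column}: +{elevation} above user label, {status}")
```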