Grant and revoke project-level permissions to a role - MaxCompute

Roles let you grant the same set of permissions to multiple users at once. Create a role, grant it permissions, then attach it to users — each user inherits the role's permissions automatically.

This topic covers the SQL syntax for granting and revoking permissions on project-level roles in MaxCompute, including operation permissions on objects, download permissions, label-based permissions on high-sensitivity data, and how to attach or detach roles from users.

Role authorization scenarios

Scenario	Authorization method	Authorization platform
Grant or revoke operation permissions on an object	Access Control List (ACL)-based access control (whitelist) or policy-based access control (whitelist or blacklist)	MaxCompute client, MaxCompute console (recommended), MaxCompute Studio, or DataWorks console
Grant or revoke the Download permission	Download permission control	Same platforms as above
Grant or revoke permissions on high-sensitivity data	Label-based access control	Same platforms as above

For the authorizers allowed to perform each action, see Supported authorizers.

After granting permissions to a role, attach the role to users. To remove access, detach the role from the user.

Grant operation permissions on an object to a role

Grant a role permissions on projects, tables, models, resources, functions, or instances. Supported permissions vary by object type:

Object type	Supported permissions
Project	`Read`, `Write`, `List`, `CreateTable`, `CreateInstance`, `CreateFunction`, `CreateResource`, `All`
Table	`Describe`, `Select`, `Alter`, `Update`, `Drop`, `ShowHistory`, `All`
Model	`Describe`, `Execute`, `Alter`, `Drop`, `All`
Resource	`Read`, `Write`, `Delete`, `All`
Function	`Read`, `Write`, `Delete`, `Execute`, `All`
Instance	`Read`, `Write`, `All`

Syntax

ACL authorization:

GRANT <permissions>
      ON {project <project_name> | TABLE <table_name> [(<column_list>)] | MODEL <model_name> | resource <resource_name> | FUNCTION <function_name> | instance <instance_id>}
      TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];

Policy authorization (using ACL syntax):

GRANT <permissions>
      ON {project <project_name> | TABLE <table_name> [(<column_list>)] | MODEL <model_name> | resource <resource_name> | FUNCTION <function_name> | instance <instance_id>}
      TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);

For parameter details, see ACL-based access control and Policy-based access control.

Examples

The following examples use test_project_a as the project, Worker as the role, and Bob@aliyun.com as the project owner. Each example shows both ACL and policy syntax.

Example 1: Grant project-level permissions

Grant the Worker role the permissions to create tables, functions, and instances, and to list all objects in test_project_a.

-- Enter the project.
USE test_project_a;
-- ACL authorization
GRANT CreateTable, CreateFunction, CreateInstance, List ON project test_project_a TO ROLE Worker;
-- Policy authorization
GRANT CreateTable, CreateFunction, CreateInstance, List
      ON project test_project_a
      TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 2: Grant table permissions

Grant the Worker role the permissions to read the metadata and data of the sale_detail table.

USE test_project_a;
-- ACL authorization
GRANT Describe, Select ON TABLE sale_detail TO ROLE Worker;
-- Policy authorization
GRANT Describe, Select
      ON TABLE sale_detail
      TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 3: Grant model permissions

Grant the Worker role all permissions on the my_model model.

USE test_project_a;
-- ACL authorization
GRANT All ON MODEL my_model TO ROLE Worker;
-- Policy authorization
GRANT All
      ON MODEL my_model
      TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 4: Grant resource permissions

Grant the Worker role the permissions to read and update the udtf.jar resource.

USE test_project_a;
-- ACL authorization
GRANT Read, Write ON resource udtf.jar TO ROLE Worker;
-- Policy authorization
GRANT Read, Write
      ON resource udtf.jar
      TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 5: Grant function permissions

Grant the Worker role the permissions to read and update the udf_test function.

USE test_project_a;
-- ACL authorization
GRANT Read, Write ON FUNCTION udf_test TO ROLE Worker;
-- Policy authorization
GRANT Read, Write
      ON FUNCTION udf_test
      TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 6: Grant instance permissions

Grant the Worker role all permissions on instance 202112300224****.

USE test_project_a;
-- ACL authorization
GRANT All ON instance 202112300224**** TO ROLE Worker;
-- Policy authorization
GRANT All
      ON instance 202112300224****
      TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Revoke operation permissions on an object from a role

Syntax

Revoke ACL-granted permissions:

REVOKE <permissions>
       ON {project <project_name> | TABLE <table_name> [(<column_list>)] | MODEL <model_name> | resource <resource_name> | FUNCTION <function_name> | instance <instance_id>}
       FROM ROLE <role_name>;

Revoke policy-granted permissions:

REVOKE <permissions>
       ON {project <project_name> | TABLE <table_name> [(<column_list>)] | MODEL <model_name> | resource <resource_name> | FUNCTION <function_name> | instance <instance_id>}
       FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");

For parameter details, see ACL-based access control and Policy-based access control.

Examples

The following examples revoke permissions from the Worker role in test_project_a.

Example 1: Revoke project-level permissions

USE test_project_a;
-- Revoke ACL-granted permissions.
REVOKE CreateTable, CreateFunction, CreateInstance, List ON project test_project_a FROM ROLE Worker;
-- Revoke policy-granted permissions.
REVOKE CreateTable, CreateFunction, CreateInstance, List
      ON project test_project_a
      FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 2: Revoke table permissions

USE test_project_a;
-- Revoke ACL-granted permissions.
REVOKE Describe, Select ON TABLE sale_detail FROM ROLE Worker;
-- Revoke policy-granted permissions.
REVOKE Describe, Select
      ON TABLE sale_detail
      FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 3: Revoke model permissions

USE test_project_a;
-- Revoke ACL-granted permissions.
REVOKE All ON MODEL my_model FROM ROLE Worker;
-- Revoke policy-granted permissions.
REVOKE All
      ON MODEL my_model
      FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 4: Revoke resource permissions

USE test_project_a;
-- Revoke ACL-granted permissions.
REVOKE Read, Write ON resource udtf.jar FROM ROLE Worker;
-- Revoke policy-granted permissions.
REVOKE Read, Write
      ON resource udtf.jar
      FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 5: Revoke function permissions

USE test_project_a;
-- Revoke ACL-granted permissions.
REVOKE Read, Write ON FUNCTION udf_test FROM ROLE Worker;
-- Revoke policy-granted permissions.
REVOKE Read, Write
      ON FUNCTION udf_test
      FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Example 6: Revoke instance permissions

USE test_project_a;
-- Revoke ACL-granted permissions.
REVOKE All ON instance 202112300224**** FROM ROLE Worker;
-- Revoke policy-granted permissions.
REVOKE All
      ON instance 202112300224****
      FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Grant the Download permission to a role

Grant a role the permission to download data from tables, resources, functions, or instances. Download permission control must be enabled for the project before running this command.

Syntax

GRANT Download ON {Table|Resource|Function|Instance} <object_name> TO ROLE <role_name>;

For parameter details, see Download permission control.

Example

Grant the Worker role the permission to download data from the sale_detail table.

-- Enter the project.
USE test_project_a;
-- Grant the Download permission to the role.
GRANT Download ON TABLE sale_detail TO ROLE Worker;

Revoke the Download permission from a role

Syntax

REVOKE Download ON {Table|Resource|Function|Instance} <object_name> FROM ROLE <role_name>;

For parameter details, see Download permission control.

Example

Revoke the permission to download data from the sale_detail table from the Worker role.

USE test_project_a;
REVOKE Download ON TABLE sale_detail FROM ROLE Worker;

Grant permissions to access high-sensitivity data to a role

Use label-based authorization to grant a role access to data above its current sensitivity level. For information on setting a permission level label for a role, see Set a permission level label for a user or role.

Syntax

GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [WITH exp <days>];

For parameter details, see Explicit label-based authorization.

Example

The Worker role has a permission level label of 2. Grant it access to data with a maximum sensitivity level of 4 in the sale_detail table.

USE test_project_a;
GRANT Label 4 ON TABLE sale_detail TO ROLE Worker;

Revoke permissions to access high-sensitivity data from a role

Revoking label-based permissions does not affect the role's own permission level label.

Syntax

REVOKE Label ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;

For parameter details, see Revoke explicit label-based authorization.

Example

Revoke the permission to access data with a sensitivity level of up to 4 in the sale_detail table from the Worker role.

USE test_project_a;
REVOKE Label ON TABLE sale_detail FROM ROLE Worker;

Attach a role to a user

Attach a built-in or custom project-level role to a user. The user inherits all permissions granted to that role. Multiple users can share the same role, and a user can hold multiple roles.

Syntax

GRANT <role_name> TO <user_name>;

Parameters

Parameter	Required	Description
`role_name`	Yes	The name of the role to attach. Run `list roles;` in the MaxCompute client to view available roles.
`user_name`	Yes	The name of the target user. Run `list users;` in the MaxCompute client to view project members.

Example

Attach the Worker role to the Alibaba Cloud account Ka**@aliyun.com and the RAM user RAM$Bob@aliyun.com:Allen.

USE test_project_a;
GRANT Worker TO ALIYUN$Ka**@aliyun.com;
GRANT Worker TO RAM$Bob@aliyun.com:Allen;

Detach a role from a user

After detaching a role, the user loses all permissions granted by that role.

Syntax

REVOKE <role_name> FROM <user_name>;

Parameters

Parameter	Required	Description
`role_name`	Yes	The name of the role to detach. Run `list roles;` in the MaxCompute client to get the role name.
`user_name`	Yes	The name of the target user. Run `list users;` in the MaxCompute client to get the username.

Example

Detach the Worker role from Kate@aliyun.com and RAM$Bob@aliyun.com:Allen.

USE test_project_a;
REVOKE Worker FROM ALIYUN$Kate@aliyun.com;
REVOKE Worker FROM RAM$Bob@aliyun.com:Allen;

MaxCompute:Project-level role authorization

Role authorization scenarios

Grant operation permissions on an object to a role

Syntax

Examples

Revoke operation permissions on an object from a role

Syntax

Examples

Grant the Download permission to a role

Syntax

Example

Revoke the Download permission from a role

Syntax

Example

Grant permissions to access high-sensitivity data to a role

Syntax

Example

Revoke permissions to access high-sensitivity data from a role

Syntax

Example

Attach a role to a user

Syntax

Parameters

Example

Detach a role from a user

Syntax

Parameters

Example

What to do next