If you want to grant the same permissions to multiple users in a MaxCompute project, you can create a role in the project, grant the permissions to the role, and then assign the role to the users. This topic describes the syntaxes of commands that can be used to perform access control based on project-level roles. This topic also provides examples on how to perform access control based on project-level roles.
Background information
MaxCompute allows you to perform role-based access control in the scenarios that are described in the following table.
Scenario | Access control method | Authorized by | Operation platform
Grant the access permissions on data that has a high sensitivity level to a role | | |
Revoke the access permissions on data that has a high sensitivity level from a role | | |
Note: For more information about the identities that can be used to perform policy-based access control, see the Authorized by column in the Permission list section in Permissions on projects and objects in projects.
After you grant permissions to a role, you can assign the role to users. If the users no longer require the permissions, you can revoke the role from the users. For more information, see Assign a role to a user and Revoke a role from a user.
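The following added example (not part of the original page) walks through the whole role lifecycle that this topic describes, in the order a project owner would run it on the MaxCompute client: create the role, attach the least set of permissions the role needs, assign the role, verify the effective grants, and then reverse every step when the role is retired. The project test_project_a, the role Worker, the table sale_detail and the accounts Kate@aliyun.com and Bob@aliyun.com:Allen are assumed placeholder names.

```sql
-- Added example, not code from the original page. All names are assumed.
-- Run as the project owner (here, the Alibaba Cloud account Bob@aliyun.com).
use test_project_a;

-- 1. Create the role once. Permissions are attached to the role, never to
--    individual users, so onboarding and offboarding only touch the role
--    assignment, not the grants.
create role Worker;

-- 2. Grant the minimum the role needs (ACL-based access control).
grant CreateInstance, List on project test_project_a to ROLE Worker;
grant Describe, Select on table sale_detail to ROLE Worker;

-- 3. Add the principals to the project, then assign the role.
--    Alibaba Cloud accounts use the ALIYUN$ prefix, RAM users use RAM$.
add user ALIYUN$Kate@aliyun.com;
add user RAM$Bob@aliyun.com:Allen;
grant Worker to ALIYUN$Kate@aliyun.com;
grant Worker to RAM$Bob@aliyun.com:Allen;

-- 4. Verify what was granted: the permissions held by the role, and the
--    effective permissions of one user (roles plus any direct grants).
describe role Worker;
show grants for RAM$Bob@aliyun.com:Allen;

-- 5. Offboarding one user: revoke the role. The role keeps its permissions
--    for the other members.
revoke Worker from RAM$Bob@aliyun.com:Allen;
remove user RAM$Bob@aliyun.com:Allen;

-- 6. Retiring the role: revoke it from every remaining user, strip its
--    grants, and only then drop it.
revoke Worker from ALIYUN$Kate@aliyun.com;
revoke Describe, Select on table sale_detail from ROLE Worker;
revoke CreateInstance, List on project test_project_a from ROLE Worker;
drop role Worker;
```

Steps 4 and 6 are the ones worth keeping in a runbook: describe role and show grants for are the checks that show whether a revoke actually removed access, and dropping a role that still has members or grants is the step that fails in practice, so reverse the assignments first.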
Grant the operation permissions on an object to a role
You can grant the operation permissions on projects, tables, resources, functions, or instances to a role.
Syntaxes
Grant the operation permissions on a project to a role
ACL-based access control
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> to ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on a table to a role
ACL-based access control
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
grant Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] to ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on a resource to a role
ACL-based access control
grant Read|Write|Delete|All on resource <resource_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
grant Read|Write|Delete|All on resource <resource_name> to ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on a function to a role
ACL-based access control
grant Read|Write|Delete|Execute|All on function <function_name> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
grant Read|Write|Delete|Execute|All on function <function_name> to ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on an instance to a role
ACL-based access control
grant Read|Write|All on instance <instance_id> to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
grant Read|Write|All on instance <instance_id> to ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
Examples
For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a, and a role named Worker is created in the project. You want to grant permissions to the role Worker. The following examples provide the commands that you can use to grant different operation permissions to the role Worker.
Example 1: Grant the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Use the ACL syntax to perform policy-based access control.
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 2: Grant the Describe and Select permissions on a table in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant Describe, Select on table sale_detail to ROLE Worker;
-- Use the ACL syntax to perform policy-based access control.
grant Describe, Select on table sale_detail to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 3: Grant the Read and Write permissions on a resource in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant Read, Write on resource udtf.jar to ROLE Worker;
-- Use the ACL syntax to perform policy-based access control.
grant Read, Write on resource udtf.jar to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 4: Grant the Read and Write permissions on a function in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant Read, Write on function udf_test to ROLE Worker;
-- Use the ACL syntax to perform policy-based access control.
grant Read, Write on function udf_test to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 5: Grant all operation permissions on an instance in the project test_project_a to the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Grant the permissions to the role Worker by using the ACL-based access control method.
grant All on instance 202112300224**** to ROLE Worker;
-- Use the ACL syntax to perform policy-based access control.
grant All on instance 202112300224**** to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
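The examples above grant whole tables without an expiry. The following added example (not from the original page) uses the optional parts of the same syntaxes to tighten a table grant the way a least-privilege review would ask for: a column list instead of the whole table, an "expires" value so a temporary grant cannot outlive its purpose, and a policy-based "allow"="false" entry that denies one sensitive column. The column names shop_name, total_price and customer_id are assumed; the "conditions" parameter is left out because its expression syntax is documented in the Policy-based access control topic, not here.

```sql
-- Added example, not code from the original page. Project, role, table and
-- column names are assumed.
use test_project_a;

-- Column-scoped, time-boxed grant (ACL-based): the role can read only the
-- two listed columns, and the grant lapses by itself after 7 days.
grant Select on table sale_detail(shop_name, total_price) to ROLE Worker privilegeproperties("expires"="7");

-- Metadata access is harmless on its own but is needed for DESCRIBE and for
-- the SQL planner, so grant it separately instead of granting All.
grant Describe on table sale_detail to ROLE Worker;

-- Policy-based explicit deny on one column. Writing the deny down makes the
-- intent visible in describe role / show grants, instead of relying on the
-- column being absent from an allow list that someone may later widen.
grant Select on table sale_detail(customer_id) to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");

-- Verify the role now carries exactly these entries.
describe role Worker;

-- Undo in reverse order when the review period ends. A policy-based entry
-- must be revoked with the same privilegeproperties it was granted with.
revoke Select on table sale_detail(customer_id) from ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
revoke Describe on table sale_detail from ROLE Worker;
revoke Select on table sale_detail(shop_name, total_price) from ROLE Worker;
```

The check to build into a review is the describe role output: an expired grant disappears from it on its own, whereas a grant made without "expires" stays until someone revokes it.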
Revoke the operation permissions on an object from a role
You can revoke the operation permissions on projects, tables, resources, functions, or instances from a role.
Syntaxes
Revoke the operation permissions on a project from a role
Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from ROLE <role_name>;
Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All on project <project_name> from ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}");
Revoke the operation permissions on a table from a role
Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from ROLE <role_name>;
Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke Describe|Select|Alter|Update|Drop|ShowHistory|All on table <table_name> [(<column_list>)] from ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}");
Revoke the operation permissions on a resource from a role
Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke Read|Write|Delete|All on resource <resource_name> from ROLE <role_name>;
Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke Read|Write|Delete|All on resource <resource_name> from ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}");
Revoke the operation permissions on a function from a role
Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke Read|Write|Delete|Execute|All on function <function_name> from ROLE <role_name>;
Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke Read|Write|Delete|Execute|All on function <function_name> from ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}");
Revoke the operation permissions on an instance from a role
Revoke the operation permissions that are granted by using the ACL-based access control method from a role
revoke Read|Write|All on instance <instance_id> from ROLE <role_name>;
Revoke the operation permissions that are granted by using the policy-based access control method from a role
revoke Read|Write|All on instance <instance_id> from ROLE <role_name> privilegeproperties("policy" = "true", "allow"="{true|false}");
Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
Examples
In the following examples, the operation permissions that were granted to the role Worker in the preceding section are revoked. The following examples provide the commands that you can use to revoke different operation permissions from the role Worker.
Example 1: Revoke the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 2: Revoke the Describe and Select permissions on the table in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke Describe, Select on table sale_detail from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke Describe, Select on table sale_detail from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 3: Revoke the Read and Write permissions on the resource in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke Read, Write on resource udtf.jar from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke Read, Write on resource udtf.jar from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 4: Revoke the Read and Write permissions on the function in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke Read, Write on function udf_test from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke Read, Write on function udf_test from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 5: Revoke all operation permissions on the instance in the project test_project_a from the role Worker.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker.
revoke All on instance 202112300224**** from ROLE Worker;
-- Revoke the permissions that are granted by using the policy-based access control method from the role Worker.
revoke All on instance 202112300224**** from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Download permission to a role
You can grant the Download permission on tables, resources, functions, or instances to a role.
Syntax
grant Download on {Table|Resource|Function|Instance} <object_name> to ROLE <role_name>;
Parameters
For more information about the parameters, see Download control.
Example
Grant the Download permission on a specific table in the project test_project_a for which download control is enabled to the role Worker. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to grant the Download permission to the role Worker.
grant download on table sale_detail to ROLE Worker;
Revoke the Download permission from a role
You can revoke the Download permission on tables, resources, functions, or instances from a role.
Syntax
revoke Download on {Table|Resource|Function|Instance} <object_name> from ROLE <role_name>;
Parameters
For more information about the parameters, see Download control.
Example
Revoke the Download permission that is granted to the role Worker in the preceding section. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the Download permission from the role Worker.
revoke download on table sale_detail from ROLE Worker;
Grant the access permissions on data that has a high sensitivity level to a role
If you want to use a role that is classified into a specific data access level by using labels to access data whose sensitivity level is higher than the data access level of the role, you must grant the access permissions on the data to the role. For more information about how to use labels to classify roles into different access levels, see Configure access-level labels for users or roles.
Syntax
grant Label <number> on table <table_name> [(<column_list>)] to ROLE <role_name> [with exp <days>];
Parameters
For more information about the parameters, see Enable label-based explicit authorization.
Example
Grant the access permissions on data whose sensitivity level is 4 in the sale_detail table of the project test_project_a to the role Worker whose data access level is 2. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to grant the access permissions to the role Worker.
grant Label 4 on table sale_detail to ROLE Worker;
Revoke the access permissions on data that has a high sensitivity level from a role
You can revoke the access permissions on data that has a high sensitivity level from a role. After you revoke such access permissions from a role, the data access level of the role is not affected.
Syntax
revoke Label on table <table_name> [(<column_list>)] from ROLE <role_name>;
Parameters
For more information about the parameters, see Revoke label-based explicit authorization.
Example
Revoke the access permissions that are granted to the role Worker in the preceding section. Sample commands:
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the access permissions from the role Worker.
revoke Label on table sale_detail from ROLE Worker;
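The two label examples above grant and revoke a whole table. The following added example (not from the original page) shows the narrower form a practitioner usually wants: the explicit label grant limited to the one sensitive column and to a fixed number of days, so that the role's own access level stays at 2 and the exception expires on its own. The commands that classify the column and the role (set label ... to table / to role) and the enabling of label security belong to the related topics Configure access-level labels for users or roles and Enable label-based explicit authorization; their form here is an assumption, as are the column name customer_id and the Worker role's label of 2.

```sql
-- Added example, not code from the original page. Names and the
-- set label / SET LabelSecurity commands are assumed from the related topics.
use test_project_a;

-- Label security has to be on in the project, or labels are not enforced.
SET LabelSecurity=true;

-- Classify the data and the role. Only customer_id is level 4; the rest of
-- sale_detail keeps its default level, and Worker is allowed up to level 2.
set label 4 to table sale_detail(customer_id);
set label 2 to role Worker;

-- Explicit, column-scoped, time-limited exception: Worker may read the
-- level-4 column for 7 days. The role's access level is not changed.
grant Label 4 on table sale_detail(customer_id) to ROLE Worker with exp 7;

-- Roles still need the ordinary Select permission; the label grant only
-- lifts the sensitivity check, it does not replace the ACL.
grant Select on table sale_detail to ROLE Worker;

-- Early revocation, before the 7 days elapse. Worker keeps label 2.
revoke Label on table sale_detail(customer_id) from ROLE Worker;
```

Keep the label grant and the Select grant separate in your records: revoking the label grant removes access to the level-4 column only, and revoking Select removes access to the whole table; neither one changes the level the role was classified into.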
Assign a role to a user
After you assign a built-in role or custom role in a project to a user, the user is granted the permissions of the role.
Syntax
grant <role_name> to <user_name>;
Precautions
Multiple users can be assigned the same role, and a user can be assigned multiple roles.
Parameters
Parameter | Required | Description
role_name | Yes | The name of the role that you want to assign to the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
user_name | Yes | The name of the user to which you want to assign the role. You can run the list users; command on the MaxCompute client to query the name of the user.
Example
Assign the role Worker to the Alibaba Cloud account Kate@aliyun.com and the RAM user Bob@aliyun.com:Allen. Both Kate@aliyun.com and Bob@aliyun.com:Allen have already been added to the project test_project_a.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen.
grant Worker to ALIYUN$Kate@aliyun.com;
grant Worker to RAM$Bob@aliyun.com:Allen;
Revoke a role from a user
After you revoke a role from a user, the user no longer has the permissions of the role.
Syntax
revoke <role_name> from <user_name>;
Parameters
Parameter | Required | Description
role_name | Yes | The name of the role that you want to revoke from the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
user_name | Yes | The name of the user from which you want to revoke the role. You can run the list users; command on the MaxCompute client to query the name of the user.
Example
Revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
-- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a.
use test_project_a;
-- Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
revoke Worker from ALIYUN$Kate@aliyun.com;
revoke Worker from RAM$Bob@aliyun.com:Allen;
What to do next
After you grant permissions to a role, you can perform the following operations based on your business requirements: