
MaxCompute:Perform access control based on project-level roles

Last Updated:Oct 13, 2023

If you want to grant the same permissions to multiple users in a MaxCompute project, you can create a role in the project, grant the permissions to the role, and then assign the role to the users. This topic describes the syntaxes of commands that can be used to perform access control based on project-level roles. This topic also provides examples on how to perform access control based on project-level roles.

Background information

MaxCompute allows you to perform role-based access control in the following scenarios. The access control method that each scenario uses is given in parentheses.

  • Grant the operation permissions on an object to a role (ACL-based access control, or policy-based access control by using the ACL syntax)
  • Revoke the operation permissions on an object from a role (ACL-based access control, or policy-based access control by using the ACL syntax)
  • Grant the Download permission to a role (Download control)
  • Revoke the Download permission from a role (Download control)
  • Grant the access permissions on data that has a high sensitivity level to a role (Label-based access control)
  • Revoke the access permissions on data that has a high sensitivity level from a role (Label-based access control)

For more information about the identities that can be used to perform policy-based access control, see the Authorized by column in the Permission list section in Permissions on projects and objects in projects.

After you grant permissions to a role, you can assign the role to users. If the users no longer require the permissions, you can revoke the role from the users. For more information, see Assign a role to a user and Revoke a role from a user.

Grant the operation permissions on an object to a role

You can grant the operation permissions on projects, tables, resources, functions, or instances to a role.

  • Syntaxes

    • Grant the operation permissions on a project to a role

      • ACL-based access control

        grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
              on project <project_name> 
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control by using the ACL syntax

        grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
              on project <project_name> 
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on a table to a role

      • ACL-based access control

        grant Describe|Select|Alter|Update|Drop|ShowHistory|All 
              on table <table_name> [(<column_list>)] 
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control by using the ACL syntax

        grant Describe|Select|Alter|Update|Drop|ShowHistory|All 
              on table <table_name> [(<column_list>)] 
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on a resource to a role

      • ACL-based access control

        grant Read|Write|Delete|All 
              on resource <resource_name> 
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control by using the ACL syntax

        grant Read|Write|Delete|All 
              on resource <resource_name> 
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on a function to a role

      • ACL-based access control

        grant Read|Write|Delete|Execute|All 
              on function <function_name> 
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control by using the ACL syntax

        grant Read|Write|Delete|Execute|All 
              on function <function_name>  
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
    • Grant the operation permissions on an instance to a role

      • ACL-based access control

        grant Read|Write|All 
              on instance <instance_id> 
              to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Policy-based access control by using the ACL syntax

        grant Read|Write|All  
              on instance <instance_id>   
              to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
  • Parameters

    For more information about the parameters, see ACL-based access control or Policy-based access control.

  • Examples

    For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a, and a role named Worker is created in the project. You want to grant permissions to the role Worker. The following examples provide the commands that you can use to grant different operation permissions to the role Worker.

    • Example 1: Grant the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a to the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
      -- Use the ACL syntax to perform policy-based access control. 
      grant CreateTable, CreateFunction, CreateInstance, List 
            on project test_project_a  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 2: Grant the Describe and Select permissions on a table in the project test_project_a to the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant Describe, Select on table sale_detail to ROLE Worker;
      -- Use the ACL syntax to perform policy-based access control. 
      grant Describe, Select  
            on table sale_detail   
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 3: Grant the Read and Write permissions on a resource in the project test_project_a to the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant Read, Write on resource udtf.jar to ROLE Worker;
      -- Use the ACL syntax to perform policy-based access control. 
      grant Read, Write   
            on resource udtf.jar  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 4: Grant the Read and Write permissions on a function in the project test_project_a to the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant Read, Write on function udf_test to ROLE Worker;
      -- Use the ACL syntax to perform policy-based access control. 
      grant Read, Write   
            on function udf_test  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 5: Grant all operation permissions on an instance in the project test_project_a to the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Grant the permissions to the role Worker by using the ACL-based access control method. 
      grant All on instance 202112300224**** to ROLE Worker;
      -- Use the ACL syntax to perform policy-based access control. 
      grant All    
            on instance 202112300224****   
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");

Revoke the operation permissions on an object from a role

You can revoke the operation permissions on projects, tables, resources, functions, or instances from a role.

  • Syntaxes

    • Revoke the operation permissions on a project from a role

      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

        revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
              on project <project_name> 
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role

        revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
              on project <project_name> 
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
    • Revoke the operation permissions on a table from a role

      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

        revoke Describe|Select|Alter|Update|Drop|ShowHistory|All 
              on table <table_name> [(<column_list>)] 
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role

        revoke Describe|Select|Alter|Update|Drop|ShowHistory|All 
              on table <table_name> [(<column_list>)] 
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
    • Revoke the operation permissions on a resource from a role

      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

        revoke Read|Write|Delete|All 
              on resource <resource_name> 
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role

        revoke Read|Write|Delete|All 
              on resource <resource_name> 
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
    • Revoke the operation permissions on a function from a role

      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

        revoke Read|Write|Delete|Execute|All 
              on function <function_name> 
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role

        revoke Read|Write|Delete|Execute|All 
              on function <function_name>  
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
    • Revoke the operation permissions on an instance from a role

      • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

        revoke Read|Write|All 
              on instance <instance_id> 
              from ROLE <role_name>;
      • Revoke the operation permissions that are granted by using the policy-based access control method from a role

        revoke Read|Write|All  
              on instance <instance_id>   
              from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
  • Parameters

    For more information about the parameters, see ACL-based access control or Policy-based access control.

  • Examples

    In the following examples, the operation permissions that were granted to the role Worker in the preceding section are revoked. The following examples provide the commands that you can use to revoke different operation permissions from the role Worker.

    • Example 1: Revoke the CreateTable, CreateFunction, CreateInstance, and List permissions on the project test_project_a from the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke CreateTable, CreateFunction, CreateInstance, List 
            on project test_project_a  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 2: Revoke the Describe and Select permissions on the table in the project test_project_a from the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke Describe, Select on table sale_detail from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke Describe, Select  
            on table sale_detail   
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 3: Revoke the Read and Write permissions on the resource in the project test_project_a from the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke Read, Write on resource udtf.jar from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke Read, Write   
            on resource udtf.jar  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 4: Revoke the Read and Write permissions on the function in the project test_project_a from the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke Read, Write on function udf_test from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke Read, Write   
            on function udf_test  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Example 5: Revoke all operation permissions on the instance in the project test_project_a from the role Worker.

      -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
      use test_project_a;
      -- Revoke the permissions that are granted by using the ACL-based access control method from the role Worker. 
      revoke All on instance 202112300224**** from ROLE Worker;
      -- Revoke the permissions that are granted by using the policy-based access control method from the role Worker. 
      revoke All    
            on instance 202112300224****   
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
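As an added example (not code from the MaxCompute documentation or client), the following Python script parses the grant and revoke forms documented in the two sections above and replays them in order, so that a grant script can be reviewed before it is run: it rejects a revoke written with "to ROLE" instead of "from ROLE", keeps ACL-based and policy-based entries separate, and flags grants of All on a project and grants without an "expires" value. The sample statements are constructed, and how MaxCompute combines an allow policy with a deny policy is not modelled.

```python
import re
from collections import defaultdict

# One regex for the "grant/revoke ... on <object> to/from ROLE ..." forms on this page.
_STMT = re.compile(
    r"^\s*(?P<verb>grant|revoke)\s+(?P<actions>[\w\s,]+?)\s+on\s+"
    r"(?P<otype>project|table|resource|function|instance)\s+(?P<oname>[\w.*]+)"
    r"(?:\s*\((?P<cols>[^)]*)\))?\s+(?P<dir>to|from)\s+ROLE\s+(?P<role>\w+)"
    r"(?:\s+privilegeproperties\((?P<props>[^)]*)\))?\s*;\s*$", re.IGNORECASE)
_PROP = re.compile(r'"([^"]+)"\s*=\s*"([^"]*)"')  # "key" = "value" pairs

def parse_statement(stmt):
    """Parse one statement into a dict; raise ValueError if it is malformed."""
    m = _STMT.match(stmt)
    if not m:
        raise ValueError("not a role grant/revoke: %r" % stmt)
    verb = m["verb"].lower()
    if m["dir"].lower() != ("to" if verb == "grant" else "from"):  # "revoke ... to ROLE" is a typo
        raise ValueError("grant uses 'to ROLE', revoke uses 'from ROLE': %r" % stmt)
    props = dict(_PROP.findall(m["props"] or ""))
    return {
        "verb": verb,
        "actions": {a.strip().lower() for a in m["actions"].split(",")},
        "object": (m["otype"].lower(), m["oname"]),
        "role": m["role"],
        "policy": props.get("policy", "").lower() == "true",
        "allow": props.get("allow", "true").lower() == "true",
        "expires": props.get("expires"),
    }

def audit(statements):
    """Apply statements in order; return (acl, policy, findings): acl[(role, object)] and
    policy[(role, object, 'allow'|'deny')] hold the remaining action sets, findings the review notes."""
    acl, policy, findings = defaultdict(set), defaultdict(set), []
    for n, stmt in enumerate(statements, 1):
        try:
            s = parse_statement(stmt)
        except ValueError as e:
            findings.append("stmt %d: %s" % (n, e))
            continue
        key = (s["role"], s["object"])
        bucket = policy[key + ("allow" if s["allow"] else "deny",)] if s["policy"] else acl[key]
        if s["verb"] == "grant":
            bucket |= s["actions"]  # in place, so the dict's own set is updated
            if s["object"][0] == "project" and "all" in s["actions"]:
                findings.append("stmt %d: grants All on project to role %s" % (n, s["role"]))
            if s["expires"] is None:
                findings.append("stmt %d: permanent grant (no expires) to role %s" % (n, s["role"]))
        else:
            missing = s["actions"] - bucket
            if missing:
                findings.append("stmt %d: revokes %s never granted to role %s" % (n, sorted(missing), s["role"]))
            bucket -= s["actions"]
    return acl, policy, findings

SAMPLE = [  # constructed sample script (not from the page); statement 4 carries a common typo
    "grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;",
    'grant Describe, Select on table sale_detail to ROLE Worker privilegeproperties("expires"="30");',
    'grant Drop on table sale_detail to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");',
    "revoke Describe, Select on table sale_detail to ROLE Worker;",
    "revoke List on project test_project_a from ROLE Worker;",
    "grant All on project test_project_a to ROLE Admin;",
]
```

Running audit(SAMPLE) leaves the role Worker with CreateTable, CreateFunction and CreateInstance on the project (List was revoked), Describe and Select on sale_detail (the mistyped revoke is rejected), and a policy deny for Drop, and reports five findings.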

Grant the Download permission to a role

You can grant the Download permission on tables, resources, functions, or instances to a role.

  • Syntax

    grant Download on {Table|Resource|Function|Instance} <object_name> to ROLE <role_name>;
  • Parameters

    For more information about the parameters, see Download control.

  • Example

    Grant the Download permission on a specific table in the project test_project_a, for which download control is enabled, to the role Worker. Sample commands:

    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to grant the Download permissions to the role Worker. 
    grant download on table sale_detail to ROLE Worker;

Revoke the Download permission from a role

You can revoke the Download permission on tables, resources, functions, or instances from a role.

  • Syntax

    revoke Download on {Table|Resource|Function|Instance} <object_name> from ROLE <role_name>;
  • Parameters

    For more information about the parameters, see Download control.

  • Example

    Revoke the Download permission that is granted to the role Worker in the preceding section. Sample commands:

    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the Download permission from the role Worker. 
    revoke download on table sale_detail from ROLE Worker;

Grant the access permissions on data that has a high sensitivity level to a role

If a role is classified into a specific data access level by using labels and needs to access data whose sensitivity level is higher than that access level, you must explicitly grant the access permissions on the data to the role. For more information about how to use labels to classify roles into different access levels, see Configure access-level labels for users or roles.

  • Syntax

    grant Label <number> on table <table_name> [(<column_list>)] to ROLE <role_name> [with exp <days>];
  • Parameters

    For more information about the parameters, see Enable label-based explicit authorization.

  • Example

    Grant the access permissions on data whose sensitivity level is 4 in the sale_detail table of the project test_project_a to the role Worker whose data access level is 2. Sample commands:

    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to grant the access permissions to the role Worker. 
    grant Label 4 on table sale_detail to ROLE Worker;

Revoke the access permissions on data that has a high sensitivity level from a role

You can revoke the access permissions on data that has a high sensitivity level from a role. After you revoke such access permissions from a role, the data access level of the role is not affected.

  • Syntax

    revoke Label on table <table_name> [(<column_list>)] from ROLE <role_name>;
  • Parameters

    For more information about the parameters, see Revoke label-based explicit authorization.

  • Example

    Revoke the access permissions that are granted to the role Worker in the preceding section. Sample commands:

    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the access permissions from the role Worker. 
    revoke Label on table sale_detail from ROLE Worker;

Assign a role to a user

After you assign a built-in role or custom role in a project to a user, the user is granted the permissions of the role.

  • Syntax

    grant <role_name> to <user_name>;
  • Precautions

    Multiple users can be assigned the same role, and a user can be assigned multiple roles.

  • Parameters

    • role_name (required): The name of the role that you want to assign to the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
    • user_name (required): The name of the user to which you want to assign the role. You can run the list users; command on the MaxCompute client to query the name of the user.

  • Example

    Assign the role Worker to the Alibaba Cloud account Kate@aliyun.com and the RAM user Bob@aliyun.com:Allen. Both Kate@aliyun.com and Bob@aliyun.com:Allen have already been added to the project test_project_a.

    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen. 
    grant Worker to ALIYUN$Kate@aliyun.com;
    grant Worker to RAM$Bob@aliyun.com:Allen;

Revoke a role from a user

After you revoke a role from a user, the user no longer has the permissions of the role.

  • Syntax

    revoke <role_name> from <user_name>;
  • Parameters

    • role_name (required): The name of the role that you want to revoke from the user. You can run the list roles; command on the MaxCompute client to query the name of the role.
    • user_name (required): The name of the user from which you want to revoke the role. You can run the list users; command on the MaxCompute client to query the name of the user.

  • Example

    Revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.

    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen. 
    revoke Worker from ALIYUN$Kate@aliyun.com;
    revoke Worker from RAM$Bob@aliyun.com:Allen;

What to do next

After you grant permissions to a role, you can perform the following operations based on your business requirements: