If you want to grant the same permissions to multiple users in a MaxCompute project, you can create a role in the project, grant the permissions to the role, and then assign the role to the users. After you assign the role to the users, the users are granted the permissions of the role. This topic describes the syntax of project-level role-based access control and provides examples for your reference.
Background information
MaxCompute allows you to perform role-based access control in the following scenarios. After you grant permissions to a role, you can assign the role to users. If the users no longer require the permissions, you can revoke the role from the users.
Role-based access control scenarios:
Grant the operation permissions on an object to a role
Revoke the operation permissions on an object from a role
Grant the Download permission to a role
Revoke the Download permission from a role
Grant the access permissions on data that has a high sensitivity level to a role
Revoke the access permissions on data that has a high sensitivity level from a role
Assign a role to a user
Revoke a role from a user
For the authorizer of each scenario, see the authorizer column in the permission list.
Grant the operation permissions on an object to a role
You can grant the operation permissions on projects, tables, resources, functions, or instances to a role.
Syntax
Grant operation permissions on a project to a role
ACL-based access control
GRANT Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on a table to a role
ACL-based access control
GRANT Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on a resource to a role
ACL-based access control
GRANT Read|Write|Delete|All ON resource <resource_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|Delete|All ON resource <resource_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on a function to a role
ACL-based access control
GRANT Read|Write|Delete|Execute|All ON FUNCTION <function_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|Delete|Execute|All ON FUNCTION <function_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Grant the operation permissions on an instance to a role
ACL-based access control
GRANT Read|Write|All ON instance <instance_id> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
Policy-based access control by using the ACL syntax
GRANT Read|Write|All ON instance <instance_id> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
Examples
For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a, and a role named Worker is created in the project. You want to grant permissions to the role Worker. Sample code:
Example 1: Grant permissions to create tables, functions, and instances and view the list of all types of objects in a project to a role.
--Bob enters the test_project_a project.
USE test_project_a;
--ACL-based access control.
GRANT CreateTable, CreateFunction, CreateInstance, List ON project test_project_a TO ROLE Worker;
--Policy-based access control by using the ACL syntax.
GRANT CreateTable, CreateFunction, CreateInstance, List ON project test_project_a TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 2: Grant permissions to read the metadata and data of a table to a role.
--Bob enters the test_project_a project.
USE test_project_a;
--ACL-based access control.
GRANT Describe, Select ON TABLE sale_detail TO ROLE Worker;
--Policy-based access control by using the ACL syntax.
GRANT Describe, Select ON TABLE sale_detail TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 3: Grant permissions to read and update a resource to a role.
--Bob enters the test_project_a project.
USE test_project_a;
--ACL-based access control.
GRANT Read, Write ON resource udtf.jar TO ROLE Worker;
--Policy-based access control by using the ACL syntax.
GRANT Read, Write ON resource udtf.jar TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 4: Grant the permissions to read and update a function to a role.
--Bob enters the test_project_a project.
USE test_project_a;
--ACL-based access control.
GRANT Read, Write ON FUNCTION udf_test TO ROLE Worker;
--Policy-based access control by using the ACL syntax.
GRANT Read, Write ON FUNCTION udf_test TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 5: Grant all operation permissions on an instance to a role.
--Bob enters the test_project_a project.
USE test_project_a;
--ACL-based access control.
GRANT All ON instance 202112300224**** TO ROLE Worker;
--Policy-based access control by using the ACL syntax.
GRANT All ON instance 202112300224**** TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke the operation permissions on an object from a role
You can revoke the operation permissions on projects, tables, resources, functions, or instances from a role.
Syntax
Revoke the operation permissions on a project from a role
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Revoke the operation permissions on a table from a role
Revoke permissions that are granted by using ACL-based access control.
REVOKE Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Revoke the operation permissions on a resource from a role
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|Delete|All ON resource <resource_name> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|Delete|All ON resource <resource_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Revoke the operation permissions on a function from a role
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|Delete|Execute|All ON FUNCTION <function_name> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|Delete|Execute|All ON FUNCTION <function_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Revoke the operation permissions on an instance from a role
Revoke permissions that are granted by using ACL-based access control.
REVOKE Read|Write|All ON instance <instance_id> FROM ROLE <role_name>;
Revoke permissions that are granted by using policy-based access control.
REVOKE Read|Write|All ON instance <instance_id> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
Examples
In the following examples, the operation permissions that are granted to the role Worker in the preceding section are revoked. Sample code:
Example 1: Revoke the permissions to create tables, functions, and instances and view the list of all types of objects in a project from the role Worker.
--Bob enters the test_project_a project.
USE test_project_a;
--Revoke permissions that are granted by using ACL-based access control.
REVOKE CreateTable, CreateFunction, CreateInstance, List ON project test_project_a FROM ROLE Worker;
--Revoke permissions that are granted by using policy-based access control.
REVOKE CreateTable, CreateFunction, CreateInstance, List ON project test_project_a FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 2: Revoke the permissions to read the metadata and data of a table from the role Worker.
--Bob enters the test_project_a project.
USE test_project_a;
--Revoke permissions that are granted by using ACL-based access control.
REVOKE Describe, Select ON TABLE sale_detail FROM ROLE Worker;
--Revoke permissions that are granted by using policy-based access control.
REVOKE Describe, Select ON TABLE sale_detail FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 3: Revoke the permissions to read and update a resource from the role Worker.
--Bob enters the test_project_a project.
USE test_project_a;
--Revoke permissions that are granted by using ACL-based access control.
REVOKE Read, Write ON resource udtf.jar FROM ROLE Worker;
--Revoke permissions that are granted by using policy-based access control.
REVOKE Read, Write ON resource udtf.jar FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 4: Revoke the permissions to read and update a function from the role Worker.
--Bob enters the test_project_a project.
USE test_project_a;
--Revoke permissions that are granted by using ACL-based access control.
REVOKE Read, Write ON FUNCTION udf_test FROM ROLE Worker;
--Revoke permissions that are granted by using policy-based access control.
REVOKE Read, Write ON FUNCTION udf_test FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Example 5: Revoke all operation permissions on an instance from the role Worker.
--Bob enters the test_project_a project.
USE test_project_a;
--Revoke permissions that are granted by using ACL-based access control.
REVOKE All ON instance 202112300224**** FROM ROLE Worker;
--Revoke permissions that are granted by using policy-based access control.
REVOKE All ON instance 202112300224**** FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
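As an added example (it is not MaxCompute's own code and does not appear in the original topic), the following Python replays a constructed script of GRANT and REVOKE statements in the syntax shown in the two preceding sections, computes the privileges each role ends up with (keeping "allow"="false" policy entries apart from grants), and flags grants that carry a broad action or have no "expires" day count. The statement grammar, the BROAD action set and the sample script are assumptions of this example; nothing here queries MaxCompute.

```python
import re
from collections import defaultdict

# Added example, not MaxCompute code: matches the page's statement shape
# GRANT|REVOKE <actions> ON <type> <name> [(cols)] TO|FROM ROLE <role> [privilegeproperties(...)];
STMT = re.compile(r'^(GRANT|REVOKE)\s+([\w\s,]+?)\s+ON\s+(project|table|resource|function|instance)\s+'
                  r'(\S+?)(?:\s*\([^)]*\))?\s+(?:TO|FROM)\s+ROLE\s+(\w+)(?:\s+privilegeproperties\(([^)]*)\))?\s*;?$',
                  re.IGNORECASE)
PROP = re.compile(r'"(\w+)"\s*=\s*"([^"]*)"')
BROAD = {"all", "drop", "update", "write"}  # actions that deserve a second look on a shared role

def statements(script):
    """Parse each GRANT/REVOKE line, skipping '--' comments and 'use <project>;' lines."""
    for line in script.splitlines():
        line = line.split("--", 1)[0].strip()
        if not line or line.lower().startswith("use "):
            continue
        m = STMT.match(line)
        if not m:
            raise ValueError("unrecognised statement: " + line)
        verb, actions, otype, name, role, props = m.groups()
        yield {"verb": verb.upper(), "role": role, "object": (otype.lower(), name),
               "actions": {a.strip().lower() for a in actions.split(",")},
               "props": {k.lower(): v.lower() for k, v in PROP.findall(props or "")}}

def effective_grants(script):
    """Replay the script into {role: {(allow|deny, type, name): actions}}; deny policies stay separate."""
    state = defaultdict(lambda: defaultdict(set))
    for s in statements(script):
        key = ("deny" if s["props"].get("allow") == "false" else "allow",) + s["object"]
        if s["verb"] == "GRANT":
            state[s["role"]][key] |= s["actions"]
        else:
            state[s["role"]][key] -= s["actions"]
    return state

def audit(script):
    """Flag allow-grants that carry a broad action or have no "expires" day count."""
    findings = []
    for s in statements(script):
        if s["verb"] != "GRANT" or s["props"].get("allow") == "false":
            continue
        where = f"{s['object'][0]} {s['object'][1]} -> role {s['role']}"
        findings += [f"broad privilege {a} on {where}" for a in sorted(s["actions"] & BROAD)]
        if "expires" not in s["props"]:
            findings.append(f"no expires set on {where}")
    return findings

# Constructed sample in the page's syntax, reusing the page's own object names.
SAMPLE = """GRANT CreateTable, CreateFunction, CreateInstance, List ON project test_project_a TO ROLE Worker;
GRANT Describe, Select ON TABLE sale_detail TO ROLE Worker privilegeproperties("expires"="30");
GRANT All ON instance 202112300224**** TO ROLE Worker;
GRANT Drop ON TABLE sale_detail TO ROLE Worker privilegeproperties("policy"="true", "allow"="false");
REVOKE CreateInstance ON project test_project_a FROM ROLE Worker;"""
```

Running audit(SAMPLE) reports the unexpiring project grant and the All grant on the instance, while effective_grants(SAMPLE) shows CreateInstance removed from the project entry and the Drop deny kept separate from the table's allow entry.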
Grant the Download permission to a role
You can grant the Download permission on tables, resources, functions, or instances to a role.
Syntax
GRANT Download ON {Table|Resource|Function|Instance} <object_name> TO ROLE <role_name>;
Parameters
For more information about the parameters, see Download permission control.
Examples
Grant the Download permission on a specific table in the project test_project_a for which download control is enabled to the role Worker. Sample code:
--Bob enters the test_project_a project.
USE test_project_a;
--Use the Alibaba Cloud account Bob@aliyun.com to grant the Download permission to the role Worker.
GRANT Download ON TABLE sale_detail TO ROLE Worker;
Revoke the Download permission from a role
You can revoke the Download permission on tables, resources, functions, or instances from a role.
Syntax
REVOKE Download ON {Table|Resource|Function|Instance} <object_name> FROM ROLE <role_name>;
Parameters
For more information about the parameters, see Download permission control.
Examples
Revoke the Download permission that is granted to the role Worker in the preceding section. Sample code:
--Bob enters the test_project_a project.
USE test_project_a;
--Use the Alibaba Cloud account Bob@aliyun.com to revoke the Download permission from the role Worker.
REVOKE Download ON TABLE sale_detail FROM ROLE Worker;
Grant the access permissions on data that has a high sensitivity level to a role
If you want to use a role that is classified into a specific data access level by using labels to access data whose sensitivity level is higher than the data access level of the role, you must grant the access permissions on the data to the role. For more information about how to set the data access level of a role by using labels, see Set the data access level of a user or role by using labels.
Syntax
GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [WITH exp <days>];
Parameters
For more information about the parameters, see Explicit authorization of labels.
Examples
Grant the access permissions on data whose sensitivity level is 4 in the sale_detail table of the project test_project_a to the role Worker whose data access level is 2. Sample code:
--Bob enters the test_project_a project.
USE test_project_a;
--Use the Alibaba Cloud account Bob@aliyun.com to grant the access permissions to the role Worker.
GRANT Label 4 ON TABLE sale_detail TO ROLE Worker;
Revoke the access permissions on data that has a high sensitivity level from a role
You can revoke the access permissions on data that has a high sensitivity level from a role. After you revoke such access permissions from a role, the data access level of the role is not affected.
Syntax
REVOKE Label ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
Parameters
For more information about the parameters, see Revoke explicit authorization of labels.
Examples
Revoke the access permissions that are granted to the role Worker in the preceding section. Sample code:
--Bob enters the test_project_a project.
USE test_project_a;
--Use the Alibaba Cloud account Bob@aliyun.com to revoke the access permissions from the role Worker.
REVOKE Label ON TABLE sale_detail FROM ROLE Worker;
Assign a role to a user
After you assign a project-level built-in role or custom role to a user, the user is granted the permissions of the role.
Syntax
GRANT <role_name> TO <user_name>;
Notes
Multiple users can be assigned the same role, and a user can be assigned multiple roles.
Parameters
Parameter | Required | Description
role_name | Yes | The name of the role that you want to assign to the user. You can run the list roles; command on the MaxCompute client to view role information.
user_name | Yes | The name of the user to which you want to assign the role. You can run the list users; command on the MaxCompute client to view user information.
Examples
Assign the role Worker to the user Kate@aliyun.com and the RAM user RAM$Bob@aliyun.com:Allen, both of which have already been added to the MaxCompute project.
--Bob enters the test_project_a project.
USE test_project_a;
--Use the Alibaba Cloud account Bob@aliyun.com to assign the role Worker to Kate@aliyun.com and Bob@aliyun.com:Allen.
GRANT Worker TO ALIYUN$Kate@aliyun.com;
GRANT Worker TO RAM$Bob@aliyun.com:Allen;
Revoke a role from a user
After you revoke a role from a user, the user no longer has the permissions of the role.
Syntax
REVOKE <role_name> FROM <user_name>;
Parameters
Parameter | Required | Description
role_name | Yes | The name of the role that you want to revoke from the user. You can run the list roles; command on the MaxCompute client to obtain the role name.
user_name | Yes | The name of the user from which you want to revoke the role. You can run the list users; command on the MaxCompute client to obtain the username.
Examples
Revoke the role Worker from Kate@aliyun.com and RAM$Bob@aliyun.com:Allen.
--Bob enters the test_project_a project.
USE test_project_a;
--Use the Alibaba Cloud account Bob@aliyun.com to revoke the role Worker from Kate@aliyun.com and Bob@aliyun.com:Allen.
REVOKE Worker FROM ALIYUN$Kate@aliyun.com;
REVOKE Worker FROM RAM$Bob@aliyun.com:Allen;
What to do next
After you grant permissions to a role, you can perform the following operations based on your business requirements: