If you want to grant the same permissions to multiple users in a MaxCompute project, you can create a role, grant permissions to the role, and then attach the role to the users. The users then inherit the permissions of the role. This topic describes the syntax for project-level role authorization and provides examples.
Role authorization scenarios
MaxCompute supports the role authorization scenarios described in the following table. After you grant permissions to a role, you can attach the role to a user. If a user no longer requires the permissions, you can detach the role from the user.
The scenarios are the ones covered in the sections of this topic: grant or revoke operation permissions on an object, grant or revoke the Download permission, grant or revoke permissions to access high-sensitivity data, and attach or detach a role. For the authorizer that can perform each scenario, see the Supported authorizers column in the Permissions topic.
Grant operation permissions on an object to a role
You can grant operation permissions on projects, tables, models, resources, functions, or instances to a role.
Command format
Grant operation permissions on a project to a role

ACL authorization:

```sql
GRANT Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Policy authorization using the ACL syntax:

```sql
GRANT Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
```

Grant operation permissions on a table to a role

ACL authorization:

```sql
GRANT Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Policy authorization using the ACL syntax:

```sql
GRANT Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
```

Grant operation permissions on a model to a role

ACL authorization:

```sql
GRANT Describe|Execute|Alter|Drop|All ON MODEL <model_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Policy authorization using the ACL syntax:

```sql
GRANT Describe|Execute|Alter|Drop|All ON MODEL <model_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
```

Grant operation permissions on a resource to a role

ACL authorization:

```sql
GRANT Read|Write|Delete|All ON resource <resource_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Policy authorization using the ACL syntax:

```sql
GRANT Read|Write|Delete|All ON resource <resource_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
```

Grant operation permissions on a function to a role

ACL authorization:

```sql
GRANT Read|Write|Delete|Execute|All ON FUNCTION <function_name> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Policy authorization using the ACL syntax:

```sql
GRANT Read|Write|Delete|Execute|All ON FUNCTION <function_name> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
```

Grant operation permissions on an instance to a role

ACL authorization:

```sql
GRANT Read|Write|All ON instance <instance_id> TO ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
```

Policy authorization using the ACL syntax:

```sql
GRANT Read|Write|All ON instance <instance_id> TO ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
```
Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
Examples
Assume that `Bob@aliyun.com` is the owner of the `test_project_a` project and a role named `Worker` is created in the project. The following examples show how to grant permissions to the `Worker` role.
Example 1: Grant a role the permissions to create tables, functions, and instances, and to list all objects in a project.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Grant permissions using ACL.
GRANT CreateTable, CreateFunction, CreateInstance, List ON project test_project_a TO ROLE Worker;
-- Grant permissions using the ACL syntax for policy authorization.
GRANT CreateTable, CreateFunction, CreateInstance, List ON project test_project_a TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 2: Grant a role the permissions to read the metadata and data of a table.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Grant permissions using ACL.
GRANT Describe, Select ON TABLE sale_detail TO ROLE Worker;
-- Grant permissions using the ACL syntax for policy authorization.
GRANT Describe, Select ON TABLE sale_detail TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 3: Grant a role all permissions on a model.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Grant permissions using ACL.
GRANT All ON MODEL my_model TO ROLE Worker;
-- Grant permissions using the ACL syntax for policy authorization.
GRANT All ON MODEL my_model TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 4: Grant a role the permissions to read and update a resource.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Grant permissions using ACL.
GRANT Read, Write ON resource udtf.jar TO ROLE Worker;
-- Grant permissions using the ACL syntax for policy authorization.
GRANT Read, Write ON resource udtf.jar TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 5: Grant a role the permissions to read and update a function.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Grant permissions using ACL.
GRANT Read, Write ON FUNCTION udf_test TO ROLE Worker;
-- Grant permissions using the ACL syntax for policy authorization.
GRANT Read, Write ON FUNCTION udf_test TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 6: Grant a role all operation permissions on an instance.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Grant permissions using ACL.
GRANT All ON instance 202112300224**** TO ROLE Worker;
-- Grant permissions using the ACL syntax for policy authorization.
GRANT All ON instance 202112300224**** TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```
Revoke operation permissions on an object from a role
You can revoke the operation permissions on projects, tables, models, resources, functions, or instances from a role.
Command format
Revoke operation permissions on a project from a role

Revoke permissions granted using ACL:

```sql
REVOKE Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> FROM ROLE <role_name>;
```

Revoke permissions granted using policy authorization:

```sql
REVOKE Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All ON project <project_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
```

Revoke operation permissions on a table from a role

Revoke permissions granted using ACL:

```sql
REVOKE Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
```

Revoke permissions granted using policy authorization:

```sql
REVOKE Describe|Select|Alter|Update|Drop|ShowHistory|All ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
```

Revoke operation permissions on a model from a role

Revoke permissions granted using ACL:

```sql
REVOKE Describe|Execute|Alter|Drop|All ON MODEL <model_name> FROM ROLE <role_name>;
```

Revoke permissions granted using policy authorization:

```sql
REVOKE Describe|Execute|Alter|Drop|All ON MODEL <model_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
```

Revoke operation permissions on a resource from a role

Revoke permissions granted using ACL:

```sql
REVOKE Read|Write|Delete|All ON resource <resource_name> FROM ROLE <role_name>;
```

Revoke permissions granted using policy authorization:

```sql
REVOKE Read|Write|Delete|All ON resource <resource_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
```

Revoke operation permissions on a function from a role

Revoke permissions granted using ACL:

```sql
REVOKE Read|Write|Delete|Execute|All ON FUNCTION <function_name> FROM ROLE <role_name>;
```

Revoke permissions granted using policy authorization:

```sql
REVOKE Read|Write|Delete|Execute|All ON FUNCTION <function_name> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
```

Revoke operation permissions on an instance from a role

Revoke permissions granted using ACL:

```sql
REVOKE Read|Write|All ON instance <instance_id> FROM ROLE <role_name>;
```

Revoke permissions granted using policy authorization:

```sql
REVOKE Read|Write|All ON instance <instance_id> FROM ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
```
Parameters
For more information about the parameters, see ACL-based access control or Policy-based access control.
Examples
The following examples show how to revoke permissions from the `Worker` role.
Example 1: Revoke the permissions to create tables, functions, and instances, and to list all objects in a project from the `Worker` role.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Revoke permissions granted using ACL.
REVOKE CreateTable, CreateFunction, CreateInstance, List ON project test_project_a FROM ROLE Worker;
-- Revoke permissions granted using policy authorization.
REVOKE CreateTable, CreateFunction, CreateInstance, List ON project test_project_a FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 2: Revoke the permissions to read the metadata and data of a table from the `Worker` role.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Revoke permissions granted using ACL.
REVOKE Describe, Select ON TABLE sale_detail FROM ROLE Worker;
-- Revoke permissions granted using policy authorization.
REVOKE Describe, Select ON TABLE sale_detail FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 3: Revoke all permissions on a model from the `Worker` role.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Revoke permissions granted using ACL.
REVOKE All ON MODEL my_model FROM ROLE Worker;
-- Revoke permissions granted using policy authorization.
REVOKE All ON MODEL my_model FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 4: Revoke the permissions to read and update a resource from the `Worker` role.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Revoke permissions granted using ACL.
REVOKE Read, Write ON resource udtf.jar FROM ROLE Worker;
-- Revoke permissions granted using policy authorization.
REVOKE Read, Write ON resource udtf.jar FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 5: Revoke the permissions to read and update a function from the `Worker` role.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Revoke permissions granted using ACL.
REVOKE Read, Write ON FUNCTION udf_test FROM ROLE Worker;
-- Revoke permissions granted using policy authorization.
REVOKE Read, Write ON FUNCTION udf_test FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```

Example 6: Revoke all operation permissions on an instance from the `Worker` role.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Revoke permissions granted using ACL.
REVOKE All ON instance 202112300224**** FROM ROLE Worker;
-- Revoke permissions granted using policy authorization.
REVOKE All ON instance 202112300224**** FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
```
Grant the Download permission to a role
You can grant a role the permission to download data from tables, resources, functions, or instances.
Command format
```sql
GRANT Download ON {Table|Resource|Function|Instance} <object_name> TO ROLE <role_name>;
```

Parameters
For more information about the parameters, see Download permission control.
Example
Assume that download permission control is enabled for the `test_project_a` project. The following example shows how to grant the `Worker` role the permission to download data from a specific table.
```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Bob grants the permission to the Worker role.
GRANT Download ON TABLE sale_detail TO ROLE Worker;
```
Revoke the Download permission from a role
You can revoke the permission to download data from tables, resources, functions, or instances from a role.
Command format
```sql
REVOKE Download ON {Table|Resource|Function|Instance} <object_name> FROM ROLE <role_name>;
```

Parameters
For more information about the parameters, see Download permission control.
Example
The following example shows how to revoke the permission to download data from a specific table from the `Worker` role.
```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Bob revokes the permission from the Worker role.
REVOKE Download ON TABLE sale_detail FROM ROLE Worker;
```
Grant permissions to access high-sensitivity data to a role
After you set a permission level label for a role, if the role needs to access data of a higher sensitivity level, you must grant the required permissions. For more information about how to set a permission level label for a user or role, see Set a permission level label for a user or role.
Command format
```sql
GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [WITH exp <days>];
```

Parameters
For more information about the parameters, see Explicit label-based authorization.
Example
Assume that in the `test_project_a` project, the permission level label of the `Worker` role is 2. The following example shows how to grant this role the permission to access data with a maximum sensitivity level of 4 in the `sale_detail` table.
```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Bob grants the permission to the Worker role.
GRANT Label 4 ON TABLE sale_detail TO ROLE Worker;
```
Revoke permissions to access high-sensitivity data from a role
You can revoke the permissions to access high-sensitivity data from a role. The permission level of the role itself is not affected.
Command format
```sql
REVOKE Label ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
```

Parameters
For more information about the parameters, see Revoke explicit label-based authorization.
Example
The following example shows how to revoke the permission to access data with a maximum sensitivity level of 4 in the `sale_detail` table from the `Worker` role.
```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Bob revokes the permission from the Worker role.
REVOKE Label ON TABLE sale_detail FROM ROLE Worker;
```
Attach a role to a user
You can attach a project-level built-in or custom role to a user. The user then inherits the permissions of the role.
Command format
```sql
GRANT <role_name> TO <user_name>;
```

Notes

Multiple users can be attached to the same role, and a user can be attached to multiple roles.

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| role_name | Yes | The name of the role to attach to the user. You can execute the `list roles;` command in the MaxCompute client to view role information. |
| user_name | Yes | The name of the user to which you want to attach the role. You can run the `list users;` command in the MaxCompute client to view user information. |

Example

This example shows how to attach the `Worker` role to the user `Ka**@aliyun.com` and the RAM user `RAM$Bob@aliyun.com:Allen` in a MaxCompute project.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Bob attaches the role to the users.
GRANT Worker TO ALIYUN$Ka**@aliyun.com;
GRANT Worker TO RAM$Bob@aliyun.com:Allen;
```
Detach a role from a user
You can detach a role from a user. The user no longer has the permissions granted by that role.
Command format
```sql
REVOKE <role_name> FROM <user_name>;
```

Parameters

| Parameter | Required | Description |
| --- | --- | --- |
| role_name | Yes | The name of the role to detach from the user. You can execute the `list roles;` command in the MaxCompute client to obtain the role name. |
| user_name | Yes | The name of the user from which you want to detach the role. You can run the `list users;` command in the MaxCompute client to obtain the username. |

Example

This example shows how to detach the `Worker` role from `Kate@aliyun.com` and `RAM$Bob@aliyun.com:Allen`.

```sql
-- Bob enters the test_project_a project.
USE test_project_a;
-- Bob detaches the role from the users.
REVOKE Worker FROM ALIYUN$Kate@aliyun.com;
REVOKE Worker FROM RAM$Bob@aliyun.com:Allen;
```
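The following is an added end-to-end example, not part of the original topic, that combines the grant, policy-deny, attach, detach, and revoke commands documented above into a least-privilege, time-limited role and its clean-up. The role name `Analyst`, the user name, and the column names of `sale_detail` are constructed for illustration; `DESCRIBE ROLE` is a MaxCompute client command not covered in this topic, and the example assumes `expires` can be set without `conditions`.

```sql
-- Added example (not from the original topic). Names are constructed for illustration.
USE test_project_a;

-- 1. Let the role read the table's metadata and only its non-sensitive columns,
--    using the [(<column_list>)] form of the table GRANT. The Select grant lapses
--    after 30 days, so a forgotten role does not keep access indefinitely.
GRANT Describe ON TABLE sale_detail TO ROLE Analyst;
GRANT Select ON TABLE sale_detail (shop_name, total_price, sale_date) TO ROLE Analyst
    privilegeproperties("expires" = "30");

-- 2. Explicitly deny Select on the sensitive column with a policy-style rule.
--    In policy-based access control a deny takes precedence over an allow, so a
--    later, broader table-level Select grant to this role still cannot expose it.
GRANT Select ON TABLE sale_detail (customer_id) TO ROLE Analyst
    privilegeproperties("policy" = "true", "allow" = "false");

-- 3. Attach the role; the user inherits exactly the permissions above.
GRANT Analyst TO ALIYUN$analyst_one@example.com;

-- 4. Review what the role carries (members and permissions) before handing it out.
DESCRIBE ROLE Analyst;

-- 5. At the end of the engagement: detach the user first, then strip the role.
--    A policy-style deny is revoked with the same privilegeproperties it was granted with.
REVOKE Analyst FROM ALIYUN$analyst_one@example.com;
REVOKE Select ON TABLE sale_detail (customer_id) FROM ROLE Analyst
    privilegeproperties("policy" = "true", "allow" = "false");
REVOKE Select ON TABLE sale_detail (shop_name, total_price, sale_date) FROM ROLE Analyst;
REVOKE Describe ON TABLE sale_detail FROM ROLE Analyst;
```

Run `DESCRIBE ROLE Analyst;` again after step 5 to confirm the role is empty before reusing it.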
What to do next
After you grant permissions to a role, you can perform the following operations as needed: