This topic describes how to grant permissions to tenant-level roles, use related commands, and manage these roles to control access to tenant-level objects like quotas and NetworkLinks.
Background
In MaxCompute, permissions for objects like projects, tables, functions, resources, and instances are typically managed at the project level, which requires adding a user to a project before granting permissions. In contrast, you can use a policy to grant a tenant-level role permissions for actions on quota and NetworkLink objects.
Prerequisites
Only an Alibaba Cloud account or a RAM user with the tenant-level Super_Administrator or Admin role can manage tenant-level permissions.
Tenant-level permissions can be controlled only through tenant-level roles.
You can grant permissions to a tenant-level role only by using a policy.
Workflow for tenant-level role authorization
Create a tenant-level role named t_role1.
Grant permissions to the t_role1 role by using a policy.
Add a user as a tenant member.
Assign the t_role1 role to the user.
Commands
-- Run the following commands in a project within the tenant.
-- Add a user to a tenant or remove a user from a tenant.
ADD TENANT USER <user_name>;
REMOVE TENANT USER <user_name>;
-- View the users and roles in a tenant.
LIST TENANT USERS;
LIST TENANT ROLES;
-- Create or drop a tenant-level role.
CREATE TENANT ROLE <role_name>;
DROP TENANT ROLE <role_name>;
-- Grant a tenant-level role to a user or revoke it from a user.
GRANT TENANT ROLE <role_name> TO USER <user_name>;
REVOKE TENANT ROLE <role_name> FROM USER <user_name>;
-- Add a tenant-level role to a project or remove it from a project.
ADD TENANT ROLE <role_name> TO PROJECT <project_name>;
REMOVE TENANT ROLE <role_name> FROM PROJECT <project_name>;
-- View the permissions of a tenant-level role or of a tenant user.
SHOW GRANTS FOR TENANT ROLE <role_name>;
SHOW GRANTS FOR TENANT USER <user_name>;
-- View the principals (users) that are assigned a tenant-level role.
SHOW PRINCIPALS FOR TENANT [ROLE] <role_name>;
Manage permissions in the console
Create a tenant role
Log on to the MaxCompute console, and select a region in the upper-left corner.
In the navigation pane on the left, choose .
On the Tenants page, click the Roles tab.
On the Roles tab, click Add Role. In the Add Role dialog box, enter a Role Name and Policy Content, and then click OK to create the role.
Parameter: Role Name
Description: A unique name for the tenant-level role. The name must meet the following requirements:
Starts with a letter.
Contains only letters, underscores (_), and digits.
Is 6 to 64 characters in length.
Parameter: Policy Content
Description: The permission policy of the role. In the console, edit the policy code based on the policy template.
The following example policy allows the role to perform the CreateNetworkLink, List, and Execute operations on all NetworkLink objects (the networklinks resource), and grants the role the Usage permission on all quotas in all regions:
{
  "Statement": [
    {
      "Action": [
        "odps:CreateNetworkLink",
        "odps:List",
        "odps:Execute"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:networklinks/*"
      ]
    },
    {
      "Action": [
        "odps:Usage"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:regions/*/quotas/*"
      ]
    }
  ],
  "Version": "1"
}
On the Tenants page, click the Users tab.
On this tab, you can manage tenant-level users. This includes adding new users from the current Alibaba Cloud account and granting them tenant-level roles.
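Before pasting a policy into Policy Content, a reviewer usually wants to know what the document actually grants and whether it is wider than the role needs. The following Python script is an added example written for this page, not MaxCompute's own tooling: it parses a tenant-level policy document, classifies each Resource string as a NetworkLink or quota resource using the two resource formats shown above, flags actions that this page does not document for that object type, flags Allow statements on wildcard resources, and summarises the effective grants. The KNOWN_ACTIONS map holds only the actions shown on this page and is an assumption about the full action vocabulary; both policy documents in the block are constructed samples, and the Deny handling is a review simplification, not the service's evaluation logic.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: the tenant-level policy shown on this page, embedded as the
# text that would be pasted into the console's Policy Content field.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Action": ["odps:CreateNetworkLink", "odps:List", "odps:Execute"],
         "Effect": "Allow",
         "Resource": ["acs:odps:*:networklinks/*"]},
        {"Action": ["odps:Usage"],
         "Effect": "Allow",
         "Resource": ["acs:odps:*:regions/*/quotas/*"]},
    ],
    "Version": "1",
})

# Constructed sample of a policy that pairs an action with the wrong object type.
BROAD_POLICY = json.dumps({
    "Statement": [
        {"Action": ["odps:Execute"],
         "Effect": "Allow",
         "Resource": ["acs:odps:*:regions/*/quotas/*"]},
    ],
    "Version": "1",
})

# Actions this page documents per tenant-level object type. Assumption: the real
# action vocabulary may be larger, so unknown actions are flagged for review,
# not rejected.
KNOWN_ACTIONS: Dict[str, set] = {
    "networklinks": {"odps:CreateNetworkLink", "odps:List", "odps:Execute"},
    "quotas": {"odps:Usage"},
}


def resource_type(resource: str) -> Optional[str]:
    """Classify a resource string as 'networklinks', 'quotas', or None.

    The page's resource strings have the shape acs:odps:<region>:<path>, e.g.
    acs:odps:*:networklinks/* and acs:odps:*:regions/*/quotas/*.
    """
    parts = resource.split(":", 3)
    if len(parts) != 4:
        return None
    segments = parts[3].split("/")
    if segments[0] == "networklinks":
        return "networklinks"
    if segments[0] == "regions" and len(segments) >= 3 and segments[2] == "quotas":
        return "quotas"
    return None


def lint_policy(policy_text: str) -> List[str]:
    """Return review findings: unexpected Version or Effect, unrecognised
    resources, actions not documented for the resource type, and Allow
    statements whose resource path contains a wildcard segment."""
    findings: List[str] = []
    policy = json.loads(policy_text)
    if policy.get("Version") != "1":
        findings.append(f"unexpected policy Version {policy.get('Version')!r}")
    for idx, stmt in enumerate(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        actions = stmt.get("Action", [])
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {idx}: unknown Effect {effect!r}")
        for res in stmt.get("Resource", []):
            rtype = resource_type(res)
            if rtype is None:
                findings.append(f"statement {idx}: unrecognised tenant resource {res!r}")
                continue
            for action in actions:
                if action not in KNOWN_ACTIONS[rtype]:
                    findings.append(
                        f"statement {idx}: {action!r} is not a known action for {rtype} ({res!r})")
            # resource_type() already verified the string has four colon-separated parts.
            if effect == "Allow" and "*" in res.split(":", 3)[3].split("/"):
                findings.append(
                    f"statement {idx}: Allow on wildcard resource {res!r}; "
                    f"scope it to named {rtype} entries if the role does not need all of them")
    return findings


def effective_grants(policy_text: str) -> Dict[str, List[str]]:
    """Map each resource string to the sorted actions the policy allows on it.

    Deny statements remove actions only for an identical resource string; this
    is a review aid, not a re-implementation of the service's evaluation order.
    """
    allowed: Dict[str, set] = {}
    denied: Dict[str, set] = {}
    for stmt in json.loads(policy_text).get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for res in stmt.get("Resource", []):
            target.setdefault(res, set()).update(stmt.get("Action", []))
    return {res: sorted(acts - denied.get(res, set())) for res, acts in allowed.items()}


if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY) + lint_policy(BROAD_POLICY):
        print(line)
    print(effective_grants(SAMPLE_POLICY))
```

Run against the page's own example, the linter reports only the two wildcard resources, which is expected for a role meant to cover every NetworkLink and every quota; for a role that should reach a single quota, those findings are the prompt to narrow the Resource string before assigning the role with GRANT TENANT ROLE.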
Manage tenant roles
Log on to the MaxCompute console, and select a region in the upper-left corner.
In the navigation pane on the left, choose .
On the Tenants page, click the Roles tab.
In the Actions column of the role list, you can view, delete, or modify a role.
Manage tenant users
Log on to the MaxCompute console, and select a region in the upper-left corner.
In the navigation pane on the left, choose .
On the Tenants page, click the Users tab.
On this tab, you can manage tenant-level users. This includes adding new users from the current Alibaba Cloud account and granting them tenant-level roles.