Permission-related command set
Use this reference to look up permission management commands for a MaxCompute project. Commands are organized by category: role management, user management, role authorization, user authorization, and permission queries.
Role management
Create a project-level role
Syntax
CREATE ROLE <role_name> [PRIVILEGEPROPERTIES("type"="admin")];
Parameters
| Parameter | Description |
|---|---|
| role_name | Name of the role to create. |
| type | Role type. Set to admin to create an administrator role. Omit this property to create a resource role. |
Examples
Create a resource role named Worker:
create role Worker;
Create an administrator role named sale_admin:
create role sale_admin privilegeproperties("type"="admin");
List project-level roles
list roles;
Delete a project-level role
Syntax
DROP ROLE <role_name>;
Example
Delete the Worker role:
drop role Worker;
User management
Add a user to a project
Use the add user command to add an Alibaba Cloud account, a RAM user, or a RAM role to a project. For command syntax and examples, see Manage project members.
Remove a user from a project
Use the remove user command to remove an Alibaba Cloud account, a RAM user, or a RAM role from a project.
| Account type | Syntax |
|---|---|
| Alibaba Cloud account | remove user ALIYUN$<account_id>; |
| RAM user | remove user RAM$<account_id>:<ram_user_name>; |
| RAM role | remove user RAM$<account_id>:role/<ram_role_name>; |
Example
Remove the Alibaba Cloud account 5527xxxxxxxx5788:
remove user ALIYUN$5527xxxxxxxx5788;
List project users
list users;
Role authorization
Grant a role permissions on an object
Use GRANT to assign operation privileges to a role on a specific object. MaxCompute supports two access control modes: ACL-based and policy-based.
Syntax
-- ACL-based access control
GRANT <privilege>[, <privilege> ...]
ON <object_type> <object_name> [(<column_list>)]
TO ROLE <role_name>
[PRIVILEGEPROPERTIES("conditions" = "<conditions>", "expires"="<days>")];
-- Policy-based access control (using ACL syntax)
GRANT <privilege>[, <privilege> ...]
ON <object_type> <object_name> [(<column_list>)]
TO ROLE <role_name>
PRIVILEGEPROPERTIES("policy" = "true", "allow"="{true|false}"
[, "conditions"= "<conditions>", "expires"="<days>"]);
Parameters
| Parameter | Description |
|---|---|
| privilege | One or more privileges to grant, separated by commas. Use All to grant all supported privileges at once. Available privileges vary by object type; see the Privileges by object type table below. |
| object_type | Type of the object: project, TABLE, MODEL, resource, FUNCTION, or instance. |
| object_name | Name of the specific object. For instances, use the instance ID. |
| column_list | (Optional) Comma-separated column names. Restricts the privilege to the specified columns. Applies to TABLE grants only: ON TABLE <table_name> [(<column_list>)]. |
| role_name | Name of the role that receives the privileges. |
| conditions | (Optional) Conditions attached to the grant. |
| expires | (Optional) Number of days until the grant expires. |
| policy | Set to "true" to use policy-based access control. |
| allow | For policy-based grants: "true" to allow, "false" to deny. |
Privileges by object type
| Object type | Available privileges |
|---|---|
| project | Read, Write, List, CreateTable, CreateInstance, CreateFunction, CreateResource, All |
| TABLE | Describe, Select, Alter, Update, Drop, ShowHistory, All |
| MODEL | Describe, Execute, Alter, Drop, All |
| resource | Read, Write, Delete, All |
| FUNCTION | Read, Write, Delete, Execute, All |
| instance | Read, Write, All |
Examples
Grant the Worker role privileges on a project:
-- ACL-based
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Policy-based
grant CreateTable, CreateFunction, CreateInstance, List
on project test_project_a
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Worker role privileges on a table:
-- ACL-based
grant Describe, Select on table sale_detail to ROLE Worker;
-- Policy-based
grant Describe, Select
on table sale_detail
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Worker role privileges on a model (switch to the target project first):
use test_project_a;
-- ACL-based
GRANT All ON MODEL my_model TO ROLE Worker;
-- Policy-based
GRANT All
ON MODEL my_model
TO ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Worker role privileges on a resource:
-- ACL-based
grant Read, Write on resource udtf.jar to ROLE Worker;
-- Policy-based
grant Read, Write
on resource udtf.jar
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Worker role privileges on a function:
-- ACL-based
grant Read, Write on function udf_test to ROLE Worker;
-- Policy-based
grant Read, Write
on function udf_test
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant the Worker role privileges on an instance:
-- ACL-based
grant All on instance 202112300224**** to ROLE Worker;
-- Policy-based
grant All
on instance 202112300224****
to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
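The examples above grant only allow entries. The following is an added example, not from the original page, that combines the two controls the syntax exposes for least privilege: a column-scoped ACL grant that expires on its own, and an explicit policy-based deny ("allow"="false") on the destructive privileges. The role, table and project names are the page's own; the column names and the 30-day expiry are assumed values.

```sql
-- Added example (not from the original page): time-boxed, column-scoped ACL
-- grant plus an explicit policy-based deny on the same table for the Worker role.
-- Column names (customer_id, total_price) and the 30-day expiry are assumptions.
use test_project_a;

-- Time-boxed ACL grant: Worker may describe the table and read only two
-- columns; the grant lapses automatically after 30 days.
grant Describe, Select on table sale_detail (customer_id, total_price)
  to ROLE Worker privilegeproperties("expires"="30");

-- Explicit policy-based deny: Worker is denied Alter and Drop on the table,
-- recorded as a deny entry rather than simply left ungranted.
grant Alter, Drop on table sale_detail
  to ROLE Worker privilegeproperties("policy"="true", "allow"="false");

-- Review what the role now holds before assigning it to any user.
describe role Worker;
```

Run describe role after every change so the deny entry and the expiry are visible in the role's recorded grants rather than assumed.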
Revoke permissions on an object from a role
Use REVOKE to remove previously granted privileges from a role.
Syntax
-- Revoke ACL-based grants
REVOKE <privilege>[, <privilege> ...]
ON <object_type> <object_name> [(<column_list>)]
FROM ROLE <role_name>;
-- Revoke policy-based grants
REVOKE <privilege>[, <privilege> ...]
ON <object_type> <object_name> [(<column_list>)]
FROM ROLE <role_name>
PRIVILEGEPROPERTIES("policy" = "true", "allow"="{true|false}");
The object_type, privilege, and column_list parameters follow the same rules as GRANT. See the Privileges by object type table above.
Examples
Revoke privileges from the Worker role on a project:
-- Revoke ACL-based grant
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Revoke policy-based grant
revoke CreateTable, CreateFunction, CreateInstance, List
on project test_project_a
from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke privileges on a table:
-- Revoke ACL-based grant
revoke Describe, Select on table sale_detail from ROLE Worker;
-- Revoke policy-based grant
revoke Describe, Select
on table sale_detail
from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke privileges on a model:
use test_project_a;
-- Revoke ACL-based grant
REVOKE All ON MODEL my_model FROM ROLE Worker;
-- Revoke policy-based grant
REVOKE All
ON MODEL my_model
FROM ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke privileges on a resource:
-- Revoke ACL-based grant
revoke Read, Write on resource udtf.jar from ROLE Worker;
-- Revoke policy-based grant
revoke Read, Write
on resource udtf.jar
from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke privileges on a function:
-- Revoke ACL-based grant
revoke Read, Write on function udf_test from ROLE Worker;
-- Revoke policy-based grant
revoke Read, Write
on function udf_test
from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Revoke privileges on an instance:
-- Revoke ACL-based grant
revoke All on instance 202112300224**** from ROLE Worker;
-- Revoke policy-based grant
revoke All
on instance 202112300224****
from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
Grant or revoke the Download permission for a role
The Download permission controls whether a role can download data from tables, resources, functions, or instances.
Syntax
-- Grant
GRANT Download ON {Table|Resource|Function|Instance} <object_name> TO ROLE <role_name>;
-- Revoke
REVOKE Download ON {Table|Resource|Function|Instance} <object_name> FROM ROLE <role_name>;
Examples
-- Grant
grant download on table sale_detail to ROLE Worker;
-- Revoke
revoke download on table sale_detail from ROLE Worker;
Grant or revoke sensitivity label access for a role
Sensitivity labels control access to highly sensitive data under the LabelSecurity policy.
Syntax
-- Grant
GRANT Label <number> ON TABLE <table_name> [(<column_list>)] TO ROLE <role_name> [WITH exp <days>];
-- Revoke
REVOKE Label ON TABLE <table_name> [(<column_list>)] FROM ROLE <role_name>;
Parameters
| Parameter | Description |
|---|---|
| number | Sensitivity label level. |
| table_name | Name of the sensitive table. Use * to apply to all tables. |
| column_list | (Optional) Restrict label access to specific columns. |
| days | (Optional) Number of days until the label grant expires. |
Examples
-- Grant label level 4 access on a specific table
grant Label 4 on table sale_detail to ROLE Worker;
-- Revoke label access
revoke Label on table sale_detail from ROLE Worker;
Assign or revoke a role for a user
Syntax
-- Assign
GRANT <role_name> TO <user_name>;
-- Revoke
REVOKE <role_name> FROM <user_name>;
Examples
Assign the Worker role to users:
grant Worker to ALIYUN$Ka**@aliyun.com;
grant Worker to RAM$Bo*@aliyun.com:Allen;
Revoke the Worker role from users:
revoke Worker from ALIYUN$Ka**@aliyun.com;
revoke Worker from RAM$Bo*@aliyun.com:Allen;
User authorization
Grant a user permissions on an object
Grant operation privileges directly to a user on a specific object.
Syntax
GRANT <privilege>[, <privilege> ...]
ON <object_type> <object_name> [(<column_list>)]
TO USER <user_name>
[PRIVILEGEPROPERTIES("conditions" = "<conditions>", "expires"="<days>")];
Supported object_type values and their available privileges are the same as for role authorization. See the Privileges by object type table in the role authorization section.
Examples
Grant privileges on a project:
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user RAM$Ka**@aliyun.com:Lily;
Grant privileges on a table:
grant Describe, Select on table sale_detail to USER RAM$Bo*@aliyun.com:Allen;
Grant privileges on a resource:
grant Read, Write on resource udtf.jar to USER RAM$Bo*@aliyun.com:Alice;
Grant privileges on a function:
grant Read, Write on function udf_test to USER RAM$Bo*@aliyun.com:Tom;
Grant privileges on an instance:
grant All on instance 202112300224**** to USER RAM$Bo*@aliyun.com:Tom;
Revoke permissions from a user
Syntax
REVOKE <privilege>[, <privilege> ...]
ON <object_type> <object_name> [(<column_list>)]
FROM USER <user_name>;
Examples
Revoke privileges on a project:
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user RAM$Ka**@aliyun.com:Lily;
Revoke privileges on a table:
revoke Describe, Select on table sale_detail from USER RAM$Bo*@aliyun.com:Allen;
Revoke privileges on a resource:
revoke Read, Write on resource udtf.jar from USER RAM$Bo*@aliyun.com:Alice;
Revoke privileges on a function:
revoke Read, Write on function udf_test from USER RAM$Bo*@aliyun.com:Tom;
Revoke privileges on an instance:
revoke All on instance 202112300224**** from USER RAM$Bo*@aliyun.com:Tom;
Grant or revoke the Download permission for a user
Syntax
-- Grant
grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;
-- Revoke
revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;
Examples
-- Grant
grant Download on table sale_detail to USER RAM$Bo*@aliyun.com:Allen;
-- Revoke
revoke Download on table sale_detail from USER RAM$Bo*@aliyun.com:Allen;
Grant or revoke sensitivity label access for a user
Syntax
-- Grant
grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];
-- Revoke
revoke Label on table <table_name> [(<column_list>)] from USER <user_name>;
Examples
-- Grant label level 4 access
grant Label 4 on table sale_detail to USER RAM$Bo*@aliyun.com:Allen;
-- Revoke label access
revoke Label on table sale_detail from USER RAM$Bo*@aliyun.com:Allen;
Assign permissions via a role (recommended)
Instead of granting privileges directly to each user, grant them to a role and then assign the role to multiple users. This approach scales better when managing permissions for groups of users.
Grant permissions to the Worker role, then assign it to users:
-- Grant permissions to the role (ACL-based)
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
-- Assign the role to users
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
To revoke via role, either remove the role's privileges or unassign the role from users:
-- Option 1: Revoke the role's privileges
revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
-- Option 2: Unassign the role from a user
revoke Worker from RAM$Bo*@aliyun.com:Allen;
To grant the Download permission via a role:
-- Create the role
create role Worker;
-- Grant the Download permission to the role
grant download on table sale_detail to ROLE Worker;
-- Assign the role to users
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
To grant label access via a role:
-- Create the role
create role Worker;
-- Grant label access to the role (all tables)
grant Label 4 on table * to ROLE Worker;
-- Assign the role to users
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;
grant Worker to RAM$Bob@aliyun.com:Tom;
Clean up residual permissions of a deleted user
After removing a user from a project, run the following command to purge any residual permissions that remain:
purge privs from user <user_name>;
Example
purge privs from user RAM$Bo*@aliyun.com:Allen;
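The role-based flow above and the purge step are usually run together as one lifecycle. The following is an added example, not from the original page, that walks the whole cycle for the Worker role: grant to the role, assign users, verify with the page's query commands, then offboard one user so that no residual grant survives. All names are the page's own placeholder values.

```sql
-- Added example (not from the original page): least-privilege role lifecycle
-- with verification at each step and a clean offboarding of one user.
-- Role, project, table and user names are the page's own placeholders.
use test_project_a;

-- 1. Create the role and grant it only what the job requires.
create role Worker;
grant CreateInstance, List on project test_project_a to ROLE Worker;
grant Describe, Select on table sale_detail to ROLE Worker;

-- 2. Assign the role; never grant the users directly.
grant Worker to RAM$Bo*@aliyun.com:Allen;
grant Worker to RAM$Bo*@aliyun.com:Alice;

-- 3. Verify: the role's grants and members, one member's effective
--    permissions, and the ACL entries recorded on the table itself.
describe role Worker;
show grants for RAM$Bo*@aliyun.com:Allen;
show acl for sale_detail on type table;

-- 4. Offboard Allen: unassign the role, remove the account from the
--    project, purge anything left behind, then confirm the role's members.
revoke Worker from RAM$Bo*@aliyun.com:Allen;
remove user RAM$Bo*@aliyun.com:Allen;
purge privs from user RAM$Bo*@aliyun.com:Allen;
describe role Worker;
```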
Query permission information
Query a role's permissions and attached users
Returns the privileges granted to the role and the list of users assigned to it.
describe role <role_name>;
Example
describe role Worker;
For details about the output, see Query permission information.
Query a user's permissions
Query the current user's permissions and assigned roles
show grants;
Query a specified user's permissions and assigned roles
show grants for <user_name>;
Examples
show grants for ALIYUN$Bo*@aliyun.com;
show grants for RAM$Bo*@aliyun.com:Allen;
For details about the output, see Query permission information.
Query ACL authorization on an object
Returns all Access Control List (ACL)-based grants on a specified object.
show acl for <object_name> [on type <object_type>];
Example
Query ACL grants on the test_project_a project:
show acl for test_project_a on type project;
For details, see Query the ACL authorization information of a specified object.
Query label-based permission information
All commands in this section use the LabelSecurity model.
Query all sensitive tables accessible to the current user
show label grants;
Query sensitive tables at a specific label level accessible to the current user
show label <level> grants;
Example — query tables at level 2:
show label 2 grants;
Query all sensitive tables accessible to a specified user
show label grants for user <user_name>;
Example:
show label grants for user RAM$Bob@aliyun.com:Allen;
Query sensitive tables at a specific label level accessible to a specified user
show label <level> grants for user <user_name>;
Example — query level 3 tables for a user:
show label 3 grants for user RAM$Bob@aliyun.com:Allen;
Query all users who can access a specified sensitive table
show label grants on table <table_name>;
Example:
show label grants on table sale_detail;
Query users at a specific label level who can access a specified sensitive table
show label <level> grants on table <table_name>;
Example — query level 4 users for a table:
show label 4 grants on table sale_detail;
Query a specific user's permissions on a specified sensitive table
show label [<level>] grants on table <table_name> for user <user_name>;
Example:
show label grants on table sale_detail for user RAM$Bob@aliyun.com:Allen;
Query sensitivity labels of all columns in a table
describe <table_name>;
Example:
describe sale_detail;
Query package authorization information
Query all authorizations of a package
show acl for <project_name>.<package_name> on type package;
Example:
show acl for test_project_b.datashare on type package;
Query grants on a specific resource within a package
show grants on <object_type> <object_name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
Example — query grants on a table inside a package:
show grants on Table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
Query label-based grants on a table within a package
show label grants on table <table_name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
Example:
show label grants on table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
View security configurations of a project
Project data protection (ProjectProtection)
Enable or disable data protection for the project:
set ProjectProtection=true|false;
View the current security configuration:
show SecurityConfiguration;
The output includes ProjectProtection=true|false. View added trusted projects with:
list trustedprojects;
Label-based access control (LabelSecurity)
Enable or disable the LabelSecurity policy:
set LabelSecurity=true|false;
View the current security configuration:
show SecurityConfiguration;
The output includes LabelSecurity=true|false. A value of true means label-based access control is active for the project.
Download permission control
Enable or disable download permission enforcement:
setproject odps.security.enabledownloadprivilege=true|false;
View current project properties:
setproject;
The output includes odps.security.enabledownloadprivilege = true|false. A value of true means download permission enforcement is active.