Use MaxCompute SQL to audit who has access to what — query the permissions of a user, a role, or an object, and inspect label-based and package-level access controls.
Permission indicators
Query results use single-letter codes to represent the type of permission granted:
| Code | Meaning |
|---|---|
| A | Allow — the operation is permitted |
| D | Deny — the operation is denied |
| C | With Condition — the permission applies only under specified conditions |
| G | With Grant Option — the grantee can also grant this permission to others |
Command reference
Use this overview to find the command for your scenario, then see the relevant section for the full syntax and examples.
-- Role permissions
show grants for role <role_name>;
describe role <role_name>;
-- User permissions
show grants;
show grants for <user_name>;
-- Access control list (ACL) permissions on an object
show acl for <object_name> [on type <object_type>];
-- Label-based permissions (sensitive data)
show label grants;
show label <level> grants;
show label grants for user <user_name>;
show label <level> grants for user <user_name>;
show label grants on table <table_name>;
show label <level> grants on table <table_name>;
show label [<level>] grants on table <table_name> for user <user_name>;
describe <table_name>;
-- Package permissions
show acl for <project_name>.<package_name> on type package;
show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");Run these commands from the MaxCompute client, MaxCompute Studio, or the DataWorks console.
describe role requires the project owner or a user assigned the Super_Administrator or Admin role.Query role permissions
Query permissions of a specified role
show grants for role <role_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
role_name | Yes | Name of the role. Run list roles; on the MaxCompute client to list available roles. |
Query result: Returns ACL-based, policy-based, and Download permissions for the role.
Example
Query permissions for the Worker role in test_project_a:
show grants for role Worker;Output:
Authorization Type: ACL
[role/Worker]
A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List
A projects/test_project_a/tables/bank_data: Download | Describe | Select Expires:20xx-xx-xxTxx:xx:xx+xxxx
Authorization Type: Policy
[role/Worker]
A projects/test_project_a/tables/bak*: Download
A projects/test_project_a/tables/sale_detail: Update
A projects/test_project_a/tables/tb_*: Download | Drop
A projects/test_project_a/tables/view_1: DropQuery permissions and assigned users for a specified role
Requires the project owner or a user assigned the Super_Administrator or Admin role.
describe role <role_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
role_name | Yes | Name of the role. Run list roles; on the MaxCompute client to list available roles. |
Query result: Returns ACL-based, policy-based, and Download permissions for the role, plus a list of users assigned to it.
Example
Bob@aliyun.com owns test_project_a. The Worker role is used in the project. Query the Worker role's permissions and its assigned users:
describe role Worker;Output:
[users]
RAM$Bob@aliyun.com:Allen
Authorization Type: ACL
A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List
A projects/test_project_a/tables/bank_data: Download
Authorization Type: Policy
A projects/test_project_a/tables/bak*: Download
A projects/test_project_a/tables/sale_detail: Update
A projects/test_project_a/tables/tb_*: Download | Drop
A projects/test_project_a/tables/view_1: DropQuery user permissions
Query permissions of the current user
show grants;Query result:
If the current user is the project owner: returns the Alibaba Cloud account and the projects created by the user.
Otherwise: returns the user's assigned roles and their ACL-based, policy-based, and Download permissions.
Example
Bob@aliyun.com owns test_project_a. Allen is a RAM user added to the project.
As the project owner (Bob@aliyun.com):
show grants;Output:
[ALIYUN$Bob@aliyun.com]
projects/test_project_a: Project OwnerAs the RAM user Allen:
show grants;Output:
[roles]
worker
Authorization Type: ACL
[user/RAM$Bob@aliyun.com:Allen]
A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List
A projects/test_project_a/packages/project_test_b.datashare: Read
Authorization Type: Policy
[role/worker]
A projects/test_project_a/tables/tb_*: Drop | DownloadQuery permissions of a specified user
show grants for <user_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
user_name | Yes | Name of the user. For RAM users, use the format RAM$<account_name>:<ram_user_name>. Run list users; on the MaxCompute client to list users. |
Query result:
If the specified user is the project owner: returns the Alibaba Cloud account and the projects created by the user.
Otherwise: returns the user's assigned roles and their ACL-based, policy-based, and Download permissions.
Example
Query permissions for the Alibaba Cloud account Bob@aliyun.com:
show grants for ALIYUN$Bob@aliyun.com;Output:
[ALIYUN$Bob@aliyun.com]
projects/test_project_a: Project OwnerQuery permissions for the RAM user Allen:
show grants for RAM$Bob@aliyun.com:Allen;Output:
[roles]
worker
Authorization Type: ACL
[user/RAM$Bob@aliyun.com:Allen]
A projects/test_project_a: CreateTable | CreateResource | CreateInstance | CreateFunction | List
A projects/test_project_a/packages/project_test_b.datashare: Read
Authorization Type: Policy
[role/worker]
A projects/test_project_a/tables/tb_*: Drop | DownloadQuery ACL-based permissions on an object
show acl for <object_name> [on type <object_type>];Parameters
| Parameter | Required | Description |
|---|---|---|
object_name | Yes | Name of the object. See below for how to get names by object type. |
object_type | No | Type of the object. Valid values: Project, Table, Model, Resource, Function, Instance. Defaults to Table if omitted. |
Getting object names by type
| Object type | Command |
|---|---|
| Project | View on the the MaxCompute consoleProject management tab in the MaxCompute console. Only the current project is accessible. |
| Table or view | Run show tables; on the MaxCompute client |
| Resource | Run list resources; on the MaxCompute client |
| Function | Run list functions; on the MaxCompute client |
| Instance | Run show instances; on the MaxCompute client (instance names equal instance IDs) |
Query result: Returns the roles and users that have permissions on the object, along with their ACL-based permissions.
Examples
Query permissions on the test_project_a project:
show acl for test_project_a on type project;Output:
Authorization Type: Implicit
AG project_owner/ALIYUN$Bob@aliyun.com: All
AG admin/ALIYUN$Bob@aliyun.com: All
Authorization Type: ACL
A role/worker(projects/test_project_a): CreateTable | CreateResource | CreateInstance | CreateFunction | List
A role/worker1(projects/test_project_a): CreateTable | CreateResource | CreateInstance | CreateFunction | List
A role/worker2(projects/test_project_a): CreateTable | CreateResource | CreateInstance | CreateFunctionQuery permissions on the sale_detail table:
show acl for sale_detail on type table;Output:
Authorization Type: Implicit
AG project_owner/ALIYUN$Bob@aliyun.com: All
AG admin/ALIYUN$Bob@aliyun.com: All
AG object_creator/ALIYUN$Bob@aliyun.com: All
Authorization Type: ACL
A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/tables/sale_detail/customer_id): Describe | Select
A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/tables/sale_detail/shop_name): Describe | SelectQuery permissions on the udtf.jar resource:
show acl for udtf.jar on type resource;Output:
Authorization Type: Implicit
AG project_owner/ALIYUN$Bob@aliyun.com: All
AG admin/ALIYUN$Bob@aliyun.com: All
AG object_creator/ALIYUN$Bob@aliyun.com: All
Authorization Type: ACL
A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/resources/udtf.jar): Read | WriteQuery permissions on the UDTFResource function:
show acl for UDTFResource on type function;Output:
Authorization Type: Implicit
AG project_owner/ALIYUN$Bob@aliyun.com: All
AG admin/ALIYUN$Bob@aliyun.com: All
AG object_creator/ALIYUN$Bob@aliyun.com: All
Authorization Type: ACL
A role/worker1(acs:odps:*:projects/test_project_a/registration/functions/udtfresource): Download
A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/registration/functions/udtfresource): AllQuery permissions on an instance:
show acl for 20220105031923461ghu**** on type instance;Output:
Authorization Type: Implicit
AG project_owner/ALIYUN$Bob@aliyun.com: All
AG admin/ALIYUN$Bob@aliyun.com: All
AG object_creator/ALIYUN$Bob@aliyun.com: All
Authorization Type: ACL
A user/RAM$Bob@aliyun.com:Allen(acs:odps:*:projects/test_project_a/instances/20220105031923461ghu****): AllQuery label-based permissions
Label-based permissions control access to sensitive data tables and columns. Sensitivity levels range from 1 (lowest) to 4 (highest). The following commands let you find which sensitive tables a user can access, which users can access a given table, and what label each column carries.
Query all sensitive tables the current user can access
show label grants;Query result
| Field | Description |
|---|---|
| User Label | The current user's access label level |
| TableName | Name of the sensitive table the user can access |
| GrantedLabel | The label level the user is granted on the table |
| Expires | When the permission expires |
Example
Bob@aliyun.com owns test_project_a. Allen is a RAM user in the project.
As Bob@aliyun.com (project owner):
show label grants;Output:
User Label: 0
+--------------+--------------+--------------------------+
| TableName | GrantedLabel | Expires |
+--------------+--------------+--------------------------+
| bank_data | 3 | 2022-07-04T16:30:47+0800 |
+--------------+--------------+--------------------------+
| bank_data_pt | 4 | 2022-07-04T16:36:04+0800 |
+--------------+--------------+--------------------------+As the RAM user Allen:
show label grants;Output:
User Label: 1
+-------------+--------------+--------------------------+
| TableName | GrantedLabel | Expires |
+-------------+--------------+--------------------------+
| sale_detail | 2 | 2022-01-09T11:43:27+0800 |
+-------------+--------------+--------------------------+Query sensitive tables of a specified level the current user can access
show label <level> grants;Parameters
| Parameter | Required | Description |
|---|---|---|
level | Yes | The sensitivity level to filter by (1–4) |
Example
As Bob@aliyun.com, query level-3 sensitive tables:
show label 3 grants;Output:
User Label: 0
+--------------+--------------+--------------------------+
| TableName | GrantedLabel | Expires |
+--------------+--------------+--------------------------+
| bank_data | 3 | 2022-07-04T16:30:47+0800 |
+--------------+--------------+--------------------------+As the RAM user Allen, query level-2 sensitive tables:
show label 2 grants;Output:
User Label: 1
+-------------+--------------+--------------------------+
| TableName | GrantedLabel | Expires |
+-------------+--------------+--------------------------+
| sale_detail | 2 | 2022-01-09T11:43:27+0800 |
+-------------+--------------+--------------------------+Query sensitive tables a specified user can access
show label grants for user <user_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
user_name | Yes | Name of the user. Run list users; on the MaxCompute client to list users. |
Example
Query sensitive tables that RAM user Allen can access:
show label grants for user RAM$Bob@aliyun.com:Allen;Output:
User Label: 2
+-----------+--------------+--------------------------+
| TableName | GrantedLabel | Expires |
+-----------+--------------+--------------------------+
| bank_data | 3 | 2022-07-04T16:29:32+0800 |
+-----------+--------------+--------------------------+Query sensitive tables of a specified level that a specified user can access
show label <level> grants for user <user_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
level | Yes | The sensitivity level to filter by (1–4) |
user_name | Yes | Name of the user. Run list users; on the MaxCompute client to list users. |
Example
Query level-3 sensitive tables that RAM user Allen can access:
show label 3 grants for user RAM$Bob@aliyun.com:Allen;Output:
User Label: 2
+-----------+--------------+--------------------------+
| TableName | GrantedLabel | Expires |
+-----------+--------------+--------------------------+
| bank_data | 3 | 2022-07-04T16:29:32+0800 |
+-----------+--------------+--------------------------+Query users authorized to access a specified sensitive table
show label grants on table <table_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
table_name | Yes | Name of the sensitive table. Run show tables; on the MaxCompute client to list tables. |
Query result
| Field | Description |
|---|---|
| Sensitive Label Range | The label level range of the table |
| UserName | Users and roles with access to the table |
| GrantedLabel | The label level each user is granted |
| Expires | When the permission expires |
Example
Query users who can access the sale_detail table in test_project_a:
show label grants on table sale_detail;Output:
Sensitive Label Range: [3, 4]
+-------------------------------------------------+--------------+--------------------------+
| UserName | GrantedLabel | Expires |
+-------------------------------------------------+--------------+--------------------------+
| worker | 4 | 2022-07-04T11:23:35+0800 |
+-------------------------------------------------+--------------+--------------------------+
| RAM$Bob@aliyun.com:Allen | 4 | 2022-07-04T17:54:00+0800 |
+-------------------------------------------------+--------------+--------------------------+Query users of a specified level who can access a specified sensitive table
show label <level> grants on table <table_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
level | Yes | The sensitivity level to filter by (1–4) |
table_name | Yes | Name of the sensitive table. Run show tables; on the MaxCompute client to list tables. |
Example
Query level-4 users who can access the sale_detail table:
show label 4 grants on table sale_detail;Output:
Sensitive Label Range: [3, 4]
+-------------------------------------------------+--------------+--------------------------+
| UserName | GrantedLabel | Expires |
+-------------------------------------------------+--------------+--------------------------+
| worker | 4 | 2022-07-04T11:23:35+0800 |
+-------------------------------------------------+--------------+--------------------------+
| RAM$Bob@aliyun.com:Allen | 4 | 2022-07-04T17:54:00+0800 |
+-------------------------------------------------+--------------+--------------------------+Query a specified user's permissions on a specified sensitive table
show label [<level>] grants on table <table_name> for user <user_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
level | No | The sensitivity level to filter by (1–4). Omit to return all levels. |
table_name | Yes | Name of the sensitive table. Run show tables; on the MaxCompute client to list tables. |
user_name | Yes | Name of the user. Run list users; on the MaxCompute client to list users. |
Query result
| Field | Description |
|---|---|
| User Label | The user's access label level |
| Column | Columns the user can access in the table |
| GrantedLabel | The label level the user is granted on each column |
| Expires | When the permission expires |
Example
Query what columns RAM user Allen can access in the sale_detail table:
show label grants on table sale_detail for user RAM$Bob@aliyun.com:Allen;Output:
User Label: 2
+-------------+--------------+--------------------------+
| Column | GrantedLabel | Expires |
+-------------+--------------+--------------------------+
| customer_id | 4 | 2022-07-04T17:54:00+0800 |
+-------------+--------------+--------------------------+
| shop_name | 4 | 2022-07-04T17:54:00+0800 |
+-------------+--------------+--------------------------+
| total_price | 4 | 2022-07-04T17:54:00+0800 |
+-------------+--------------+--------------------------+Query sensitivity levels of all columns in a specified table
describe <table_name>;Parameters
| Parameter | Required | Description |
|---|---|---|
table_name | Yes | Name of the table. Run show tables; on the MaxCompute client to list tables. |
Query result: Returns TableLabel (the table's overall sensitivity level), MaxLabel (the highest column-level sensitivity label in the table), and Label (the sensitivity level of each column).
Example
Query sensitivity levels for the sale_detail table and its columns:
describe sale_detail;Output:
+------------------------------------------------------------------------------------+
| Owner: ALIYUN$Bob@aliyun.com | Project: project_test_a |
| TableComment: |
+------------------------------------------------------------------------------------+
| CreateTime: 2021-12-13 11:27:04 |
| LastDDLTime: 2021-12-13 11:27:04 |
| LastModifiedTime: 2021-12-13 11:27:26 |
+------------------------------------------------------------------------------------+
| TableLabel: 3 |
| MaxLabel: L4 |
+------------------------------------------------------------------------------------+
| InternalTable: YES | Size: 784 |
+------------------------------------------------------------------------------------+
| Native Columns: |
+------------------------------------------------------------------------------------+
| Field | Type | Label | Comment |
+------------------------------------------------------------------------------------+
| shop_name | string | 4 | |
| customer_id | string | 4 | |
| total_price | double | 3 | |
+------------------------------------------------------------------------------------+
| Partition Columns: |
+------------------------------------------------------------------------------------+
| sale_date | string | |
| region | string | |
+------------------------------------------------------------------------------------+Query package permissions
Query permissions on a specified package
show acl for <project_name>.<package_name> on type package;Parameters
| Parameter | Required | Description |
|---|---|---|
project_name | Yes | Name of the project the package belongs to. Run describe package <package_name>; on the MaxCompute client to find the project name. |
package_name | Yes | Name of the package. Run show packages; on the MaxCompute client to list packages. |
Query result: Returns the built-in roles and users with management permissions on the package, along with their ACL-based permissions.
Example
Query permissions on the datashare package installed in test_project_b:
show acl for test_project_b.datashare on type package;Output:
Authorization Type: Implicit
AG project_owner/ALIYUN$Bob@aliyun.com: All
AG admin/ALIYUN$Bob@aliyun.com: All
Authorization Type: ACL
A user/RAM$Amy@aliyun.com:Bella(acs:odps:*:projects/test_project_b/packages/test_project_a.datashare): ReadQuery permissions on an object in a specified package
show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");Parameters
| Parameter | Required | Description |
|---|---|---|
object_type | Yes | Type of the object in the package. Run describe package <project_name>.<package_name>; on the MaxCompute client to find the type. |
object_name | Yes | Name of the object in the package. Run describe package <project_name>.<package_name>; to find the name. |
project_name | Yes | Name of the project the package belongs to. Run describe package <project_name>.<package_name>; to find the project name. |
package_name | Yes | Name of the package. Run show packages; on the MaxCompute client to list packages. |
Query result: Returns the built-in roles and users with permissions on the specified object in the package, along with their ACL-based permissions.
Example
Query permissions on the sale_detail table in the datashare package:
show grants on Table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");Output:
Authorization Type: Implicit
AG project_owner/: All
Authorization Type: InstalledObjecACL
[datashare]
A user/RAM$Amy@aliyun.com:Bella(acs:odps:*:projects/test_project_a/tables/sale_detail): SelectQuery label-based permissions on a table in a specified package
show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");Parameters
| Parameter | Required | Description |
|---|---|---|
table_name | Yes | Name of the table in the package. Run describe package <project_name>.<package_name>; on the MaxCompute client to find the table name. |
project_name | Yes | Name of the project the package belongs to. Run describe package <package_name>; to find the project name. |
package_name | Yes | Name of the package. Run show packages; on the MaxCompute client to list packages. |
Query result
| Field | Description |
|---|---|
| Sensitive Label Range | The label level range of the table |
| UserName | Users and roles with label-based access to the table |
| GrantedLabel | The label level each user is granted |
| Expires | When the permission expires |
Example
Query label-based permissions on the sale_detail table in the datashare package:
show label grants on table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");Output:
Sensitive Label Range: [2, 4]
+-------------------------------------------------+--------------+--------------------------+
| UserName | GrantedLabel | Expires |
+-------------------------------------------------+--------------+--------------------------+
| RAM$Amy@aliyun.com:Bella | 3 | 2022-07-12T22:24:24+0800 |
+-------------------------------------------------+--------------+--------------------------+