MaxCompute allows you to use the ACL-based access control method or policy-based access control method to revoke specified operation permissions on specific objects from a user or role.
Prerequisites
Before you begin, ensure that you have:
- The account of the user or the name of the role to revoke permissions from. The user or role must already be added to your MaxCompute project. Run `list users;` or `list roles;` on the MaxCompute client to look up account or role names. For more information about adding users or roles, see User planning and management and Role planning.
  - Alibaba Cloud account format: `ALIYUN$<Alibaba Cloud account>`
  - RAM user format: `RAM$<Alibaba Cloud account>:<RAM username>`
- The object type, object name, and the actions to revoke. For supported object types and actions, see MaxCompute permissions.
Who can revoke permissions
- Label-based revoke: the project owner or a user assigned the Admin role.
Limitations
ACL-based access control:
- Permissions can only be revoked on existing objects and from existing subjects. If you delete an object and create a new one with the same name, the new object does not inherit the permissions of the deleted object.
- The `WITH GRANT OPTION` clause is not supported. If User A grants User B access to an object, User B cannot grant that access to User C.
- ACL-based access control uses a whitelist mechanism only. It cannot deny actions on objects.
Policy-based access control:
- Permissions can only be granted to existing roles.
Usage notes
ACL-based access control:
- Deleting an object automatically revokes all ACL-granted permissions on that object.
- After a user is removed from a project, their permissions are retained. If the user is re-added, their historical permissions are restored. To clear residual permission data, see Completely clear the residual permission information of a removed user.
Policy-based access control:
- Policy-based permissions can be granted on objects that do not yet exist. If a permitted object is deleted, the permission record is retained. Re-creating an object with the same name restores those permissions, which may pose a security risk.
- After a user is removed, permissions are retained and restored if the user is re-added. To clear residual permission data, see Completely clear the residual permission information of a removed user.
Revoke ACL-based or policy-based permissions
Syntax
ACL-based:
```sql
revoke <actions> on <object_type> <object_name>
[(<column_list>)] from <subject_type> <subject_name>;
```
Policy-based:
```sql
revoke <actions> on <object_type> <object_name>
from ROLE <role_name>
privilegeproperties ("policy" = "true", "allow"="{true|false}");
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| actions | Yes | One or more actions to revoke, separated by commas. For supported actions, see MaxCompute permissions. |
| object_type | Yes | The type of the object. Only one type per statement. For supported types, see MaxCompute permissions. |
| object_name | Yes | The name of the object. Supports asterisks (`*`) for wildcard matching (for example, `table taobao*`) only when `subject_type` is ROLE. To look up object names, run `show tables;` for tables and views, `list resources;` for resources, `list functions;` for functions, and `show instances;` for instances. For project names, go to the MaxCompute console, select a region, and view names on the Project management tab. |
| column_list | No | Column names for column-level access control, separated by commas. Required only when `object_type` is Table and you want to control access at the column level. Applies to the Describe, Select, Alter, Update, Drop, ShowHistory, and All permissions. For sensitive data columns, use label-based access control instead. For details, see Label-based access control. |
| subject_type | Yes | The type of subject. Valid values: USER (Alibaba Cloud account or RAM user) and ROLE (role). |
| subject_name | Yes | The account or role name to revoke permissions from. Only one subject per statement. Run `list users;` or `list roles;` on the MaxCompute client to look up names. |
| role_name | Yes (policy-based) | The role name to revoke permissions from. Only one role per statement. Run `list roles;` to look up role names. |
| privilegeproperties → policy | Yes (policy-based) | Set to `true` to use policy-based access control. |
| privilegeproperties → allow | Required for whitelist | Whether to allow the action. `true` allows the action (whitelist). `false` denies it (blacklist). |
Environment
- Run these statements on the MaxCompute client.
Examples
The following examples use project test_project_a, owned by Alibaba Cloud account Bob@aliyun.com. Allen, Alice, and Tom are RAM users under Bob@aliyun.com. All statements are run on the MaxCompute client.
Example 1: Revoke column-level permissions from users
The following example revokes Describe and Select on two columns of sale_detail from Allen, and revokes all permissions on those columns from Alice.
```sql
-- Switch to the test_project_a project.
use test_project_a;
-- Revoke the Describe and Select permissions on shop_name and customer_id from Allen.
revoke Describe, Select on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Allen;
-- Revoke all permissions on shop_name and customer_id from Alice.
revoke All on table sale_detail (shop_name, customer_id) from USER RAM$Bob@aliyun.com:Alice;
-- Verify: Allen no longer has Describe and Select.
show grants for RAM$Bob@aliyun.com:Allen;
-- Verify: Alice no longer has permissions on those columns.
show grants for RAM$Bob@aliyun.com:Alice;
```
Example 2: Remove a role assignment from multiple users
The following example removes the Worker role from Alice, Tom, and Lily@aliyun.com. Each user requires a separate statement.
```sql
-- Switch to the test_project_a project.
use test_project_a;
-- Remove the Worker role from Alice.
revoke Worker from RAM$Bob@aliyun.com:Alice;
-- Remove the Worker role from Tom.
revoke Worker from RAM$Bob@aliyun.com:Tom;
-- Remove the Worker role from Lily@aliyun.com.
revoke Worker from ALIYUN$Lily@aliyun.com;
-- Verify: Lily@aliyun.com no longer has the Worker role permissions.
show grants for ALIYUN$Lily@aliyun.com;
```
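The examples above only exercise the ACL-based syntax against users. The following is an added example, not part of the original page, that applies the policy-based syntax from the Syntax section to a role, and also shows an ACL-based revoke from a role. The project test_project_a and table sale_detail are taken from the examples above; the role name data_analyst, and the assumption that the role currently holds the policy entries being removed, are hypothetical. The `desc role` statement used for verification is a MaxCompute client statement that this page does not otherwise document.

```sql
-- Switch to the test_project_a project.
use test_project_a;
-- Remove a policy-based deny entry (blacklist). The role data_analyst (hypothetical name)
-- is assumed to have been denied Select on sale_detail with "allow" = "false".
-- The allow value in the revoke selects which kind of policy entry (allow or deny) is removed,
-- so it matches the value used when the entry was granted.
revoke Select on table sale_detail from ROLE data_analyst
privilegeproperties ("policy" = "true", "allow" = "false");
-- Remove a policy-based allow entry (whitelist) on the same table from the same role.
revoke Describe, Select on table sale_detail from ROLE data_analyst
privilegeproperties ("policy" = "true", "allow" = "true");
-- ACL-based revoke from a role: same form as for a user, with ROLE as the subject type.
revoke Describe, Select on table sale_detail from ROLE data_analyst;
-- Verify: sale_detail should no longer appear among the role's ACL or policy permissions.
desc role data_analyst;
```

Because policy-based records survive deletion of the object they name (see Usage notes), revoking the policy entry rather than merely dropping the table is the step that prevents the permission from coming back when a table of the same name is re-created.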
Revoke package permissions
Revoke a user or role's access to a package in the MaxCompute project where the package is installed.
Syntax
```sql
revoke <actions> on package <project_name>.<package_name> from {USER|ROLE} <name>;
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| actions | Yes | Set to Read. |
| project_name | Yes | The MaxCompute project the package belongs to. Go to the MaxCompute console, select a region, and view project names on the Project management tab. |
| package_name | Yes | The name of the package. Run `show packages;` on the MaxCompute client to look up package names. |
| name | Yes | The account or role name to revoke access from. Only one subject per statement. Run `list users;` or `list roles;` to look up names. |
Example
The following example revokes Bella's Read access to the datashare package.
```sql
revoke Read on package test_project_a.datashare from user RAM$Amy@aliyun.com:Bella;
```
Revoke label-based permissions
The project owner or a user assigned the Admin role revokes explicitly granted label-based permissions from a user or role.
Syntax
```sql
revoke Label on table <table_name> [(<column_list>)] from {USER|ROLE} <name>;
```
Usage notes
- Revoking label-based permissions on a table also revokes all column-level label permissions in that table.
- Revoking explicit label permissions does not change the user's or role's access-level label. For example, if a user has an access level of 2 and you revoke explicit label permissions that allowed access up to level 3, the user can still access data with a sensitivity level of 2 or lower.
Parameters
| Parameter | Required | Description |
|---|---|---|
| table_name | Yes | The name of the table or view. Run `show tables;` to look up names. |
| column_list | No | Column names to revoke label permissions on, separated by commas. Specify columns to target specific sensitive columns. |
| name | Yes | The user account or role name. Run `list users;` or `list roles;` to look up names. |
Example
The following example revokes Allen's explicitly granted access to sensitive data in sale_detail. The table has columns shop_name, customer_id, and total_price. Allen is a RAM user under Bob@aliyun.com.
```sql
-- Revoke label permissions on specific columns.
revoke Label on table sale_detail(shop_name, customer_id, total_price) from USER RAM$Bob@aliyun.com:Allen;
-- View Allen's current label grants.
show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
-- Output: Allen's access level is 1; total_price still has an explicit grant for level 3.
-- User Label: 1
-- +-------------+--------------+--------------------------+
-- | Column      | GrantedLabel | Expires                  |
-- +-------------+--------------+--------------------------+
-- | total_price | 3            | 2021-12-31T19:56:18+0800 |
-- +-------------+--------------+--------------------------+
-- Revoke all table-level label permissions.
revoke Label on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
-- View Allen's grants again.
show label grants on table sale_detail for USER RAM$Bob@aliyun.com:Allen;
-- Output: User Label: 1
```
Remove a user from a role
Syntax
```sql
revoke <role_name> from <user_name>;
```
Parameters
- role_name: The name of the role to remove the user from.
- user_name: The Alibaba Cloud account or RAM user to remove. Format for an Alibaba Cloud account: `ALIYUN$<account>@aliyun.com`. Format for a RAM user: `RAM$<account>`.
Example
The following example removes alice@aliyun.com from the player role.
```sql
revoke player from ALIYUN$alice@aliyun.com;
```
Related statements
- GRANT: Grant permissions on an object to a user or role using ACL-based access control.
- SET LABEL: Configure access-level labels for users or roles and sensitivity level labels for table or column data.
- CREATE ROLE: Create a role in a MaxCompute project.
- CREATE PACKAGE: Create a package.