Roles let you grant the same set of permissions to multiple users without configuring each user individually. Role-based access control (RBAC) reduces permission management overhead — assign permissions to a role once, then add or remove users from the role as needed.
MaxCompute supports two role types: administrator roles and resource roles. You can use built-in roles for common administrative tasks, or create custom roles tailored to your team's structure.
Role types
MaxCompute categorizes roles by the type of permissions they can hold:
| Role type | Permission scope | How permissions are granted |
|---|---|---|
| Administrator role | Management permissions (user management, security configuration) | Policies only — not ACLs |
| Resource role | Object resource permissions (tables, packages, quotas) | ACLs or policies |
Administrator roles cannot hold resource permissions. Resource roles cannot hold management permissions.
Built-in roles
MaxCompute provides four built-in administrator roles across two scopes.
Project-level built-in roles
Super_Administrator
The highest-level built-in role in a project. Holds all resource operation permissions and all management permissions. The project owner or any user assigned the Super_Administrator role can assign this role to other users.
Admin
A built-in administrator role provided by MaxCompute with all resource operation permissions and a subset of management permissions. It is used to manage permissions for all objects and network connections (Networklink). Restrictions:
Only the project owner can assign the Admin role to users.
Users assigned the Admin role cannot reassign the Admin role to others.
Users assigned the Admin role cannot configure security policies, modify authentication models, or modify the permissions of the Admin role itself.
Tenant-level built-in roles
Super_Administrator
Holds all permissions that an Alibaba Cloud account has on MaxCompute, except the permissions to create a project, delete a project, and activate the MaxCompute service.
Admin
Holds permissions to manage all objects and network connections within the tenant.
Default project access
Project owners have all permissions on the projects that they created. Only the project owner can access objects in a project by default. Other users cannot access project objects unless the project owner explicitly grants them the required permissions.
Permissions of project-level administrator roles
The following table lists the permissions available to each project-level administrator role.
| Permission type | Object | Operation | Description |
|---|---|---|---|
| Project security configuration | Project | SetSecurityConfiguration | Configure security settings for a project. |
| Project security configuration | Project | GetSecurityConfiguration | Query the security settings of a project. |
| Management of protected projects | Project | AddTrustedProject | Add a protected project. |
| Management of protected projects | Project | RemoveTrustedProject | Remove a protected project. |
| Management of protected projects | Project | ListTrustedProjects | Query protected projects. |
| User management | Project | AddUser | Add a user. |
| User management | Project | RemoveUser | Remove a user. |
| User management | Project | ListUsers | Query users. |
| User management | Project | ListUserRoles | Query the roles assigned to a user. |
| Role management | Project | CreateRole | Create a role. |
| Role management | Project | DescribeRole | View the permissions of a role. |
| Role management | Project | AlterRole | Modify the attributes of a role. |
| Role management | Project | DropRole | Drop a role. |
| Role management | Project | ListRoles | Query roles. |
| Permission management by using a role | Role | GrantRole | Assign a role to a user. |
| Permission management by using a role | Role | RevokeRole | Revoke a role from a user. |
| Permission management by using a role | Role | ListRolePrincipals | Query the users assigned a specific role. |
| Package management | Project | CreatePackage | Create a package. |
| Package management | Project | ShowPackages | View packages. |
| Package management | Package | DescribePackage | View the details of a package. |
| Package management | Package | DropPackage | Drop a package. |
| Package management | Package | InstallPackage | Install a package. |
| Package management | Package | UninstallPackage | Uninstall a package. |
| Package management | Package | AllowInstallPackage | Allow a package to be installed and used in other projects. |
| Package management | Package | DisallowInstallPackage | Revoke the permissions for a package to be installed and used in other projects. |
| Package management | Package | AddPackageResource | Add a resource to a package. |
| Package management | Package | RemovePackageResource | Remove a resource from a package. |
| Label management | Table | GrantLabel | Grant permissions to a role or user by using labels. |
| Label management | Table | RevokeLabel | Revoke label-based permissions from a role or user. |
| Label management | Table | ShowLabelGrants | Query the label-based permissions granted to a role or user. |
| Label management | Table | SetDataLabel | Configure labels for a role or user. |
| Clearance of expired permissions | Project | ClearExpiredGrants | Clear information about expired permissions. |
In the original table, one icon marks that a role (Project owner, Super_Administrator, or Admin) holds the permission and another marks that it does not; those per-role icons did not survive extraction and are not reproduced here.
Delete a role (tenant level)
To delete a tenant-level role in the MaxCompute console, perform the following steps:
Log on to the MaxCompute console and select a region in the top-left corner.
On the Role Management tab, find the target role and click Delete in the Actions column.
In the Delete Role dialog box, click OK.
Modify a role (tenant level)
You can modify only the access policy of a role. You cannot modify the role name.
To modify the access policy of a tenant-level role in the MaxCompute console, perform the following steps:
Log on to the MaxCompute console and select a region in the top-left corner.
On the Role Management tab, find the target role and click Permission Management in the Actions column.
In the Edit Role dialog box, click OK.
Create a role (tenant level)
To create a tenant-level role in the MaxCompute console, perform the following steps:
Log on to the MaxCompute console and select a region in the top-left corner.
On the Role Management tab, click Add Role.
In the Add Role dialog box, configure the parameters that are described in the following table.
| Parameter Name | Description |
|---|---|
| Role Name | The name of the new tenant-level role. The name must be unique within your Alibaba Cloud account and must meet the following requirements: it must start with a letter; it can contain only letters, underscores (_), and digits; it must be 6 to 64 characters in length. |
| Policy Content | The access policy for the role. You can edit the policy code in the interface based on a policy template. |
Click OK.
Custom roles
When built-in roles don't match your team's requirements, create custom roles. The types available depend on the scope:
| Scope | Role type | What you can grant |
|---|---|---|
| Project level | Administrator or resource | Management permissions or object resource permissions within a project |
| Tenant level | Resource only | Permissions on object resources such as quotas, network links, and projects |
Create a project-level role
Project owners and users assigned a built-in project-level role can create, query, and drop custom roles using the MaxCompute client, MaxCompute Studio, or the DataWorks console.
After creating a role, assign it to users to put its permissions into effect. For details, see Assign a role to a user.
Syntax
```sql
create role <role_name> [privilegeproperties("type"="admin|resource")];
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role. Must be unique within a project. Rules: starts with a letter; contains only letters and digits; 1–64 characters in length. Run `list roles;` on the MaxCompute client to check existing role names. |
| privilegeproperties | No | The role type. `"type"="admin"` creates an administrator role whose permissions can only be granted through policies. `"type"="resource"` creates a resource role whose permissions can be granted through ACLs or policies. If omitted, a resource role is created by default. |
Examples
Create a resource role named Worker:
```sql
create role Worker;
```
Create an administrator role named sale_admin:
```sql
create role sale_admin privilegeproperties("type"="admin");
```
Query project-level roles
Syntax
```sql
list roles;
```
Example
```sql
list roles;
```
Output:
```
admin
super_administrator
worker
```
Drop a project-level role
Before dropping a role, be aware of the following:
A role can only be dropped if no users are currently assigned to it. Revoke the role from all assigned users first. For details, see Revoke a role from a user.
Dropping a role does not delete its permissions. ACL-based, policy-based, and label-based permissions tied to the role remain in the project. If a new role is created with the same name, it inherits those residual permissions. Run `purge privs from role <role_name>;` after dropping the role to remove them.
Syntax
```sql
drop role <role_name>;
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role to drop. Run `list roles;` on the MaxCompute client to check existing role names. |
Example
```sql
drop role Worker;
```
Delete permissions of a dropped role
After a role is dropped, its residual permissions (ACL-based, policy-based, and label-based) remain in the project. The project owner, Admin, or Super_Administrator can remove them with the following command.
Run this command only after the role is dropped. If the role still exists, the command returns: "Principal <role_name> still exist in the project".
Syntax
```sql
purge privs from role <role_name>;
```
Parameters
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the dropped role whose permissions you want to delete. Run `list roles;` to verify the role no longer exists before running this command. |
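The project-level role lifecycle described in the sections above (create, grant, revoke, drop, purge), as an added example in MaxCompute client command syntax; it is not code from the original page. The table `sales_orders` and the user `RAM$owner_account:alice` are constructed placeholders, and the `grant ... on table ... to role` and `grant <role> to <user>` statements are the MaxCompute security commands this page refers to ("Assign a role to a user") but does not show.

```sql
-- Added example (not from the original page): the project-level role lifecycle,
-- ending with the drop-then-purge sequence the text recommends.
-- Placeholders: table sales_orders, user RAM$owner_account:alice.

-- 1. Create a resource role (the default type) and an administrator role.
create role data_reader;
create role sale_admin privilegeproperties("type"="admin");

-- 2. Grant an ACL permission to the resource role and assign the role to a user.
--    An administrator role could not receive this ACL grant; it accepts policies only.
grant select on table sales_orders to role data_reader;
grant data_reader to RAM$owner_account:alice;

-- 3. Before dropping, check the role's permissions and assigned users;
--    drop role fails while any user is still assigned.
describe role data_reader;

-- 4. Revoke the role from every assigned user, then drop it.
revoke data_reader from RAM$owner_account:alice;
drop role data_reader;

-- 5. The ACL grant from step 2 is still stored against the name "data_reader".
--    A new role created with that name would inherit it, so purge right away.
purge privs from role data_reader;

-- 6. Re-creating the name now starts from an empty permission set.
create role data_reader;
describe role data_reader;
```

Running step 5 while the role still exists returns the "Principal data_reader still exist in the project" error quoted above, which is the signal that the revoke-and-drop steps were skipped.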
What's next
Grant permissions to the roles you created: Perform access control based on project-level roles
Assign roles to users to put permissions into effect: Assign a role to a user
Limits
You can plan and manage tenant-level roles only in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), and China (Shenzhen).