
MaxCompute: Grant other users the permissions on an external project

Last Updated: Feb 21, 2024

After you create an external project, the tables in the external project are owned by the Alibaba Cloud account that is used to create the external project. This topic describes how to grant other users the permissions to perform operations on a table in an external project or on an external project.

Precautions

If the data lakehouse solution is enabled for MaxCompute, MaxCompute does not persist the metadata of a data source. Therefore, policies are managed based on the names of objects in the data source. If the name of an object in the data source changes, the permissions on the object become invalid. You must run the revoke command or delete the policies to remove the permissions from the object. If you do not remove the permissions from an existing object at the earliest opportunity, a new object that has the same name as the existing object inherits the permissions. In this case, the grantee obtains unexpected permissions on the new, same-named object of the data source in the external project.
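A check for the stale-grant risk described above, as an added example that is not part of the original documentation: it compares a ledger of the grants you issued with the objects that currently exist in the data source and produces the revoke statements to run. The ledger, the use of the source object's creation time to tell same-named objects apart, and all sample names are assumptions.

```python
from typing import NamedTuple


class Grant(NamedTuple):
    privilege: str   # privilege that was granted, e.g. "All"
    table: str       # table name in the external project
    user: str        # grantee in the ALIYUN$<account_name> format
    created_at: str  # creation time of the source object when the grant was issued
                     # (assumption: you record this yourself at grant time)


def audit_grants(ledger, current_tables):
    """Return (reason, revoke_statement) for each grant whose target is gone or replaced.

    current_tables maps each table name that exists in the data source now
    to that object's creation time.
    """
    findings = []
    for g in ledger:
        now = current_tables.get(g.table)
        if now is None:
            reason = "object no longer exists under this name"
        elif now != g.created_at:
            reason = "a different object now uses this name and inherits the grant"
        else:
            continue  # same object as at grant time: the grant is still intended
        stmt = f"revoke {g.privilege} on table {g.table} from user {g.user};"
        findings.append((reason, stmt))
    return findings


# Constructed sample data, not taken from any real project.
LEDGER = [
    Grant("All", "orders", "ALIYUN$alice@example.com", "2024-01-10T08:00:00Z"),
    Grant("All", "customers", "ALIYUN$bob@example.com", "2024-01-10T08:05:00Z"),
    Grant("All", "orders_old", "ALIYUN$alice@example.com", "2023-11-02T12:00:00Z"),
]
CURRENT = {
    "orders": "2024-01-10T08:00:00Z",     # unchanged since the grant
    "customers": "2024-02-15T09:30:00Z",  # dropped and recreated under the same name
    # "orders_old" was renamed in the data source, so the name is now free
}

if __name__ == "__main__":
    for reason, stmt in audit_grants(LEDGER, CURRENT):
        print(f"-- {reason}\n{stmt}")
```

Run the generated statements in the external project before a new object can reuse the name.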

Authorization-related statements

  • Go to the external project.

    use <external_project_name>;

    external_project_name specifies the name of the external project.

  • If you want to use the external project as a RAM user, you must enable RAM support for the external project.

    add accountprovider ram;
  • If the external project that you created is based on a Hadoop external data source, you must enable the Hive-compatible data type edition.

    set odps.sql.hive.compatible=true;
  • Add a user account to the project.

    add user <Alibaba Cloud account>;

    The Alibaba Cloud account is named in the ALIYUN$<account_name> format. You can run the list users; command on the MaxCompute client (odpscmd) to query user information.

  • Grant the user the permissions to view tables in the external project.

    grant List on project <external_project_name> to USER <Alibaba Cloud account>;

  • Grant the user all permissions on a table in the external project.

    grant All on table <table_name> to user <Alibaba Cloud account>;

  • Switch to the project in which jobs are run.

    use <main_project_name>;

  • Grant the user the permissions to run jobs.

    grant CreateInstance on project <main_project_name> to user <Alibaba Cloud account>;

Note

If you want to grant access permissions on external projects to other Alibaba Cloud accounts or RAM users, you must comply with the security standards of MaxCompute to perform authorization operations. For more information, see Permission overview.

References

You can manage an external project and tables in the external project. For example, you can query or update table data. For more information, see Use SQL statements to manage an external project.