Use SQL statements to manage users and roles in a MaxCompute project. The typical workflow is:
1. Add users to the project.
2. Create a role and grant it permissions on project objects.
3. Assign the role to users.
4. To remove access, revoke the role from the user before removing the user or deleting the role.
You can run these statements on the MaxCompute client, the DataWorks console, or MaxCompute Studio.
The following table summarizes the available operations.
| Operation | Description |
|---|---|
| Add a user | Add an Alibaba Cloud account or a RAM user to a project. |
| Remove a user | Remove an Alibaba Cloud account or a RAM user from a project. |
| List users | View all users in a project. |
| Create a role | Create a role in a project. |
| List roles | View all roles in a project. |
| Grant a role to a user | Assign a role to a user. |
| Revoke a user from a role | Remove a role assignment from a user. |
| Delete a role | Delete a role from a project. |
Add a user
Adds an Alibaba Cloud account or a Resource Access Management (RAM) user to a MaxCompute project.
You can only add RAM users that belong to your own Alibaba Cloud account. RAM users from other Alibaba Cloud accounts cannot be added.
Required role: Project owner or Super_Administrator role.
Syntax
add user <user_name>;
Parameter
| Parameter | Required | Description |
|---|---|---|
| user_name | Yes | The name of the account to add. Format: ALIYUN$<username>@aliyun.com for Alibaba Cloud accounts, or RAM$<username> for RAM users. |
Examples
Add an Alibaba Cloud account:
add user ALIYUN$test_user@aliyun.com;
Add a RAM user:
add user RAM$ram_test_user;
Remove a user
Removes an Alibaba Cloud account or a RAM user from a MaxCompute project. After removal, the user can no longer access project resources.
Revoke the role from the user before removing them. MaxCompute retains permission data after removal — if you add the user back, their historical access permissions are restored automatically.
Syntax
remove user <user_name>;
Parameter
| Parameter | Required | Description |
|---|---|---|
| user_name | Yes | The name of the account to remove. Format: ALIYUN$<username>@aliyun.com for Alibaba Cloud accounts, or RAM$<username> for RAM users. |
Examples
Remove an Alibaba Cloud account:
remove user ALIYUN$test_user@aliyun.com;
Remove a RAM user:
remove user RAM$ram_test_user;
List users
Lists all users in a MaxCompute project.
list users;
Create a role
Creates a role in a MaxCompute project. After creating a role, grant it permissions on project objects before assigning it to users. For details, see Grant a role or user.
Syntax
create role <role_name>;
Parameter
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role to create. |
Example
-- Create the player role.
create role player;
List roles
Lists all roles in a MaxCompute project.
list roles;
Grant a role to a user
Assigns a role to a user. The user inherits all permissions associated with the role.
Grant the role permissions on project objects before assigning it to users. For details, see Grant a role or user.
Syntax
grant <role_name> to <user_name>;
Parameters
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role to assign. |
| user_name | Yes | The name of the account to assign the role to. Format: ALIYUN$<username>@aliyun.com for Alibaba Cloud accounts, or RAM$<username> for RAM users. |
Example
-- Grant the player role to the Alibaba Cloud account test_user@aliyun.com.
grant player to ALIYUN$test_user@aliyun.com;
Revoke a user from a role
Removes a role assignment from a user. The user loses all permissions associated with the role.
Syntax
revoke <role_name> from <user_name>;
Parameters
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role to revoke. |
| user_name | Yes | The name of the account to revoke the role from. Format: ALIYUN$<username>@aliyun.com for Alibaba Cloud accounts, or RAM$<username> for RAM users. |
Example
-- Revoke the player role from the Alibaba Cloud account alice@aliyun.com.
revoke player from ALIYUN$alice@aliyun.com;
Delete a role
Deletes a role from a MaxCompute project.
Make sure no users are assigned to the role before deleting it. Revoke the role from all users first.
Syntax
drop role <role_name>;
Parameter
| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role to delete. |
Example
-- Delete the player role.
drop role player;
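The ordering rules above (revoke a user's roles before removing the user, and revoke a role from every user before dropping it) can be turned into a small statement planner. This is an added example, not part of the MaxCompute documentation; the `assignments` inventory, the function names and the allowed-character patterns are assumptions.

```python
import re

# Name formats from this page: ALIYUN$<username>@aliyun.com or RAM$<username>.
# The characters allowed inside <username> and role names are assumptions.
PRINCIPAL = re.compile(r"ALIYUN\$[A-Za-z0-9._-]+@aliyun\.com|RAM\$[A-Za-z0-9._@-]+")
ROLE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")


def check(pattern, value, kind):
    """Accept only a plain name, so no extra SQL can ride along in a statement."""
    if not pattern.fullmatch(value):
        raise ValueError(f"invalid {kind}: {value!r}")
    return value


def offboard_user(user, assignments):
    """Statements to remove `user`: revoke every role they hold, then remove them.

    `assignments` maps role name -> set of user names. It is a hypothetical
    inventory kept by the administrator, not something these statements return.
    """
    check(PRINCIPAL, user, "user name")
    plan = [f"revoke {check(ROLE, role, 'role name')} from {user};"
            for role, members in sorted(assignments.items()) if user in members]
    plan.append(f"remove user {user};")
    return plan


def retire_role(role, assignments):
    """Statements to delete `role`: revoke it from all members, then drop it."""
    check(ROLE, role, "role name")
    plan = [f"revoke {role} from {check(PRINCIPAL, member, 'user name')};"
            for member in sorted(assignments.get(role, ()))]
    plan.append(f"drop role {role};")
    return plan


# Constructed sample inventory, not real accounts.
SAMPLE = {
    "player": {"ALIYUN$test_user@aliyun.com", "RAM$ram_test_user"},
    "auditor": {"RAM$ram_test_user"},
}

if __name__ == "__main__":
    print("\n".join(offboard_user("RAM$ram_test_user", SAMPLE)))
    print("\n".join(retire_role("player", SAMPLE)))
```

Because MaxCompute retains permission data after a user is removed, emitting the `revoke` statements first is what keeps a later `add user` from silently restoring the old access.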