This topic describes the permissions that are supported in MaxCompute.
Background information
MaxCompute supports fine-grained access control on projects, quotas, network connections, tables, functions, resources, and instances. MaxCompute also allows you to control Tunnel downloads, access to sensitive data, and cross-project access. You can grant specific permissions on objects in a project to users based on the operation scope. This ensures object security.
The following table describes the elements that are involved in authorization operations.
Permission element | Description
--- | ---
Subject | The user or role to which you want to grant permissions. Note: A user who performs authorization operations is called an authorizer. An authorizer can perform authorization operations only if the authorizer has the capability to grant permissions on the objects and actions involved.
Object | An object in a MaxCompute tenant, or an object or behavior in a MaxCompute project.
Actions | The actions vary based on the object type. For example, you can read data from, write data to, and query data from tables.
Permissions on objects in a tenant
The following table describes the permission relationships of objects in a MaxCompute tenant.
Object | Action | Description | Authorized by | Authorization method
--- | --- | --- | --- | ---
Networklink | List | Allows you to view all types of network connections. | | Grant permissions to roles: Policy-based access control.
Networklink | CreateNetworklink | Allows you to create a network connection in a MaxCompute tenant. | | Grant permissions to roles: Policy-based access control.
Networklink | Describe | Allows you to read the metadata of a network connection in a MaxCompute tenant. | | Grant permissions to roles: Policy-based access control.
Networklink | Drop | Allows you to delete a network connection. | | Grant permissions to roles: Policy-based access control.
Networklink | All | Allows you to perform all the preceding operations on network connections. | | Grant permissions to roles: Policy-based access control.
Quota | Usage | Allows you to | |
Permissions on projects and objects in projects
This section describes the permissions supported by MaxCompute projects and objects in MaxCompute projects.
Objects
The following table describes the permission relationships of MaxCompute projects and permission relationships of objects in MaxCompute projects.
Object | Action | Description | Authorized by | Authorization method
--- | --- | --- | --- | ---
Project | Read | Allows you to view information about a project, excluding objects in the project. | Project owner | Not supported
Project | Write | Allows you to update information about a project, excluding objects in the project. | Project owner | Not supported
Project | List | Allows you to query all types of objects in a project. For example, you can run the `show tables;` or `show functions;` command to query tables or functions. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateTable | Allows you to create a table in a project. For example, you can run the `create table <table_name> ...;` command to create a table. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateInstance | Allows you to create an instance in a project. When you run jobs, instances are created. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateFunction | Allows you to create a function in a project. For example, you can run the `create function <function_name> ...;` command to create a function. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | CreateResource | Allows you to add a resource to a project. For example, you can run the `add file\|archive\|py\|jar <local_file> ...;` or `add table <table_name> ...;` command to add a resource. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Project | All | Allows you to perform all the preceding operations on a project. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Describe | Allows you to read the metadata of a table, including the table structure, creation time, modification time, and table data size. For example, you can run the `desc <table_name>;` command to read the metadata of a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Select | Allows you to query the data of a table. For example, you can run the `select * from <table_name>;` command to query the data of a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Alter | Allows you to modify the metadata of a table. You can change the owner of a table, the name of a table, or the name of a column, and add or delete partitions. For example, you can run the `alter table <table_name> add if not exists partition ...;` command to modify the metadata of a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Update | Allows you to update the data of a table. For example, you can run the `insert into\|overwrite table <table_name> ...;`, `update <table_name> set ...;`, or `delete from <table_name> where ...;` command to update the data of a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | Drop | Allows you to drop a table. For example, you can run the `drop table <table_name>;` command to drop a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | ShowHistory | Allows you to query the backup data of a table. For example, you can run the `show history for table <table_name>;` command to query the backup data of a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Table | All | Allows you to perform all the preceding operations on a table. | Table owner; project owner; users assigned the Super_Administrator role; users assigned the Admin role (excluding permissions to change table owners) | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Read | Allows you to read the program file in which a MaxCompute UDF is called. | Function owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Write | Allows you to update a UDF. | Function owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Delete | Allows you to delete a UDF. For example, you can run the `drop function <function_name>;` command to delete a UDF. | Function owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | Execute | Allows you to call a UDF. For example, you can run the `select <function_name> from ...;` command to call a UDF. | Function owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Function | All | Allows you to perform all the preceding operations on a function. | Function owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | Read | Allows you to read a resource. | Resource owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | Write | Allows you to update a resource. | Resource owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | Delete | Allows you to delete a resource. For example, you can run the `drop resource <resource_name>;` command to delete a resource. | Resource owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Resource | All | Allows you to perform all the preceding operations on a resource. | Resource owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External Volume | CreateVolume | Allows you to create an external volume. | External volume owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External Volume | Read | Allows you to read data from an external volume. | External volume owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External Volume | Write | Allows you to update data in an external volume. | External volume owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External Volume | Delete | Allows you to delete an external volume. For example, you can run the `vfs -rm -r <volume_path>;` command to delete an external volume. | External volume owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
External Volume | All | Allows you to perform all the preceding operations on an external volume. | External volume owner; project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Instance | Read | Allows you to read an instance. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Instance | Write | Allows you to update an instance. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Instance | All | Allows you to perform all the preceding operations on an instance. | Project owner; users assigned the Super_Administrator or Admin role | Grant permissions to users or roles: ACL-based access control. Grant permissions to roles: Policy-based access control.
Note: The CreateTable permission on a project and the Select, Alter, Update, and Drop permissions on tables in the project must be used together with the CreateInstance permission on the project. If you hold only the Select, Alter, Update, or Drop permission on tables in a project and do not hold the CreateInstance permission on the project, the operations on the tables cannot be performed. For example, if you query the data of a table in Project B from Project A, you must have the CreateInstance permission on Project A and the Select permission on the table in Project B.
Behavior
The following table describes the permission relationships of behavior on objects in a MaxCompute project.
Object | Action | Description | Authorized by | Authorization method
--- | --- | --- | --- | ---
Tables, functions, resources, and instances | Download | Allows you to use Tunnel commands to download table data, resources, functions, or instances. | Project owner; users assigned the Super_Administrator role |
Label | N/A | Allows you to read sensitive data at the column level. | Project owner; users assigned the Admin role |
Package | Read | Allows you to package the objects and the allowed operation permissions on the objects in a project and use the generated package to support cross-project authorization. | Project owner; users assigned the Admin role |
Permissions on project management
The following table describes the operations that you can perform to configure MaxCompute management permissions.
Permission type | Action | Description
--- | --- | ---
Project security configurations | SetSecurityConfiguration | Allows you to set security configurations for a project.
Project security configurations | GetSecurityConfiguration | Allows you to view the security configurations of a project.
Project security configurations | SetProperty | Allows you to configure an IP address whitelist for a project.
Policy management | PutPolicy | Allows you to update a policy.
Policy management | GetPolicy | Allows you to view policy information.
Policy management | AddPolicyStatments | Allows you to add policy statements.
Policy management | RemovePolicyStatments | Allows you to remove policy statements.
Account provider management | AddAccountProviders | Allows you to add an account provider.
Account provider management | RemoveAccountProviders | Allows you to remove an account provider.
Account provider management | ListAccountProviders | Allows you to view all account providers.
Management of trusted projects | AddTrustedProjects | Allows you to add trusted projects.
Management of trusted projects | RemoveTrustedProjects | Allows you to remove trusted projects.
Management of trusted projects | ListTrustedProjects | Allows you to view all trusted projects.
Principal management | AddUser | Allows you to add a user.
Principal management | RemoveUser | Allows you to remove a user.
Principal management | ListUsers | Allows you to view all users.
Principal management | ListUserRoles | Allows you to view the roles assigned to a user.
Role management | CreateRole | Allows you to create a role.
Role management | DescribeRole | Allows you to query information about a role.
Role management | AlterRole | Allows you to modify the properties of a role.
Role management | DropRole | Allows you to drop a role.
Role management | ListRoles | Allows you to view all roles.
Role authorization | GrantRole | Allows you to assign a role to a user.
Role authorization | RevokeRole | Allows you to revoke a role from a user.
Role authorization | ListRolePrincipals | Allows you to view the users to which a role is assigned.
Package management | CreatePackage | Allows you to create a package.
Package management | DescribePackage | Allows you to view information about a package.
Package management | DropPackage | Allows you to delete a package.
Package management | ShowPackages | Allows you to view all packages.
Package management | InstallPackage | Allows you to install a package.
Package management | UninstallPackage | Allows you to uninstall a package.
Package management | AllowInstallPackage | Allows you to grant the permissions on a package to other projects.
Package management | DisallowInstallPackage | Allows you to revoke the permissions on a package from other projects.
Package management | AddPackageResource | Allows you to add a resource to a package.
Package management | RemovePackageResource | Allows you to remove a resource from a package.
Label-based access control | GrantLabel | Allows you to configure labels.
Label-based access control | RevokeLabel | Allows you to remove labels.
Label-based access control | ShowLabelGrants | Allows you to view label configurations.
Label-based access control | SetDataLabel | Allows you to configure labels for users or roles.
ACL-based access control | GrantPrivs | Allows you to grant permissions based on the access control list (ACL).
ACL-based access control | RevokePrivs | Allows you to revoke permissions granted based on the ACL.
ACL-based access control | ShowAclGrants | Allows you to view permissions granted based on the ACL.
Clearance of expired permissions | ClearExpiredGrants | Allows you to clear configurations of expired permissions.
The following table describes the resource URIs of management permissions.
Note: In the following resource URIs, the `acs:odps:*:projects/<project_name>/` part is omitted, and only the part that follows `<project_name>/` is provided.
Permission resource category | Resource URI | Description
--- | --- | ---
Project security configurations | authorization/configurations/security_configuration | project security_configuration
Project security configurations | authorization/configurations/policy | project policy
Project security configurations | authorization/configurations/security_policy | project security_policy
Project security configurations | authorization/configurations/protected_exception | project protected_exception
Project | authorization | Management objects such as account providers of projects and trusted projects
Project principal | authorization/users | The users of a project
Project role | authorization/roles/resource/<role_name> | The resource roles of a project
Project role | authorization/roles/administrator/<role_name> | The administrator roles of a project
Project role | authorization/roles/super_administrator/super_administrator | The super_administrator role that is built into a project
Project resource | authorization/objecttype/objectname | Resources such as tables, volumes, and jobs
Package management | authorization/packages/<projectname>.<packagename> | Package permissions
Package resource | authorization/packageresources/projectname.packagename/objecttype/objectname | The resources in a package
Usage notes:
- If you want to identify specific users, usernames are required. You can use URIs to identify only user categories, not specific users.
- You can use URIs to identify specific roles.
- To distinguish all packages from the resources in those packages, the URIs of packages are in the format `packages/projectname.packagename`, and the URIs of resources in packages are in the format `packageresources/projectname.packagename/objecttype/objectname`. This way, you can use `packages/*` to indicate all packages and `packageresources/*` to indicate all resources in packages.
The following table describes management permissions.
Permission type | Permission | Action | Resource
--- | --- | --- | ---
Security configuration permissions on a project | Allows you to set security configurations for a project. | SetSecurityConfiguration | projects/<project_name>/authorization/configurations/security_configuration
Security configuration permissions on a project | Allows you to view security configurations of a project. | GetSecurityConfiguration | projects/<project_name>/authorization/configurations/security_configuration
Security configuration permissions on a project | Allows you to set a policy. | PutPolicy | projects/<project_name>/authorization/configurations/policy
Security configuration permissions on a project | Allows you to view policy information. | GetPolicy | projects/<project_name>/authorization/configurations/policy
Security configuration permissions on a project | Allows you to set protected_exception. | PutPolicy | projects/<project_name>/authorization/configurations/protected_exception
Security configuration permissions on a project | Allows you to view protected_exception. | GetPolicy | projects/<project_name>/authorization/configurations/protected_exception
Security configuration permissions on a project | Allows you to set security_policy. | PutPolicy | projects/<project_name>/authorization/configurations/security_policy
Security configuration permissions on a project | Allows you to view security_policy. | GetPolicy | projects/<project_name>/authorization/configurations/security_policy
Management of project account providers | Allows you to add an account provider. | AddAccountProvider | projects/<project_name>/authorization
Management of project account providers | Allows you to remove an account provider. | RemoveAccountProvider | projects/<project_name>/authorization
Management of project account providers | Allows you to view all account providers. | ListAccountProviders | projects/<project_name>/authorization
Management of trusted projects | Allows you to add trusted projects. | AddTrustedProjects | projects/<project_name>/authorization
Management of trusted projects | Allows you to remove trusted projects. | RemoveTrustedProjects | projects/<project_name>/authorization
Management of trusted projects | Allows you to view all trusted projects. | ListTrustedProjects | projects/<project_name>/authorization
Management of project principals | Allows you to add a user. | AddUser | projects/<project_name>/authorization/users
Management of project principals | Allows you to remove a user. | RemoveUser | projects/<project_name>/authorization/users
Management of project principals | Allows you to view all users. | ListUsers | projects/<project_name>/authorization/users
Management of project principals | Allows you to view all roles that are assigned to a user. | ListUserRoles | projects/<project_name>/authorization/users
Management of project roles | Allows you to create a resource role. | CreateRole | projects/<project_name>/authorization/roles/resource
Management of project roles | Allows you to query information about a resource role. | DescribeRole | projects/<project_name>/authorization/roles/resource/<role_name>
Management of project roles | Allows you to drop a resource role. | DropRole | projects/<project_name>/authorization/roles/resource/<role_name>
Management of project roles | Allows you to create an administrator role. | N/A | Note: Only project owners or users assigned the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Management of project roles | Allows you to drop an administrator role. | N/A | Note: Only project owners or users assigned the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Management of project roles | Allows you to query information about an administrator role. | DescribeRole | projects/<project_name>/authorization/roles/administrator/<role_name>
Management of project roles | Allows you to view all roles. | ListRoles | projects/<project_name>/authorization/roles
Policy management of roles in a project | Allows you to set policies for resource roles in a project. | PutPolicy | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to view policies of resource roles in a project. | GetPolicy | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to add statements that are used to set resource role policies. | AddPolicyStatments | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to remove statements that are used to set resource role policies. | RemovePolicyStatments | projects/<project_name>/authorization/roles/resource/<role_name>
Policy management of roles in a project | Allows you to set policies for administrator roles. | N/A | Note: Only project owners or users assigned the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Policy management of roles in a project | Allows you to view policies of administrator roles. | GetPolicy | projects/<project_name>/authorization/roles/administrator/<role_name>
Policy management of roles in a project | Allows you to add statements that are used to set administrator role policies. | N/A | Note: Only project owners or users assigned the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Policy management of roles in a project | Allows you to remove statements that are used to set administrator role policies. | N/A | Note: Only project owners or users assigned the Super_Administrator role can create administrator roles and grant permissions to the administrator roles.
Role assignment and view | Allows you to assign a resource role to a user. | GrantRole | projects/<project_name>/authorization/roles/resource/<role_name>
Role assignment and view | Allows you to revoke a resource role from a user. | RevokeRole | projects/<project_name>/authorization/roles/resource/<role_name>
Role assignment and view | Allows you to assign an administrator role to a user. | GrantRole | projects/<project_name>/authorization/roles/administrator/<role_name>
Role assignment and view | Allows you to revoke an administrator role from a user. | RevokeRole | projects/<project_name>/authorization/roles/administrator/<role_name>
Role assignment and view | Allows you to assign the Super_Administrator role to a user. | N/A | Note: Only project owners or users assigned the Super_Administrator role can assign the Super_Administrator role to a user or revoke it from a user.
Role assignment and view | Allows you to revoke the Super_Administrator role from a user. | N/A | Note: Only project owners or users assigned the Super_Administrator role can assign the Super_Administrator role to a user or revoke it from a user.
Role assignment and view | Allows you to view the users to which a resource role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/resource/<role_name>
Role assignment and view | Allows you to view the users to which an administrator role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/administrator/<role_name>
Role assignment and view | Allows you to view the users to which the Super_Administrator role is assigned. | ListRolePrincipals | projects/<project_name>/authorization/roles/super_administrator/super_administrator
Role assignment and view | Allows you to view the roles assigned to a user. | ListPrincipalRoles | projects/<project_name>/authorization/principals/users
Package management | Allows you to create a package. | CreatePackage | projects/<project_name>/authorization/packages
Package management | Allows you to view packages. | ShowPackages | projects/<project_name>/authorization/packages
Package management | Allows you to query information about a package. | DescribePackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to delete a package. | DropPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to install a package. | InstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to uninstall a package. | UninstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to grant the permissions on a package to other projects. | AllowInstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to revoke the permissions on a package from other projects. | DisallowInstallPackage | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to add a resource to a package. | AddPackageResource | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Package management | Allows you to remove resources from a package. | RemovePackageResource | projects/<project_name>/authorization/packages/<package_creater_project_name>.<package_name>
Label-based access control | Allows you to enable label-based access control on resources in a project. | GrantLabel | projects/<project_name>/authorization/label/<resource_relative_id> Note: In the resource URI, `resource_relative_id` specifies the resource path in a project. For example, the `resource_relative_id` of `table_1` is `tables/table_1`. You can use an asterisk (*) to specify all resources. For example, you can use `tables/*` to specify all tables in a project.
Label-based access control | Allows you to disable label-based access control on resources in a project. | RevokeLabel | projects/<project_name>/authorization/label/<resource_relative_id>
Label-based access control | Allows you to view label-based access control on resources in a project. | ShowLabelGrants | projects/<project_name>/authorization/label/<resource_relative_id>
Label-based access control | Allows you to enable label-based access control on packages. | GrantLabel | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
Label-based access control | Allows you to disable label-based access control on packages. | RevokeLabel | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
Label-based access control | Allows you to view label-based access control on resources in a package. | ShowLabelGrants | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
Label-based access control | Allows you to view label-based access control for a user. | ShowLabelGrants | projects/<project_name>/authorization/users
Label-based access control | Allows you to view label-based access control for a role. | ShowLabelGrants | projects/<project_name>/authorization/roles/resource/<role_name> Note: You cannot enable, set, or view label-based access control for an administrator role.
Access-level label configuration for users and roles | Allows you to set an access-level label for a user. | SetDataLabel | projects/<project_name>/authorization/users
Access-level label configuration for users and roles | Allows you to set an access-level label for a role. | SetDataLabel | projects/<project_name>/authorization/roles/resource/<role_name>
ACL-based access control | Allows you to grant permissions on resources in a project based on the ACL. | GrantPrivs | projects/<project_name>/authorization/<resource_relative_id> Note: You can use the following string set operators in a policy to manage the actions that can be granted or revoked: `StringIntersectSetEmpty(IgnoreCase)`, `StringIntersectSetNotEmpty(IgnoreCase)`, `StringSubSet(IgnoreCase)`, and `StringNotSubSet(IgnoreCase)`. You can use `acs:Privileges` as the key in the condition. For example, you can use the following policy to deny the user `odpsxxxx@aliyun.com` the ability to grant the Download or Select permission on all tables in the `prj1` project: `{ "Action":[ "odps:GrantPrivs"], "Effect":"Deny", "Principal":"aliyun$odpsxxxx@aliyun.com", "Resource":"acs:odps::projects/prj1/authorization/acl/tables/*", "Condition":{ "IntersectionSetNotNull":{ "acs:Privileges":["Download","Select"] } } }`. The `resource_relative_id` of the project itself is in the `projects/<project_name>` format.
ACL-based access control | Allows you to revoke permissions on resources in a project that are granted based on the ACL. | RevokePrivs | projects/<project_name>/authorization/<resource_relative_id>
ACL-based access control | Allows you to view permissions on resources in a project that are granted based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/<resource_relative_id>
ACL-based access control | Allows you to grant permissions on packages based on the ACL. | GrantPrivs | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
ACL-based access control | Allows you to revoke permissions on packages that are granted based on the ACL. | RevokePrivs | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
ACL-based access control | Allows you to view permissions on packages that are granted based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/packageresources/<package_creater_project_name>.<package_name>/<resource_relative_id>
ACL-based access control | Allows you to view permissions that are granted to users based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/users
ACL-based access control | Allows you to view permissions that are granted to resource roles based on the ACL. | ShowAclGrants | projects/<project_name>/authorization/roles/resource/<role_name>
Clearance of expired permissions | Allows you to clear configurations of expired permissions. | ClearExpiredGrants | projects/<project_name>/authorization
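The following Python is an added example, not MaxCompute's own policy engine and not code from this page. It models two things the tables above describe: how a Deny statement with an `acs:Privileges` condition (the GrantPrivs note) restricts which privileges a user may hand out, and how the `*` wildcard in resource URIs such as `tables/*`, `packages/*` and `packageresources/*` (usage notes above) selects resources without spilling over into sibling categories. Everything beyond the operator names and the URI shapes on the page is an assumption, labelled in the code: the four operators' semantics are inferred from their names, `*` matches any run of characters, a matching Deny overrides any Allow and an unmatched request is denied, the Allow statement is constructed, and the sample Deny is written with the operator name from the page's operator list (`StringIntersectSetNotEmpty`) rather than the spelling used in the page's JSON.

```python
import re

# Constructed sample statements (no real project or account). The Allow statement is
# an assumption added so the Deny has something to override; the Deny mirrors the
# page's policy, using the operator name from the page's list of operators.
SAMPLE_STATEMENTS = [
    {
        "Action": ["odps:GrantPrivs", "odps:RevokePrivs"],
        "Effect": "Allow",
        "Principal": "aliyun$odpsxxxx@aliyun.com",
        "Resource": "acs:odps::projects/prj1/authorization/acl/*",
    },
    {
        "Action": ["odps:GrantPrivs"],
        "Effect": "Deny",
        "Principal": "aliyun$odpsxxxx@aliyun.com",
        "Resource": "acs:odps::projects/prj1/authorization/acl/tables/*",
        "Condition": {
            "StringIntersectSetNotEmpty": {"acs:Privileges": ["Download", "Select"]}
        },
    },
]


def wildcard_match(pattern, value):
    """Assumed wildcard semantics: '*' stands for any run of characters, every other
    character is literal. So 'packages/*' covers 'packages/prj1.pkg1' but not
    'packageresources/prj1.pkg1/tables/t1', which is the distinction the usage notes draw."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def string_set_condition(operator, policy_values, request_values):
    """Evaluate one of the page's four string-set operators. Semantics are assumed from
    the names: IgnoreCase lowercases both sides first; SubSet means every requested
    value is among the policy's values; the Intersect forms test for overlap."""
    base = operator
    ignore_case = base.endswith("IgnoreCase")
    if ignore_case:
        base = base[: -len("IgnoreCase")]
    norm = (lambda s: s.lower()) if ignore_case else (lambda s: s)
    policy = {norm(v) for v in policy_values}
    request = {norm(v) for v in request_values}
    if base == "StringIntersectSetEmpty":
        return not (policy & request)
    if base == "StringIntersectSetNotEmpty":
        return bool(policy & request)
    if base == "StringSubSet":
        return request <= policy
    if base == "StringNotSubSet":
        return not (request <= policy)
    raise ValueError(f"unsupported condition operator: {operator}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(statements, principal, action, resource, context):
    """Return 'Allow' or 'Deny'. Assumed combination rule: a matching Deny wins outright;
    otherwise any matching Allow permits; otherwise the request is denied. A statement
    only matches when its principal, an action pattern, a resource pattern, and every
    condition entry all match the request."""
    allowed = False
    for stmt in statements:
        if stmt.get("Principal") != principal:
            continue
        if not any(wildcard_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(wildcard_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        conditions = stmt.get("Condition", {})
        if not all(
            string_set_condition(op, values, context.get(key, []))
            for op, keyed in conditions.items()
            for key, values in keyed.items()
        ):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def grant_decision(principal, project, resource_relative_id, privileges):
    """Decide whether `principal` may run GrantPrivs for `privileges` on the object named
    by `resource_relative_id` (for example 'tables/t1') in `project`. The ACL resource
    URI is built in the shape used by the page's example policy."""
    resource = f"acs:odps::projects/{project}/authorization/acl/{resource_relative_id}"
    return evaluate(SAMPLE_STATEMENTS, principal, "odps:GrantPrivs", resource,
                    {"acs:Privileges": list(privileges)})


if __name__ == "__main__":
    user = "aliyun$odpsxxxx@aliyun.com"
    print(grant_decision(user, "prj1", "tables/t1", ["Download"]))   # Deny
    print(grant_decision(user, "prj1", "tables/t1", ["Describe"]))   # Allow
    print(grant_decision(user, "prj1", "functions/f1", ["Select"]))  # Allow
```

Two details worth noticing when you write such a Deny: the non-IgnoreCase operator treats `download` and `Download` as different strings, so a case-insensitive variant is the safer choice if privilege names may arrive in mixed case; and the Deny is scoped by its resource pattern, so the same user can still grant Select on `functions/f1` because `tables/*` does not match it.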