If a user is assigned a built-in role in MaxCompute, the user has the permissions of the built-in role. For example, if a user is assigned the Development role, the user is granted the operation permissions on tables and resources. In actual business scenarios, you may need to manage the operation permissions of such users in a fine-grained manner. For example, you may need to prohibit the users from deleting important tables. This topic describes how to perform policy-based permission management for users assigned built-in roles.

Prerequisites

The MaxCompute client is installed. For more information, see Install and configure the MaxCompute client.

Background information

If a user is assigned a built-in role and you want to manage the permissions of the user in a fine-grained manner, we recommend that you use the policy-based permission management mechanism instead of the access control list (ACL) mechanism. For more information about built-in roles, see Users and roles. For more information about the policy-based permission management mechanism, see Policy-based access control and download control.

The policy-based access control mechanism is used to manage permissions based on roles. This mechanism allows you to grant or revoke operation permissions on project objects, such as tables, for roles. The operations include read and write operations. After you assign a role to a user, the permissions granted to or revoked from the role also take effect on the user. For more information about the GRANT and REVOKE syntax, see Policy-based access control and download control.

Grant permissions by using the policy-based access control mechanism

In the following example, the RAM user Alice is assigned the Development role of a MaxCompute project. You need to prohibit the RAM user Alice from deleting any table whose name starts with tb_. The RAM user Alice belongs to the Alibaba Cloud account Bob@aliyun.com.

This operation can be performed only by the project owner or users assigned the Super_Administrator or Admin role.

  1. Start the MaxCompute client.
  2. Execute the CREATE ROLE statement to create a role named delete_test.
    Sample statement:
    create role delete_test;

    For more information about how to create a role, see Create a RAM role.

  3. Execute the GRANT statement to grant the delete_test role the permission that prohibits the role from deleting all tables whose names start with tb_.
    Sample statement:
    grant drop on table tb_* to role delete_test privilegeproperties("policy" = "true", "allow"="false");

    For more information about the GRANT syntax, see the "Policy-based access control by using the GRANT statement" section in Policy-based access control and download control.

  4. Execute the GRANT statement to assign the delete_test role to the RAM user Alice.
    Sample statement:
    grant delete_test to ram$bob@aliyun.com:Alice;  

    If you do not know the Alibaba Cloud account to which the RAM user belongs, you can execute LIST USERS; on the MaxCompute client to obtain the account. For more information about how to assign a role to a user, see Assign a role to a user.

  5. Execute the SHOW GRANTS statement to view the permissions of the RAM user Alice.
    Sample statement:
    show grants for ram$bob@aliyun.com:Alice; 
    The following results are returned:
    [roles]
    role_project_admin, delete_test                                 -- Alice is assigned the delete_test role. 
    
    Authorization Type: Policy                                      -- The authorization method is Policy. 
    [role/delete_test]
    D       projects/mcproject_name/tables/tb_*: Drop               -- Alice is not allowed to delete the tables whose names start with tb_ in the project. D indicates Deny. 
    [role/role_project_admin]
    A       projects/mcproject_name: *
    A       projects/mcproject_name/instances/*: *
    A       projects/mcproject_name/jobs/*: *
    A       projects/mcproject_name/offlinemodels/*: *
    A       projects/mcproject_name/packages/*: *
    A       projects/mcproject_name/registration/functions/*: *
    A       projects/mcproject_name/resources/*: *
    A       projects/mcproject_name/tables/*: *
    A       projects/mcproject_name/volumes/*: *
    
    Authorization Type: ObjectCreator
    AG      projects/mcproject_name/tables/local_test: All
    AG      projects/mcproject_name/tables/mr_multiinout_out1: All
    AG      projects/mcproject_name/tables/mr_multiinout_out2: All
    AG      projects/mcproject_name/tables/ramtest: All
    AG      projects/mcproject_name/tables/wc_in: All
    AG      projects/mcproject_name/tables/wc_in1: All
    AG      projects/mcproject_name/tables/wc_in2: All
    AG      projects/mcproject_name/tables/wc_out: All

    For more information about how to view user permissions, see View permissions of a specified user.

  6. Log on to the MaxCompute client as Alice and execute the DROP TABLE statement to delete the tables whose names start with tb_.
    Sample statement:
    drop table tb_test;
    The following error is returned, which indicates that the deny policy takes effect. If the table is deleted instead, the policy has not taken effect. In this case, check whether the preceding steps were performed correctly.
    FAILED: Catalog Service Failed, ErrorCode: 50, Error Message: ODPS-0130013:Authorization exception - Authorization Failed [4011],
    You have NO privilege 'odps:Drop' on {acs:odps:*:projects/mcproject_name/tables/tb_test}.
    Explicitly denied by policy.
    Context ID:85efa8e9-40da-4660-bbfd-b503dfa64c0a. --->Tips: Pricipal:RAM$bob@aliyun.com:Alice; Deny by policy

Revoke permissions by using the policy-based access control mechanism

The RAM user Alice is not allowed to delete the tables whose names start with tb_, as described in Grant permissions by using the policy-based access control mechanism. If the tables are no longer required and you want to allow the RAM user Alice to delete the tables, you can revoke the related permission from the RAM user Alice.

This operation can be performed only by the project owner or users assigned the Super_Administrator or Admin role. You can use one of the following methods to revoke the permission from the RAM user Alice based on your business requirements.
  • Revoke the permission that is granted to the role and retain the role

    Perform the following steps:

    1. Start the MaxCompute client.
    2. Execute the REVOKE statement to revoke the permission that is granted to the delete_test role. After the Deny entry is removed, the delete_test role no longer prevents the deletion of tables whose names start with tb_.
      Sample statement:
      revoke drop on table tb_* from role delete_test privilegeproperties("policy" = "true", "allow"="false");

      For more information about the REVOKE syntax, see the "Policy-based access control by using the GRANT statement" section in Policy-based access control and download control.

    3. Execute the SHOW GRANTS statement to view the permissions of the RAM user Alice.
      Sample statement:
      show grants for ram$bob@aliyun.com:Alice; 
      The following results are returned:
      [roles]
      role_project_admin, delete_test                                 -- The delete_test role is retained. 
      
      Authorization Type: Policy                                      -- The permission is revoked. 
      [role/role_project_admin]
      A       projects/mcproject_name: *
      A       projects/mcproject_name/instances/*: *
      A       projects/mcproject_name/jobs/*: *
      A       projects/mcproject_name/offlinemodels/*: *
      A       projects/mcproject_name/packages/*: *
      A       projects/mcproject_name/registration/functions/*: *
      A       projects/mcproject_name/resources/*: *
      A       projects/mcproject_name/tables/*: *
      A       projects/mcproject_name/volumes/*: *
      
      Authorization Type: ObjectCreator
      AG      projects/mcproject_name/tables/local_test: All
      AG      projects/mcproject_name/tables/mr_multiinout_out1: All
      AG      projects/mcproject_name/tables/mr_multiinout_out2: All
      AG      projects/mcproject_name/tables/ramtest: All
      AG      projects/mcproject_name/tables/tb_test: All
      AG      projects/mcproject_name/tables/wc_in: All
      AG      projects/mcproject_name/tables/wc_in1: All
      AG      projects/mcproject_name/tables/wc_in2: All
      AG      projects/mcproject_name/tables/wc_out: All

      For more information about how to view user permissions, see View permissions of a specified user.

    4. Log on to the MaxCompute client as Alice and execute the DROP TABLE statement to delete the tables whose names start with tb_.
      Sample statement:
      drop table tb_test;

      If OK is returned, the permission is revoked.

  • Revoke the role from the user and delete the role if required

    Perform the following steps:

    1. Start the MaxCompute client.
    2. Execute the REVOKE statement to revoke the delete_test role from Alice.
      Sample statement:
      revoke delete_test from ram$bob@aliyun.com:Alice;

      For more information about how to revoke a role from a user, see Revoke the role granted to a user.

    3. Execute the SHOW GRANTS statement to view the permissions of the RAM user Alice.
      Sample statement:
      show grants for ram$bob@aliyun.com:Alice; 
      The following results are returned:
      [roles]
      role_project_admin                                           -- The delete_test role is revoked. 
      
      Authorization Type: Policy
      [role/role_project_admin]
      A       projects/mcproject_name: *
      A       projects/mcproject_name/instances/*: *
      A       projects/mcproject_name/jobs/*: *
      A       projects/mcproject_name/offlinemodels/*: *
      A       projects/mcproject_name/packages/*: *
      A       projects/mcproject_name/registration/functions/*: *
      A       projects/mcproject_name/resources/*: *
      A       projects/mcproject_name/tables/*: *
      A       projects/mcproject_name/volumes/*: *
      
      Authorization Type: ObjectCreator
      AG      projects/mcproject_name/tables/local_test: All
      AG      projects/mcproject_name/tables/mr_multiinout_out1: All
      AG      projects/mcproject_name/tables/mr_multiinout_out2: All
      AG      projects/mcproject_name/tables/ramtest: All
      AG      projects/mcproject_name/tables/wc_in: All
      AG      projects/mcproject_name/tables/wc_in1: All
      AG      projects/mcproject_name/tables/wc_in2: All
      AG      projects/mcproject_name/tables/wc_out: All

    4. Log on to the MaxCompute client as Alice and execute the DROP TABLE statement to delete the tables whose names start with tb_.
      Sample statement:
      drop table tb_test;

      If OK is returned, the permission is revoked.
    5. Optional. Execute the DROP ROLE statement to delete the delete_test role.
      Sample statement:
      drop role delete_test;

      If OK is returned, the role is deleted. For more information about how to delete a role, see Delete a role.
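As an added illustration that is not part of this topic or of MaxCompute itself, the following Python script parses SHOW GRANTS output of the shape shown above and checks, for a given resource and action, whether a Deny entry from any role blocks an Allow entry from another role. The evaluation model (a matching Deny always wins over a matching Allow) and the trimmed sample outputs are assumptions made for the demonstration, not MaxCompute's real authorization engine.

```python
import fnmatch
import re

# Constructed, trimmed excerpts of the SHOW GRANTS output shown in this topic.
GRANTS_BEFORE_REVOKE = """\
[roles]
role_project_admin, delete_test
Authorization Type: Policy
[role/delete_test]
D       projects/mcproject_name/tables/tb_*: Drop
[role/role_project_admin]
A       projects/mcproject_name: *
A       projects/mcproject_name/tables/*: *
Authorization Type: ObjectCreator
AG      projects/mcproject_name/tables/wc_in: All
"""

GRANTS_AFTER_REVOKE = """\
[roles]
role_project_admin, delete_test
Authorization Type: Policy
[role/role_project_admin]
A       projects/mcproject_name: *
A       projects/mcproject_name/tables/*: *
Authorization Type: ObjectCreator
AG      projects/mcproject_name/tables/tb_test: All
"""

# One grant line: effect (A = allow, D = deny, AG = allow with grant), resource, action.
ENTRY = re.compile(r"^(A|D|AG)\s+(\S+?):\s+(\S+)$")


def parse_grants(text):
    """Return (effect, resource_pattern, action) tuples; AG is folded into A."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            effect, resource, action = m.groups()
            entries.append(("D" if effect == "D" else "A", resource, action))
    return entries


def matching_entries(entries, resource, action):
    """Entries whose resource pattern covers the resource and whose action covers the action."""
    return [e for e in entries
            if fnmatch.fnmatchcase(resource, e[1]) and e[2] in ("*", "All", action)]


def is_permitted(entries, resource, action):
    """Assumed model: an explicit Deny overrides any Allow; otherwise an Allow is required."""
    hits = matching_entries(entries, resource, action)
    if any(effect == "D" for effect, _, _ in hits):
        return False
    return any(effect == "A" for effect, _, _ in hits)
```

Run `matching_entries` to see why a decision was made, for example which role's tables/* wildcard is granting the Drop that the delete_test Deny overrides.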