If a user is assigned a built-in role in MaxCompute, the user has the permissions of the built-in role. For example, if a user is assigned the Development role, the user is granted the operation permissions on tables and resources. In actual business scenarios, you may need to manage the operation permissions of such users in a fine-grained manner. For example, you may need to prohibit the users from deleting important tables. This topic describes how to perform policy-based permission management for users assigned built-in roles.
Prerequisites
Background information
If a user is assigned a built-in role and you want to manage the permissions of the user in a fine-grained manner, we recommend that you use the policy-based permission management mechanism instead of the access control list (ACL) mechanism. For more information about built-in roles, see Users and roles. For more information about the policy-based permission management mechanism, see Policy-based access control and download control.
The policy-based access control mechanism is used to manage permissions based on roles. This mechanism allows you to grant or revoke operation permissions on project objects, such as tables, for roles. The operations include read and write operations. After you assign a role to a user, the permissions granted to or revoked from the role also take effect on the user. For more information about the GRANT and REVOKE syntax, see Policy-based access control and download control.
Grant permissions by using the policy-based access control mechanism
In the following example, the RAM user Alice is assigned the Development role of a MaxCompute project. You need to prohibit Alice from deleting any table whose name starts with tb_, while leaving the other permissions of the Development role intact. The RAM user Alice belongs to the Alibaba Cloud account Bob@aliyun.com.
This operation can be performed only by the project owner or users assigned the Super_Administrator or Admin role.
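The statements that set up the deny are not shown on this page. The following is an added example, not the page's own procedure, of how the project owner (or a Super_Administrator or Admin user) would put the tb_* deny in place with the policy mechanism. The GRANT statement mirrors the REVOKE statement that appears later on this page; the role name delete_test, the project name mcproject_name and the user ram$bob@aliyun.com:Alice are the names this page uses. The expected SHOW GRANTS output and the authorization failure described in the comments are assumptions based on the output format shown on this page, not output captured from a real project.

```sql
-- Added example (not from the original page): deny DROP on tables named tb_*
-- for the Development-role user Alice by using a policy-based role.
-- Run as the project owner or a user with the Super_Administrator or Admin role.

-- 1. Create a dedicated role that carries only the deny. Keeping the deny in
--    its own role makes it easy to audit and to lift later (revoke the entry
--    or revoke the role) without touching Alice's built-in Development role.
create role delete_test;

-- 2. Attach a policy-based DENY ("allow"="false") for the Drop action on every
--    table whose name matches tb_*. Because the object is a wildcard, tb_
--    tables created after this statement runs are covered as well. This is the
--    mirror image of the REVOKE statement shown later on this page.
grant drop on table tb_* to role delete_test privilegeproperties("policy" = "true", "allow"="false");

-- 3. Assign the role to the RAM user. Alice keeps the Development role; the
--    policy deny on tb_* applies even though that role permits Drop on
--    tables/*, which is why this page recommends policies over ACLs here.
grant delete_test to ram$bob@aliyun.com:Alice;

-- 4. Verify the effective permissions. Expected (assumed from the output
--    format on this page): delete_test is listed under [roles], and an entry
--    for projects/mcproject_name/tables/tb_* appears under
--    "Authorization Type: Policy" for [role/delete_test].
show grants for ram$bob@aliyun.com:Alice;

-- 5. Negative test, to be run while logged on to the client as Alice: this
--    must fail with an authorization error rather than return OK. Tables whose
--    names do not start with tb_ are not affected by the deny.
-- drop table tb_test;
```

Steps 1 to 4 run in the administrator's client session; step 5 is the check a practitioner should run from Alice's session before relying on the deny.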
Revoke permissions by using the policy-based access control mechanism
The RAM user Alice is not allowed to delete the tables whose names start with tb_, as described in Grant permissions by using the policy-based access control mechanism. If the tables are no longer required and you want to allow the RAM user Alice to delete the tables, you can revoke the related permission from the RAM user Alice.
- Revoke the permission that is granted to the role and retain the role
Perform the following steps:
- Start the MaxCompute client.
- Execute the REVOKE statement to remove the deny entry that was granted to the delete_test role. The role no longer blocks deletions of tables whose names start with tb_, so the permissions of Alice's Development role apply to those tables again. Sample statement:
revoke drop on table tb_* from role delete_test privilegeproperties("policy" = "true", "allow"="false");
For more information about the REVOKE syntax, see the "Policy-based access control by using the GRANT statement" section in Policy-based access control and download control.
- Execute the SHOW GRANTS statement to view the permissions of the RAM user Alice. Sample statement:
show grants for ram$bob@aliyun.com:Alice;
The following results are returned:
[roles]
role_project_admin, delete_test -- The delete_test role is retained.

Authorization Type: Policy -- No deny entry is listed for delete_test: the permission is revoked.
[role/role_project_admin]
A projects/mcproject_name: *
A projects/mcproject_name/instances/*: *
A projects/mcproject_name/jobs/*: *
A projects/mcproject_name/offlinemodels/*: *
A projects/mcproject_name/packages/*: *
A projects/mcproject_name/registration/functions/*: *
A projects/mcproject_name/resources/*: *
A projects/mcproject_name/tables/*: *
A projects/mcproject_name/volumes/*: *
Authorization Type: ObjectCreator
AG projects/mcproject_name/tables/local_test: All
AG projects/mcproject_name/tables/mr_multiinout_out1: All
AG projects/mcproject_name/tables/mr_multiinout_out2: All
AG projects/mcproject_name/tables/ramtest: All
AG projects/mcproject_name/tables/tb_test: All
AG projects/mcproject_name/tables/wc_in: All
AG projects/mcproject_name/tables/wc_in1: All
AG projects/mcproject_name/tables/wc_in2: All
AG projects/mcproject_name/tables/wc_out: All
For more information about how to view user permissions, see View permissions of a specified user.
- Log on to the MaxCompute client as Alice and execute the DROP TABLE statement to delete a table whose name starts with tb_. Sample statement:
drop table tb_test;
If OK is returned, the deny no longer applies and Alice can delete the table.
- Revoke the role from the user and delete the role if required
Perform the following steps:
- Start the MaxCompute client.
- Execute the REVOKE statement to revoke the delete_test role from Alice. The deny entry stays attached to the role, so it continues to apply to any other user who holds the role. Sample statement:
revoke delete_test from ram$bob@aliyun.com:Alice;
For more information about how to revoke a role from a user, see Revoke the role granted to a user.
- Execute the SHOW GRANTS statement to view the permissions of the RAM user Alice. Sample statement:
show grants for ram$bob@aliyun.com:Alice;
The following results are returned:
[roles]
role_project_admin -- The delete_test role is revoked.

Authorization Type: Policy
[role/role_project_admin]
A projects/mcproject_name: *
A projects/mcproject_name/instances/*: *
A projects/mcproject_name/jobs/*: *
A projects/mcproject_name/offlinemodels/*: *
A projects/mcproject_name/packages/*: *
A projects/mcproject_name/registration/functions/*: *
A projects/mcproject_name/resources/*: *
A projects/mcproject_name/tables/*: *
A projects/mcproject_name/volumes/*: *
Authorization Type: ObjectCreator
AG projects/mcproject_name/tables/local_test: All
AG projects/mcproject_name/tables/mr_multiinout_out1: All
AG projects/mcproject_name/tables/mr_multiinout_out2: All
AG projects/mcproject_name/tables/ramtest: All
AG projects/mcproject_name/tables/tb_test: All
AG projects/mcproject_name/tables/wc_in: All
AG projects/mcproject_name/tables/wc_in1: All
AG projects/mcproject_name/tables/wc_in2: All
AG projects/mcproject_name/tables/wc_out: All
- Log on to the MaxCompute client as Alice and execute the DROP TABLE statement to delete a table whose name starts with tb_. Sample statement:
drop table tb_test;
If OK is returned, Alice is no longer subject to the deny and can delete the table.
- Optional. Execute the DROP ROLE statement to delete the delete_test role. Do this only after the role has been revoked from Alice, as in the preceding steps, so that no user is left holding a role that no longer exists. Sample statement:
drop role delete_test;
If OK is returned, the role is deleted. For more information about how to delete a role, see Delete a role.