
MaxCompute:Permission-related command set

Last Updated: Apr 02, 2024

This topic describes a set of permission-related commands in MaxCompute projects, including commands for user management, role management, role authorization, user authorization, and permission query.

Commands for role management

  • Create a project-level role

    • Syntax

      create role <role_name> [privilegeproperties("type"="admin|resource")];
    • Example

      • Create a resource role named Worker. Sample statement:

        create role Worker;
      • Create an administrator role named sale_admin. Sample statement:

        create role sale_admin privilegeproperties("type"="admin");
  • Query project-level roles

    list roles;
  • Drop a project-level role

    • Syntax

      drop role <role_name>;
    • Example

      drop role Worker;

Commands for user management

Commands for role authorization

  • Grant the operation permissions on an object to a role

    • Grant permissions on a specified project to a role

      • Syntax

        • ACL-based access control

          grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
                on project <project_name> 
                to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
        • Policy-based access control by using the ACL syntax

          grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
                on project <project_name> 
                to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
      • Example

        -- Perform ACL-based access control. 
        grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
        -- Perform policy-based access control. 
        grant CreateTable, CreateFunction, CreateInstance, List 
              on project test_project_a  
              to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Grant permissions on a specified table to a role

      • Syntax

        • ACL-based access control

          grant Describe|Select|Alter|Update|Drop|ShowHistory|All 
                on table <table_name> [(<column_list>)] 
                to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
        • Policy-based access control by using the ACL syntax

          grant Describe|Select|Alter|Update|Drop|ShowHistory|All 
                on table <table_name> [(<column_list>)] 
                to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
      • Example

        -- Perform ACL-based access control. 
        grant Describe, Select on table sale_detail to ROLE Worker;
        -- Perform policy-based access control. 
        grant Describe, Select  
              on table sale_detail   
              to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Grant permissions on a specified resource to a role

      • Syntax

        • ACL-based access control

          grant Read|Write|Delete|All 
                on resource <resource_name> 
                to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
        • Policy-based access control by using the ACL syntax

          grant Read|Write|Delete|All 
                on resource <resource_name> 
                to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
      • Example

        -- Perform ACL-based access control. 
        grant Read, Write on resource udtf.jar to ROLE Worker;
        -- Perform policy-based access control. 
        grant Read, Write   
              on resource udtf.jar  
              to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Grant permissions on a specified function to a role

      • Syntax

        • ACL-based access control

          grant Read|Write|Delete|Execute|All 
                on function <function_name> 
                to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
        • Policy-based access control by using the ACL syntax

          grant Read|Write|Delete|Execute|All 
                on function <function_name> 
                to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
      • Example

        -- Perform ACL-based access control. 
        grant Read, Write on function udf_test to ROLE Worker;
        -- Perform policy-based access control. 
        grant Read, Write   
              on function udf_test  
              to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Grant permissions on a specified instance to a role

      • Syntax

        • ACL-based access control

          grant Read|Write|All 
                on instance <instance_id> 
                to ROLE <role_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
        • Policy-based access control by using the ACL syntax

          grant Read|Write|All  
                on instance <instance_id>   
                to ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}"[, "conditions"= "<conditions>", "expires"="<days>"]);
      • Example

        -- Perform ACL-based access control. 
        grant All on instance 202112300224**** to ROLE Worker;
        -- Perform policy-based access control. 
        grant All    
              on instance 202112300224****   
              to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
  • Revoke the operation permissions on an object from a role

    • Revoke permissions on a specified project from a role

      • Syntax

        • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

          revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
                on project <project_name> 
                from ROLE <role_name>;
        • Revoke the operation permissions that are granted by using the policy-based access control method from a role

          revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
                on project <project_name> 
                from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
      • Example

        -- Revoke ACL-based access control. 
        revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
        -- Revoke policy-based access control. 
        revoke CreateTable, CreateFunction, CreateInstance, List 
              on project test_project_a  
              from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Revoke permissions on a specified table from a role

      • Syntax

        • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

          revoke Describe|Select|Alter|Update|Drop|ShowHistory|All 
                on table <table_name> [(<column_list>)] 
                from ROLE <role_name>;
        • Revoke the operation permissions that are granted by using the policy-based access control method from a role

          revoke Describe|Select|Alter|Update|Drop|ShowHistory|All 
                on table <table_name> [(<column_list>)] 
                from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
      • Example

        -- Revoke ACL-based access control. 
        revoke Describe, Select on table sale_detail from ROLE Worker;
        -- Revoke policy-based access control. 
        revoke Describe, Select  
              on table sale_detail   
              from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Revoke permissions on a specified resource from a role

      • Syntax

        • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

          revoke Read|Write|Delete|All 
                on resource <resource_name> 
                from ROLE <role_name>;
        • Revoke the operation permissions that are granted by using the policy-based access control method from a role

          revoke Read|Write|Delete|All 
                on resource <resource_name> 
                from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
      • Example

        -- Revoke ACL-based access control. 
        revoke Read, Write on resource udtf.jar from ROLE Worker;
        -- Revoke policy-based access control. 
        revoke Read, Write   
              on resource udtf.jar  
              from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Revoke permissions on a specified function from a role

      • Syntax

        • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

          revoke Read|Write|Delete|Execute|All 
                on function <function_name> 
                from ROLE <role_name>;
        • Revoke the operation permissions that are granted by using the policy-based access control method from a role

          revoke Read|Write|Delete|Execute|All 
                on function <function_name>  
                from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
      • Example

        -- Revoke ACL-based access control. 
        revoke Read, Write on function udf_test from ROLE Worker;
        -- Revoke policy-based access control. 
        revoke Read, Write   
              on function udf_test  
              from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
    • Revoke permissions on a specified instance from a role

      • Syntax

        • Revoke the operation permissions that are granted by using the ACL-based access control method from a role

          revoke Read|Write|All 
                on instance <instance_id> 
                from ROLE <role_name>;
        • Revoke the operation permissions that are granted by using the policy-based access control method from a role

          revoke Read|Write|All  
                on instance <instance_id>   
                from ROLE <role_name> privilegeproperties("policy" = "true", "{allow}"="{true|false}");
      • Example

        -- Revoke ACL-based access control. 
        revoke All on instance 202112300224**** from ROLE Worker;
        -- Revoke policy-based access control. 
        revoke All    
              on instance 202112300224****   
              from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
  • Grant the Download permission to a role

    • Syntax

      grant Download on {Table|Resource|Function|Instance} <object_name> to ROLE <role_name>;
    • Example

      grant download on table sale_detail to ROLE Worker;
  • Revoke the Download permission from a role

    • Syntax

      revoke Download on {Table|Resource|Function|Instance} <object_name> from ROLE <role_name>;
    • Example

      revoke download on table sale_detail from ROLE Worker;
  • Grant the access permissions on data that has a high sensitivity level to a role

    • Syntax

      grant Label <number> on table <table_name> [(<column_list>)] to ROLE <role_name> [with exp <days>];
    • Example

      grant Label 4 on table sale_detail to ROLE Worker;
  • Revoke the access permissions on data that has a high sensitivity level from a role

    • Syntax

      revoke Label on table <table_name> [(<column_list>)] from ROLE <role_name>;
    • Example

      revoke Label on table sale_detail from ROLE Worker;
  • Assign a role to a user

    • Syntax

      grant <role_name> to <user_name>;
    • Example

      grant Worker to ALIYUN$Kate@aliyun.com;
      grant Worker to RAM$Bob@aliyun.com:Allen;
  • Revoke a role from a user

    • Syntax

      revoke <role_name> from <user_name>;
    • Example

      revoke Worker from ALIYUN$Kate@aliyun.com;
      revoke Worker from RAM$Bob@aliyun.com:Allen;

Commands for user authorization

  • Grant permissions on a specified object to a user

    • Grant permissions on a specified project to a user

      • Syntax

        grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
              on project <project_name>
              to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Example

        grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user RAM$Kate@aliyun.com:Lily;
    • Grant permissions on a specified table to a user

      • Syntax

        grant Describe|Select|Alter|Update|Drop|ShowHistory|All
              on table <table_name> [(<column_list>)]
              to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Example

        grant Describe, Select on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
    • Grant permissions on a specified resource to a user

      • Syntax

        grant Read|Write|Delete|All
              on resource <resource_name>
              to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Example

        grant Read, Write on resource udtf.jar to USER RAM$Bob@aliyun.com:Alice;
    • Grant permissions on a specified function to a user

      • Syntax

        grant Read|Write|Delete|Execute|All
              on function <function_name>
              to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Example

        grant Read, Write on function udf_test to USER RAM$Bob@aliyun.com:Tom;
    • Grant permissions on a specified instance to a user

      • Syntax

        grant Read|Write|All
              on instance <instance_id>
              to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
      • Example

        grant All on instance 202112300224**** to USER RAM$Bob@aliyun.com:Tom;
  • Revoke permissions on a specified object from a user

    • Revoke permissions on a specified project from a user

      • Syntax

        revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All
              on project <project_name>
              from USER <user_name>;
      • Example

        revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user RAM$Kate@aliyun.com:Lily;
    • Revoke permissions on a specified table from a user

      • Syntax

        revoke Describe|Select|Alter|Update|Drop|ShowHistory|All
              on table <table_name> [(<column_list>)]
              from USER <user_name>;
      • Example

        revoke Describe, Select on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
    • Revoke permissions on a specified resource from a user

      • Syntax

        revoke Read|Write|Delete|All
              on resource <resource_name>
              from USER <user_name>;
      • Example

        revoke Read, Write on resource udtf.jar from USER RAM$Bob@aliyun.com:Alice;
    • Revoke permissions on a specified function from a user

      • Syntax

        revoke Read|Write|Delete|Execute|All
              on function <function_name>
              from USER <user_name>;
      • Example

        revoke Read, Write on function udf_test from USER RAM$Bob@aliyun.com:Tom;
    • Revoke permissions on a specified instance from a user

      • Syntax

        revoke Read|Write|All
              on instance <instance_id>
              from USER <user_name>;
      • Example

        revoke All on instance 202112300224**** from USER RAM$Bob@aliyun.com:Tom;
  • Grant permissions to a user by using a role

    • Syntax

      For more information, see Grant permissions on an object to a role and Assign a role to a user.

    • Example

      -- Grant permissions to the Worker role. 
      -- Perform ACL-based access control. 
      grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
      -- Perform policy-based access control. 
      grant CreateTable, CreateFunction, CreateInstance, List 
            on project test_project_a  
            to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
      -- Assign the Worker role to specified users. 
      grant Worker to RAM$Bob@aliyun.com:Allen;
      grant Worker to RAM$Bob@aliyun.com:Alice;
      grant Worker to RAM$Bob@aliyun.com:Tom;
  • Revoke permissions from a user by using a role

    • Syntax

      For more information, see Revoke permissions on a specified object from a role or Revoke a role from a user.

    • Example

      -- Revoke the permissions from the Worker role. 
      -- Revoke ACL-based access control. 
      revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
      -- Revoke policy-based access control. 
      revoke CreateTable, CreateFunction, CreateInstance, List 
            on project test_project_a  
            from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
      -- Or
      -- Revoke the Worker role that is assigned to a specified user. 
      revoke Worker from RAM$Bob@aliyun.com:Allen;
  • Grant the Download permission to a user

    • Syntax

      grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;
    • Example

      grant Download on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
  • Revoke the Download permission from a user

    • Syntax

      revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;
    • Example

      revoke Download on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
  • Grant the Download permission to a user by using a role

    • Syntax

      For more information, see Grant the Download permission to a role and Assign a role to a user.

    • Example

      -- Create a role named Worker in the project. 
      create role Worker;
      -- Grant permissions to the Worker role. 
      grant download on table sale_detail to ROLE Worker;
      -- Assign the Worker role to specified users. 
      grant Worker to RAM$Bob@aliyun.com:Allen;
      grant Worker to RAM$Bob@aliyun.com:Alice;
      grant Worker to RAM$Bob@aliyun.com:Tom;
  • Grant the access permissions on data that has a high sensitivity level to a user

    • Syntax

      grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];
    • Example

      grant Label 4 on table sale_detail to USER RAM$Bob@aliyun.com:Allen;
  • Revoke the access permissions on data that has a high sensitivity level from a user

    • Syntax

      revoke Label on table <table_name> [(<column_list>)] from USER <user_name>;
    • Example

      revoke Label on table sale_detail from USER RAM$Bob@aliyun.com:Allen;
  • Completely delete the residual permission information about a removed user

    • Syntax

      purge privs from user <user_name>;
    • Example

      purge privs from user RAM$Bob@aliyun.com:Allen;

Commands for querying permission information

Query the permissions of a specified role and information about the users that are assigned the role

For more information, see Query the permissions of a specified role and information about the users that are assigned the role.

  • Syntax

    describe role <role_name>;
  • Example

    describe role Worker;

Query the permission information of a user

Query the ACL-based permissions on an object

For more information, see Query the ACL-based permissions on a specified object.

  • Syntax

    show acl for <object_name> [on type <object_type>];
  • Example

    show acl for test_project_a on type project;

Query label-related permission information

Commands for querying package authorization information

  • Query the permissions on a specified package

    • Syntax

      show acl for <project_name>.<package_name> on type package;
    • Example

      show acl for test_project_b.datashare on type package;
  • Query the permissions on an object in a specified package

    • Syntax

      show grants on <object_type> <object_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
    • Example

      show grants on Table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");
  • Query the label-based permissions on a table in a specified package

    • Syntax

      show label grants on table <table_name> privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
    • Example

      show label grants on table sale_detail privilegeproperties ("refobject"="true", "refproject"="test_project_a", "package"="datashare");

Commands for viewing security configurations of a project

  • Check the setting of project data protection

    • Enable or disable project data protection

      set ProjectProtection=true|false;
    • View the security configurations of a project

      show SecurityConfiguration;

      If the returned result contains ProjectProtection=true, project data protection is enabled for the project. If the returned result contains ProjectProtection=false, project data protection is disabled for the project.

  • View trusted projects that have been added

    list trustedprojects;
  • Check the setting of label-based access control

    • Enable or disable label-based access control

      set LabelSecurity=true|false;
    • View the security configurations of a project

      show SecurityConfiguration;

      If the returned result contains LabelSecurity=true, label-based access control is enabled for the project. If the returned result contains LabelSecurity=false, label-based access control is disabled for the project.

  • View the download control feature

    • Enable or disable the download control feature

      setproject odps.security.enabledownloadprivilege=true|false;
    • View the properties of a project

      setproject;

      If the returned result contains odps.security.enabledownloadprivilege=true, the download control feature is enabled for the project. If the returned result contains odps.security.enabledownloadprivilege=false, the download control feature is disabled for the project.
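The three checks above (project data protection, label-based access control, download control) are the ones an auditor repeats for every project, so it is worth scripting them. The helper below is an added example and is not MaxCompute code: it takes the captured text of `show SecurityConfiguration;` and `setproject;`, parses it, and reports which of the three controls is enabled, disabled, or absent from the output. It assumes the output is one `key=value` pair per line, which is the shape the page describes ("the returned result contains ProjectProtection=true"); the sample output embedded in it is constructed, not captured from a real project.

```python
"""Audit the three project-level security settings described above.

Added example (not MaxCompute's own code).  Input is the text a client
printed for `show SecurityConfiguration;` and `setproject;`.  ASSUMPTION:
each setting appears as a `key=value` line; adjust parse_settings() if
your client prints a different layout.
"""
import re

# Settings the page tells you to look for, mapped to the control they govern.
CONTROLS = {
    "ProjectProtection": "project data protection",
    "LabelSecurity": "label-based access control",
    "odps.security.enabledownloadprivilege": "download control",
}

# One `key=value` per line; keys may contain dots (odps.security.*).
_KV = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(\S+)\s*$")


def parse_settings(text):
    """Return {key: value} for every key=value line; other lines are ignored.

    Values are normalised to lowercase with a trailing ';' removed so that
    'True', 'true' and 'true;' all compare equal.
    """
    settings = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip(";").lower()
    return settings


def audit_security_config(security_output, setproject_output):
    """Merge both command outputs and classify each control.

    States: 'enabled' (value is true), 'disabled' (any other value),
    'missing' (the key did not appear at all, e.g. a truncated capture).
    """
    merged = {}
    merged.update(parse_settings(security_output))
    merged.update(parse_settings(setproject_output))
    report = {}
    for key, label in CONTROLS.items():
        value = merged.get(key)
        if value is None:
            state = "missing"
        elif value == "true":
            state = "enabled"
        else:
            state = "disabled"
        report[key] = {"control": label, "state": state}
    return report


def disabled_controls(report):
    """Keys of controls that are not confirmed enabled (disabled or missing)."""
    return sorted(k for k, v in report.items() if v["state"] != "enabled")


# Constructed sample output for a project where only data protection is on.
SAMPLE_SECURITY_CONFIG = """\
ProjectProtection=true
LabelSecurity=false
ObjectCreatorHasAccessPermission=true
"""
SAMPLE_SETPROJECT = """\
odps.security.enabledownloadprivilege=false
"""

if __name__ == "__main__":
    rep = audit_security_config(SAMPLE_SECURITY_CONFIG, SAMPLE_SETPROJECT)
    for key, info in rep.items():
        print(f"{info['control']:<28} {key} -> {info['state']}")
    print("needs attention:", disabled_controls(rep))
```

Treating an absent key as "missing" rather than "disabled" is deliberate: a setting that never appears in the capture usually means the command output was truncated or the wrong project was selected, and that deserves a second look rather than a silent pass.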