Policy-based access control - MaxCompute - Alibaba Cloud Documentation Center

The policy-based access control method of MaxCompute provides more complex and flexible permission settings. This method is suitable for large enterprises and complex scenarios that require fine-grained permission management. Compared with ACL-based access control, policy-based access control also supports the blacklist mechanism. When you perform policy-based access control, you can specify a policy to allow a role to perform specified operations on specified objects or deny a role from performing specified operations on specified objects. Then, you can assign the role to a user to make the permissions of the user take effect. This topic describes the syntaxes of commands that you can use to perform policy-based access control. This topic also provides examples on how to perform policy-based access control.

Background information

The policy-based access control method supports the whitelist mechanism to allow a role to take a specified action on a specified object and the blacklist mechanism to deny a role from taking a specified action on a specified object.

This access control method resolves authorization issues that cannot be resolved by using ACL-based access control. For example, a user is assigned the developer role and has the permissions to drop tables by default. If you want to deny the role from dropping tables, you can use this access control method.

After a MaxCompute project is created, policy-based access control is enabled for the project by default. The owner of a MaxCompute project can run the set CheckPermissionUsingPolicy=true; or set CheckPermissionUsingPolicy=false; command to enable or disable policy-based access control for the project.

The following table describes the use scenarios of the policy-based access control method.

Scenario	Description	Authorized by	Operation platform
Use a role to grant permissions to a user	You can grant permissions on an object to a role to allow or deny one or more specified actions on an object. Then, you can assign the role to a user. This way, the user is granted the permissions of the role.	For more information about the identities that can be used to perform policy-based access control, see the Authorized by column in the Permission list section in Permissions on projects and objects in projects.	MaxCompute client MaxCompute Studio DataWorks console
Use a custom role to perform finer-grained permission management on a user that is assigned a built-in role	Access control lists (ACLs) cannot be used to perform finer-grained permission management on a user that is assigned a built-in role. If you want to perform such management, you can use the policy-based access control method. You can create a role, and use the method to grant permissions on objects in a MaxCompute project to the role to allow or deny actions on the objects. Then, you can assign the role to a user.		MaxCompute client MaxCompute Studio DataWorks console

Prerequisites

Before you use the policy-based access control method, make sure that the following conditions are met:

The name of the role to which you want to grant permissions is obtained, and the role is added to your MaxCompute project.
You can run the list roles; command on the MaxCompute client to query the name of the role.
For more information about how to create a role, see Role planning.
The type of the object on which you want to grant permissions, the name of the object, and the actions that you want to allow on the object are obtained.
For more information about object types and actions supported for each type of object, see MaxCompute permissions.

Limits

You can use the policy-based access control method to grant permissions only to existing roles.

Precautions

Before you use the policy-based access control method, take note of the following items:

If both the whitelist and blacklist mechanisms are used, the blacklist mechanism takes precedence.
You can use the policy-based access control method to grant a role the permissions on an object that does not exist. If you delete an existing object whose permissions are granted to a role, the permission information related to the object is retained. As a result, if you create an object that has the same name as the deleted object, security risks may exist.
After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

Syntaxes of commands

The following code provides the syntaxes of the commands that you can use to perform policy-based access control:

Grant permissions

grant <actions> on <object_type> <object_name> 
to ROLE <role_name> 
privilegeproperties("policy" = "true", "allow"="{true|false}"[, "conditions"= "<conditions>"]);

Revoke permissions

revoke <actions> on <object_type> <object_name> 
from ROLE <role_name> 
privilegeproperties ("policy" = "true", "allow"="{true|false}");

The following table describes the parameters used in the preceding syntaxes.

Parameter		Required	Description
actions		Yes	The action that is allowed or denied. You can specify multiple actions in a single command. If you specify multiple actions, separate the actions with commas (,). For more information about the supported actions, see MaxCompute permissions.
object_type		Yes	The type of object whose permissions are granted or revoked. You can specify only one type of object in a single command. For more information about the supported object types, see MaxCompute permissions.
object_name		Yes	The name of the object whose permissions are granted or revoked. The method of obtaining the name of an object varies based on the object type. Project: To obtain the name of a MaxCompute project, log on to the MaxCompute console. In the top navigation bar, select the region in which the project resides. On the Project management tab, view the name of the project. Table or view: To obtain the name of a table or view, run the `show tables;` command on the MaxCompute client. Resource: To obtain the name of a resource, run the `list resources;` command on the MaxCompute client. Function: To obtain the name of a function, run the `list functions;` command on the MaxCompute client. Instance: To obtain the name of an instance, run the `show instances;` command on the MaxCompute client. Instance names are the same as instance IDs in MaxCompute. You can use asterisks () when you configure this parameter. For example, if you set this parameter to `table taobao`, all tables whose names start with `taobao` are matched. Note You can use asterisks (*) only when the value of subject_type is ROLE.
role_name		Yes	The name of the role to which permissions are granted or from which permissions are revoked. You can specify only one role in a single command. You can run the `list roles;` command on the MaxCompute client to query the name of the role.
privilegeproperties	policy	Yes	Set the value to true. The value true indicates that policy-based access control is used.
	allow	Required if you want to use the whitelist mechanism	Specifies whether to allow the specified action on the specified object. Valid values: true: The specified action on the specified object is allowed. false: The specified action on the specified object is not allowed. This value indicates the blacklist mechanism.
	conditions	No	The conditions used for policy-based access control, such as the source of a request message and the access method. For more information about the configurations of this parameter, see Conditions.

Examples

For example, the Alibaba Cloud account Bob@aliyun.com is the owner of the project test_project_a. Allen and Tom are the RAM users of Bob@aliyun.com. The RAM user Allen is assigned the Admin role of the project test_project_a. In the following examples, all the authorization operations are performed on the MaxCompute client.

Example 1: Use a role to grant permissions to a user based on the blacklist mechanism

In this example, the Drop permission is granted to the RAM user Tom. This way, the RAM user Tom is denied from dropping tables whose names start with tb_ from the project test_project_a.

Use ACL-based commands to perform policy-based access control:

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a; 
-- Create a role named Worker. 
create role Worker; 
-- Add the RAM user Tom to the project as a member. 
add user RAM$Bob@aliyun.com:Tom;
-- Assign the role Worker to the RAM user Tom. 
grant Worker TO RAM$Bob@aliyun.com:Tom; 
-- Deny the role Worker from dropping tables whose names start with tb_ from the project test_project_a. 
grant Drop on table tb_* to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
-- Query the permissions of the RAM user Tom. 
show grants for RAM$Bob@aliyun.com:Tom; 
-- The following authorization result is returned. The result D indicates Deny. The RAM user Tom is denied from dropping tables whose names start with tb_ from the project. 
Authorization Type: Policy
[role/worker]
D      projects/test_project_a/tables/tb_*: Drop

Perform policy-based access control in the MaxCompute console.
1. Log on to the MaxCompute console, and select a region in the top navigation bar.
2. In the left-side navigation pane, click Projects.
3. On the Projects page, find the desired project and click Manage in the Actions column.
4. On the Role Permissions tab, click Create Project-level Role.
5. In the Create Role dialog box, set Role Type to Resource, configure the Role Name parameter, and then set Authorization Method to Policy.
  Enter the following policy document:
```
{
    "Statement":[
        {
            "Action":[
                "odps:Drop"
            ],
            "Effect":"Deny",
            "Resource":[
                "acs:odps:*:projects/test_project_a/tables/tb_*"
            ]
        }
    ],
    "Version":"1"
}
```
6. On the Role Permissions tab, find the role that you created and click Manage Members in the Actions column. In the dialog box that appears, select RAM$Bob@aliyun.com:Tom from the Accounts to Be Added section, click the rightwards arrow to add the selected object to the Added Accounts section, and then click OK.

Example 2: Revoke the permissions that are granted by using the policy-based access control method based on the blacklist mechanism from a user

In this example, the Drop permission that is granted to the RAM user Tom in Example 1 is revoked.

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a; 
-- Revoke the role Worker from the RAM user Tom. 
revoke Worker from RAM$Bob@aliyun.com:Tom;
-- Query the permissions of the RAM user Tom. The RAM user Tom does not have the Drop permission. 
show grants for RAM$Bob@aliyun.com:Tom;

Example 3: Use a role to grant permissions to a user based on the whitelist mechanism

In this example, the Update permission is granted to the RAM user Tom to allow Tom to update tables whose names start with tb_ in the project test_project_a.

Use ACL-based commands to perform policy-based access control:

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a; 
-- Create a role named Worker. 
create role Worker; 
-- Add the RAM user Tom to the project as a member. 
add user RAM$Bob@aliyun.com:Tom;
-- Assign the role Worker to the RAM user Tom. 
grant Worker TO RAM$Bob@aliyun.com:Tom; 
-- Allow the role Worker to update tables whose names start with tb_ in the project test_project_a. 
grant Update on table tb_* to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Query the permissions of the RAM user Tom. 
show grants for RAM$Bob@aliyun.com:Tom; 
-- The following authorization result is returned. The result A indicates Allow. The RAM user Tom is allowed to update the tables whose names start with tb_ in the project. 
Authorization Type: Policy
[role/worker]
A       projects/test_project_a/tables/tb_*: Update

Perform policy-based access control in the MaxCompute console.
1. Log on to the MaxCompute console, and select a region in the top navigation bar.
2. In the left-side navigation pane, click Projects.
3. On the Projects page, find the desired project and click Manage in the Actions column.
4. On the Role Permissions tab, click Create Project-level Role.
5. In the Create Role dialog box, set Role Type to Resource, specify the Role Name parameter, and set Authorization Method to Policy.
  Enter the following policy document:
```
{
    "Statement":[
        {
            "Action":[
                "odps:Update"
            ],
            "Effect":"Allow",
            "Resource":[
                "acs:odps:*:projects/test_project_a/tables/tb_*"
            ]
        }
    ],
    "Version":"1"
}
```
6. On the Role Permissions tab, find the role that you created and click Manage Members in the Actions column. In the dialog box that appears, select RAM$Bob@aliyun.com:Tom from the Accounts to Be Added section, click the rightwards arrow to add the selected object to the Added Accounts section, and then click OK.

Example 4: Revoke the permissions that are granted by using the policy-based access control method based on the whitelist mechanism from a user

In this example, the Update permission that is granted to the RAM user Tom in Example 3 is revoked.

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a; 
-- Revoke the role Worker from the RAM user Tom. 
revoke Worker from RAM$Bob@aliyun.com:Tom;
-- Query the permissions of the RAM user Tom. The RAM user Tom does not have the Update permission. 
show grants for RAM$Bob@aliyun.com:Tom;

Example 5: Grant finer-grained permissions to a user that is assigned a built-in role

In this example, the RAM user Allen is denied from dropping any table from the project test_project_a.

Use ACL-based commands to perform policy-based access control:

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a; 
-- Create a role named Worker. 
create role Worker; 
-- Assign the role Worker to the RAM user Allen. 
grant Worker TO RAM$Bob@aliyun.com:Allen; 
-- Deny the role Worker from dropping any table from the project test_project_a. 
grant Drop on table * to ROLE Worker privilegeproperties("policy" = "true", "allow"="false");
-- Query the permissions of the RAM user Allen. 
show grants for RAM$Bob@aliyun.com:Allen; 
-- The following authorization result is returned. The RAM user Allen is denied from dropping any table from the project. 
[roles]
role_project_admin, worker

Authorization Type: Policy
[role/role_project_admin]
A       projects/test_project_a: *
A       projects/test_project_a/instances/*: *
A       projects/test_project_a/jobs/*: *
A       projects/test_project_a/offlinemodels/*: *
A       projects/test_project_a/packages/*: *
A       projects/test_project_a/registration/functions/*: *
A       projects/test_project_a/resources/*: *
A       projects/test_project_a/tables/*: *
A       projects/test_project_a/volumes/*: *

[role/worker]
A       projects/test_project_a/tables/tb_*: Update
D       projects/test_project_a/tables/*: Drop
-- A in AG indicates Allow. G in AG indicates With Grant Option, which authorizes the account to grant permissions on objects.
Authorization Type: ObjectCreator
AG      projects/test_project_a/tables/local_test: All
AG      projects/test_project_a/tables/mr_multiinout_out1: All
AG      projects/test_project_a/tables/mr_multiinout_out2: All
AG      projects/test_project_a/tables/ramtest: All
AG      projects/test_project_a/tables/wc_in: All
AG      projects/test_project_a/tables/wc_in1: All
AG      projects/test_project_a/tables/wc_in2: All
AG      projects/test_project_a/tables/wc_out: All

Perform policy-based access control in the MaxCompute console.
1. Log on to the MaxCompute console, and select a region in the top navigation bar.
2. In the left-side navigation pane, click Projects.
3. On the Projects page, find the desired project and click Manage in the Actions column.
4. On the Role Permissions tab, click Create Project-level Role.
5. In the Create Role dialog box, set Role Type to Resource, specify the Role Name parameter, and set Authorization Method to Policy.
  Enter the following policy document:
```
{
    "Statement":[
        {
            "Action":[
                "odps:Drop"
            ],
            "Effect":"Deny",
            "Resource":[
                "acs:odps:*:projects/test_project_a/tables/*"
            ]
        }
    ],
    "Version":"1"
}
```
6. On the Role Permissions tab, find the role that you created and click Manage Members in the Actions column. In the dialog box that appears, select RAM$Bob@aliyun.com:Allen from the Accounts to Be Added section, click the rightwards arrow to add the selected object to the Added Accounts section, and then click OK.

Example 6: Revoke permissions from a user that is assigned a built-in role

In this example, the Drop permission that is granted to the RAM user Allen in Example 5 is revoked. Sample statements:

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a; 
-- Revoke the role Worker from the RAM user Allen. 
revoke Worker from RAM$Bob@aliyun.com:Allen;
-- Query the permissions of the RAM user Allen. The RAM user Allen does not have the Drop permission. 
show grants for RAM$Bob@aliyun.com:Allen;

Example 7: Assign a role to the RAM user Tom, and grant the permissions to query all tables to the role based on the whitelist mechanism.

Use ACL-based commands to perform policy-based access control:

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a;
-- Create a role named Worker. 
create role Worker;
-- Add the RAM user Tom to the project as a member. 
add user RAM$Bob@aliyun.com:Tom;
-- Assign the role Worker to the RAM user Tom. 
grant Worker TO RAM$Bob@aliyun.com:Tom;
-- Grant the permissions to query all tables in the project test_project_a to the role Worker. 
grant Describe,select on table * to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Query the authorization result. 
show grants for RAM$Bob@aliyun.com:Tom;
-- The following authorization result is returned. The result A indicates Allow. The RAM user Tom is allowed to query all tables in the project. 
Authorization Type: Policy
[role/worker]
A      projects/test_project_a/tables/*: Describe | Select

Perform policy-based access control in the MaxCompute console.
1. Log on to the MaxCompute console, and select a region in the top navigation bar.
2. In the left-side navigation pane, click Projects.
3. On the Projects page, find the desired project and click Manage in the Actions column.
4. On the Role Permissions tab, click Create Project-level Role.
5. In the Create Role dialog box, set Role Type to Resource, specify the Role Name parameter, and set Authorization Method to Policy.
  Enter the following policy document:
```
{
    "Statement":[
        {
            "Action":[
                "odps:Describe",
                "odps:Select"
            ],
            "Effect":"Allow",
            "Resource":[
                "acs:odps:*:projects/test_project_a/tables/*"
            ]
        }
    ],
    "Version":"1"
}
```
6. On the Role Permissions tab, find the role that you created and click Manage Members in the Actions column. In the dialog box that appears, select RAM$Bob@aliyun.com:Tom from the Accounts to Be Added section, click the rightwards arrow to add the selected object to the Added Accounts section, and then click OK.

What to do next

After you have a command of how the policy-based access control method works, you can perform the following operations based on your business requirements:

References

For more information about policy-based access control, see Authorization practices.
For more information about how to manage the permissions of users to which built-in roles are assigned in a fine-grained manner, see Policy-based permission management for users assigned built-in roles.
For more information about frequently asked questions related to permission management in MaxCompute, see FAQ about permission management.