All Products
Search
Document Center

MaxCompute:Manage user permissions by using commands

最終更新日:Oct 17, 2023

After you add a user to a MaxCompute project, you must grant the required permissions to the user. This way, the user can perform operations in the project. MaxCompute allows you to directly grant permissions to a user or grant permissions to a user by assigning a role to the user. This topic describes how to grant permissions to a user and provides examples.

Grant permissions to a user by assigning a project-level role to the user

We recommend that you assign a project-level custom role or built-in administrator role to a user. After you assign a role to a user, the user has the same permissions as the role. This helps you modify or remove permissions for multiple users at a time.

Note

Assign a project-level role to a user

After you assign a project-level built-in role or custom role to a user, the user is granted the permissions of the role.

  • Syntax

    grant <role_name> to <user_name>;
  • Precautions

    Multiple users can be assigned the same project-level role, and a user can be assigned multiple project-level roles.

  • Parameters

    Parameter

    Required

    Description

    role_name

    Yes

    The name of the role that you want to assign to the user.

    You can run the list roles; command on the MaxCompute client to query the name of the role.

    user_name

    Yes

    The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

    You can run the list users; command on the MaxCompute client to query the name of the user.

  • Examples

    Assign the project-level role Worker to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788, the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649, and the RAM role RAM$5527xxxxxxxx5788:role/ram_role.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Assign the project-level role Worker to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788. 
    grant Worker to ALIYUN$5527xxxxxxxx5788;
    -- Assign the project-level role Worker to the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649. 
    grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    -- Assign the project-level role Worker to the RAM role `RAM$5527xxxxxxxx5788:role/ram_role`. 
    grant Worker to `RAM$5527xxxxxxxx5788:role/ram_role`;

Revoke the project-level role that is assigned to a user from the user

After you revoke a role from a user, the user no longer has the permissions of the role.

  • Syntax

    revoke <role_name> from <user_name>;
  • Parameters

    Parameter

    Required

    Description

    role_name

    Yes

    The name of the role that you want to revoke from the user.

    You can run the list roles; command on the MaxCompute client to query the name of the role.

    user_name

    Yes

    The name of the user from which you want to revoke the role. The name of the user can be in one of the following formats:

    You can run the list users; command on the MaxCompute client to query the name of the user.

  • Examples

    Revoke the project-level role Worker from the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788, the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649, and the RAM role RAM$5527xxxxxxxx5788:role/ram_role.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the project-level role Worker from the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788. 
    revoke Worker from ALIYUN$5527xxxxxxxx5788;
    -- Revoke the project-level role Worker from the RAM user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649. 
    revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    -- Revoke the project-level role Worker from the RAM role `RAM$5527xxxxxxxx5788:role/ram_role`. 
    revoke Worker from `RAM$5527xxxxxxxx5788:role/ram_role`;

Common authorization scenarios

Scenario

Method

Authorized by

Operation platform

Grant the operation permissions on an object to a user by assigning a role to the user

Grant permissions to a role by using ACL-based access control or policy-based access control and then assign the role to the user.

For more information, see the content of the Authorized by column in the Permission list section of Permissions on projects and objects in projects.

Revoke the operation permissions on an object from a user that is assigned a specific role

Grant the Download permission to a user by assigning a role to the user

Grant permissions to a role by using download control and then assign the role to the user.

Revoke the Download permission that is granted by assigning a role to the user

Grant the permissions to access highly sensitive data to a user by assigning a role to the user

Grant permissions to a role by using label-based access control and then assign the role to the user.

Revoke the permissions to access highly sensitive data from a user by assigning a role to the user

Grant the operation permissions on an object to a user by assigning a role to the user

You can grant a role the permissions by using ACL-based access control or policy-based access control and then assign the role to multiple users.

For more information about how to grant permissions to a role, see Grant the operation permissions on an object to a role.

For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. To grant the RAM users the permissions to create a table, a function, and an instance and query the list of all types of objects in the project, run the following commands:

-- Go to the test_project_a project. 
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project. 
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
-- Create a role named Worker. 
create role Worker;
-- Grant the Worker role the required permissions. 
   -- Method 1: Grant the Worker role the permissions by using ACL-based access control. 
grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to ROLE Worker;
   -- Method 2: Grant the Worker role the permissions by using policy-based access control. 
grant CreateTable, CreateFunction, CreateInstance, List 
      on project test_project_a  
      to ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
-- Assign the Worker role to the RAM users. 
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Revoke the operation permissions on an object from a user that is assigned a specific role

You can revoke the permissions from a user in one of the following ways:

  • Revoke the permissions from a role

    All users that are assigned the role no longer have the permissions of this role.

  • Revoke the role that is assigned to a user from the user

    Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.

For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. You have granted the RAM users the permissions to create a table, a function, and an instance and query the list of all types of objects in the project by assigning the Worker role to the RAM users. To revoke the operation permissions from the RAM users, you can use the following methods:

  • Method 1: Revoke the permissions from the Worker role.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the CreateTable, CreateFunction, CreateInstance, and List permissions on the project. 
       -- Revoke permissions that are granted by using ACL-based access control. 
    revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from ROLE Worker;
       -- Revoke permissions that are granted by using policy-based access control. 
    revoke CreateTable, CreateFunction, CreateInstance, List 
          on project test_project_a  
          from ROLE Worker privilegeproperties("policy" = "true", "allow"="true");
  • Method 2: Revoke the Worker role that is assigned to the RAM user Allen.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the CreateTable, CreateFunction, CreateInstance, and List permissions on the project. 
    revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Grant the Download permission to a user by assigning a role to the user

Grant a role the Download permission by using the download control mechanism and then assign the role to a user.

For more information about how to grant the Download permission to a role, see Grant the Download permission to a role.

For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. To grant the RAM users Allen, Alice, and Tom the permissions to download data from a specified table, run the following commands:

-- Go to the test_project_a project by using the Alibaba Cloud account Bob@aliyun.com. 
use test_project_a;
-- Add the RAM users Allen, Alice, and Tom to the test_project_a project. 
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
-- Create a role named Worker. 
create role Worker;
-- Grant the Worker role the required permissions. 
grant download on table sale_detail to ROLE Worker;
-- Assign the Worker role to the RAM users. 
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Revoke the Download permission that is granted by assigning a role to a user

You can revoke the permissions from a user in one of the following ways:

  • Revoke the permissions from a role

    All users that are assigned the role no longer have the permissions of this role.

  • Revoke the role that is assigned to a user from the user

    Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.

For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. You have granted the RAM users the permissions to download all table data by assigning the Worker role to the RAM users. To revoke the Download permission from the RAM users, you can use one of the following methods:

  • Method 1: Revoke the permissions from the Worker role.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom no longer have the Download permission. 
    revoke Download on table sale_detail from ROLE Worker;
  • Method 2: Revoke the Worker role that is assigned to the RAM user Allen.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, only the RAM user Allen no longer has the Download permission. 
    revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Grant the permissions to access highly sensitive data to a user by assigning a role to the user

Grant the permissions to a role by using label-based access control or policy-based access control and then assign the role to multiple users.

For more information about how to grant permissions to a role, see Grant the access permissions on data that has a high sensitivity level to a role.

For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. The data access level of the RAM users Allen, Alice, and Tom is 2. To grant the permissions to access data whose sensitivity level is 4 in the destination table in the project to the RAM users, run the following commands:

-- Go to the test_project_a project. 
use test_project_a;
-- Create a role named Worker. 
create role Worker;
-- Grant the Worker role the required permissions. 
grant Label 4 on table <table_name> to ROLE Worker;  -- table_name is the name of the destination table.
-- Assign the Worker role to the RAM users. 
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
grant Worker to RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;

Revoke the permissions to access highly sensitive data from a user by assigning a role to the user

You can revoke the permissions from a user in one of the following ways:

  • Revoke the permissions from a role

    All users that are assigned the role no longer have the permissions of this role.

  • Revoke the role that is assigned to a user from the user

    Only the user from which you revoked the role no longer has the permissions of this role. The permissions of other users that are assigned the role are not affected.

For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. You have granted the RAM users the permissions to access data whose sensitivity level is 4 in all tables in the project. To revoke the permissions to access highly sensitive data from a user, you can use one of the following methods:

  • Method 1: Revoke the permissions from the Worker role.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the permissions from the Worker role. In this case, the RAM users Allen, Alice, and Tom can access only data whose sensitivity level is 2. 
    revoke Label 4 on table * from ROLE Worker;
  • Method 2: Revoke the Worker role that is assigned to the RAM user Allen.

    -- Go to the test_project_a project. 
    use test_project_a;
    -- Revoke the Worker role that is assigned to the RAM user Allen. In this case, the RAM user Allen can access only data whose sensitivity level is 2 and the RAM users Alice and Tom can still access data whose sensitivity level is 4. 
    revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Directly grant permissions to a user

MaxCompute allows you to directly grant permissions to a user. The following table describes the common authorization scenarios.

Note

Scenario

Method

Authorized by

Operation platform

Grant the operation permissions on an object to a user

ACL-based access control

For more information, see the content of the Authorized by column in the Permission list section of Permissions on projects and objects in projects.

Revoke the operation permissions on an object from a user

Grant the Download permission to a user

Download control

Revoke the Download permission from a user

Grant the permissions to access highly sensitive data to a user

Label-based access control

Revoke the permissions to access highly sensitive data from a user

Grant the operation permissions on an object to a user

Grant a user the operation permissions on a project, a table, a resource, a function, or an instance by using ACL-based access control.

  • Grant permissions on a specified project to a user

    • Syntax

      grant Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
            on project <project_name> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Parameters

      Parameter

      Required

      Description

      project_name

      Yes

      The name of the project. To view the name of a MaxCompute project, log on to the MaxCompute console. In the top navigation bar, select a region. Then, view the name of the MaxCompute project on the Project management tab.

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Grant permissions on a table to a user

    • Syntax

      grant Describe|Select|Alter|Update|Drop|ShowHistory|All 
            on table <table_name> [(<column_list>)] 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Parameters

      Parameter

      Required

      Description

      table_name

      Yes

      The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the table or view name.

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Grant permissions on a resource to a user

    • Syntax

      grant Read|Write|Delete|All 
            on resource <resource_name> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Parameters

      Parameter

      Required

      Description

      resource_name

      Yes

      Resource name: You can run the list resources; command on the MaxCompute client to obtain the name of the resource.

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Grant permissions on a function to a user

    • Syntax

      grant Read|Write|Delete|Execute|All 
            on function <function_name> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Parameters

      Parameter

      Required

      Description

      function_name

      Yes

      The name of the function. You can run the list functions; command on the MaxCompute client to obtain the function name.

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Grant permissions on an instance to a user

    • Syntax

      grant Read|Write|All 
            on instance <instance_id> 
            to USER <user_name> [privilegeproperties("conditions" = "<conditions>", "expires"="<days>")];
    • Parameters

      Parameter

      Required

      Description

      instance_id

      Yes

      The ID of the instance. You can run the show instances; command on the MaxCompute client to obtain the ID of an instance.

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Examples

    For example, the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 is the owner of the test_project_a project. Users Allen, Alice, and Tom are RAM users that belong to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. RAM$5527xxxxxxxx5789:role/ram_role is the RAM role that belongs to the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. The Alibaba Cloud account ALIYUN$5527xxxxxxxx5788 needs to be added to the test_project_a project.

    • Example 1: Grant the Alibaba Cloud account Kate@aliyun.com the permissions to create a table, a function, and an instance and query the list of all types of objects in a project. Sample commands:

      -- Go to the test_project_a project by using the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789. 
      use test_project_a;
      -- Add the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788 to the test_project_a project. 
      add user ALIYUN$5527xxxxxxxx5788;
      -- Use the Alibaba Cloud account ALIYUN$5527xxxxxxxx5789 to grant the Alibaba Cloud account ALIYUN$5527xxxxxxxx5788 the required permissions on the project. 
      grant CreateTable, CreateFunction, CreateInstance, List on project test_project_a to user ALIYUN$5527xxxxxxxx5788;
    • Example 2: Grant the RAM user Allen and the RAM role BI_Analyst the permissions to create a table, query the list of all types of objects in a project, and read metadata and table data on a table. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Add the RAM user Allen to the test_project_a project. 
      add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649;
      -- Add the RAM role BI_Analyst to the test_project_a project. 
      add user `RAM$5527xxxxxxxx5789:role/ram_role`;
      -- Grant the RAM user Allen the required permissions. 
      grant CreateTable, List on project test_project_a to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649;
      grant Describe, Select on table sale_detail to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1649;
      -- Grant the RAM role RAM$5527xxxxxxxx5789:role/ram_role the required permissions. 
      grant CreateTable, List on project test_project_a to USER `RAM$5527xxxxxxxx5789:role/ram_role`;
      grant Describe, Select on table sale_detail to USER `RAM$5527xxxxxxxx5789:role/ram_role`;
    • Example 3: Grant the RAM user Alice the permissions to read data from a resource and update a resource. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Add the RAM user Alice to the test_project_a project. 
      add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1650;
      -- Grant the RAM user Alice the required permissions on a resource. 
      grant Read, Write on resource udtf.jar to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1650;
    • Example 4: Grant the RAM user Tom the permissions to read data from a function and update a function. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Add the RAM user Tom to the test_project_a project. 
      add user RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;
      -- Grant the RAM user Tom the required permissions on a function. 
      grant Read, Write on function udf_test to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;
    • Example 5: Grant the RAM user Tom all permissions on an instance. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Add the RAM user Tom to the test_project_a project. 
      add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
      -- Grant the RAM user Tom the required permissions on a function. 
      grant All on instance 202112300224**** to USER RAM$5527xxxxxxxx5789:2763xxxxxxxxxx1651;

Revoke the operation permissions on an object from a user

Revoke the operation permissions on a project, a table, a resource, a function, or an instance from a user.

  • Revoke permissions on a project from a user

    • Syntax

      revoke Read|Write|List|CreateTable|CreateInstance|CreateFunction|CreateResource|All 
            on project <project_name> 
            from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      project_name

      Yes

      The name of the project. To view the name of a MaxCompute project, log on to the MaxCompute console. In the top navigation bar, select a region. Then, view the name of the MaxCompute project on the Project management tab.

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Revoke permissions on a table from a user

    • Syntax

      revoke Describe|Select|Alter|Update|Drop|ShowHistory|All 
            on table <table_name> [(<column_list>)] 
            from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      table_name

      Yes

      The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the table or view name.

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Revoke permissions on a resource from a user

    • Syntax

      revoke Read|Write|Delete|All 
            on resource <resource_name> 
            from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      resource_name

      Yes

      The name of the resource. You can run the list resources; command on the MaxCompute client to obtain the name of the resource.

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Revoke permissions on a specified function from a user

    • Syntax

      revoke Read|Write|Delete|Execute|All 
            on function <function_name> 
            from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      function_name

      Yes

      The name of the function. You can run the list functions; command on the MaxCompute client to obtain the function name.

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Revoke permissions on an instance from a user

    • Syntax

      revoke Read|Write|All 
            on instance <instance_id> 
            from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      instance_id

      Yes

      The ID of the instance. You can run the show instances; command on the MaxCompute client to obtain the ID of an instance.

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      privilegeproperties

      conditions

      No

      The conditions used for the permissions, such as the source of a request message and the access method. Configure this parameter in the "<var_name> <Operation> Constant" and "<var_name> <Operation> Constant" and ... format. For more information about the valid values of the var_name and Operation parameters, see Conditions.

      days

      No

      The duration in which permissions are valid. Unit: days. If you do not configure this parameter, permissions are permanently valid. If you configure this parameter, MaxCompute clears information about the permissions after the duration specified by this parameter elapses.

  • Examples

    Revoke the operation permissions on an object from an Alibaba Cloud account and RAM users. Sample commands:

    • Example 1: Revoke the permissions to create a table, a function, and an instance and query the list of all types of objects in a project from the Alibaba Cloud account Kate@aliyun.com. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions on the project from the Alibaba Cloud account Kate@aliyun.com. 
      revoke CreateTable, CreateFunction, CreateInstance, List on project test_project_a from user ALIYUN$5527xxxxxxxx5788;
    • Example 2: Revoke the permissions to read metadata and table data on a table from the RAM user Allen. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions on the table from the RAM user Allen. 
      revoke Describe, Select on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
    • Example 3: Revoke the permissions to read data from a resource and update a resource from the RAM user Alice. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions on the resource from the RAM user Alice. 
      revoke Read, Write on resource udtf.jar from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1650;
    • Example 4: Revoke the permissions to read data from a function and update a function from the RAM user Tom. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions on the instance from the RAM user Tom. 
      revoke Read, Write on function udf_test from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
    • Example 5: Revoke all permissions on an instance from the RAM user Tom. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions on the instance from the RAM user Tom. 
      revoke All on instance 202112300224**** from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1651;
  • Grant the Download permission to a user

    Grant a user the permissions to download table data, resources, functions, or instances.

    • Syntax

      grant Download on {Table|Resource|Function|Instance} <object_name> to USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      object_name

      Yes

      The name of the object whose permissions are granted. You can obtain the object name by using one of the following methods:

      • The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the table or view name.

      • The name of the resource. You can run the list resources; command on the MaxCompute client to obtain the name of the resource.

      • The name of the function. You can run the list functions; command on the MaxCompute client to obtain the function name.

      • The name of the instance. You can run the show instances; command on the MaxCompute client to obtain the ID of an instance. Instance names are the same as instance IDs in MaxCompute.

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

    • Examples

      Download control is enabled for the test_project_a project. To grant the RAM user Allen the permissions to download data from a specified table, run the following commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Grant the Download permission to the RAM user Allen. 
      grant Download on table sale_detail to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
  • Revoke the Download permission from a user

    Revoke the permissions to download table data, resources, functions, or instances from a user.

    • Syntax

      revoke Download on {Table|Resource|Function|Instance} <object_name> from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      object_name

      Yes

      The name of the object on which the permissions you want to revoke from a user. You can obtain the object name by using one of the following methods:

      • The name of the table or view. You can run the show tables; command on the MaxCompute client to obtain the table or view name.

      • The name of the resource. You can run the list resources; command on the MaxCompute client to obtain the name of the resource.

      • The name of the function. You can run the list functions; command on the MaxCompute client to obtain the function name.

      • The name of the instance. You can run the show instances; command on the MaxCompute client to obtain the ID of an instance. Instance names are the same as instance IDs in MaxCompute.

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

    • Examples

      Revoke the permissions to download data from a specified table from the RAM user Allen. Sample commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions on the table from the RAM user Allen. 
      revoke Download on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
  • Grant the permissions to access highly sensitive data to a user

    Grant the permissions to access highly sensitive data to a user by using label-based access control.

    • Syntax

      grant Label <number> on table <table_name> [(<column_list>)] to USER <user_name> [with exp <days>];
    • Parameters

      Parameter

      Required

      Description

      number

      Yes

      The highest sensitivity level of data that the users or roles can access.

      The valid values range from 0 to 9 and correspond to sensitivity-level labels of data.

      table_name

      Yes

      The name of the table or view.

      You can run the show tables; command on the MaxCompute client to obtain the name of the table or view.

      column_list

      No

      This parameter is required if you want to grant or revoke the permissions on a specific column in the table or view. You can specify multiple column names for a single authorization operation. Separate column names with commas (,).

      user_name

      Yes

      The name of the user to which you want to assign the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

      days

      No

      The duration in which permissions are valid. Unit: days. Valid values: 0 to 263 - 1. If you do not specify this parameter, the default expiration time is 180 days.

    • Examples

      The data access level of the RAM user Allen is 2 in the test_project_a project. To grant the permissions to access data whose sensitivity level is 4 in the sale_detail table to the RAM user Allen, run the following commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Grant the RAM user Allen the required permissions. 
      grant Label 4 on table sale_detail to USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
  • Revoke the permissions to access highly sensitive data from a user

    • Syntax

      revoke Label <number> on table <table_name> [(<column_list>)] from USER <user_name>;
    • Parameters

      Parameter

      Required

      Description

      number

      Yes

      The highest sensitivity level of data on which the access permissions you want to revoke from the users or roles.

      The valid values range from 0 to 9 and correspond to sensitivity-level labels of data.

      table_name

      Yes

      The name of the table or view on which the access permissions you want to revoke from the user.

      You can run the show tables; command on the MaxCompute client to obtain the name of the table or view.

      column_list

      No

      This parameter is required if you want to revoke the access permissions on a specified column in the table or view from a user or role. You can specify multiple column names for a single authorization operation. Separate column names with commas (,).

      user_name

      Yes

      The name of the user from which you want to revoke the role. The user is added to the MaxCompute project. The name of the user can be in one of the following formats:

      You can run the list users; command on the MaxCompute client to query the name of the user.

    • Examples

      To revoke the permissions to access data whose sensitivity level is 4 in the sale_detail table from the RAM user Allen, run the following commands:

      -- Go to the test_project_a project. 
      use test_project_a;
      -- Revoke the permissions from the RAM user Allen. 
      revoke Label 4 on table sale_detail from USER RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Completely clear the residual permission information of a removed user

After a user is removed from a project, the permissions, such as ACL-based, label-based, and policy-based permissions, are retained in the project. If the removed user is added back to the project again, the user will have the original ACL-based, label-based, and policy-based permissions. If the user is removed by mistake and added back to the project, the user still has the original permissions. However, if the user is added back to the original project with a different role, the potential risk of data security may occur.

To prevent the potential risk, MaxCompute allows you to clear all permissions that are granted to a user. If a user is no longer in the project but still has ACL-based, label-based, and policy-based permissions, the project owner or a user that is assigned the Admin or Super_Administrator role can clear the residual permission information of the removed user. Sample command:

  • Syntax

purge privs from user <user_name>;
  • Parameters

    Parameter

    Required

    Description

    user_name

    Yes

    The name of the user of which you want to completely delete the residual permission information. The user is removed from the MaxCompute project. The name of the user can be in one of the following formats:

Note

If the user is not removed from the project and you run the preceding command, the error message "Principal <username> still exist in the project" is returned. Therefore, you need to run the remove user <user_name> command to remove the user from the project before you completely clear the residual permission information of the user.

What to do next

After user authorization is complete, you can query permissions that are granted to users. For more information, see Query permissions.