To grant the same set of permissions to multiple users, use a role. A role is a set of permissions. Role-based authorization simplifies the authorization process and reduces authorization management costs. This topic describes the role types in MaxCompute and how to manage them.
Role types
MaxCompute has two types of roles: administrator and resource.
- Administrator role: You can grant administrative permissions to this role by using a policy, but not an access control list (ACL). You cannot grant resource-related permissions to this role.
- Resource role: You can grant resource-related permissions to this role by using a policy or an ACL. You cannot grant administrative permissions to this role.
Built-in roles
MaxCompute provides two built-in administrative roles, Super_Administrator and Admin, at both the project level and the tenant level.
| Role level | Role name | Role type | Description |
|---|---|---|---|
| Project level | Super_Administrator | Admin | A built-in administrative role in MaxCompute. This role grants permissions to operate on all resources and perform all administrative tasks within a project. For more information, see Permissions of project-level administrative roles. The project owner or a user with the |
| Project level | Admin | Admin | A built-in administrative role in MaxCompute. This role grants permissions to operate on all resources within a project and includes some basic administrative permissions. For more information, see Permissions of project-level administrative roles. The project owner can assign the |
| Tenant level | Super_Administrator | Admin | A built-in administrative role in MaxCompute. This role grants tenant-level permissions to manage users and roles and to assign built-in tenant-level administrative roles to other users. An Alibaba Cloud account or a user with the Super_Administrator role can assign the Super_Administrator role to other users. |
| Tenant level | Admin | Admin | A built-in administrative role in MaxCompute. This role grants tenant-level permissions for user and role management, but allows assigning only custom tenant-level roles to other users. An Alibaba Cloud account or a user with the Super_Administrator role can assign the Admin role to other users. |
At the project level, in addition to roles, the ProjectOwner (project owner) has all permissions for the project. Other users cannot access objects within the project unless authorized by the project owner.
Custom roles
MaxCompute lets you create custom administrator and resource roles. You can then assign these roles to users to group and manage them.
| Level | Name | Type | Description |
|---|---|---|---|
| Project level | Custom role | Admin, Resource | You can define this role as an administrator role to grant project control permissions, or as a resource role to grant permissions on object resources within a project. |
| Tenant level | Custom role | Resource | You can define it as a resource role to grant permissions on object resources such as quota, networklink, and project. |
Role management
This table lists the role management operations in MaxCompute.
| Role type | Actions | Description | Performed by | Platform |
|---|---|---|---|---|
| Project level | Create a project-level role | Creates a new project-level role. | A project owner or a user with a built-in project-level role in MaxCompute. | |
| Project level | List project-level roles | Lists all roles in the project. | A project owner or a user with a built-in project-level role in MaxCompute. | |
| Project level | Drop a project-level role | Deletes a role from a project. | A project owner or a user with a built-in project-level role in MaxCompute. | |
| Tenant level | Tenant-level role management | Create, read, update, or delete tenant-level custom roles. | An Alibaba Cloud account, or a user with the Super_Administrator or Admin role at the tenant level. | |
Project-level administrator permissions
This table lists the permissions for project-level administrator roles.
| Type | Object | Actions | Description | Project owner | Super_Administrator | Admin |
|---|---|---|---|---|---|---|
| project security configuration | project | SetSecurityConfiguration | Configure security settings for a project. | | | |
| project security configuration | project | GetSecurityConfiguration | View the security settings for a project. | | | |
| protected project management | project | AddTrustedProject | Add a protected project. | | | |
| protected project management | project | RemoveTrustedProject | Remove a protected project. | | | |
| protected project management | project | ListTrustedProjects | List protected projects. | | | |
| user management | project | AddUser | Add a user. | | | |
| user management | project | RemoveUser | Remove a user. | | | |
| user management | project | ListUsers | List users. | | | |
| user management | project | ListUserRoles | View the roles assigned to a user. | | | |
| role management | project | CreateRole | Create a role. | | | |
| role management | project | DescribeRole | View the permissions of a role. | | | |
| role management | project | AlterRole | Modify the attributes of a role. | | | |
| role management | project | DropRole | Drop a role. | | | |
| role management | project | ListRoles | List roles. | | | |
| role authorization | role | GrantRole | Assign a role to a user. | | | |
| role authorization | role | RevokeRole | Revoke a role from a user. | | | |
| role authorization | role | ListRolePrincipals | List users assigned to a role. | | | |
| package management | project | CreatePackage | Create a package. | | | |
| package management | project | ShowPackages | View packages. | | | |
| package management | package | DescribePackage | View the details of a package. | | | |
| package management | package | DropPackage | Drop a package. | | | |
| package management | package | InstallPackage | Install a package. | | | |
| package management | package | UninstallPackage | Uninstall a package. | | | |
| package management | package | AllowInstallPackage | Allow other projects to install and use the package. | | | |
| package management | package | DisallowInstallPackage | Disallow other projects to install and use the package. | | | |
| package management | package | AddPackageResource | Add a resource to a package. | | | |
| package management | package | RemovePackageResource | Remove a resource from a package. | | | |
| label management | table | GrantLabel | Grant a label to a user or role. | | | |
| label management | table | RevokeLabel | Revoke a label from a user or role. | | | |
| label management | table | ShowLabelGrants | View the labels granted to a user or role. | | | |
| label management | table | SetDataLabel | Configure labels for a user or role. | | | |
| expired permission cleanup | project | ClearExpiredGrants | Clear expired grants. | | | |

In the Project owner, Super_Administrator, and Admin columns, an icon indicates whether the permission is granted to that role or not; those icons are not preserved in this text version of the table.
Create a project-level role
Create a new role in a MaxCompute project.
After you create a role, you must assign it to a user. The user then gains all permissions granted to the role. For more information, see Assign a role to a user.
Syntax

create role <role_name> [privilegeproperties("type"="admin|resource")];

Parameters

| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role. The name must be unique within the project and meet the following requirements: start with a letter; can contain only letters and digits; must not exceed 64 characters. You can run the list roles; command on the MaxCompute client to view existing roles. |
| privilegeproperties | No | The type of the role. "type"="admin": Creates an administrator role. You can grant permissions to this role only by using a policy. "type"="resource": Creates a resource role. This is the default type if you do not specify this parameter. You can grant permissions to this role by using access control lists (ACLs) or policies. |

Examples

- The following command creates a resource role named Worker.

  create role Worker;

- The following command creates an administrator role named sale_admin.

  create role sale_admin privilegeproperties("type"="admin");
List project-level roles
Lists the roles created in a MaxCompute project.
Syntax

list roles;

Examples

The following example lists the roles in a MaxCompute project.

list roles;

The command returns the following output:

admin
super_administrator
worker
Drop a project-level role
Drops a user-created role from a MaxCompute project.
Syntax

drop role <role_name>;

Usage notes

You cannot drop a role that is assigned to one or more users. You must first revoke the role from all assigned users. For more information, see Revoke a role from a user.

Parameters

| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the role to drop. Run the list roles; command on the MaxCompute client to view existing roles. |

Example

Drop the Worker role.

drop role Worker;
Purge permissions
When you drop a role from a MaxCompute project, its associated permissions, such as ACLs, policies, and labels, remain in the project. If you later create a new role with the same name, the new role inherits these orphaned permissions. To prevent this, MaxCompute lets you purge the permissions of a dropped role. The project owner or a user with the Admin or Super_Administrator role can run the following command to purge these permissions.
Syntax

purge privs from role <role_name>;

Parameters

| Parameter | Required | Description |
|---|---|---|
| role_name | Yes | The name of the dropped role whose permissions you want to purge. You can run the list roles; command in the MaxCompute client to view existing roles. |

Note: Ensure the role is dropped before you purge its permissions. If the role still exists, the command fails and returns the error "Principal <role_name> still exist in the project".
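To make the orphaned-grant behaviour concrete, the following is an added Python simulation of a project's role table; it is not MaxCompute code and not from this page. It models the three rules above: a drop fails while users are still assigned, a purge fails while the role still exists, and a role recreated under the same name inherits whatever grants were not purged. The role name, user and grant string are constructed.

```python
# Minimal model of how a MaxCompute project keeps a dropped role's grants around.
# Constructed simulation for illustration only, not MaxCompute's own code.
class ProjectModel:
    def __init__(self) -> None:
        self.roles: set[str] = set()               # live roles, what `list roles;` shows
        self.grants: dict[str, set[str]] = {}      # role -> ACL/policy/label grants (survive a drop)
        self.principals: dict[str, set[str]] = {}  # role -> users the role is assigned to

    def create_role(self, name: str) -> list[str]:
        key = name.lower()  # the page lists `Worker` back as `worker`: compare case-insensitively
        if key in self.roles:
            raise RuntimeError(f"role {name} already exists")
        self.roles.add(key)
        self.principals.setdefault(key, set())
        # setdefault keeps grants left behind by an earlier role of the same name: the inheritance the page warns about
        return sorted(self.grants.setdefault(key, set()))

    def grant(self, role: str, privilege: str) -> None:
        self.grants[role.lower()].add(privilege)

    def assign(self, role: str, user: str) -> None:
        self.principals[role.lower()].add(user)

    def revoke_role(self, role: str, user: str) -> None:
        self.principals[role.lower()].discard(user)

    def drop_role(self, name: str) -> None:
        key = name.lower()
        if self.principals.get(key):
            raise RuntimeError(f"role {name} is still assigned to {sorted(self.principals[key])}")
        self.roles.remove(key)  # grants are deliberately left in place, as in MaxCompute

    def purge_privs(self, name: str) -> None:
        key = name.lower()
        if key in self.roles:   # the error text the page documents for a live role
            raise RuntimeError(f"Principal {name} still exist in the project")
        self.grants.pop(key, None)

def recreate_worker(purge: bool) -> list[str]:
    """Drop and recreate `Worker`; return the grants the recreated role starts with."""
    p = ProjectModel()
    p.create_role("Worker")
    p.grant("Worker", "ACL: Select on table sales")  # constructed grant
    p.assign("Worker", "alice")
    p.revoke_role("Worker", "alice")                 # a drop requires no assigned users
    p.drop_role("Worker")
    if purge:
        p.purge_privs("Worker")
    return p.create_role("Worker")
```

Calling recreate_worker(False) shows the recreated role still holding the old grant; recreate_worker(True) shows it starting empty.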
Tenant-level role management
To create a tenant-level role in the MaxCompute console, follow these steps:
- Log on to the MaxCompute console, and select a region in the upper-left corner.
- In the left-side navigation pane, click Tenants.
- On the Tenants page, click Roles.
- On the Roles tab, you can perform the following operations.
  - Create a tenant-level role. Click Add Role. In the Add Role dialog box, configure the parameters described in the following table.

    | Parameter | Description |
    |---|---|
    | role name | Enter a name for the new tenant-level role. The name must be unique within your Alibaba Cloud account and meet the following requirements: must start with a letter; can contain only letters, underscores (_), and digits; must be 6 to 64 characters in length. |
    | policy content | The permission policy for the role. You can use a policy template as a starting point and edit the code in the console. |

    Click OK. The new role then appears in the role list. For more information about how to grant permissions to a role, see Grant permissions to a tenant-level role.
  - Manage a tenant-level role. In the Actions column of the target role, click Delete or Manage Permissions.
- On the Tenants > Users page, you can add sub-accounts of the current primary account as users and grant them tenant-level roles.
Next steps
- After planning roles, you can configure authorization. For more information, see Project-level role authorization.
- After creating a role, you must assign it to a user. This grants the user the role's permissions. For more information, see Assign a role to a user.