This topic describes how to manage permissions by row. This can allow you to enable specific users to only view specific data.

Example scenario

Project A has a table named table_order. This table contains information about the transaction orders of all merchants. Each merchant can view only their own transaction orders.


The table_order table contains merchant IDs, based on which the system can filter transaction orders. To enable each merchant to view their own transaction orders, the system must be able to manage permissions on the row level. MaxCompute provides the following two solutions to row-level permission management:
  • Solution 1: Create an independent downstream table for each merchant in the table_order table and grant the permissions for the independent table to the corresponding merchant. In this solution, duplicate data may be stored. Therefore, when the table_order table is updated, its downstream tables must also be updated to ensure data consistency.
  • Solution 2: Create an independent downstream view for each merchant in the table_order table and grant the permissions for the view to the corresponding merchant.The second solution is superior to the first solution in the regard that it does not incur duplicate data, therefore we recommend that you use the second solution.
To use the second solution, take these steps:
  1. Create a view for each merchant in project A.
    CREATE VIEW <viewname> as select * from table_order WHERE sellerid='xxxx';
  2. Create a package for each view in Project A and share the resources in this package to grant the merchant the viewing permissions for these resources.
    create package <packagename>;
    add table <viewname> to package <packagename>;
    allow project <Projectname_seller> to install package <packagename>;
  3. Allow each merchant to be able to use their view.
    --All commands are run the project for the merchant.
    install package <ProjectA>.<packagename>;
    grant read on package <ProjectA>.<packagename> to user <username>;--The username is the account that requests to query a view in the project.
Note You can also grant the select and describe permissions for a view to the corresponding merchant by using an ACL as follows:
grant select,describe on table <viewname> to user <username>;