A role is a set of defined access permissions. It can be used to grant the same set of permissions to a group of users. Role-based authorization greatly simplifies the authorization process and reduces authorization management costs. We recommend that you consider whether to use role-based authorization before you grant permissions to users.

When you create a project, the system automatically creates an Admin role for the project. This role is granted the permissions to access all objects in the project, manage users and roles, and authorize users and roles.

The Admin role cannot grant its Admin permissions to users, set security policies for the project, modify the authentication model of the project, or modify the Admin permissions. Only the project owner can perform these operations.

MaxCompute roles have a one-to-one mapping with the member roles in DataWorks. For more information about the member roles in DataWorks and their permissions, see Manage workspace members.

Create a role

CREATE ROLE <roleName>;


Run the following command to create a role named player:
create role player;
Note: You can view the permissions of a specific role. For more information, see View permissions of a specified user.

Authorize a role

After you authorize a role, all users assigned this role are granted the same permissions. The method to authorize roles is similar to that used to authorize users. For more information, see Authorize users.


Jack is the administrator of the prj1 project. Users Alice, Bob, and Charlie need to be added to the project as data reviewers. Data reviewers require permissions to view table lists, submit jobs, and read data from the userprofile table.

The administrator can execute the following statements to add the users and grant them the required permissions:
-- Access the prj1 project.
use prj1;
-- Add users Alice, Bob, and Charlie to the project.
add user aliyun$alice@aliyun.com; 
add user aliyun$bob@aliyun.com;
add user aliyun$charlie@aliyun.com;
-- Create a role named tableviewer.
create role tableviewer;
-- Grant the required permissions to the role. 
grant List, CreateInstance on project prj1 to role tableviewer; 
grant Describe, Select on table userprofile to role tableviewer;
-- Assign the role to the added users.
grant tableviewer to aliyun$alice@aliyun.com; 
grant tableviewer to aliyun$bob@aliyun.com;
grant tableviewer to aliyun$charlie@aliyun.com;

Assign a role to a user

One user can have multiple roles, and multiple users can belong to the same role.

GRANT <roleName> TO <full_username>;


Run the following command to assign the player role to bob@aliyun.com:
grant player to bob@aliyun.com;

Revoke a role from a user

REVOKE <roleName> FROM <full_username>;


Run the following command to revoke the player role from bob@aliyun.com:
revoke player from bob@aliyun.com;

Delete a role

DROP ROLE <roleName>;


Run the following command to delete the player role:
drop role player;
Note: When you delete a role, MaxCompute checks whether the role is assigned to users. If the role is assigned to users, it cannot be deleted. To delete the role, you must first revoke the role from the users.
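
The following added example is not part of the original documentation. It continues the prj1 scenario from the authorization example and shows how to remove one reviewer and then retire the tableviewer role in the order the note above requires. The describe role command is a MaxCompute command that does not appear on this page.

```sql
-- Constructed continuation of the prj1 / tableviewer example above.
use prj1;

-- Review what the role currently allows before changing anything.
-- (describe role is a MaxCompute command that is not shown on this page.)
describe role tableviewer;

-- Case 1: Charlie stops being a data reviewer. Revoke only his assignment;
-- Alice and Bob keep the role and its permissions.
revoke tableviewer from aliyun$charlie@aliyun.com;

-- Case 2: the data reviewer function is retired entirely.
-- drop role is rejected while any user still holds the role, so revoke
-- every remaining assignment first.
revoke tableviewer from aliyun$alice@aliyun.com;
revoke tableviewer from aliyun$bob@aliyun.com;

-- No user holds tableviewer now, so the role can be deleted.
drop role tableviewer;
```

Permissions that were granted directly to a user, rather than through the role, are not affected by these statements and must be revoked separately.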