MaxCompute: Permissions

Last Updated: May 31, 2023

To ensure the security of data in a MaxCompute project, the project owner or users with the authorization capability must manage the permissions of members in the project. This topic describes the permission management system of MaxCompute.

Permission management system

Principals

MaxCompute supports the following principals:

  • Users: include Alibaba Cloud accounts, RAM users, and RAM roles. MaxCompute allows you to manage users. For example, you can add, delete, and query users. For more information about how to manage users, see User planning and management.

  • Roles: MaxCompute has built-in administrator roles and supports custom roles. MaxCompute allows you to manage custom roles. For example, you can add, delete, and query custom roles. For more information about how to manage roles, see Role planning.

Objects

MaxCompute supports fine-grained access control on projects, tables, resources, functions, and instances. You can manage user permissions on the objects in a fine-grained manner based on the authorization solutions that are provided by MaxCompute. For more information about the permissions on each object, see MaxCompute permissions.

Access control

MaxCompute provides the following authorization solutions to meet different authorization requirements:

  • ACL-based access control: grants a user or role the operation permissions on projects, tables, resources, functions, or instances.

  • Policy-based access control: grants a role the operation permissions on projects, tables, resources, functions, or instances. After the role is assigned to a user, the user is granted the related permissions.

  • Download control: grants a user or role the permissions to download tables, functions, or resources.

  • Label-based access control: provides access control on sensitive data. Users or roles can access data based on their access levels. If users or roles want to access data with high sensitivity levels, you must perform label-based access control for these users or roles.

  • Cross-project resource access based on packages: allows you to package the resources of a project and then allows other projects that want to access the resources to install the package. This solution is suitable for scenarios in which cross-project resource access is required.

Role-based authorization

If you want to grant the same operation permissions to multiple users, you can grant the permissions to the users based on a role. This simplifies authorization operations. For more information about role-based authorization, see Perform access control based on project-level roles.

User authorization

You can grant permissions to users by using one of the following methods:

  • Direct authorization: allows you to separately grant operation permissions to specific users.

  • Role-based authorization: allows you to grant the same operation permissions to multiple users.

For more information about user authorization, see Manage user permissions by using commands.

Permission information acquisition

You can query the permission information of project personnel to check whether the granted permissions take effect. For more information about how to query permission information, see Check permissions.

DataWorks also has a permission system. If you use DataWorks to maintain a MaxCompute project, you can use the user and role management capabilities that are provided by DataWorks to manage user permissions by assigning roles to the users. For more information about the permission relationships between DataWorks and MaxCompute, see Permission relationships between MaxCompute and DataWorks.

Authentication process

When MaxCompute users perform operations on different types of MaxCompute objects, the users must be authenticated. Resource owners (Alibaba Cloud accounts) have the highest permissions and can perform all operations on MaxCompute objects. Resource owners can also grant management permissions to RAM users or RAM roles. Alibaba Cloud accounts and users with management permissions can grant permissions to other users. The authorization operation determines the users to which permissions are granted, the objects on which permissions are granted, and the operations that users can perform on objects.

The authentication process of MaxCompute is divided into RAM authentication and MaxCompute service authentication based on objects and operations. The following figure shows the authentication process that is required before a user can perform operations.

[Figure: MaxCompute permission model]

RAM authentication

If a user needs to activate services, purchase resources, and manage quotas, projects, or tenants in the MaxCompute console, Alibaba Cloud performs RAM authentication for the user to check whether the user is granted relevant permissions. If the user is not granted relevant permissions, the user cannot perform the operations.

MaxCompute service authentication

  • Authentication for operations at the MaxCompute project level

    Operation permissions at the MaxCompute project level include permissions on object operations at the project level and permissions on management operations at the project level.

    • Permissions on object operations at the project level: permissions to perform operations on objects such as projects, tables, functions, and resources. The permissions include CreateTable, CreateInstance, and SelectTable. For more information, see Permissions on projects and objects in projects.

    • Permissions on management operations at the project level: permissions to configure project security settings, manage project-level user and role permissions, manage packages, manage labels, and clear expired permissions. For more information, see Permissions on project management.

    The following content describes the authentication procedure for operations on MaxCompute projects.

    1. User authentication. For more information about user authentication, see User authentication.

      • Log on to the MaxCompute console by using an Alibaba Cloud account or a RAM user of an Alibaba Cloud account.

      • If you use a tool such as odpscmd or JDBC to connect to MaxCompute, the AccessKey ID and AccessKey secret are required.

      • If you use an account to connect to MaxCompute, the system checks whether the account is a user of the current project. Users can perform operations in a project only if the administrator of the project runs the add user "xxx" command for the users.

    2. Request source check: Check IP address whitelists. For more information, see Manage IP address whitelists.

    3. Project status check: Check whether the project is in the normal state.

    4. MaxCompute permission check: After a user is added to a project, the user must be granted the relevant permissions to perform operations within the scope of permissions. The permissions include the permissions that are granted by using different authorization methods, such as ACL-based access control, Policy-based access control, Download control, Label-based access control, and Cross-project resource access based on packages. For more information about how to manage project-level users, see Manage user permissions by using commands.

  • Authentication for operations at the MaxCompute tenant level

    Permissions on operations at the MaxCompute tenant level include permissions on object operations at the tenant level and permissions on management operations at the tenant level.

    • Permissions on object operations at the tenant level include the permissions on the tenant-level objects, such as the Usage permission on quotas and the CreateNetworkLink permission on network connections. For more information about permissions on objects at the tenant level, see Permissions on objects in a tenant.

      Permissions on object operations at the tenant level also allow users to manage multiple projects by using one account. This facilitates permission management.

    • Permissions on management operations at the tenant level are granted to manage the permissions of users and roles at the tenant level. For example, after a user is granted the permissions, the user can add or delete tenant-level users, create or delete tenant-level roles, view the list of tenant-level users and roles and their permissions, attach tenant-level roles to users, detach tenant-level roles from users, add tenant-level roles to projects, and remove tenant-level roles from projects.

    If a user needs to perform the preceding operations, MaxCompute performs authentication operations to check whether the user is granted relevant permissions. If the user is not granted relevant permissions, the operations cannot be performed.
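
The four project-level checks listed above act as an ordered gate: a request denied at an earlier step never reaches the permission check. The following Python model is an added example, not MaxCompute code. The Project fields, the authorize function, the sample users and grants, and the assumption that an empty whitelist means no restriction are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified, constructed model of the project-level checks; every name here is
# hypothetical and none of this is MaxCompute code or its API.
@dataclass
class Project:
    status: str = "normal"
    ip_whitelist: list = field(default_factory=list)  # CIDR strings; assumed: empty = no restriction
    members: set = field(default_factory=set)         # users added with: add user "xxx"
    user_acl: dict = field(default_factory=dict)      # user -> {(action, object)} direct grants
    role_acl: dict = field(default_factory=dict)      # role -> {(action, object)}
    user_roles: dict = field(default_factory=dict)    # user -> {role}

def authorize(project, user, source_ip, action, obj):
    """Return (allowed, reason), evaluating the checks in the order listed above."""
    # 1. User authentication, reduced here to project membership
    #    (credential verification is out of scope for this model).
    if user not in project.members:
        return False, "user not in project"
    # 2. Request source check against the IP address whitelist.
    if project.ip_whitelist:
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in ipaddress.ip_network(cidr) for cidr in project.ip_whitelist):
            return False, "source IP not in whitelist"
    # 3. Project status check.
    if project.status != "normal":
        return False, "project not in normal state"
    # 4. Permission check: direct grants plus grants inherited through roles.
    granted = set(project.user_acl.get(user, ()))
    for role in project.user_roles.get(user, ()):
        granted |= project.role_acl.get(role, set())
    if (action, obj) not in granted:
        return False, "permission not granted"
    return True, "ok"

# Constructed sample project: alice holds Select through a role, bob has no grants.
DEMO = Project(
    ip_whitelist=["10.0.0.0/8"],
    members={"alice", "bob"},
    role_acl={"analyst": {("Select", "table:sales")}},
    user_roles={"alice": {"analyst"}},
)

if __name__ == "__main__":
    for who, ip in [("alice", "10.1.2.3"), ("bob", "10.1.2.3"),
                    ("alice", "203.0.113.5"), ("mallory", "10.1.2.3")]:
        print(who, ip, authorize(DEMO, who, ip, "Select", "table:sales"))
```

The returned reason names the first check that failed, which is the property to look for when working out why a correctly granted user is still denied.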

Authorization methods

The following content describes the common authorization methods that are supported in MaxCompute.

  • Method 1: Grant a user the operation permissions on objects.

    After the project owner or a user with a built-in administrator role adds a user to the MaxCompute project, a user with the required authorization capability grants the added user the operation permissions on objects by using access control lists (ACLs).

    [Figure: Method 1]

  • Method 2: Grant multiple users the operation permissions on objects based on a role.

    After the project owner or a user with a built-in administrator role adds users and a role to the MaxCompute project, a user with the required authorization capability grants the operation permissions on objects to the role by using ACLs, policies, or the download control solution and assigns the role to the users.

    [Figure: Method 2]

  • Method 3: Grant a user the permissions to access data with high sensitivity levels.

    After a project owner or a user with a built-in administrator role adds a user to the MaxCompute project, the project owner or a user with the Admin role can add an access level to the user. If a user wants to access data with high sensitivity levels, the project owner or a user with the Admin role can also use label-based access control to authorize the user to access the data.

    [Figure: Method 3]

  • Method 4: Grant multiple users the permissions to access data with the same high sensitivity level based on a role.

    After a project owner or a user with a built-in administrator role adds users to the MaxCompute project, the project owner or the user with the Admin role can add access level labels to the users. If you want multiple users to access data with the same high sensitivity level, you can create a role, have the project owner or a user with the Admin role grant the role the permissions to access the data by using label-based access control, and then assign the role to the users.

    [Figure: Method 4]

  • Method 5: Grant users in a project the permissions to access resources in a package in cross-project resource access scenarios.

    After the owner of a project to which resources belong creates a package and adds the resources to the package, the project owner authorizes another project to install the package. Then, the owner of the project in which the package is installed grants the permissions on the resources to other users in the project by using ACLs or label-based access control.

    [Figure: Method 5]

  • Method 6: Grant users the permissions to access resources in a package based on a role in cross-project resource access scenarios.

    After the owner of a project to which resources belong creates a package and adds the resources to the package, the owner authorizes another project to install the package. Then, the owner of the project in which the package is installed grants the permissions on the resources to a role by using ACLs or label-based access control and assigns the role to other users in the project.

    [Figure: Method 6]

Permission relationships between MaxCompute and DataWorks

Before you understand the permission relationships between MaxCompute and DataWorks, you must understand the relationships between MaxCompute projects and DataWorks workspaces.

  • When you create MaxCompute projects, if you select the basic mode for a DataWorks workspace, the DataWorks workspace is associated with a MaxCompute project.

  • When you create MaxCompute projects, if you select the standard mode for a DataWorks workspace, the DataWorks workspace is associated with a MaxCompute project in the development environment and a MaxCompute project in the production environment. For MaxCompute projects in the development environment, the project names are suffixed with _dev.

You must also configure the visitor identities of a MaxCompute project to determine the policies of accounts in the MaxCompute project.

If you use the permission management system of MaxCompute to control permissions, user operations in the DataWorks console are not affected. DataWorks allows you to manage permissions of MaxCompute projects in a visualized manner. However, if you use DataWorks to assign roles to users, the operation permissions on MaxCompute resources may be affected.

The concepts of users and roles exist in both DataWorks and MaxCompute. The following content describes the permission relationships between DataWorks and MaxCompute.

  • Roles and their permissions

    DataWorks uses built-in roles to provide permissions on resources in a MaxCompute project for project members to develop data. The following table describes the permission relationships between MaxCompute roles and DataWorks built-in roles.

    | DataWorks built-in workspace-level role | MaxCompute role | Permission on data in the development environment of a DataWorks workspace and data in the MaxCompute project that runs on the MaxCompute compute engine instance that is associated with the workspace | Permission on data in the production environment of a DataWorks workspace and data in the MaxCompute project that runs on the MaxCompute compute engine instance that is associated with the workspace | Permission on a DataWorks workspace |
    | --- | --- | --- | --- | --- |
    | Workspace Manager | Role_Project_Admin | MaxCompute: all permissions on the project and the tables, functions, resources, instances, jobs, and packages of the project. DataWorks: permissions to develop data and deploy nodes to the production environment. | No permissions by default. You must apply for the required permissions in Security Center. | The administrator of the workspace. Permissions to manage the basic properties, data sources, compute engine configurations, and members of the workspace and assign the Workspace Manager, Development, O&M, Deployment, or Visitor role to workspace members |
    | Development | Role_Project_Dev | MaxCompute: all permissions on the project and the functions, resources, instances, jobs, packages, and tables of the project. DataWorks: permissions to develop data but no permissions to deploy nodes to the production environment. | | Permissions to create workflows, script files, resources, user-defined functions (UDFs), tables, and deployment tasks, and delete tables, but no permissions to perform deployment operations |
    | O&M | Role_Project_Pe | Permissions on the project and the functions, resources, instances, and jobs of the project, Read permissions on packages, and Read and Describe permissions on the tables of the project. Note: The O&M role has the permissions on the MaxCompute compute engine instance but does not have the permissions to run nodes in the DataWorks console. | | Deployment and online O&M permissions that are granted by the Workspace Manager role but no permissions to develop data |
    | Deploy | Role_Project_Deploy | No permissions by default. | | Same permissions as the O&M role, except for online O&M permissions |
    | Data Analyst | Role_Project_Data_Analyst | No permissions by default. | | Permissions only on DataAnalysis by default |
    | Visitor | Role_Project_Guest | No permissions by default. | | Permissions to view data but no permissions to edit workflows or code |
    | Safety Manager | Role_Project_Security | No permissions by default. | | Permissions to configure sensitivity rules and audit data risks in Data Security Guard |
    | Model Developer | Role_Project_Erd | No permissions by default. | | This role has permissions to view models and modify parameter configurations in the Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric modules. This role has no permission to publish models. |
    | N/A | Project Owner | All permissions on the project. | This role has the same permissions as those in the development environment. | N/A |
    | N/A | Super_Administrator | Management permissions on the project and all permissions on all types of resources in the project. | This role has the same permissions as those in the development environment. | N/A |
    | N/A | Admin | When you create a project, the system creates an Admin role for this project and grants permissions to the role. The Admin role has the permissions to access all objects in the project, manage users or roles, and grant permissions to users or roles. Unlike the Project Owner role, the Admin role does not have permissions to perform the following operations: assign the Admin role to users, configure security policies for projects, modify the authentication models of projects, and modify the permissions of the Admin role. The Project Owner role can assign the Admin role to a user and authorize the user to manage security configurations. | This role has the same permissions as those in the development environment. | N/A |

  • Users and their permissions

    • In a DataWorks workspace, the workspace owner must be an Alibaba Cloud account, and the workspace members must be the RAM users of the Alibaba Cloud account to which the workspace belongs. You can use the workspace management capability that is provided by DataWorks to add users and assign roles to the users.

    • In a MaxCompute project, an Alibaba Cloud account can be the owner or a member of the project. A RAM user of an Alibaba Cloud account can also be a project member. You can run the add user xxx; command to add a user, and run the add role xxx; and grant role xxx to user xxx; commands in sequence to add a role and assign the role to the user.

    The following figure shows the relationships between users and permissions in different workspace modes and supported visitor identities.

    [Figure: Relationships between users and permissions]

    Note: For DataWorks roles, permissions on MaxCompute objects are fixed. After you grant a user the permissions on MaxCompute objects by assigning a DataWorks role and grant the user other MaxCompute permissions by using the command-line interface (CLI), the user permissions on MaxCompute objects may be different from the user permissions that are queried from the DataWorks console.