MaxCompute provides flexible access control methods to meet your permission management requirements for projects. You can select an access control method based on your business requirements. This topic describes the access control methods that are supported by MaxCompute and the use scenario of each access control method.
The following table describes the access control methods that are supported by MaxCompute and their use scenarios.
| Access control method | Scenario |
|---|---|
| ACL-based access control | You can grant permissions by using access control lists (ACLs). This is a common access
control method and is suitable for managing the permissions of users in a MaxCompute
project. This access control method is implemented based on the whitelist mechanism
and can be used to grant users the permissions on projects, tables, resources, functions,
or instances to allow specified actions on these types of objects.
If you want to grant multiple users the same permissions, you can grant the permissions to a role and assign the role to the users. |
| Policy-based access control | This access control method is suitable for managing the permissions of users in a
MaxCompute project. This access control method supports the whitelist and blacklist
authorization mechanisms to allow or deny specified actions on projects, tables, resources,
functions, or instances for a role. You can assign the role to a user. This way, the
user is granted the permissions of the role.
This access control method resolves authorization issues that cannot be resolved by using ACL-based access control. For example, a user is assigned the developer role and has the permissions to drop tables by default. If you want to deny the role from dropping tables, you can use this access control method. |
| Download control | This access control method is suitable for managing the Download permission of users or roles on tables, resources, functions, or instances in a MaxCompute project. |
| Label-based access control | This access control method is suitable for managing the permissions of users in a MaxCompute project on sensitive data in specific columns in a table. You can use this access control method to implement column-level access control by specifying sensitivity levels for table data and data access levels for users. |
| Cross-project resource access based on packages | This access control method is suitable for managing permissions in scenarios where resource access across projects is required. You can package the resources that you want to share and the permissions that are required to access the resources. Then, you can allow the package to be installed and used in other projects. |