The permissions of the members of a MaxCompute project are continuously changed during project development. To improve project data security, you must check the permissions of project members in a timely manner. This topic describes the key points that you must take note of when you check permissions and provides suggestions on permission adjustment.

Background information

During the early stage of a project, to improve the service processing efficiency, you can manage users and permissions in a relatively loose manner. However, after the project enters the stable development stage, data security becomes an extremely important part of project management. Therefore, you must check and adjust permissions to improve project data security.

Permission self-check

The following table describes the check items about permissions.

Category: Account and permission

Check item: Number of accounts
Description: Check the number of accounts and make sure that each member of your MaxCompute project owns only one account. This way, you can manage users in an efficient manner.

Check item: Statistics about abandoned accounts and the permissions of these accounts
Description:
  • You can run the list users; command on the MaxCompute client to view the list of users and check whether abandoned accounts exist.

    For an abandoned RAM user that is assigned a role in an existing MaxCompute or DataWorks project, you must revoke the role from the RAM user in the project and then delete the RAM user from the project. Otherwise, the RAM user is displayed as p4_xxxxxxxxxxxxxxxxxxxx and cannot be removed from the project. The project is not affected.

  • Review the permission information of each member of the project. If the position of a project member changes, you must revoke the permissions that are no longer needed from the member. You can send notifications to related members and delete the accounts that have not been used for a long period of time based on a survey. You can apply for new accounts later based on your business requirements.

Check item: Personal account survey and analysis
Description: Query the data that is submitted by personal accounts in the development phase within the last three months, collect statistics about top N users, and select typical accounts to analyze the daily tasks of these accounts. The submitted data includes data that is involved in SQL tasks, such as retrieval and computing tasks. You can use the TASKS_HISTORY view that is provided by the MaxCompute metadata service Information Schema to analyze the data. Example:
  • An account belongs to a member of an algorithm development project. Most of the daily tasks of the account are SQL tasks, and the SQL tasks mainly involve queries and table write operations in the development environment. The numbers of algorithm tasks and MapReduce tasks are less than the number of SQL tasks. This is normal in data development because SQL tasks are preferentially used to process data in normal cases.
  • Many tasks are submitted by the same account. This is because the owner of the account uses an SDK to design a program that allows other users to query the AccessKey pair of this account. This way, the users can use this account to submit tasks. We recommend that you do not allow multiple members to use the same account. Exercise caution when you use this method.

Category: Data flow

Check item: Data download statistics
Description: Collect statistics about data download request tasks for each project, then analyze and plan which projects can download data. You can use the TUNNELS_HISTORY view that is provided by the MaxCompute metadata service Information Schema to analyze and collect statistics about these tasks.
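
The two Information Schema checks described above can be written as MaxCompute SQL queries. This is an added example, not part of the original documentation; the column names and the yyyymmdd format of the ds partition are assumptions that you should confirm against the views in your own project.

```sql
-- Added example. Column names (owner_name, task_type, tunnel_catalog,
-- operate_type, data_size, ds) and the yyyymmdd format of ds are assumptions;
-- confirm them with "desc" on the views before relying on the results.

-- 1. Personal account survey: top 10 accounts by tasks submitted in the last
--    three months, with each account's task-type mix. An account whose volume
--    far exceeds its peers is a candidate for a shared AccessKey pair.
SELECT  owner_name, task_type, task_cnt, owner_total
FROM (
    SELECT  owner_name, task_type, task_cnt, owner_total,
            DENSE_RANK() OVER (ORDER BY owner_total DESC) AS owner_rank
    FROM (
        SELECT  owner_name, task_type, task_cnt,
                SUM(task_cnt) OVER (PARTITION BY owner_name) AS owner_total
        FROM (
            SELECT  owner_name, task_type, COUNT(*) AS task_cnt
            FROM    information_schema.tasks_history
            WHERE   ds >= TO_CHAR(DATEADD(GETDATE(), -3, 'mm'), 'yyyymmdd')
            GROUP BY owner_name, task_type
        ) per_type
    ) with_total
) ranked
WHERE   owner_rank <= 10
ORDER BY owner_total DESC, owner_name, task_cnt DESC
LIMIT   1000;

-- 2. Data download statistics: Tunnel requests and data volume per project
--    and account over the same period. Grouping by operate_type keeps upload
--    and download rows separate, so the download rows can be reviewed against
--    the list of projects and members that are expected to export data.
SELECT  tunnel_catalog  AS project_name,
        owner_name,
        operate_type,
        COUNT(*)        AS request_cnt,
        SUM(data_size)  AS total_data_size
FROM    information_schema.tunnels_history
WHERE   ds >= TO_CHAR(DATEADD(GETDATE(), -3, 'mm'), 'yyyymmdd')
GROUP BY tunnel_catalog, owner_name, operate_type
ORDER BY total_data_size DESC
LIMIT   100;
```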

Suggestions on permission adjustment

The following table describes the suggestions on permission adjustment.

Item: Allocation of accounts and permissions
Description: Each member of a project must have its own account.

Grant different data access permissions to different members based on their business development teams and roles. Account sharing is not allowed. Prevent data security risks that are caused by excessive user permissions.

For example, you can allocate accounts by business group in the data development process. Business groups include the management group, data integration group, data model group, algorithm group, analysis group, O&M group, and security group.

Item: Data throttling
Description:
  • Restrict the export of data from specific projects and control the permissions of specific members. Unrestricted data flow among projects may affect the data architecture of the cloud platform and increase the risk of data leaks. Therefore, cross-project data throttling is required for most projects.

    For example, to prevent risks that are caused by unknown data flows, you can allow data to flow only to specified projects or locations at the MaxCompute level.

  • If data is exported from MaxCompute as files, the transmission of data is uncontrollable. Therefore, we recommend that you minimize the possibility of data export from MaxCompute. You can prohibit specific business groups from exporting data based on the division of user roles. This does not affect the daily development work of the users.