This topic describes how to grant access to a specific user-defined function (UDF) only to a specified user. This best practice relates to data security as it involves data encryption and decryption algorithms.
Prerequisites
Background information
- Create a package to include all objects in a workspace that are required by another
target workspace, and authorize use of the package in the target workspace.
This method applies to scenarios where you want to authorize shared access to resources across workspaces. However, after you grant access to the package to a user with the developer role, the user has full permissions on all objects in the package. This may incur uncontrollable risks. For more information, see Package-based resource sharing across projects.
- The following figure shows the permissions that the developer role has on a DataWorks
workspace.
As shown in the preceding figure, the developer role has full permissions on all packages, functions, resources, and tables in the workspace by default. This does not meet permission management requirements.
- The following figure shows the permissions that a Resource Access Management (RAM) user has on a DataWorks workspace after the RAM user is assigned the developer role.
In view of the above, you cannot precisely grant access to a specific UDF to a specified user by using package-based authorization or by assigning the default role of DataWorks to the user. For example, if you assign the developer role to the RAM user
RAM$xxxxx.pt@example.com:ramtest
, the RAM user has full permissions on all objects in the current workspace. For more information, see Authorize users. - The following figure shows the permissions that the developer role has on a DataWorks
workspace.
- Create a role in the DataWorks console for permission control.
Log on to the DataWorks console. In the left-side navigation pane, click Workspaces. On the page that appears, find the target workspace and click Data Analytics in the Actions column. On the DataStudio page that appears, click the MaxCompute Management in the left-side navigation pane and then Custom User Roles. On the Custom User Roles page that appears, click Create Role to create a role for permission control. This method, however, can only grant permissions on a table or workspace, but not on a specific UDF.
icon in the upper-right corner. On the page that appears, click - Use a role policy and a project policy to grant access to a specific UDF only to a
specified user.
Role and project policies allow you to grant a specific permission on a specific resource to a specified user.Note For security purposes, we recommend that you apply role and project policies in a test workspace if you are a beginner of DataWorks.
- To forbid users from accessing a specific resource in a workspace, follow these steps: Assign the developer role to the users and configure a role policy to deny the users' requests for accessing the resource on the MaxCompute client.
- To permit one of these forbidden users to access the resource, configure a project policy to allow the user's requests for accessing the resource on the MaxCompute client.
Procedure
- Create a role that is by default denied access to the UDF named getregion.
- Verify that the denyudfrole role is created.
- Configure a project policy.