To ensure the security of data in a MaxCompute project, the project owner or users with the authorization capability must manage the permissions of members in the project. This topic describes the permission management system of MaxCompute.

Permission management system

The permission management system consists of the following categories:
Principals MaxCompute supports the following principals:
  • Users: include Alibaba Cloud accounts, RAM users, and RAM roles. MaxCompute allows you to manage users, such as adding, deleting, and querying users. For more information about how to manage users, see User planning and management.
  • Roles: MaxCompute has built-in administrator roles and supports custom roles. MaxCompute allows you to manage custom roles, such as adding, deleting, and querying custom roles. For more information about how to manage roles, see Role planning and management.
Objects MaxCompute supports fine-grained access control on projects, tables, resources, functions, and instances. You can manage user permissions on the objects in a fine-grained manner based on the authorization solutions that are provided by MaxCompute. For more information about the permissions on each object, see Permissions.
Access control MaxCompute provides the following authorization solutions to meet different authorization requirements:
  • ACL-based access control: grants a user or role the operation permissions on projects, tables, resources, functions, or instances.
  • Policy-based access control: grants a role the operation permissions on projects, tables, resources, functions, or instances. After the role is assigned to a user, the user is granted the related permissions.
  • Download control: grants a user or role the permissions to download tables, functions, or resources.
  • Label-based access control: controls access to sensitive data. Each user or role has an access level, and each table or column has a sensitivity level; by default, a user or role can read only data whose sensitivity level does not exceed its access level. To let a user or role read data with a higher sensitivity level, you must explicitly grant label-based access to that user or role.
  • Cross-project resource access based on packages: allows you to package the resources of a project and then allows other projects that want to access the resources to install the package. This solution is suitable for scenarios in which cross-project resource access is required.
Role-based authorization If you want to grant the same operation permissions to multiple users, you can grant the permissions to the users based on a role. This simplifies authorization operations. For more information about role-based authorization, see Perform role-based access control.
User authorization You can grant permissions to users by using one of the following methods:
  • Direct authorization: allows you to grant operation permissions to a single user.
  • Role-based authorization: allows you to grant the same operation permissions to multiple users.

For more information about user authorization, see Grant permissions to users.

Permission information acquisition You can query the permission information of project personnel to check whether the granted permissions take effect. For more information about how to query permission information, see Check permissions.

DataWorks also has a permission system. If you use DataWorks to maintain a MaxCompute project, you can use the user and role management capabilities that are provided by DataWorks to manage user permissions by assigning roles to the users. For more information about the permission relationships between DataWorks and MaxCompute, see Permission relationships between MaxCompute and DataWorks.

Authorization methods

The following content describes the common authorization methods that are supported in MaxCompute.

  • Method 1: Grant a user the operation permissions on objects.

    After the project owner or a user with a built-in administrator role adds a user to the MaxCompute project, a user with the required authorization capability grants the added user the operation permissions on objects by using access control lists (ACLs). Query the permissions of the user afterwards to confirm that only the intended permissions were granted.

    [Figure: Method 1]
  • Method 2: Grant multiple users the operation permissions on objects based on a role.

    After the project owner or a user with a built-in administrator role adds users and a role to the MaxCompute project, a user with the required authorization capability grants the operation permissions on objects to the role by using ACLs, policies, or the download control solution, and then assigns the role to the users. Users added to the role later receive the same permissions without further object-level grants.

    [Figure: Method 2]
  • Method 3: Grant a user the permissions to access data with high sensitivity levels.

    After the project owner or a user with a built-in administrator role adds a user to the MaxCompute project, the project owner or a user with the Admin role sets an access level label for the user. By default, the user can read only data whose sensitivity level does not exceed that access level. If the user must read data with a higher sensitivity level, the project owner or a user with the Admin role explicitly authorizes the user by using label-based access control; such a grant can be given an expiration time.

    [Figure: Method 3]
  • Method 4: Grant multiple users the permissions to access data with the same high sensitivity level based on a role.

    After the project owner or a user with a built-in administrator role adds users to the MaxCompute project, the project owner or a user with the Admin role sets access level labels for the users. If multiple users must access data with the same high sensitivity level, create a role, have the project owner or a user with the Admin role grant the role access to the data by using label-based access control, and then assign the role to the users.

    [Figure: Method 4]
  • Method 5: Grant users in a project the permissions to access resources in a package in cross-project resource access scenarios.

    After the owner of the project to which the resources belong creates a package and adds the resources to it, that owner authorizes another project to install the package. Then, the owner of the project in which the package is installed grants the permissions on the package resources to individual users in that project by using ACLs or label-based access control.

    [Figure: Method 5]
  • Method 6: Grant users the permissions to access resources in a package based on a role in cross-project resource access scenarios.

    After the owner of the project to which the resources belong creates a package and adds the resources to it, that owner authorizes another project to install the package. Then, the owner of the project in which the package is installed grants the permissions on the package resources to a role by using ACLs or label-based access control, and assigns the role to the users in that project.

    [Figure: Method 6]

Permission relationships between MaxCompute and DataWorks

Before you look at the permission relationships between MaxCompute and DataWorks, you must understand how MaxCompute projects map to DataWorks workspaces:
  • A DataWorks workspace in basic mode is associated with one MaxCompute project.
  • A DataWorks workspace in standard mode is associated with two MaxCompute projects: one for the development environment and one for the production environment.
You must also configure the visitor identity of each MaxCompute project, because it determines which account's policies apply to operations performed through the workspace.

If you control permissions through the permission management system of MaxCompute, user operations in the DataWorks console are not affected. DataWorks also allows you to manage the permissions of MaxCompute projects in a visualized manner. However, assigning roles to users in DataWorks changes their operation permissions on MaxCompute objects, so the two systems must be kept consistent.

The concepts of users and roles exist in both DataWorks and MaxCompute. The following content describes the permission relationships between DataWorks and MaxCompute.
  • Roles and their permissions

    DataWorks provides built-in roles, each of which maps to a fixed set of permissions on the objects in the associated MaxCompute project. Project members receive those permissions when they are assigned a role, which is how they obtain the access needed for data development.

  • Users and their permissions
    • In a DataWorks workspace, the workspace owner must be an Alibaba Cloud account, and the workspace members must be RAM users of the Alibaba Cloud account to which the workspace belongs. You use the workspace management capability of DataWorks to add users and assign roles to them.
    • In a MaxCompute project, an Alibaba Cloud account can be the owner or a member of the project, and a RAM user of an Alibaba Cloud account can also be a project member. You run the add user xxx; command to add a user, and then run the create role xxx; and grant xxx to xxx; commands in sequence to create a role and assign it to the user.

    The following figure shows the relationships between users and permissions in the different workspace modes and for the supported visitor identities.

    [Figure: Relationships between users and permissions]
    Note The permissions that a DataWorks role carries on MaxCompute objects are fixed. If you grant a user permissions on MaxCompute objects by assigning a DataWorks role and additionally grant the user other MaxCompute permissions by using the command-line interface (CLI), the effective permissions of the user on MaxCompute objects may differ from the permissions displayed in the DataWorks console. Query the permissions in MaxCompute to see the effective set.