MaxCompute:Project data protection

Last Updated:Mar 25, 2026

When a user has access to multiple MaxCompute projects, they can transfer data between them using SQL statements, Tunnel downloads, or compute jobs — regardless of whether that data is sensitive. Project data protection blocks all data outflows from a project by default, giving you a hard boundary you can then open selectively through exception policies or trusted projects.

Use cases

  • Sensitive data isolation: Projects that hold personal data, financial records, or regulated data need a hard boundary to prevent accidental or unauthorized export.

  • Production-development separation: Keep production data from being copied into development or test projects by users who have access to both.

  • Compliance enforcement: Meet data residency or contractual requirements that prohibit data from leaving a designated project boundary.

How it works

Project data protection intercepts outflows at the project level, regardless of the individual permissions the user holds. A user with the Select permission on a table can still read that table — but when project data protection is enabled, they cannot move the data out of the project.

Important

Project data protection controls data *flows*, not access *permissions*. A user still needs the appropriate permissions on the data for any operation to succeed. Protection only becomes meaningful when users already have access.

Package-based resource sharing across projects operates independently of project data protection. If a user in Project B is granted access to an object in Project A through a package, that access is not blocked by Project A's data protection setting — package-based resource sharing takes precedence.

Enable project data protection

Project data protection is disabled by default. The project owner runs the following command to enable it:

set projectProtection=true;

To confirm the current security configuration, run show SecurityConfiguration;.

Important

Once enabled, all cross-project data outflows from this project are blocked. Users who previously transferred data between projects will lose that capability until you configure an exception policy or add trusted projects.

Operations blocked by project data protection

The following operations are blocked when project data protection is enabled:

  • CREATE TABLE <other_project.table> AS SELECT * FROM <this_project.table>

  • INSERT OVERWRITE TABLE <other_project.table> SELECT * FROM <this_project.table>

  • Tunnel downloads to a local machine (via SDK Tunnel or JDBC driver)

  • Spark, MapReduce, Graph, Proxima CE, and Machine Learning Platform for AI (PAI) jobs that write data to another project

  • CLONE TABLE copying data to a table in another project

  • UDFs writing data to tables in other projects or to MaxCompute external tables

Allow data outflows

Two methods let you allow specific data outflows after project data protection is enabled.

| Method | Best for |
|---|---|
| Exception policy | Granting precise, auditable outflow permissions to specific users, objects, and job types |
| Trusted project | Allowing unrestricted data exchange between a fixed set of projects |

Exception policy

An exception policy controls data outflow across four dimensions: who can transfer data (Principal), what action is permitted (Action), which object the data comes from (Resource), and what job type is used (Tasktype). This gives you fine-grained control over exactly what can leave the project and how.

Configure an exception policy

Enable project data protection and attach an exception policy in a single command:

set ProjectProtection=true with exception <policyfile>;

<policyfile> is the name of a TXT file stored in the bin directory of your MaxCompute client installation. The file uses the following structure:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "<Principal>",
        "Action": ["odps:<Action1>[, <Action2>, ...]"],
        "Resource": "acs:odps:*:<Resource>",
        "Condition": {
            "StringEquals": {
                "odps:TaskType": ["<Tasktype>"]
            }
        }
    }]
}

| Parameter | Description |
|---|---|
| Effect | Set to Allow. This is the only valid value for an exception policy. |
| Principal | The Alibaba Cloud account or RAM user permitted to transfer data out. |
| Action | The operation permitted. For a list of actions by object type, see MaxCompute permissions. |
| Resource | The object from which data can flow out, in the format projects/<project_name>/{tables\|resources\|functions\|instances}/<name>. For more information, see MaxCompute permissions. |
| Tasktype | The job type permitted. Valid values: DT (Tunnel), SQL, MapReduce. |

Example

The following policy_file allows Alice to run a Select operation on project_test.table_test through SQL jobs or Tunnel downloads:

{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "ALIYUN$Alice@aliyun.com",
        "Action": ["odps:Select"],
        "Resource": "acs:odps:*:projects/project_test/tables/table_test",
        "Condition": {
            "StringEquals": {
                "odps:TaskType": ["DT", "SQL"]
            }
        }
    }]
}

Enable protection with this policy:

set ProjectProtection=true with exception policy_file;

Note

The exception policy grants the right to transfer data out. Alice still needs the Select permission on project_test.table_test — without it, the transfer fails even with the policy in place.

TOCTOU risk

Exception policies carry a time-of-check to time-of-use (TOCTOU) race condition risk:

  1. Check stage: A user requests permission to export table t1. The project owner reviews t1, confirms it contains no sensitive data, and configures an exception policy.

  2. Between stages: Another user writes sensitive data to t1.

  3. Use stage: The user exports t1, which now contains the sensitive data written in step 2.

To reduce this risk:

  • Create a snapshot of the table at the check stage and attach the exception policy to the snapshot rather than the live table.

  • Make sure no other users hold the Update, Drop, or CreateTable permissions on the table during the review period.

  • Do not assign the Admin role to users who should not have broad write access.

Trusted projects

Designate specific projects as trusted to allow unrestricted data exchange between them. Data flows freely between a project and all its trusted projects. When multiple projects are mutually trusted, they form a trusted project group, and data flows only within that group.

Manage trusted projects

| Operation | Command |
|---|---|
| Add a trusted project | add trustedproject <project_name>; |
| Remove a trusted project | remove trustedproject <project_name>; |
| List all trusted projects | list trustedprojects; |
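To show how the three controls on this page combine, the following added example (not MaxCompute code, and not an official evaluator) models the outflow decision in Python: the object permission is checked first, because protection controls flows rather than permissions; if protection is off the flow passes; a target in the trusted-project list passes; otherwise an exception policy in the documented JSON structure must match on all four dimensions (Principal, Action, Resource, Tasktype). It also validates a policy file against the parameter table above. The matching rules (exact string equality on every field) and the helper names are assumptions for illustration; the sample policy is the page's own example for Alice.

```python
"""Added example: a simplified model of MaxCompute project data protection.
It is not the product's evaluator; matching rules are assumptions."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Valid Tasktype values from the parameter table on this page.
VALID_TASK_TYPES = {"DT", "SQL", "MapReduce"}

# The page's own example policy (policy_file for Alice), embedded as a string.
EXAMPLE_POLICY = """{
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "ALIYUN$Alice@aliyun.com",
        "Action": ["odps:Select"],
        "Resource": "acs:odps:*:projects/project_test/tables/table_test",
        "Condition": {"StringEquals": {"odps:TaskType": ["DT", "SQL"]}}
    }]
}"""


@dataclass
class OutflowRequest:
    """One attempted data outflow. target_project=None models a local Tunnel download."""
    principal: str
    action: str            # e.g. "Select"
    resource: str          # e.g. "projects/project_test/tables/table_test"
    task_type: str         # "DT", "SQL" or "MapReduce"
    target_project: Optional[str]


def example_policy() -> Dict:
    return json.loads(EXAMPLE_POLICY)


def validate_policy(policy: Dict) -> List[str]:
    """Return the problems found in an exception policy (empty list = well formed)."""
    problems: List[str] = []
    if policy.get("Version") != "1":
        problems.append("Version must be '1'")
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            problems.append(f"Statement {i}: Effect must be Allow")
        actions = stmt.get("Action", [])
        if not actions or any(not a.startswith("odps:") for a in actions):
            problems.append(f"Statement {i}: every Action needs the odps: prefix")
        if not stmt.get("Resource", "").startswith("acs:odps:*:projects/"):
            problems.append(f"Statement {i}: Resource must start with acs:odps:*:projects/")
        task_types = stmt.get("Condition", {}).get("StringEquals", {}).get("odps:TaskType", [])
        if not task_types or set(task_types) - VALID_TASK_TYPES:
            problems.append(f"Statement {i}: TaskType must be a non-empty subset of {sorted(VALID_TASK_TYPES)}")
    return problems


def policy_permits(policy: Dict, req: OutflowRequest) -> bool:
    """Assumed matching: a statement must match on all four dimensions."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != req.principal:
            continue
        if f"odps:{req.action}" not in stmt.get("Action", []):
            continue
        if stmt.get("Resource") != f"acs:odps:*:{req.resource}":
            continue
        task_types = stmt.get("Condition", {}).get("StringEquals", {}).get("odps:TaskType", [])
        if req.task_type in task_types:
            return True
    return False


def outflow_allowed(req: OutflowRequest, protection_enabled: bool,
                    trusted_projects: set, policies: List[Dict],
                    has_object_permission: bool) -> Tuple[bool, str]:
    """Decide one outflow; the reason string is useful for audit logging."""
    if not has_object_permission:
        # Protection never grants access: the base permission is always required.
        return False, "denied: principal lacks the object permission"
    if not protection_enabled:
        return True, "allowed: project data protection is disabled"
    if req.target_project is not None and req.target_project in trusted_projects:
        return True, "allowed: target is a trusted project"
    if any(policy_permits(p, req) for p in policies):
        return True, "allowed: matched an exception policy"
    return False, "denied: blocked by project data protection"


if __name__ == "__main__":
    alice = OutflowRequest("ALIYUN$Alice@aliyun.com", "Select",
                           "projects/project_test/tables/table_test", "SQL", "project_dev")
    print(validate_policy(example_policy()))
    print(outflow_allowed(alice, True, set(), [example_policy()], True))
```

Running the script prints an empty problem list for the page's example policy and an allow decision for Alice's SQL outflow; the same request with task type MapReduce, or from a principal the policy does not name, is denied unless the target project is trusted.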

Verify your configuration

After enabling project data protection, verify the following to make sure the configuration is complete:

  • Check trusted projects: Run list trustedprojects;. Remove any trusted projects that are not intentional by running remove trustedproject <project_name>;. An unexpected trusted project opens a data outflow path that bypasses protection.

  • Check data sharing packages: Run show packages;. Confirm that any packages in use do not expose sensitive data, then remove unneeded packages by running delete package <package_name>;. Package-based resource sharing takes precedence over project data protection, so any data shared through a package can still flow out.

Download permission requirements

The Download access control feature interacts with project data protection. The combination of both settings determines what permissions a user needs to download data.

| Project data protection | Download access control | Required permissions |
|---|---|---|
| Enabled | Enabled | Download + Describe |
| Enabled | Disabled | Select + exception policy configured for download |
| Disabled | Enabled | Download + Describe |
| Disabled | Disabled | Select |

Note

When both project data protection and Download access control are enabled, a Describe permission check is performed before a Tunnel download can proceed.
