
MaxCompute: Authorization practices

Last Updated: Mar 26, 2026

This topic covers common authorization scenarios for MaxCompute, including policy-based and package-based access control. Each scenario describes the business context, the recommended solution, and step-by-step instructions for both the MaxCompute client and the MaxCompute console.

Choose an access control mechanism

Use the following list to identify which mechanism fits your scenario before you start.

  • Grant or deny specific actions on project resources to a role: Policy-based access control

  • Apply time- or IP-based conditions to permissions: Policy-based access control

  • Share selected tables across projects within the same Alibaba Cloud account: Package-based access control

  • Share selected tables across projects owned by different Alibaba Cloud accounts: Package-based access control

  • Restrict table access to specific rows per user (row-level isolation): Package-based access control (via views)

Policy-based access control

Allow a role to perform specific actions

Scenario: A group of project members needs to create tables, upload resource files, create functions, run tasks, and query tables whose names start with t_app_.

Solution: Create a role, attach a policy that grants the required actions, and assign the role to the users.

Use the MaxCompute client

  1. Create a role.

    create role <role_name>;
  2. Create a policy file named policy_1.json and place it in the bin directory of the MaxCompute client. The first statement grants the project-level actions (List, CreateTable, CreateInstance, CreateResource, CreateFunction); the second grants all actions (odps:*) on tables whose names start with t_app_ and on all functions, instances, and resources in the project.

    {
      "Statement": [
        {
          "Action": [
            "odps:List",
            "odps:CreateTable",
            "odps:CreateInstance",
            "odps:CreateResource",
            "odps:CreateFunction"
          ],
          "Effect": "Allow",
          "Resource": ["acs:odps:*:projects/<project_name>"]
        },
        {
          "Action": ["odps:*"],
          "Effect": "Allow",
          "Resource": [
            "acs:odps:*:projects/<project_name>/tables/t_app_*",
            "acs:odps:*:projects/<project_name>/registration/functions/*",
            "acs:odps:*:projects/<project_name>/instances/*",
            "acs:odps:*:projects/<project_name>/resources/*"
          ]
        }
      ],
      "Version": "1"
    }

    Replace <project_name> with the name of your MaxCompute project.

  3. Attach the policy to the role and assign the role to a user.

    -- Attach the policy to the role.
    put policy policy_1.json on role <role_name>;

    -- Assign the role to the user.
    grant <role_name> to <user_name>;

    For <user_name>, use one of the following formats:

    • Alibaba Cloud account: ALIYUN$<account>

    • RAM user: RAM$<account>:<ram_username>

Use the MaxCompute console

  1. Log on to the MaxCompute console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. Find the target project and click Manage in the Actions column.

  4. On the Role Permissions tab, click Create Project-level Role.

  5. In the Create Role dialog box, select Resource from the Role Type drop-down list, enter a role name in the Role Name field, and select Policy for Authorization Method. Enter the following policy document:

    {
      "Statement": [
        {
          "Action": [
            "odps:List",
            "odps:CreateTable",
            "odps:CreateInstance",
            "odps:CreateResource",
            "odps:CreateFunction"
          ],
          "Effect": "Allow",
          "Resource": ["acs:odps:*:projects/<project_name>"]
        },
        {
          "Action": ["odps:*"],
          "Effect": "Allow",
          "Resource": [
            "acs:odps:*:projects/<project_name>/tables/t_app_*",
            "acs:odps:*:projects/<project_name>/registration/functions/*",
            "acs:odps:*:projects/<project_name>/instances/*",
            "acs:odps:*:projects/<project_name>/resources/*"
          ]
        }
      ],
      "Version": "1"
    }
  6. On the Role Permissions tab, find the role and click Manage Members in the Actions column to add the Alibaba Cloud account or RAM user to the role.

Deny a role from dropping tables

Scenario: Tables whose names start with tb_ are critical. Certain accounts must not be allowed to drop them.

Solution: Create a role with a Deny policy targeting the odps:Drop action on the protected tables, then assign the role to the relevant users.

Use the MaxCompute client

  1. Create a role.

    create role <role_name>;
  2. Create a policy file named policy_2.json in the bin directory of the MaxCompute client.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "odps:Drop",
          "Resource": "acs:odps:*:projects/<project_name>/tables/tb_*"
        }
      ]
    }

    Replace <project_name> with the name of your MaxCompute project.

  3. Attach the policy to the role and assign the role to a user.

    -- Attach the policy to the role.
    put policy policy_2.json on role <role_name>;

    -- Assign the role to the user.
    grant <role_name> to <user_name>;

    For <user_name>, use one of the following formats:

    • Alibaba Cloud account: ALIYUN$<account>

    • RAM user: RAM$<account>:<ram_username>

Use the MaxCompute console

  1. Log on to the MaxCompute console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. Find the target project and click Manage in the Actions column.

  4. On the Role Permissions tab, click Create Project-level Role.

  5. In the Create Role dialog box, select Resource from the Role Type drop-down list, enter a role name in the Role Name field, and select Policy for Authorization Method. Enter the following policy document:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": "odps:Drop",
          "Resource": "acs:odps:*:projects/<project_name>/tables/tb_*"
        }
      ]
    }
  6. On the Role Permissions tab, find the role and click Manage Members in the Actions column to add the Alibaba Cloud account or RAM user to the role.

Grant permissions with time and IP conditions

Scenario: The account a****@aliyunid.com needs CreateInstance, CreateTable, and List permissions on the project test_project, but only from the CIDR block 10.32.180.0/23 and only until November 11, 2018 at 23:59:59 UTC. The account must also be blocked from dropping any tables in the project.

Solution: Create a role with a policy that combines an Allow statement (with time and IP conditions) and a Deny statement for the Drop action.

Use the MaxCompute client

  1. Create a role named policy_3.

    create role policy_3;
  2. Create a policy file named policy_3.json in the bin directory of the MaxCompute client.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
          "Resource": "acs:odps:*:projects/<project_name>",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2018-11-11T23:59:59Z"
            },
            "IpAddress": {
              "acs:SourceIp": "10.32.180.0/23"
            }
          }
        },
        {
          "Effect": "Deny",
          "Action": "odps:Drop",
          "Resource": "acs:odps:*:projects/<project_name>/tables/*"
        }
      ]
    }

    Replace <project_name> with the name of your MaxCompute project.

  3. Attach the policy to the role and assign the role to the user.

    -- Attach the policy to the role.
    put policy policy_3.json on role policy_3;
    
    -- Assign the role to the user.
    grant policy_3 to ALIYUN$a****@aliyunid.com;

Use the MaxCompute console

  1. Log on to the MaxCompute console and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Workspace > Projects.

  3. Find the target project and click Manage in the Actions column.

  4. On the Role Permissions tab, click Create Project-level Role.

  5. In the Create Role dialog box, select Resource from the Role Type drop-down list, enter a role name in the Role Name field, and select Policy for Authorization Method. Enter the following policy document:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
          "Resource": "acs:odps:*:projects/<project_name>",
          "Condition": {
            "DateLessThan": {
              "acs:CurrentTime": "2018-11-11T23:59:59Z"
            },
            "IpAddress": {
              "acs:SourceIp": "10.32.180.0/23"
            }
          }
        },
        {
          "Effect": "Deny",
          "Action": "odps:Drop",
          "Resource": "acs:odps:*:projects/<project_name>/tables/*"
        }
      ]
    }
  6. On the Role Permissions tab, find the role and click Manage Members in the Actions column to add the Alibaba Cloud account or RAM user to the role.
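As an added example that is not part of the MaxCompute documentation and not MaxCompute's own evaluator, the following Python simulates how a single request is decided against a policy document shaped like the three policy-based scenarios above, using policy_3.json with <project_name> set to the scenario's test_project. The deny-overrides rule, implicit deny, and '*' glob matching on actions and resources are assumptions modelled on RAM-style policies; only the DateLessThan and IpAddress operators the page uses are implemented.

```python
# Added example (not MaxCompute's own code): a minimal simulator of how a policy
# document shaped like the ones on this page decides one request. Assumptions not
# confirmed by the page: deny-overrides, implicit deny, '*' as the only wildcard,
# and only the DateLessThan and IpAddress condition operators the page uses.
import fnmatch
import ipaddress
import json
from datetime import datetime

# Constructed policy: policy_3.json above with <project_name> set to test_project.
POLICY_3 = json.loads("""{"Version": "1", "Statement": [
  {"Effect": "Allow",
   "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
   "Resource": "acs:odps:*:projects/test_project",
   "Condition": {"DateLessThan": {"acs:CurrentTime": "2018-11-11T23:59:59Z"},
                 "IpAddress": {"acs:SourceIp": "10.32.180.0/23"}}},
  {"Effect": "Deny", "Action": "odps:Drop",
   "Resource": "acs:odps:*:projects/test_project/tables/*"}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _utc(iso_z):  # "2018-11-11T23:59:59Z" -> timezone-aware datetime
    return datetime.fromisoformat(iso_z.replace("Z", "+00:00"))

def request_context(source_ip, current_time_iso):
    """Request attributes the Condition block is checked against."""
    return {"acs:SourceIp": source_ip, "acs:CurrentTime": _utc(current_time_iso)}

def _condition_holds(condition, ctx):
    for key, limit in condition.get("DateLessThan", {}).items():
        if not ctx[key] < _utc(limit):
            return False
    for key, cidr in condition.get("IpAddress", {}).items():
        if ipaddress.ip_address(ctx[key]) not in ipaddress.ip_network(cidr):
            return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny' for one (action, resource, context) request."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        matches = (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                   and _condition_holds(stmt.get("Condition", {}), ctx))
        if matches and stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        if matches:
            decision = "Allow"
    return decision
```

Running evaluate with a source IP outside 10.32.180.0/23, a time after 2018-11-11T23:59:59Z, or the odps:Drop action on any table of the project yields Deny, while the listed actions on the project resource inside the window yield Allow.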

Package-based access control

Share tables across projects within the same account

Scenario: Business analysts need to query specific production tables but must not access production task code. The production data spans multiple projects.

Solution: Create a package in each production project, add the required tables to the package, install the package in a dedicated analysis project, and grant read access on the package to the analysts. This avoids adding analysts to every production project and limits their access to only the shared tables.

In this example:

  • Production project: Project_a

  • Analysis project: Project_analyze

  • Package: Package_test

  • Shared table: table_a

  • Analyst account: A*****@aliyunid.com

  1. In the production project, create a package and add the table to share.

    USE Project_a;
    CREATE PACKAGE Package_test;
    ADD table table_a TO PACKAGE Package_test;
  2. Allow the analysis project to install the package.

    ALLOW PROJECT Project_analyze TO INSTALL PACKAGE Package_test;
  3. In the analysis project, install the package.

    USE Project_analyze;
    INSTALL PACKAGE Project_a.Package_test;
  4. Grant read access on the package to the analyst.

    GRANT read on package Package_test TO USER ALIYUN$A*****@aliyunid.com;
  5. The analyst can now query the shared table using the following syntax.

    select * from Project_a.table_a;

Share tables across Alibaba Cloud accounts

Scenario: Two departments use separate Alibaba Cloud accounts to manage their MaxCompute environments due to internal cost allocation. They need to exchange data, but RAM users of one account cannot be added to projects owned by the other account.

Solution: Use a package in the provider account to share specific tables with the consumer account. RAM users of the consumer account are granted table-level access through the package, without being added to the provider project directly.

Important

After cross-account authorization, data can be read across accounts. However, if you use MaxCompute through the DataWorks console, scheduling dependencies between DataWorks workspaces of different Alibaba Cloud accounts are not supported.

In this example:

  • Account A owns Project_a; Account B owns Project_b

  • Package: a_to_b_pkg

  • b_user1 (RAM user of Account B) needs read access to t1 and t2

  • b_user2 (RAM user of Account B) needs read access to t3

  1. Using Account A, create the package in Project_a and add the tables.

    USE Project_a;
    CREATE PACKAGE a_to_b_pkg;
    ADD table t1 TO PACKAGE a_to_b_pkg;
    ADD table t2 TO PACKAGE a_to_b_pkg;
    ADD table t3 TO PACKAGE a_to_b_pkg;
  2. Allow Project_b to install the package.

    ALLOW PROJECT Project_b TO INSTALL PACKAGE a_to_b_pkg;
  3. Using Account B, install the package in Project_b.

    USE Project_b;
    INSTALL PACKAGE Project_a.a_to_b_pkg;
  4. Add the RAM users of Account B to Project_b and grant them access to the specific tables in the package.

    add user ram$B:b_user1;
    add user ram$B:b_user2;
    
    -- Grant b_user1 access to t1 and t2.
    GRANT Describe, Select ON TABLE t1 TO USER ram$B:b_user1 PRIVILEGEPROPERTIES ("refobject"="true", "refproject"="project_a", "package"="project_a.a_to_b_pkg");
    GRANT Describe, Select ON TABLE t2 TO USER ram$B:b_user1 PRIVILEGEPROPERTIES ("refobject"="true", "refproject"="project_a", "package"="project_a.a_to_b_pkg");
    
    -- Grant b_user2 access to t3.
    GRANT Describe, Select ON TABLE t3 TO USER ram$B:b_user2 PRIVILEGEPROPERTIES ("refobject"="true", "refproject"="project_a", "package"="project_a.a_to_b_pkg");

Implement row-level access control

Scenario: The table_order table in ProjectA contains orders for all merchants. Each merchant must be able to query only their own orders.

How it works: MaxCompute does not support native row-level access control. To achieve per-merchant row isolation, create a separate view for each merchant that filters table_order by merchant ID (sellerid). Grant each merchant access to their view through a package. Because merchants access a view rather than the base table directly, they can only see rows that match their own sellerid.

  1. In ProjectA, create a filtered view for each merchant.

    CREATE VIEW <viewname> AS SELECT * FROM table_order WHERE sellerid='<merchant_id>';

    Replace <viewname> with the view name and <merchant_id> with the merchant's ID.

  2. Create a package, add the view to it, and allow the merchant's project to install it.

    • <packagename>: name of the package

    • <Projectname_seller>: the MaxCompute project that belongs to the merchant

    create package <packagename>;
    add table <viewname> to package <packagename>;
    allow project <Projectname_seller> to install package <packagename>;
  3. In the merchant's project, install the package and grant the merchant read access.

    USE <Projectname_seller>;
    install package <ProjectA>.<packagename>;
    grant read on package <ProjectA>.<packagename> to user <username>;

    The merchant can then query their data with:

    select * from <ProjectA>.<viewname>;

    Replace <username> with the account used by the merchant to query the view.