After you install a package in your project, apply fine-grained access control to restrict which users or roles can access specific resources within the package. MaxCompute supports two complementary policies: access control list (ACL)-based access control for object-level permissions, and LabelSecurity for column-level data sensitivity enforcement. Apply ACL-based access control first, then optionally layer on LabelSecurity to restrict access by security level.
Prerequisites
Before you begin, ensure that you have:
A package installed in your project. See Cross-project resource access based on packages
The project owner role or the admin role in the project where the package is installed
ACL-based access control
ACL-based access control lets the project owner or a user with the admin role grant or revoke permissions on specific objects in a package. Users in the installing project can then perform only the operations that were explicitly granted on those objects.
Run these commands from the MaxCompute client, MaxCompute Studio, or the DataWorks console.
Grant permissions
To grant permissions on a specific object in the package:
```sql
grant <actions> on <object_type> <object_name> to [user|role] <name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
To grant permissions on specific columns in a table:
```sql
-- Column-level grant: specify the column list after the table name
grant <actions> on table <table_name>[(<column_list>)] to [user|role] <name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
| Parameter | Required | Description |
|---|---|---|
| actions | Yes | The permissions to grant. Run describe package <project_name>.<package_name>; to see the available permissions for each object. |
| object_type | Yes | The type of the object. Run describe package <project_name>.<package_name>; to see the object types included in the package. |
| object_name | Yes | The name of the object. Run describe package <project_name>.<package_name>; to see object names. |
| name | Yes | The name of the user or role. See View users or View roles. |
| table_name | Yes (column-level) | The name of the table. Run describe package <project_name>.<package_name>; to see the tables in the package. |
| column_list | No | One or more column names, separated by commas. |
| "refobject"="true" | Yes | Enables fine-grained access control for the package. |
| "refproject"="<project_name>" | Yes | The name of the MaxCompute project that owns the package. |
| "package"="<package_name>" | Yes | The name of the package. |
View permissions
To view the current ACL-based permissions on an object in the package:
```sql
show grants on <object_type> <object_name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
Revoke permissions
To revoke permissions from a specific object:
```sql
revoke <actions> on <object_type> <object_name> from [user|role] <name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
To revoke permissions from specific columns in a table:
```sql
revoke <actions> on table <table_name>[(<column_list>)] from [user|role] <name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
Example: Grant and revoke table permissions
The following example uses the scenario from Cross-project resource access based on packages. John (project owner of prj2) grants Bob SELECT permission on the sampletable table in the datamining package (owned by prj1), then revokes it.
```sql
use prj2;
-- Grant SELECT on the table to Bob
grant Select on table sampletable to user aliyun$bob@aliyun.com
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
-- Verify the grant
show grants on table sampletable
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
-- Revoke the permission
revoke Select on table sampletable from user aliyun$bob@aliyun.com
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
```
Label-based access control
LabelSecurity adds a second layer of control on top of ACL-based access control. After granting ACL permissions, enable LabelSecurity to restrict access further by data sensitivity level. Users can then only read data whose security level is at or below the level you specify.
Perform ACL-based access control before applying LabelSecurity. LabelSecurity applies only to table resources in the package.
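To make the required ordering concrete, the following added example (not part of the original page) walks the prj1/prj2 scenario end to end: the package owner allows installation with a label cap, and the installing project then applies the ACL grant before the label grant, to a role instead of a single user. The role name analyst is assumed, and the create role and grant <role> to user statements are standard MaxCompute role management commands that this page does not otherwise cover.

```sql
-- Added example, not from the original page. Assumes the prj1/prj2 scenario:
-- prj1 owns the datamining package containing sampletable, prj2 installs it.
-- The role "analyst" and the user aliyun$bob@aliyun.com are assumed for illustration.

-- 1. Package owner side (prj1): allow prj2 to install the package. The label given
--    here is the security level prj2 is permitted to use for the package's data.
use prj1;
allow project prj2 to install package datamining using label 2;

-- 2. Installing project side (prj2): ACL first. Granting to a role rather than to
--    individual users means membership changes need no re-grant on the package.
use prj2;
create role analyst;
grant Select on table sampletable to role analyst
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");

-- 3. Then layer LabelSecurity on top: the role may read columns labelled up to
--    level 2, and the label grant expires after 30 days instead of the 180-day default.
set LabelSecurity=true;
grant label 2 on table sampletable to role analyst with exp 30
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");

-- 4. Add Bob to the role; he inherits both the ACL and the label grant.
grant analyst to user aliyun$bob@aliyun.com;

-- 5. Audit what is actually held on the package object before handing it over.
show grants on table sampletable
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
show label grants on table sampletable
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
```

Columns labelled above level 2 remain unreadable for members of the role even though the ACL grant covers the whole table.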
Grant label-based permissions
```sql
grant label <number> on table <table_name>[(<column_list>)] to [user|role] <name>
[with exp <days>]
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
| Parameter | Required | Description |
|---|---|---|
| number | — | The security level for sensitive data. See Label-based access control. |
| table_name | Yes | The name of the table. Run describe package <project_name>.<package_name>; to see the tables in the package. |
| column_list | No | One or more column names, separated by commas. |
| name | Yes | The name of the user or role. See View users or View roles. |
| days | No | The number of days the permission is valid. Default: 180 days. |
| "refobject"="true" | Yes | Enables fine-grained access control for the package. |
| "refproject"="<project_name>" | Yes | The name of the MaxCompute project that owns the package. |
| "package"="<package_name>" | Yes | The name of the package. |
View label-based permissions
```sql
show label grants on table <table_name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
Revoke label-based permissions
```sql
revoke label on table <table_name>[(<column_list>)] from [user|role] <name>
privilegeproperties ("refobject"="true", "refproject"="<project_name>", "package"="<package_name>");
```
Example: Layer ACL and label-based access control
The following example continues from the ACL example above. The sampletable table has three columns with different security levels: t1 (level 1), t2 (level 2), and t3 (level 3). John grants Bob access to data up to security level 2, valid for 7 days.
```sql
use prj2;
-- Step 1: Enable LabelSecurity
set LabelSecurity=true;
-- Step 2: Assign security levels to each column
set label 1 to table sampletable(t1);
set label 2 to table sampletable(t2);
set label 3 to table sampletable(t3);
-- Step 3: Grant Bob label 2 access on t2, valid for 7 days
-- Bob must hold SELECT on the table through the ACL grant shown earlier;
-- if that grant was revoked at the end of the ACL example, run it again first.
-- After this, Bob can read t2 (level 2) but not t3 (level 3).
grant label 2 on table sampletable(t2) to user aliyun$bob@aliyun.com with exp 7
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
-- Verify the label grant
show label grants on table sampletable
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
-- Revoke label access
revoke label 2 on table sampletable(t2) from user aliyun$bob@aliyun.com
privilegeproperties ("refobject"="true", "refproject"="prj1", "package"="datamining");
```
When the package owner (in prj1) grants another project the right to install the package, they must also specify the label if label-based access control is required:
```sql
allow project <project_name> to install package <package_name> using label <number>;
```
What's next
Cross-project resource access based on packages — create, install, and manage packages
Label-based access control — understand how LabelSecurity works in MaxCompute
View users and View roles — look up user and role information before granting permissions