All Products
Search

This Product

    MaxCompute:Project-level tenant resource access control

    Document Center

    MaxCompute:Project-level tenant resource access control

    Last Updated:Jul 12, 2025

    Tenant resource permissions are controlled by the tenant administrator through Alibaba Cloud Resource Access Management (RAM) policy. Objects of tenant resources can be used across projects. Users who are granted permissions to execute tasks within a project can use the relevant tenant resource objects. This topic describes how to use project-level tenant resource access control to prevent other projects from unauthorized use of tenant resources.

    Note

    • Tenant resources include network connections, foreign servers, images, and quota groups.

    • Project resources include schemas, tables, roles, instances, resources, functions, and views. Project resource permissions are controlled by the project administrator through the MaxCompute authorization method.

    For more information about the concepts of MaxCompute, see Concept hierarchy

    Instructions

    You can decide whether to enable project-level tenant resource access control based on security management requirements.

    • Enable project-level tenant resource access control

      The creator of tenant resources can specify whether the resources are available for a project by setting the authorization relationship between tenant resources and projects. The project administrator grants permissions to users within the project through the MaxCompute authorization method.

      Important

      All tenant resource objects are controlled by the project-level tenant resource access control switch. Enabling this switch performs permission checks on all objects within tenant resources. If the configuration of the mount relationship between tenant objects and projects or the policy authorization is incorrect, tasks within the project may fail.

      Note

      The global switch that tenant administrators use to enable project-level tenant resource access control across all projects is not available. If needed, submit a ticket.

    • Do not enable project-level tenant resource access control

      Users who are granted permissions to execute tasks within a project can use the relevant tenant resource objects.

    References

    For more information about tenant resources, see: