This topic describes other data security measures that are supported by MaxCompute.
Disable the download of the results of SELECT statements from DataWorks to an on-premises machine
Item | Description |
---|---|
Description | After developers analyze data by using DataWorks, the results are usually displayed in the integrated development environment (IDE) and can be downloaded. After you set ProjectProtection to True for a project, you can still download the results of a SELECT statement from DataWorks even if you have only the read permissions on the table in the project. |
Role | DataWorks administrator. |
Check whether Download SELECT Query Result is turned on | On the Workspaces page of the DataWorks console, find your workspace, and click Workspace Settings in the Actions column. In the Workspace Settings panel, check whether Download SELECT Query Result is turned on. |
Turn off Download SELECT Query Result | On the Workspaces page of the DataWorks console, find your workspace, and click Workspace Settings in the Actions column. In the Workspace Settings panel, turn off Download SELECT Query Result. |
Turn on Download SELECT Query Result | On the Workspaces page of the DataWorks console, find your workspace, and click Workspace Settings in the Actions column. In the Workspace Settings panel, turn on Download SELECT Query Result. |
Improve security management by using other cloud services
You may use other cloud services while you use MaxCompute. You can improve the security management of MaxCompute by using other associated cloud services. For example, when you use MaxCompute in the DataWorks console, you must use RAM users to add members to projects. This section describes how to improve security management by using RAM users.
You can use MaxCompute by using an Alibaba Cloud account or the credentials of a RAM user. MaxCompute can identify a RAM user but cannot identify the permissions of the RAM user. Therefore, you can add any RAM user of your Alibaba Cloud account to a project. When MaxCompute authenticates a RAM user, MaxCompute does not verify the permissions of the RAM user. Therefore, you need to only improve security management for the logons of RAM users.
- Configure the password strength for a RAM user
If you allow a RAM user to change the logon password, you must configure strong password policies and specify the intervals at which the RAM user must change the password.
You can configure password policies, such as the minimum length, whether non-letter characters are required, or the change frequency, in the Resource Access Management (RAM) console. - Configure the logon address masks for a RAM user
You can configure logon address masks to specify the IP addresses from which a RAM user can log on to the DataWorks console.
- Revoke the permissions that are no longer required from a RAM user
If the permissions of a RAM user are no longer used due to the changes in business requirements, you must revoke the permissions from the RAM user at the earliest opportunity.