MaxCompute provides flexible authorization methods to meet the permission management needs of your project. This topic describes the authorization methods supported by MaxCompute and their use scenarios to help you choose a suitable method for your permission allocation plan.
The following table describes the access control methods that are supported by MaxCompute and their use scenarios.
Authorization policy | Scenario |
Access control lists (ACLs) are a common authorization method for managing permissions of users within a MaxCompute project. This method uses a whitelist to grant users permissions to operate on projects, tables, models, resources, functions, or instances. If you want to grant multiple users the same permissions, you can grant the permissions to a role and assign the role to the users. | |
This method manages permissions for users within a MaxCompute project. It uses whitelists to allow roles to operate on projects, tables, resources, functions, or instances. It can also use blacklists to deny roles from operating on projects, tables, models, resources, functions, or instances. You then assign the roles to users. This access control method resolves authorization issues that cannot be resolved using ACL-based access control. For example, a user is assigned the developer role and has the permissions to drop tables by default. If you want to deny the role from dropping tables, you can use this access control method. | |
This access control method is suitable for managing the Download permission of users or roles on tables, resources, functions, or instances in a MaxCompute project. | |
This access control method is suitable for managing the permissions of users in a MaxCompute project on sensitive data in specific columns in a table. You can use this access control method to implement column-level access control by specifying sensitivity levels for table data and data access levels for users. | |
This access control method is suitable for managing the permissions of users or roles to access specific data in MaxCompute tables. You can define matching rules between users and data that is allowed to access in the original table to allow specific users or roles view only the data that they have permissions to access. This improves data security and compliance. | |
This access control method is suitable for managing permissions in scenarios where resource access across projects is required. You can package the resources that you want to share and the permissions that are required to access the resources. Then, you can allow the package to be installed and used in other projects. |