MaxCompute supports column-level access control, but does not support row-level access control. This topic describes how to perform row-level access control.
Scenario
In this example, the table_order table in Project A is an order transaction information table for all merchants. This table can be accessed by all merchants. However, each merchant can view only the order transaction information of its own store.
Solution
- Method 1: Create a separate view for each merchant based on the table_order table, and grant permissions on the view to the related merchant. This method is recommended. This method can meet the requirements of row-level permission control.
- Method 2: Create a separate table for each merchant based on the table_order table, and grant permissions on the table to the related merchant. This method can meet the requirements of row-level access control. However, this method causes data to be repeatedly stored. In addition, to ensure data consistency, you must make sure that the tables are updated in real time with the table_order table.
Procedure
- Log on to the MaxCompute client by using an Alibaba Cloud account. For more information, see Start the MaxCompute client.
- Create a view for a specified merchant in Project A. Sample statement:
create view <view_name> as select * from table_order WHERE sellerid='xxxx';
For more information about how to create a view, see View-related operations.
- Create a package in Project A and grant the merchant the permissions on the view by
using the package. Sample statements:
-- Create a package. create package <package_name>; -- Add the view that you created to the package. add table <view_name> to package <package_name>; -- Use the package to share resources with merchants. allow project <project_name> to install package <package_name>;
For more information about how to share resources by using a package, see Cross-project resource access based on packages.
- Install the package in the MaxCompute project of the merchant and grant the merchant
the required permissions to use the view. Sample statements:
-- Install the package in the project of the merchant. install package <Project A>.<package_name>; -- Grant the merchant the read permission on the package. grant read on package <Project A>.<package_name> to user <user_name>;
grant select,describe on table <view_name> to user <user_name>;