Tenant resource permissions are controlled by the tenant administrator through Alibaba Cloud Resource Access Management (RAM) policy. Tenant resource objects can be used across projects, so any user who is granted permissions to execute tasks within a project can use the relevant tenant resource objects. This topic describes how to use project-level tenant resource access control to prevent unauthorized use of tenant resources by other projects.
Tenant resources include network connections, foreign servers, images, and quota groups.
Project resources include schemas, tables, roles, instances, resources, functions, and views. Project resource permissions are controlled by the project administrator through the MaxCompute authorization method.
For more information about the concepts of MaxCompute, see Concept hierarchy.
Instructions
You can decide whether to enable project-level tenant resource access control based on security management requirements.
Enable project-level tenant resource access control
The creator of tenant resources can specify whether the resources are available for a project by setting the authorization relationship between tenant resources and projects. The project administrator grants permissions to users within the project through the MaxCompute authorization method.
Important: All tenant resource objects are controlled by the project-level tenant resource access control switch. Enabling this switch performs permission checks on every object within tenant resources. If the mount relationship between tenant objects and projects or the policy authorization is configured incorrectly, tasks within the project may fail.
Note: The global switch that tenant administrators would use to enable project-level tenant resource access control across all projects is not available. If needed, submit a ticket.
Do not enable project-level tenant resource access control
Users who are granted permissions to execute tasks within a project can use the relevant tenant resource objects.
Procedure
Best practice: we recommend that you complete Step 1: (Optional) Mount projects & Configure policies before you perform Step 2: Enable project-level tenant resource access control, so that the checks enabled in Step 2 find the mount relationships and policies already in place.
Step 1: (Optional) Mount projects & Configure policies
Mount a project on the tenant resource object. The following steps use a foreign server as an example:
Log on to the MaxCompute console, and choose Tenants > Foreign Server in the left-side navigation pane.
Click Mount Project in the Actions column of the tenant resource object, select the project to be mounted, and click OK to complete the configuration of the mount relationship.
Configure policy for tenant resource objects that are mounted to the project. For more information, see Policy-based access control.
In the left-side navigation pane of the MaxCompute console, choose Workspace > Projects, click Manage in the Actions column of the target project.
In the Role Permissions tab of the Project Configuration page, click Edit Role in the Actions column of the target role.
In the Edit Role dialog box, set Authorization Method to Policy, then modify the role policy in the Policy-based Access Control script box.
Example policy that grants a user the odps:Usage permission on a 500 CU quota within a project:
{
  "Statement": [
    {
      "Action": [
        "odps:Usage"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:regions/*/quotas/500cu"
      ]
    }
  ],
  "Version": "1"
}
With project-level tenant resource access control enabled, the use of tenant resources within the project is controlled at user or role granularity: only users who have been granted the permission within the project can use the tenant resource objects.
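To show what the permission check decides once the switch is on, the following added Python example (not part of the MaxCompute console or its documentation) evaluates the quota policy above with a simplified evaluator. The account ID, region and the evaluation rules (Deny overrides Allow, no matching statement means denied) are assumptions made for the example, not documented MaxCompute behaviour.

```python
import fnmatch
import json

# Role policy as shown on this page: allow odps:Usage on the 500cu quota group.
QUOTA_POLICY = json.loads("""
{
  "Statement": [
    { "Action": ["odps:Usage"], "Effect": "Allow",
      "Resource": ["acs:odps:*:regions/*/quotas/500cu"] }
  ],
  "Version": "1"
}
""")


def _matches(patterns, value):
    # Policy entries may contain '*' wildcards; compare case-sensitively.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Evaluate one (action, resource) pair against a policy.

    Assumed rules: a matching Deny wins over any Allow, and a request with
    no matching statement is denied, which is why an incomplete policy can
    fail tasks once the project-level switch is enabled.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        if not (_matches(actions, action) and _matches(resources, resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_grants(policy, requirements):
    """Return the (action, resource) pairs a task needs but the policy does
    not grant; an empty list means the task would pass the check."""
    return [(a, r) for a, r in requirements if not is_allowed(policy, a, r)]


if __name__ == "__main__":
    # Constructed ARNs: "1234" stands in for an account ID.
    needed = [("odps:Usage", "acs:odps:1234:regions/cn-hangzhou/quotas/500cu"),
              ("odps:Usage", "acs:odps:1234:regions/cn-hangzhou/quotas/300cu")]
    print(missing_grants(QUOTA_POLICY, needed))
```

Running the block lists the 300cu quota as the one grant the page's policy does not cover, so a task that depends on it would be rejected by the check.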
Step 2: Enable project-level tenant resource access control
This feature is available only as a preview and does not yet support enabling the checks.
Log on to the MaxCompute console, choose Workspace > Projects in the left-side navigation pane.
On the Projects page, click Manage in the Actions column of the target project.
On the Project Settings page, click the Parameter Configuration tab.
On the Parameter Configuration tab, click Edit in the Permission Properties section.
Turn on Enable Project-level Tenant Resource Access Control and click Submit.
Related Steps
View mounted tenant resource objects:
Log on to the MaxCompute console, and select a region in the upper-left corner of the console.
In the left-side navigation pane, choose Workspace > Projects.
On the Projects page, click Manage in the Actions column of the target project.
On the Project Settings page, click the Parameter Configuration tab.
On the Parameter Configuration tab, click View Tenant Resources Bound to Projects in the Permission Properties section to view the binding status of the project with network connections, foreign servers, images, and quota groups.
References
For more information about tenant resources, see: