MaxCompute allows you to configure access-level labels for users and sensitivity-level labels for tables or columns in tables at the project level. After you configure these labels, users can access only the tables or columns whose sensitivity levels are lower than or equal to the user access levels.

Background information

Label-based access control is also called LabelSecurity. It is a mandatory access control (MAC) policy that is enforced at the project level. Label-based access control is disabled by default for newly created MaxCompute projects. The project owner can execute the Set LabelSecurity=true; or Set LabelSecurity=false; statement at the project level to enable or disable label-based access control for the MaxCompute project.

If label-based access control is enabled for a MaxCompute project, the project owner must define the sensitivity levels of tables or columns and the access levels of users or roles, and configure sensitivity-level labels for the tables or columns and access-level labels for the users or roles. A user who wants to read labeled data must hold the SELECT permission on the table that stores the data, and can then read only the tables or columns whose sensitivity levels are lower than or equal to the user's access level. Labels narrow what an existing SELECT permission returns; a label alone never grants access.

Label-based access control provides the following capabilities for sensitive data:
  • A column is the minimum supported granularity for configuring sensitivity levels.
  • Sensitivity-level labels can be configured for any column in a table. A table can contain columns with different sensitivity levels.
  • Sensitivity-level labels can be configured for views. The sensitivity-level labels of views are not related to the sensitivity-level labels of the source tables that correspond to the views.

Default policies for label-based access control

After you configure labels for tables or columns and users or roles, the following default policies for label-based access control are used:
  • No-ReadUp: Users cannot read tables or columns whose sensitivity levels are higher than their access levels. If a user needs to read such a table or column, an explicit authorization is required. For more information about explicit authorization, see GRANT LABEL.
  • Trusted-User: Users can write data whose sensitivity level is lower than or equal to their access levels. The default sensitivity level of a newly created table or view is 0, which means that all users and roles can access it. The default access level of a newly added user is also 0, so a new user can read only level-0 data until a higher access level is assigned.

Prerequisites

Before you perform label-based access control, make sure that you have the following information:
  • The account of the user or the name of the role to which you want to grant permissions. The user or role must already be added to your MaxCompute project. If the account is an Alibaba Cloud account, record it in the format ALIYUN$<Alibaba Cloud account>. If the account is a RAM user, record it in the format RAM$<Alibaba Cloud account to which the RAM user belongs>:<RAM user name>.

    You can run the list users; or list roles; command on the MaxCompute client to query the account or role name.

    If you want to add a user or role, see User planning and management or Role planning.

  • The name of the object. The object can be a table or column.

    You can execute the show tables; statement on the MaxCompute client to obtain the name of a table or view and the names of columns in the table or view.

Limits

You cannot configure sensitivity-level labels for partition key columns.

Usage notes

Take note of the following items when you use label-based access control:
  • Some traditional MAC systems enforce additional policies together with label-based access control to prevent data from being redistributed by unauthorized users in a project. For example, the No-WriteDown policy prohibits a user from writing data to objects whose sensitivity level is lower than the user's access level, so that a high-level reader cannot copy high-sensitivity data into a low-sensitivity table. By default, MaxCompute does not enforce the No-WriteDown policy, which reduces the cost of managing data sensitivity levels. If your project has similar requirements, you can execute the Set ObjectCreatorHasGrantPermission=false; statement to modify the security configuration of the project.
  • To prevent data transfer across projects, you can execute the set ProjectProtection=true; statement to enable project data protection. This way, users can access only data in their projects. This prevents users from transferring data across projects. For more information about project data protection, see Project data protection.
  • If you delete an object, MaxCompute automatically revokes all labels that are associated with the object.
  • After a user is removed from a project, the permissions that were granted to the user are retained. If the user is added to the project again, the user's historical permissions take effect again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

Configure sensitivity-level labels for data in tables or columns

The project owner or a user who is assigned the Admin role configures sensitivity-level labels for data in tables or columns in a table.

  • Syntax
    set Label <number> to table <table_name>[(<column_list>)];
  • Usage notes
    • If you configure a sensitivity-level label for a table and no labels for its columns, every column in the table takes the sensitivity level of the table. For example, if the sensitivity level of a table is 2 and no column label is configured, the sensitivity level of all columns is 2.
    • A column label always takes precedence over the table label, whether the column level is higher or lower than the table level, and setting a table label does not overwrite existing column labels. For example, if the table is labeled 2 and column col1 is labeled 3, col1 stays at 3 and all other columns are at 2.
    • To change the sensitivity-level label of a table or column, execute the statement again with the new level; the most recent statement takes effect.
  • Parameters
    Parameter    Required   Description
    number       Yes        The sensitivity level. Valid values: 0 to 9. A larger value indicates a higher sensitivity level.
    table_name   Yes        The name of the table or view. You can execute the show tables; statement on the MaxCompute client to obtain the name of the table or view.
    column_list  No         The names of columns in the table. You can specify multiple column names. Separate column names with commas (,).

Configure access-level labels for users or roles

The project owner or a user who is assigned the Admin role configures access-level labels for other users or roles in the project.

  • Syntax
    set Label <number> to {USER|ROLE} <name>;
  • Usage notes
    • After you configure access-level labels for users, the users can access only the data whose sensitivity level is lower than or equal to the user access levels. For example, if the access level of a user is 3, the user can access tables or columns whose sensitivity levels range from 0 to 3.
    • If you want to modify the access-level label that is configured for a user or role, you must execute the statement again to configure a new access-level label.
  • Parameters
    Parameter    Required   Description
    number       Yes        The highest sensitivity level of data that the user or role can access. Valid values: 0 to 9, matching the sensitivity-level labels.
    name         Yes        The name of the user or role. You can execute the list users; or list roles; statement on the MaxCompute client to obtain the name of the user account or role.

Examples

In the following examples, the test_project_a project stores a table named sale_detail that contains the shop_name, customer_id, and total_price columns. The Alibaba Cloud account Bob@aliyun.com is the owner of the test_project_a project. Allen is a RAM user that belongs to the Alibaba Cloud account Bob@aliyun.com and is added to the test_project_a project.

  • Example 1: Configure sensitivity-level labels for the sale_detail table and columns in the sale_detail table. Sample statements:
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Set the sensitivity label of the sale_detail table to 1. In this case, the sensitivity level of all columns in the sale_detail table is 1. 
    set Label 1 to table sale_detail; 
    -- Set the sensitivity labels of the shop_name and customer_id columns in the sale_detail table to 2. In this case, the sensitivity labels of other columns are still 1. 
    set Label 2 to table sale_detail(shop_name, customer_id); 
    -- Change the sensitivity label of the sale_detail table to 3. In this case, the sensitivity labels of the shop_name and customer_id columns are still 2. The sensitivity labels of other columns in the sale_detail table are changed to 3. 
    set Label 3 to table sale_detail; 
    -- Change the labels of the shop_name and customer_id columns in the sale_detail table to 4. In this case, the labels of other columns are still 3. 
    set Label 4 to table sale_detail(shop_name, customer_id); 
    -- View the labels of the table. 
    describe sale_detail;
    -- The following result is returned: 
    +------------------------------------------------------------------------------------+
    | Owner: ALIYUN$****@test.aliyun.com | Project: ****                                 |
    | TableComment:                                                                      |
    +------------------------------------------------------------------------------------+
    | CreateTime:               2021-12-13 11:27:04                                      |
    | LastDDLTime:              2021-12-13 11:27:04                                      |
    | LastModifiedTime:         2021-12-13 11:27:26                                      |
    +------------------------------------------------------------------------------------+
    | TableLabel:               3                                                        |  -- The table label is 3. 
    | MaxLabel:                 L4                                                       |
    +------------------------------------------------------------------------------------+
    | InternalTable: YES      | Size: 784                                                |
    +------------------------------------------------------------------------------------+
    | Native Columns:                                                                    |
    +------------------------------------------------------------------------------------+
    | Field           | Type       | Label | Comment                                     |
    +------------------------------------------------------------------------------------+
    | shop_name       | string     | 4     |                                             |  -- The column label is 4. 
    | customer_id     | string     | 4     |                                             |  -- The column label is 4. 
    | total_price     | double     | 3     |                                             |  -- The column label is 3. 
    +------------------------------------------------------------------------------------+
    | Partition Columns:                                                                 |
    +------------------------------------------------------------------------------------+
    | sale_date       | string     |                                                     |
    | region          | string     |                                                     |
    +------------------------------------------------------------------------------------+
  • Example 2: Configure access-level labels for the Alibaba Cloud account Kate@aliyun.com and RAM$Bob@aliyun.com:Allen in the test_project_a project. Sample statements:
    -- Use the Alibaba Cloud account Bob@aliyun.com to access the project test_project_a. 
    use test_project_a;
    -- Set the access-level label of the Alibaba Cloud account Kate@aliyun.com to 3. This allows Kate@aliyun.com to access data whose sensitivity level is 0 to 3.  
    set Label 3 to USER ALIYUN$Kate@aliyun.com; 
    -- Set the access-level label of the RAM user Allen to 1. This allows Allen to access data whose sensitivity level is 0 or 1. 
    set Label 1 to USER RAM$Bob@aliyun.com:Allen; 
    -- View the information about the access level of Allen. 
    show label grants for RAM$Bob@aliyun.com:Allen;
    -- The following result is returned: 
    User Label: 1
    
    (granted label list is empty)
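  • Example 3: End-to-end check of the No-ReadUp policy and of an explicit, time-boxed exception. This example is added here and is not part of the original page. It builds on the labels from Example 1 (total_price at level 3, shop_name and customer_id at level 4) and on Allen's access level 1 from Example 2. The GRANT LABEL and REVOKE LABEL statements and the show label grants on table form are taken from the companion GRANT LABEL and REVOKE LABEL pages rather than from this page, and the 7-day expiry is an assumed value. Statements marked as Allen's are run from Allen's own session; the others are run by the project owner Bob@aliyun.com.

```sql
-- Step 1 (project owner Bob@aliyun.com): confirm that labels are enforced at all.
use test_project_a;
set LabelSecurity=true;
-- The output lists the project's security settings, including LabelSecurity.
show SecurityConfiguration;

-- Step 2 (owner): labels only narrow an existing SELECT permission, so grant that first.
grant Select on table sale_detail to user RAM$Bob@aliyun.com:Allen;

-- Step 3 (Allen, access level 1 from Example 2): every column of sale_detail is at level 3 or 4,
-- so both reads are rejected under No-ReadUp, even though Allen holds SELECT on the table.
select total_price from sale_detail;
select customer_id, total_price from sale_detail;

-- Step 4 (owner): raise Allen to level 3. This replaces the earlier "set Label 1" statement.
set Label 3 to user RAM$Bob@aliyun.com:Allen;

-- Step 5 (Allen): total_price (level 3) is now readable; customer_id (level 4) still is not.
select total_price from sale_detail;              -- allowed
select customer_id, total_price from sale_detail; -- rejected: customer_id is above level 3

-- Step 6 (owner): grant a time-boxed exception for the single level-4 column Allen needs,
-- instead of raising Allen's access level to 4 for the whole project.
-- Syntax assumed from the GRANT LABEL page; the 7-day expiry is an assumed value.
grant Label 4 on table sale_detail(customer_id) to user RAM$Bob@aliyun.com:Allen with exp 7;

-- Step 7 (owner): audit. The user label is 3 and the granted label list now contains the
-- customer_id grant; both must be checked when reviewing who can read a sensitive column.
show label grants for RAM$Bob@aliyun.com:Allen;
show label grants on table sale_detail;

-- Step 8 (Allen): customer_id is readable through the explicit grant; shop_name (level 4,
-- no grant) remains unreadable.
select customer_id, total_price from sale_detail; -- allowed
select shop_name from sale_detail;                -- rejected

-- Step 9 (owner): revoke the exception as soon as it is no longer needed rather than waiting
-- for it to expire. Syntax assumed from the REVOKE LABEL page.
revoke Label on table sale_detail(customer_id) from user RAM$Bob@aliyun.com:Allen;
```

    When auditing access to a sensitive column, read both parts of the show label grants output: the user label comes from set Label and applies to every table in the project, while the granted label list comes from GRANT LABEL and is scoped to specific tables or columns. Run CLEAR EXPIRED GRANTS periodically so that expired exceptions do not clutter the list.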

Related statements

  • GRANT LABEL: The project owner or a user who is assigned the Admin role authorizes a user or role with a low access level to access specific data with a higher sensitivity level.
  • REVOKE LABEL: The project owner or a user who is assigned the Admin role revokes an explicitly granted label from a user or role.
  • CLEAR EXPIRED GRANTS: Clears expired permissions that were granted by using explicit label authorization.