Limiting Access for a DataWorks UDF to Specific Accounts

Join us at the Alibaba Cloud ACtivate Online Conference on March 5–6 to challenge assumptions, exchange ideas, and explore what is possible through digital transformation.

Previously, I have written an article about “Troubleshooting MaxCompute and DataWorks Permission Problems”, which talks about setting permissions on MaxCompute. However, some people still want to know how to implement the permission control in DataWorks so that a specific resource, table or UDF can only be used by a specified user. The UDF may involve the encryption and decryption algorithm of data, which is within the scope of data security control.

Common Solutions

  1. The “package” solution, to perform fine-grained control of permissions through package authorization.
  2. Create a new role on DataWorks (Management > MaxCompute Advanced Configuration > Custom User Role) for advanced control.
  3. The “role policy” solution, to customize the permission set of a role through a role policy.

Solution Limitations

Package Solution

The package” solution, to perform fine-grained control of permissions through package authorization.
Package basics: It is often used to solve the problem of user authorization for sharing data and resources across projects. After packaging, we can see that the user has received all permissions after being given the role of DataWorks developer. This is uncontrollable.

  1. First, the permissions of the well-known DataWorks developer role are as follows:
  1. From the perspective of permission configuration, it obviously does not meet our requirements. It is obvious that the user has all permissions on packages, functions, resources and tables in the project by default.
  • A projects/sz_mc/packages/*: * A projects/sz_mc/registration/functions/*: * A projects/sz_mc/resources/*: * A projects/sz_mc/tables/*: *

Secondly, a RAM user has been added through DataWorks and the developer role has been given, as follows:

The information above should make it clear that the Package solution and default roles of DataWorks can not meet our requirements. For example, if I grant the developer role to the RAM user RAM$, then the account has all action permissions on all objects in the current project by default. See details.

New Role on DataWorks

Create a new role on DataWorks (Management > MaxCompute Advanced Configuration > Custom User Role) for advanced control. However, in the advanced configuration of DataWorks-MaxCompute, only a table or a project can be authorized, and the resource and UDF cannot be authorized.

Role Policy Solution

The “role policy” solution. Through a policy, we can finely manage the specific permission granularity of specific users for specific resources, which can meet our scenario requirements. However, the official documentation of the policy mechanism has not been disclosed, the main consideration of which is whether the user is familiar with the policy or not. If not, it will likely cause problems and reduce development efficiency.

Role Policy Solution Implementation Details

For security, it is recommended that beginners use a test project to verify the policy. The following operations are completed through MaxCompute console. For details, see the console configuration.

Step 1: Create a Default Deny UDF Role

Create a denyudfrole role, as follows:

Create a policy authorization file, as follows:

Set up and view the role policy. As follows:

Add users to the denyudfrole role.

Now, we verified whether the MaxCompute console can be logged in with the RAM user RAM$

Step 2: Verifying Role on Console

Log in to the console to confirm the role.

Check the permission of the current logged in user through “show grants”.

As you can see, this RAM user has two roles, one is role_project_dev, which is actually the default DataWorks developer role, and the other is denyudfrole that we just created by ourselves.

Verify the permissions of the self-built UDF and the dependent package.

The verification is successful. The RAM user does not have the read permission of self-built UDF “getregion” under the premise of having the DataWorks developer role. However, we are still one step away from our expectation that only specified users can access the UDF. This expectation can be achieved in conjunction with a project policy.

Step 3: Configure a Project Policy

Write a policy.

Set and view the policy.

To verify:

To run a SQL:

To view the dependent packages:

Now, we have fulfilled our requirements. Only the specified RAM user can access the specified UDF and dependent packages under the specified project.


At this point, some people may have a clear understanding of the security systems of DataWorks and MaxCompute, while others may still be confused. The summary is as follows:

  1. If you do not want an account to access specific resources, you can add the “Data Developer” permission to it in DataWorks, and then configure the “Deny Access” permission on MaxCompute console according to the role policy.
  2. If you want to specify an account to access the resources, you can configure the “Data Developer” permission in DataWorks, and then configure the “Allow Access” permission on the MaxCompute console according to the project policy.
  3. The specific examples are detailed above, which can meet our refined management requirements.


Follow me to keep abreast with the latest technology news, industry insights, and developer trends.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store