MaxCompute and DataWorks Security Management Guide: Basics (2)
In this guide, we share the basics of security management for MaxCompute and DataWorks. It is intended to help the project owner or security administrator of a MaxCompute project with daily security operations and to ensure data security.
User and Permission Management
User Management
Role Management
For more information about the action and subject types, refer to the official document.
Authorization Management of ACL (Object Actions)
For more information about the action and subject types, refer to the official document.
Role Authorization Management
Package Authorization Management
For more information about the action and subject types, refer to the official document.
Label Authorization Management
Enable the Security Feature
Set ProjectProtection (Data Outflow Protection Mechanism)
Project data protection (ProjectProtection) prevents users from transferring data out of the project.
Turn on Label Security (Column and Security Control)
Label-based security (LabelSecurity) is a mandatory access control (MAC) policy at the project level. It allows project administrators to control the user access to column-level sensitive data with improved flexibility.
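The column-level check that label security performs, sketched as an added example (not code from the original guide or from MaxCompute). It is a simplified model that assumes integer sensitivity levels where higher means more sensitive, a default level of 0 for unlabeled columns and users, and time-limited explicit grants; all table, column and user names are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class LabelGrant:            # explicit, time-limited grant (assumed shape)
    user: str
    table: str
    columns: frozenset       # empty set = the whole table
    level: int
    expires: date

@dataclass
class Project:
    label_security: bool
    column_labels: dict      # (table, column) -> level; unlabeled columns are 0
    user_labels: dict        # user -> level; users without a label are 0
    grants: list = field(default_factory=list)

    def effective_level(self, user, table, column, today):
        """User's own level, raised by any unexpired grant covering the column."""
        level = self.user_labels.get(user, 0)
        for g in self.grants:
            if (g.user == user and g.table == table and today <= g.expires
                    and (not g.columns or column in g.columns)):
                level = max(level, g.level)
        return level

    def denied_columns(self, user, table, columns, today):
        """Requested columns whose label is above the user's effective level."""
        if not self.label_security:
            return []        # mandatory check is off; only ordinary ACLs apply
        return [c for c in columns
                if self.column_labels.get((table, c), 0)
                > self.effective_level(user, table, c, today)]

def demo_project():
    """Constructed sample data: two labeled columns, two users, one grant."""
    return Project(
        label_security=True,
        column_labels={("customers", "id_number"): 3, ("customers", "phone"): 2},
        user_labels={"analyst": 1, "auditor": 3},
        grants=[LabelGrant("analyst", "customers", frozenset({"phone"}), 2,
                           date(2024, 6, 30))],
    )

if __name__ == "__main__":
    p, cols = demo_project(), ["name", "phone", "id_number"]
    for user, day in [("analyst", date(2024, 6, 1)), ("analyst", date(2024, 7, 1))]:
        print(user, day, "denied:", p.denied_columns(user, "customers", cols, day))
```

The second run shows why grant expiry matters when reviewing access: the same query starts failing on the `phone` column once the temporary grant lapses.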
Configure the Field Label Properly
Set a Whitelist of IPs That Are Allowed to Access a Project
Disallow the Results of “Select” in DataWorks to Be Downloaded to a Local Path
Improving Security Management with RAM
MaxCompute is often used together with other cloud services, so we should consider how those services can improve security management in MaxCompute. When MaxCompute is used with DataWorks, a Resource Access Management (RAM) user is required whenever a project member is added. This section mainly describes how to improve security management for RAM users.
As the preceding “MaxCompute security model” section explains, MaxCompute user authentication supports two account systems: cloud accounts and RAM accounts. For RAM accounts, MaxCompute recognizes only the account system, not the RAM permission system: any RAM user of the primary account can be added to a MaxCompute project, but MaxCompute does not consider the permissions defined in RAM when it verifies that RAM user's permissions. Therefore, we can implement security control simply by using RAM user login verification.
RAM User Password Strength Settings
If you allow a RAM user to change his or her logon password, you should require the user to create a strong logon password and encourage frequent password rotation.
You can create password policies, such as the minimum length, whether non-letter characters are required, and the rotation cycle, for RAM users on the RAM console.
RAM User Login Mask Settings
Set a login mask (netmask) to specify which IP addresses may be used to log on to the console. Sub-users can then log on only from the specified IP addresses.
Revoke Permissions That Are No Longer Needed
If the employee who owns a RAM user no longer needs the original permissions because of a change in duties and responsibilities, the permissions granted to that RAM user should be revoked in a timely manner.