A tenant administrator controls permissions for tenant resources using Resource Access Management (RAM) policies. Tenant resources include external data sources, network connections, custom images, and quota groups. A project administrator controls permissions for project-owned objects, such as schemas, tables, roles, instances, resources, functions, and views, using the MaxCompute authorization model. Tenant resource objects can be used across projects. If a resource manager wants to prevent a project from using a tenant resource they created, they can enable project-level access control. This feature defines the authorization relationship between the tenant resource and the project.
Usage instructions
Two security management modes determine whether a project can use a tenant object and how permissions are delegated within the project.
Mode one: Enable project-level access control for tenant resources
NoteThis feature is in preview and the check cannot be enabled.
The creator of a tenant resource can specify which projects can use the resource by attaching it to them. The project administrator can then grant permissions to users within the project to use the resource using the authorization model.
Enabling project-level access control for tenant resources lets you control which projects can use a resource manager's tenant objects. You can choose the mode that meets your security requirements. Currently, a tenant administrator cannot enforce project-level access control for all projects. If you need this feature, you can contact MaxCompute technical support by submitting a ticket.
ImportantThe project-level access control switch controls all tenant resource objects. When you enable this switch, permission checks are performed for all tenant resource objects.
Mode two: Do not enable project-level access control for tenant resources
Any user who has permission to run jobs in a project can use the tenant resources related to the job.
Enable project-level access control for tenant resources
To enable project-level access control for tenant resources, perform the following steps:
Attach tenant objects to projects.
In the Operation column for a tenant object, such as an external data source, click Attach Project. Select the projects to attach, and then click OK.
To view the attached tenant objects:
Log on to the MaxCompute console and select a region in the upper-left corner.
In the Operation column of the target project, click Manage.
On the Parameter Settings tab, in the Permission Properties area, click View Tenant Resources Attached to Project. You can then view the network connections, external data sources, images, and quota groups attached to the project.
Configure a policy for the tenant objects that are attached to the project. For more information, see Policy-based access control.
In the navigation pane on the left of the MaxCompute console, choose Workspace > Project Management. In the Operation column of the target project, click Manage.
On the Project Configuration page, on the Role Permissions tab, find the target role and click Edit Role in the Operation column.
In the Edit Role dialog box, set Authorization Method to Policy.
Modify the role policy in the Policy Authorization script box.
Example: The following policy allows user `a` in project `project_a` to use a quota of 500 CUs.
{ "Statement":[ { "Action":[ "odps:Usage" ], "Effect":"Allow", "Resource":[ "acs:odps:*:regions/*/quotas/500cu" ] } ], "Version":"1" }After user `a` is granted permission to use tenant resources in `project_a`, you can control tenant resource usage at the user or role level when project-level access control is enabled.
Enable project-level access control for tenant resources.
NoteThis feature is in preview and the check cannot be enabled.
On the Workspace > Project Management page of the MaxCompute console, find the target project and click Manage in the Operation column.
On the Parameter Settings tab, in the Permission Properties area, click Edit.
Turn on the Enable project-level access control for tenant resources switch, and then click Submit.
ImportantAfter you enable this switch, the project immediately verifies permissions for all current and future uses of tenant objects. These objects include external data sources, network connections, custom images, and quota groups. Do not enable this switch until you have configured the required attachments and policy authorizations. If permissions are missing, jobs that depend on them may fail.
References
For more information about tenant resources, see the following topics: