How MaxCompute Revamped Enterprise Permissions for Secure Data Migration
This article details how a Southeast Asian tech giant migrated from Google BigQuery to Alibaba Cloud MaxCompute, redesigning its permission architecture with multi‑level access control, namespace‑based hierarchies, role inheritance, policy‑tag driven dynamic data masking, and cross‑account user management to meet strict security and compliance requirements.
Background
This is the fourth part of a series that follows the real migration of a leading Southeast Asian technology group, GoTerra, from Google BigQuery to Alibaba Cloud MaxCompute. The focus is on the enterprise‑level permission management upgrade and data security enhancements required for the migration.
Challenges in Heterogeneous Migration
Complex organizational structure with multiple business lines and diverse data roles.
Need for strict least‑privilege access across projects, schemas, and tables.
Cross‑account data sharing requirements.
Compatibility with BigQuery IAM features such as resource‑level policies, predefined and custom roles, and column‑level permissions.
Limitations of MaxCompute’s Original Model
Permissions are scoped only to projects; no native support for organization‑wide or hierarchical inheritance.
Granularity limited to project‑level Read/Write/Select/Describe operations.
Lacks fine‑grained inheritance across projects, schemas, and tables.
New Resource Hierarchy
A five‑level hierarchy was introduced:
Resource Directory (RD) : Top‑level container for multiple Alibaba Cloud accounts.
Namespace : Logical boundary larger than a project, linked to a single cloud account.
Project : Core unit where all MaxCompute operations occur.
Schema : Logical grouping of tables within a project.
Table : Physical storage of structured data.
Extended Role and Permission Inheritance
Permissions granted at a higher level automatically inherit to all lower‑level objects, while fine‑grained permissions can be set on specific tables or columns without affecting other objects. Example DCL statements illustrate granting a Developer role to user alice on user_project, which then gives her full access to all schemas and tables under that project.
GRANT `namespaces/40822/roles/Developer` ON PROJECT user_project TO RAM$company:alice
Similar grants are shown for users bob and carol, demonstrating cross‑project and cross‑schema inheritance.
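The inheritance rule above, as an added toy model that is not MaxCompute's code: a grant made at any level of the hierarchy (RD, namespace, project, schema, table) applies to everything below it, and a more specific grant on a table overrides it. The role contents and the grants for bob and carol are constructed for illustration; "nearest grant wins" is an assumption about how overrides resolve.

```python
from typing import Dict, Iterator, Optional, Set

# Assumed role definitions: the actions each role allows on an object.
ROLES: Dict[str, Set[str]] = {
    "Developer": {"Describe", "Select", "Insert", "Update", "Drop"},
    "Reader": {"Describe", "Select"},
}

# Grants keyed by resource path "rd/namespace/project/schema/table",
# truncated to the level at which the grant was made.
GRANTS: Dict[str, Dict[str, str]] = {}


def grant(role: str, resource: str, principal: str) -> None:
    """Record that PRINCIPAL holds ROLE on RESOURCE (any hierarchy level)."""
    GRANTS.setdefault(resource, {})[principal] = role


def ancestors(resource: str) -> Iterator[str]:
    """Yield the resource itself, then each ancestor up to the RD."""
    parts = resource.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])


def effective_role(principal: str, resource: str) -> Optional[str]:
    """Most specific grant wins; otherwise the nearest ancestor's grant inherits down."""
    for level in ancestors(resource):
        role = GRANTS.get(level, {}).get(principal)
        if role is not None:
            return role
    return None


def allowed(principal: str, action: str, resource: str) -> bool:
    role = effective_role(principal, resource)
    return role is not None and action in ROLES[role]


# Constructed grants: alice's project-wide Developer role mirrors the article's
# DCL statement; the schema- and table-level grants are illustrative.
grant("Developer", "rd1/ns40822/user_project", "RAM$company:alice")
grant("Reader", "rd1/ns40822/user_project/schema2/salaries", "RAM$company:alice")  # table override
grant("Reader", "rd1/ns40822/user_project/schema1", "RAM$company:bob")
grant("Reader", "rd1/ns40822/user_project/schema2/salaries", "RAM$company:carol")
```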
Dynamic Data Masking with Policy Tags
A policy‑tag system, inspired by BigQuery, was added to enable column‑level security and dynamic masking without changing user queries. Core concepts include:
Policy Tag : Metadata label attached to table columns (e.g., PII, Confidential, Financial).
Taxonomy : Tree‑structured hierarchy of policy tags.
Data Policy : Rules that define who can read a tag and how data should be masked (e.g., ALWAYS_NULL, SHA256).
Predefined Roles : MaskedReader (reads masked data) and FineGrainedReader (reads raw data).
Workflow:
Define taxonomy and tags in a namespace.
Create data policies for each tag.
Assign roles to RAM users on specific tags.
Apply tags to table columns.
When a user queries the table, the system returns raw or masked values based on the assigned role.
Example table proj1.schema1.user_profiles shows columns tagged with ID, Contact, Financial, etc. Role assignments produce different query results for users user1 – user4, illustrated with result screenshots.
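The four-step workflow and the per-user query results, as an added toy model that is not MaxCompute's implementation: a taxonomy of tags, a data policy per tag, role assignments per tag, tags on the columns of user_profiles, and a query function that returns raw or masked values by role. The rows, users and tag-to-column mapping are constructed; that a role granted on a parent tag covers its child tags, and that a user with no role on a tag is refused the column, are assumptions.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# 1. Taxonomy: tag -> parent tag (None at the root of the tree).
TAXONOMY: Dict[str, Optional[str]] = {"PII": None, "ID": "PII", "Contact": "PII", "Financial": None}
# 2. Data policy: the masking rule applied for MaskedReader on each tag.
DATA_POLICY: Dict[str, str] = {"ID": "SHA256", "Contact": "ALWAYS_NULL", "Financial": "ALWAYS_NULL"}
# 3. Role assignments on tags: (RAM user, tag) -> MaskedReader | FineGrainedReader.
ROLE_ON_TAG: Dict[Tuple[str, str], str] = {
    ("user1", "PII"): "FineGrainedReader",   # covers ID and Contact via the parent tag
    ("user1", "Financial"): "MaskedReader",
    ("user2", "ID"): "MaskedReader",
    ("user2", "Contact"): "MaskedReader",
    ("user2", "Financial"): "FineGrainedReader",
}
# 4. Tags applied to columns of proj1.schema1.user_profiles (constructed sample row).
COLUMN_TAG: Dict[str, str] = {"user_id": "ID", "phone": "Contact", "balance": "Financial"}
ROWS: List[dict] = [{"user_id": "u-1001", "name": "Ayu", "phone": "+62-811-000", "balance": 1500}]


def mask(value, rule: str):
    if rule == "ALWAYS_NULL":
        return None
    if rule == "SHA256":
        return hashlib.sha256(str(value).encode()).hexdigest()
    raise ValueError(f"unknown masking rule {rule}")


def role_for(user: str, tag: Optional[str]) -> Optional[str]:
    """Walk up the taxonomy until a role assignment for this user is found."""
    while tag is not None:
        role = ROLE_ON_TAG.get((user, tag))
        if role:
            return role
        tag = TAXONOMY[tag]
    return None


def query(user: str, columns: List[str]) -> List[dict]:
    """Same query for every user; the value returned per column depends on the user's role."""
    out = []
    for row in ROWS:
        rec = {}
        for col in columns:
            tag = COLUMN_TAG.get(col)
            role = role_for(user, tag) if tag else "FineGrainedReader"  # untagged: raw
            if role == "FineGrainedReader":
                rec[col] = row[col]
            elif role == "MaskedReader":
                rec[col] = mask(row[col], DATA_POLICY[tag])
            else:
                raise PermissionError(f"{user} has no role on tag {tag} (column {col})")
        out.append(rec)
    return out
```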
Cross‑Account User Management
Using the Resource Directory, MaxCompute can enforce that only RAM users belonging to the same RD can be added to a MaxCompute project, eliminating the need for delegated authorizations. The following policy denies cross‑account additions unless the user is in the same RD:
{
"Version": "1",
"Statement": [
{
"Effect": "Deny",
"Action": ["odps:AllowCrossAccountAddUser"],
"Resource": "*",
"Condition": {"Bool": {"odps:InSameRD": ["false"]}}
}
]
}
Benefits and Business Value
Unified hierarchical management (RD → Namespace → Project → Schema → Table) simplifies permission administration.
Inheritance reduces repetitive grants while allowing precise overrides.
Policy‑tag driven masking enhances compliance and protects sensitive data.
Cross‑account boundaries improve security in multi‑account enterprises.
Conclusion and Outlook
The system was launched in Indonesia in March, supporting GoTerra’s production workloads. Future directions include AI‑assisted permission recommendations and automated detection of sensitive data for dynamic masking.