How to Build a Multi‑Tenant Big Data Platform on MaxCompute: Lessons from a GCP Migration

Why Adopt a Multi‑Tenant Architecture

GoTerra, a leading Southeast Asian tech group, originally used BigQuery on GCP. Because each business entity must operate under a separate cloud account for compliance and cost accounting, a multi‑tenant design is required to handle cross‑account resource access, unified management, and cost control.

MaxCompute Multi‑Tenant Capabilities

MaxCompute supports multiple tenants within the same cluster/region, each tenant containing projects, quotas, and network resources. Projects manage data objects, job instances, and user roles, while quotas manage compute resources. Cross‑project data access and proxy authorization enable controlled data sharing between tenants.

Although MaxCompute provides isolation and security, its native multi‑tenant features lack fine‑grained access control and flexible metadata discovery needed for large enterprises like GoTerra.

Implementation on Alibaba Cloud

Create a control‑plane cloud account (A) and multiple data‑plane accounts (B1…Bn).

In the control‑plane account, create a RAM role dataplaform_controlplane that ECS/ACK services can assume.

In each data‑plane account, create a RAM role that the control‑plane account can assume and grant the necessary MaxCompute permissions.

Control‑plane resources assume the data‑plane roles to access MaxCompute resources across accounts.

Next Steps and Outlook

DataWorks, Alibaba Cloud’s data integration platform, needs to extend its multi‑tenant capabilities—such as flexible data source tenancy, cross‑tenant metadata discovery, and multi‑tenant data development—to provide a one‑stop control‑plane solution for enterprise customers lacking self‑built toolchains.