Community Blog Troubleshooting MaxCompute and DataWorks Permission Problems

Troubleshooting MaxCompute and DataWorks Permission Problems

In this article, we will share the recommendations for troubleshooting MaxCompute and DataWorks permission problems.

Join us at the Alibaba Cloud ACtivate Online Conference on March 5-6 to challenge assumptions, exchange ideas, and explore what is possible through digital transformation.

Alibaba Cloud MaxCompute and DataWorks are two independent products, and their permission systems have similarities as well as differences. Before handling the permission problems, you must first understand the respective permission systems of these two products.

MaxCompute and DataWorks Permission Systems


MaxCompute has its own security systems, including ACL and policy authorization systems. For more information, visit https://www.alibabacloud.com/help/doc-detail/27924.htm



DataWorks is an upper-layer cloud warehouse development tool for MaxCompute. It has its own permission model and supports the MaxCompute underlying data authorization system. For more information, visit https://www.alibabacloud.com/help/product/72772.htm

Viewing Roles on MaxCompute

Run "list roles" on the MaxCompute console to view the MaxCompute role system. Items that start with "role_" are roles that are encapsulated by DataWorks based on MaxCompute. The roles are described as follows:


Role name Corresponding product and permission
admin Default MaxCompute admin role
role_project_admin DataWorks project administrator
role_project_deploy DataWorks deployer role
role_project_dev DataWorks developer role
role_project_guest DataWorks guest role
role_project_pe DataWorks O&M role
role_project_scheduler DataWorks scheduler account
role_project_security DataWorks security administrator

The admin role is the default admin role of MaxCompute. This role can access all objects in the project and manage and authorize users or roles. Compared with the project owner, the admin role cannot assign the admin permissions to any user, specify the security configurations of the project, or change the authentication model of the project. The permissions of the admin role cannot be modified. Generally, if the permissions are not modified, the user who is assigned the admin role has only one account "project owner".

odps@ clouder_bi>describe role admin;
Authorization Type: Admin

The MaxCompute project owner can assign the admin role to other sub-accounts, allowing them to perform permission model management for MaxCompute.

You can run "describe role" to view the permissions and user list of a role that starts with "role_". Using the role_project_dev as an example:

odps@ clouder_bi>describe role role_project_dev;


Authorization Type: Policy
A    projects/clouder_bi: *
A    projects/clouder_bi/instances/*: *
A    projects/clouder_bi/jobs/*: *
A    projects/clouder_bi/offlinemodels/*: *
A    projects/clouder_bi/packages/*: *
A    projects/clouder_bi/registration/functions/*: *
A    projects/clouder_bi/resources/*: *
A    projects/clouder_bi/tables/*: *
A    projects/clouder_bi/volumes/*: *

Troubleshooting Permission-related Problems

After learning the permission systems of the two products, you can troubleshoot permission-related problems in the following way:

Viewing the permissions granted to the current user or a specified user

By running the commands below, you can see the roles and permissions of the user.

show grants; --View permissions of the current user.
show grants for <username>; --View access permissions of a specified user. Only the project owner and admin are authorized to perform this operation.
show grants for RAM$Primary account:Sub-account;


Viewing the authorization list of a specified object

Generally, the list of users who are authorized to access the current table is displayed.

show acl for <objectName> [on type <objectType>];--View the list of authorized users and roles of a specified object
Supported object types: project, table, job, volume, instance, resource, function, package, topology, matrix, xflow, offline model, and stream job


Checking whether the ACL is effective

Permission verification often fails even if OK is returned after authorization.

show SecurityConfiguration;--View the security configuration of the project


In addition to the command line, you can check whether the ACL switch is enabled on the + +DataWorks > Project Management > MaxCompute Config+ + page.

Querying the policy configuration of the current project

There are two common types of policy authorization: project-level and role-level.

get policy;--Obtain the project-level policy configuration
get policy on role <rolename>;--Obtain the policy configuration of the specified role


0 0 0
Share on

Alibaba Cloud MaxCompute

117 posts | 18 followers

You may also like


Alibaba Cloud MaxCompute

117 posts | 18 followers

Related Products