This topic describes how to create a project and manage members in the project in two common scenarios.

Scenario 1: Create an extract, transform, load (ETL) project

Scenario requirements

  • Collaborative development is required.
  • The division of member responsibilities is clear.
  • Standard development, debugging, and publishing processes are required, and strict access control is imposed on production data.
Requirement analysis
  • MaxCompute supports collaborative development of projects.
  • MaxCompute provides built-in roles and custom roles. You can grant different permissions to members by assigning the members different roles. DataWorks also provides multiple roles to meet the permission requirements.
  • You can create MaxCompute projects that are isolated between the development and production environments in the DataWorks console. This meets the development, debugging, and publishing requirements and isolates data of different projects.
Procedure
  1. Create a project in the development and production environments.

    When you create a project, set Mode to Standard Mode (Development and Production Environments). For more information about how to create a project, see Create a MaxCompute project.

  2. Add members to the project.

    Create a RAM user and add the user as a member of the project. Then, assign a role to the user, such as the Development or O&M role, based on your business requirements.

    For more information about how to create a RAM user, see Create a RAM user.

    For more information about how to add a project member and assign a role to the project member, see Add a workspace member and configure roles.

  3. Create and debug tasks.

    Members that are assigned the Development role can use Data Analytics of DataWorks to create and debug tasks. If you want to use a table that is generated in the production environment of the project, you can apply for the required permissions in Data Governance of DataWorks.

    Data Analytics of DataWorks supports collaborative development. All project members can view the task code, and every member that is granted the edit permissions can edit it. Because of this, code that contains sensitive logic cannot be isolated within a shared project. To protect such code, create a separate project for it and grant only a fixed set of members the permissions to develop the tasks and data that require high confidentiality.

  4. Publish a task to the production environment.

    Members that are assigned the Development role can debug and package a task. Members that are assigned the O&M role can review the code and publish the task to the production environment. Tasks cannot be published to the production environment if they are not reviewed by code reviewers.

    In the production environment, only the member that is assigned the Project Owner role can access MaxCompute directly, and tasks are executed under that account. As a result, the Project Owner account is the owner of all tables, functions, and resources that are generated in the production environment. Other members may therefore find that they are not the owner of the tables that their tasks create, or that they do not have the permissions to view those tables.

  5. Test the task.

    After the task is published to the production environment, we recommend that you perform a test on the task in Operation Center as a member that is assigned the Development role. This way, you can check whether the task runs as expected. If the task succeeds, you must check the log to determine whether the task runs as expected and check whether a normal result table is generated. By default, you do not have the permissions to query the tables that are generated in the production environment. You must apply for the required permissions in Data Governance of DataWorks.

    The same account is used as the project owner in both the development and production environments, so that account can read production tables from either environment. After a task is published to the production environment, the following operation must be forbidden: reading data from tables that are generated in the production environment and writing it to tables in the development environment, which would expose production data in the development environment and bypass the access control that is imposed on production data.

Scenario 2: Create a project only to query and download business data

Scenario requirements

  • The business scope is limited and is not expected to grow. Project members require only a few roles.
  • Project members need only to query and download business data for analysis.
Requirement analysis
  • For a project that does not require code development, the data used for analysis can be obtained only from other projects in which the data is developed. Resources of different Alibaba Cloud accounts are isolated. Therefore, you must make sure that the owner of the current project uses the same Alibaba Cloud account as the owner of the project in which the data is developed.
  • Each member requires permissions to query and download data, and the queries must run under the identity of the member rather than the project owner. Access Identity must therefore be set to Task Owner for the current project.
  • After you set Access Identity to Task Owner, you must assign the related MaxCompute role to each project member. To meet the requirement that each member can perform operations only on tables that they create, you must adjust the default permissions of the role based on your business requirements.
Procedure
  1. Create a project.

    When you create a project, set Mode to Basic Mode (Production Environment Only). For more information about how to create a project, see Create a MaxCompute project.

  2. Create a custom MaxCompute role and grant permissions to the role.
    Run the following commands on the MaxCompute client by using the Alibaba Cloud account that owns the project. Replace prj_name with the name of your project:
    -- Create a custom role.
    create role custom_dev;
    -- Grant permissions to the custom role. The role can create objects and run tasks but has no project-wide Select permission.
    grant List, CreateInstance, CreateTable, CreateFunction, CreateResource on project prj_name to role custom_dev;
  3. Configure ObjectCreatorHasAccessPermission for the project.
    Run the following commands on the MaxCompute client by using the Alibaba Cloud account that owns the project. ObjectCreatorHasAccessPermission grants the creator of an object access to that object; its default value is true, but set it explicitly so that the configuration is recorded:
    set ObjectCreatorHasAccessPermission=true;
    -- View the current security configuration of the project and confirm that ObjectCreatorHasAccessPermission is true.
    show SecurityConfiguration;
  4. Add members to the project.

    Create a RAM user and add the RAM user as a project member.

    For more information about how to create a RAM user, see Create a RAM user.

    For more information about how to add a project member, see Add a workspace member and configure roles.

    When you add a member, you must select a role for the member. For example, if you select the Development role when you add a member, the member is automatically assigned the Role_Project_Dev role in the MaxCompute project. To view the permissions of the member, run the following command on the MaxCompute client by using the Alibaba Cloud account, replacing the placeholders with the Alibaba Cloud account and the name of the RAM user: show grants for RAM$<Alibaba Cloud account>:<RAM user>;
  5. Modify the permissions of a project member.
    Run the following commands on the MaxCompute client by using the Alibaba Cloud account to modify the permissions of a member. Replace the placeholders with the Alibaba Cloud account and the name of the RAM user:
    -- Revoke the default role from the member.
    revoke role_project_dev from RAM$<Alibaba Cloud account>:<RAM user>;
    -- Assign the custom role that you created to the member.
    grant custom_dev to RAM$<Alibaba Cloud account>:<RAM user>;

    This change is made only in MaxCompute. If you later assign the Development role to the member again in the DataWorks console, the member is reassigned the Role_Project_Dev role and regains its permissions, so you must repeat these commands.
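    The following command sequence is an added example and is not part of the original page. It runs steps 2 to 5 of this scenario end to end on the MaxCompute client as the Alibaba Cloud account that owns the project, and adds the verification commands (whoami, describe role, show grants) that let you confirm each step took effect before moving on. The project name prj_name, the RAM user RAM$owner@example.com:analyst1, and the second RAM user analyst2 are placeholders; substitute your own values.

```sql
-- Added example (not from the original page): Scenario 2 configured end to end.
-- Run as the Alibaba Cloud account that owns the project.
-- Placeholders: prj_name, RAM$owner@example.com:analyst1, RAM$owner@example.com:analyst2.

use prj_name;
whoami;                                   -- confirm the session runs as the project owner

-- Step 2: custom role that can create objects and run tasks, but has no project-wide Select.
create role custom_dev;
grant List, CreateInstance, CreateTable, CreateFunction, CreateResource
    on project prj_name to role custom_dev;
describe role custom_dev;                 -- verify the grant landed on the role

-- Step 3: creators keep access to the objects they create (default is true; set it explicitly).
set ObjectCreatorHasAccessPermission=true;
show SecurityConfiguration;               -- confirm ObjectCreatorHasAccessPermission=true

-- Step 4: after adding analyst1 in the DataWorks console with the Development role,
-- inspect what the default role grants before changing anything.
show grants for RAM$owner@example.com:analyst1;
describe role role_project_dev;           -- the default role is broader than custom_dev

-- Step 5: swap the default role for the restricted one and re-check.
revoke role_project_dev from RAM$owner@example.com:analyst1;
grant custom_dev to RAM$owner@example.com:analyst1;
show grants for RAM$owner@example.com:analyst1;   -- should now list custom_dev only

-- Behavioural check, run by the members themselves once Access Identity is Task Owner:
--   as analyst1: create table t_analyst1 (id bigint);  select * from t_analyst1;  -- succeeds
--   as analyst2: select * from t_analyst1;                                         -- fails, no Select on t_analyst1
```

    Run the same revoke and grant pair for every RAM user you add, and re-run show grants for each of them after any role change in the DataWorks console, because reassigning the Development role there silently re-grants Role_Project_Dev.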

Note Task-level access control is not supported. After the preceding configurations are complete, the members cannot view the tables (objects) that are created by others, but they can view the tasks that are created by others.