Resource Access Management (RAM) is a permission management system provided by Alibaba Cloud. You can use RAM to create RAM users within the scope of permissions under your Alibaba Cloud account. You can also grant different permissions to different RAM users to allow or deny their access to cloud resources.

Note: RAM users are created by Alibaba Cloud accounts to fulfill specific functions. RAM users do not own resources. All resources belong to Alibaba Cloud accounts.

If multiple users in your organization need to use Data Lake Analytics (DLA) after you activate DLA by using your Alibaba Cloud account, these users must share the AccessKey pair of your Alibaba Cloud account. This may cause the following two issues:

  • The AccessKey pair of your Alibaba Cloud account is shared by multiple users, which increases the risk of data leakage.

  • You cannot control which operations a specific user can perform in the DLA console. For example, you cannot specify which users can manage DLA (such as create a data warehouse with one click) and which users have only read-only permissions on DLA.

To avoid the preceding issues, you can create RAM users and grant specific permissions to each RAM user. Members of your organization can then use these RAM users, instead of your Alibaba Cloud account, to access or manage DLA.

Implementation

To allow RAM users to access or manage DLA, you must complete the following steps:

  1. Create a RAM user.

  2. Grant permissions to the RAM user.

Step 1: Create a RAM user

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User. On the Create User page, specify Logon Name and Display Name.

    Note: You can click Add User to create multiple RAM users at a time.

  4. In the Access Mode section, select Console Password Logon or Programmatic Access.

    • Console Password Logon: If you select this access mode, you must also complete the basic logon security settings, including whether to automatically generate or customize a logon password, whether the password must be reset at the next logon, and whether to enable multi-factor authentication.

    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically generated for the RAM user. The RAM user can use this AccessKey pair to access DLA from development tools.

      Note: To ensure account security, we recommend that you select only one access mode for each RAM user. This reduces the risk that a RAM user continues to access DLA by using an AccessKey pair after the user leaves your organization.

  5. Click OK.

Step 2: Grant permissions to the RAM user

RAM provides two system policies for DLA:

  • AliyunDLAFullAccess: After the AliyunDLAFullAccess permission is granted to a RAM user, the RAM user has the same permissions as the Alibaba Cloud account in DLA. Exercise caution when you grant this permission to a RAM user.

  • AliyunDLAReadOnlyAccess: After the AliyunDLAReadOnlyAccess permission is granted to a RAM user, the RAM user has only read-only permissions on DLA.

System policies are created and maintained by Alibaba Cloud. You can attach these policies to RAM users, but you cannot modify them; Alibaba Cloud publishes any updates to them.

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the RAM user that you want to authorize and click Add Permissions in the Actions column.

  4. In the Add Permissions pane, select System Policy in the Select Policy section and enter the policy name to search for the permission policy. Click the permission policy to add it to the Selected section on the right.

  5. Click OK.

    After authorization, you can use the authorized RAM user to access or manage DLA.

Related operations

You can revoke permissions from a RAM user when the RAM user no longer requires these permissions or if the user leaves your organization. For more information, see Remove permissions from a RAM user and Delete a RAM user.
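The same two steps, and the revocation described under Related operations, can be scripted instead of clicked through in the console. The following shell script is an added example and is not part of the original page; it assumes the Alibaba Cloud CLI (`aliyun`) is installed and configured with a credential that may manage RAM, and uses the RAM API actions CreateUser, CreateLoginProfile, CreateAccessKey, AttachPolicyToUser and DetachPolicyFromUser. It enforces the page's two recommendations: exactly one access mode per RAM user, and an explicit opt-in before AliyunDLAFullAccess is granted.

```shell
#!/bin/sh
# Added example (not from the page): scripts Step 1 and Step 2 with the
# Alibaba Cloud CLI ("aliyun"). Set ALIYUN=echo to print the commands
# instead of running them.
set -eu
ALIYUN="${ALIYUN:-aliyun}"

# Map the role a person needs to the DLA system policy the page names.
dla_policy_for_role() {
  case "$1" in
    admin)  echo AliyunDLAFullAccess ;;
    reader) echo AliyunDLAReadOnlyAccess ;;
    *)      echo "unknown role: $1 (use admin or reader)" >&2; return 1 ;;
  esac
}

# Step 1: create the RAM user with exactly one access mode.
# mode=console needs an initial password in $3; mode=api issues an AccessKey pair.
create_dla_user() {
  user="$1"; mode="$2"
  "$ALIYUN" ram CreateUser --UserName "$user" --DisplayName "$user"
  case "$mode" in
    console)
      # Force a password reset and MFA binding on first logon.
      "$ALIYUN" ram CreateLoginProfile --UserName "$user" --Password "$3" \
        --PasswordResetRequired true --MFABindRequired true ;;
    api)
      "$ALIYUN" ram CreateAccessKey --UserName "$user" ;;
    *)  echo "access mode must be console or api: $mode" >&2; return 1 ;;
  esac
}

# Step 2: attach one DLA system policy. FullAccess equals the Alibaba Cloud
# account's own DLA permissions, so it requires an explicit confirm=yes.
grant_dla_policy() {
  user="$1"; role="$2"; confirm="${3:-no}"
  policy=$(dla_policy_for_role "$role") || return 1
  if [ "$policy" = AliyunDLAFullAccess ] && [ "$confirm" != yes ]; then
    echo "refusing $policy for $user without confirm=yes" >&2
    return 1
  fi
  "$ALIYUN" ram AttachPolicyToUser --PolicyType System \
    --PolicyName "$policy" --UserName "$user"
}

# Related operation: detach the policy when the user no longer needs DLA.
revoke_dla_policy() {
  policy=$(dla_policy_for_role "$2") || return 1
  "$ALIYUN" ram DetachPolicyFromUser --PolicyType System \
    --PolicyName "$policy" --UserName "$1"
}
# Usage: create_dla_user alice api && grant_dla_policy alice reader
```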