If multiple users in your organization need to use Data Lake Analytics (DLA) after you activate DLA by using your Alibaba Cloud account, these users must share the AccessKey pair of your Alibaba Cloud account. Sharing the AccessKey pair increases the risk that it is leaked and makes it difficult to control which operations a specific user can perform in the DLA console. To avoid these issues, you can create RAM users and grant specific permissions to each RAM user. Users can then use the RAM users to access or manage DLA.

Create a RAM user

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User. On the Create User page, specify Logon Name and Display Name.
  4. In the Access Mode section, select Console Access or Programmatic Access.
    • Console Access: If you select this access mode, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset on the next logon, and whether to enable multi-factor authentication (MFA).
    • Programmatic Access: If you select this access mode, an AccessKey pair is automatically generated for the RAM user. The RAM user can use other development tools to access DLA.
    Note: To ensure account security, we recommend that you select only one access mode for each RAM user. This prevents RAM users from using their AccessKey pairs to access DLA after they leave your organization.
  5. Click OK.

Grant permissions to a RAM user

RAM provides two system policies for DLA:

  • AliyunDLAFullAccess: After the AliyunDLAFullAccess policy is granted to a RAM user, the RAM user has the same permissions as the Alibaba Cloud account in DLA. Exercise caution when you grant this policy to a RAM user.
  • AliyunDLAReadOnlyAccess: After the AliyunDLAReadOnlyAccess policy is granted to a RAM user, the RAM user has only read-only permissions on DLA.

Note: The system policies are created and updated by Alibaba Cloud. You can use these policies but cannot modify them.

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user that you want to authorize and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, select System Policy and enter the policy name to search for the policy. Click the policy to add it to the Selected section on the right.
  5. Click OK.

    After authorization, you can use the RAM user to access or manage DLA.
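
The two cautions on this page (one access mode per RAM user, and care with AliyunDLAFullAccess) can be checked periodically against an inventory of RAM users. The following is an added example, not part of the original documentation or of any Alibaba Cloud tool; the inventory is constructed sample data and its field names and finding codes are assumptions.

```python
# Constructed sample inventory (not real accounts). Field names are assumptions
# for this example; in practice the data would be assembled from the RAM API
# operations ListUsers, GetLoginProfile, ListAccessKeys and ListPoliciesForUser.
INVENTORY = [
    {"user": "analyst-console", "console_login": True,
     "access_keys": [], "policies": ["AliyunDLAReadOnlyAccess"]},
    {"user": "etl-job", "console_login": False,
     "access_keys": [{"id": "AK-EXAMPLE-1", "status": "Active"}],
     "policies": ["AliyunDLAFullAccess"]},
    {"user": "dev-both", "console_login": True,
     "access_keys": [{"id": "AK-EXAMPLE-2", "status": "Active"}],
     "policies": ["AliyunDLAReadOnlyAccess"]},
    {"user": "former-admin", "console_login": True,
     "access_keys": [{"id": "AK-EXAMPLE-3", "status": "Inactive"}],
     "policies": ["AliyunDLAFullAccess", "AliyunDLAReadOnlyAccess"]},
]

FULL_ACCESS = "AliyunDLAFullAccess"
DLA_POLICIES = {FULL_ACCESS, "AliyunDLAReadOnlyAccess"}


def audit_user(entry):
    """Return a list of finding codes for one RAM user record."""
    findings = []
    active_keys = [k for k in entry.get("access_keys", [])
                   if k.get("status") == "Active"]
    # The page recommends a single access mode per RAM user.
    if entry.get("console_login") and active_keys:
        findings.append("BOTH_ACCESS_MODES")
    attached = set(entry.get("policies", []))
    # Full access equals the Alibaba Cloud account's permissions in DLA.
    if FULL_ACCESS in attached:
        findings.append("DLA_FULL_ACCESS")
    # Read-only adds nothing once full access is attached.
    if DLA_POLICIES <= attached:
        findings.append("REDUNDANT_READONLY")
    return findings


def audit(inventory):
    """Map each user with at least one finding to its findings."""
    results = ((e["user"], audit_user(e)) for e in inventory)
    return {user: f for user, f in results if f}


if __name__ == "__main__":
    for user, findings in audit(INVENTORY).items():
        print(f"{user}: {', '.join(findings)}")
```

Users flagged with DLA_FULL_ACCESS are candidates for review, not necessarily misconfigurations, since some roles legitimately need the same DLA permissions as the Alibaba Cloud account.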