To make sure that your Resource Access Management (RAM) users can use the E-MapReduce console, you must access the RAM console by using your Alibaba Cloud account and grant the required permissions to the RAM users. This topic describes how to use RAM to control access to E-MapReduce cluster resources at the account level. Detailed operations include creating RAM users or user groups and granting specific permissions.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM? The following examples describe how RAM is used to implement access control.

  • RAM users: You can purchase multiple Elastic Compute Service (ECS) instances to build E-MapReduce clusters. Your organization may have multiple users who need to access the instances, for example, users who are responsible for O&M, development, and data analysis. You can create multiple RAM users and use policies to control the permissions of these users. This eliminates the risk of disclosing your AccessKey pair of your Alibaba Cloud account and helps maintain account security.
  • RAM user groups: You can create multiple user groups and grant different permissions to them. The authorization process is the same as that for RAM users. The user groups can be used to manage RAM users in batches.


Policies are categorized to system policies and custom policies.

  • System policies: the default policies provided by Alibaba Cloud. The following system policies are frequently used in E-MapReduce:
    • AliyunEMRFullAccess: provides RAM users with full access to E-MapReduce, including all permissions on all E-MapReduce resources.
    • AliyunEMRDevelopAccess: provides RAM users with the developer permissions of E-MapReduce. This policy does not authorize RAM users to perform some operations such as creating and releasing clusters.
    • AliyunEMRFlowAdmin: provides RAM users with the administrator permissions of E-MapReduce. This policy allows RAM users to create projects, and develop and manage jobs. It does not allow RAM users to add members to projects or manage clusters.
  • Custom policies: the user-defined policies. These policies are suitable for users who are familiar with various Alibaba Cloud service APIs and require fine-grained access control. For more information, see Policy structure and syntax.


To grant permissions on E-MapReduce to RAM users in the RAM console, follow these steps:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the target RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions pane, click the policy you want to attach to the RAM user and click OK.
    For more information about policies, see Policy.
  5. Click Complete.
    After authorization is completed, the granted permissions take effect immediately. The authorized RAM users can log on to the RAM console to check their permissions.