If you want to allow a RAM user to use the E-MapReduce (EMR) console, you must grant the required permissions to the RAM user by using your Alibaba Cloud account in the Resource Access Management (RAM) console.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM? The following examples describe how RAM is used to implement access control:
  • RAM users: If you purchased multiple instances for an EMR cluster, you can create a policy that allows the users who are responsible for O&M, development, or data analysis to use these instances. Because you do not share the AccessKey pair of your Alibaba Cloud account with these users, this eliminates the risk of leaking that AccessKey pair and helps ensure account security.
  • RAM user groups: You can create multiple user groups and grant different permissions to them. The authorization process is the same as that for RAM users. The user groups can be used to manage multiple RAM users at the same time.


Policies are categorized into system policies and custom policies.

  • System policies: the default policies that Alibaba Cloud provides to meet various management purposes. The following system policies are frequently used in EMR:
    • AliyunEMRFullAccess: provides RAM users with full access to EMR. This policy allows RAM users to perform all operations on all EMR resources.
    • AliyunEMRDevelopAccess: provides RAM users with the developer permissions of EMR. This policy does not allow RAM users to create or release clusters.
    • AliyunEMRFlowAdmin: provides RAM users with the administrator permissions of the Data Platform module in EMR. This policy allows RAM users to create projects and develop and manage jobs. It does not allow RAM users to add members to projects or manage clusters.
  • Custom policies: the policies that you design based on your business requirements. Custom policies are suitable for users who are familiar with Alibaba Cloud service APIs and require fine-grained access control. For more information about how to create a custom policy, see Policy structure and syntax.
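
The following added example is not part of the original documentation. It shows how to check what a custom policy actually grants before you attach it to a RAM user. The policy document and the action names `emr:CreateCluster*`, `emr:ReleaseCluster*`, and `emr:ListClusters` are constructed assumptions, and `Condition` elements are not evaluated.

```python
import json
import re

# Constructed custom policy (an assumption, not from the page): allow all EMR
# actions but explicitly deny creating and releasing clusters.
CUSTOM_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "emr:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": ["emr:CreateCluster*", "emr:ReleaseCluster*"],
     "Resource": "*"}
  ]
}
""")

def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value):
    # Only '*' is treated as a wildcard; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def evaluate(policy, action, resource="*"):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing is allowed unless a statement says so
    for stmt in policy.get("Statement", []):
        hit = (any(_matches(p, action) for p in _as_list(stmt["Action"]))
               and any(_matches(p, resource) for p in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny takes precedence over any Allow
        decision = "Allow"
    return decision

def broad_allows(policy):
    """List Allow statements that grant a wildcard action on every resource."""
    return [s for s in policy.get("Statement", [])
            if s["Effect"] == "Allow"
            and "*" in _as_list(s["Resource"])
            and any(a.endswith("*") for a in _as_list(s["Action"]))]
```

Review every statement that `broad_allows` returns before you attach the policy, and narrow its `Action` or `Resource` where the user's role permits.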

Grant permissions to a RAM user

Perform the following steps to grant permissions on EMR resources to a RAM user in the RAM console:

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, click the policies that you want to attach to the RAM user, and click OK.
    For more information about policies, see Policies.
  5. Click Complete.
    After authorization is complete, the granted permissions take effect immediately. The authorized RAM user can log on to the RAM console to check their permissions.