After a project is created in MaxCompute, the project owner and two default management roles (Super_Administrator and Admin) are provided. This topic describes the two management roles of a MaxCompute project.

The following roles have management permissions:
  • Project owner: has all project permissions.
  • Super_Administrator: has permissions on all types of resources in a project and all management permissions. This is a built-in management role.
  • Admin: has permissions on all types of resources in a project and certain basic management permissions. This is also a built-in management role.

Management role permissions

The following table describes the permissions of management roles.
| Permission type | Object | Action | Description | Project owner | Super_Administrator | Admin |
| --- | --- | --- | --- | --- | --- | --- |
| Project security configuration | Project | SetSecurityConfiguration | Set the project security configuration. | Yes | Yes | N/A |
| Project security configuration | Project | GetSecurityConfiguration | Query the project security configuration. | Yes | Yes | Yes |
| Protected project management | Project | AddTrustedProject | Add a protected project. | Yes | Yes | N/A |
| Protected project management | Project | RemoveTrustedProject | Delete a protected project. | Yes | Yes | N/A |
| Protected project management | Project | ListTrustedProjects | List protected projects. | Yes | Yes | Yes |
| User management | Project | AddUser | Add a user. | Yes | Yes | Yes |
| User management | Project | RemoveUser | Remove a user. | Yes | Yes | Yes |
| User management | Project | ListUsers | List users. | Yes | Yes | Yes |
| User management | Project | ListUserRoles | List the roles assigned to a user. | Yes | Yes | Yes |
| Role management | Project | CreateRole | Create a role. | Yes | Yes | Yes |
| Role management | Project | DescribeRole | Query a role. | Yes | Yes | Yes |
| Role management | Project | AlterRole | Modify role properties. | Yes | Yes | Yes |
| Role management | Project | DropRole | Delete a role. | Yes | Yes | Yes |
| Role management | Project | ListRoles | List roles. | Yes | Yes | Yes |
| Role authorization | Role | GrantRole | Grant a role to a user. | Yes | Yes | Yes |
| Role authorization | Role | RevokeRole | Revoke a role from a user. | Yes | Yes | Yes |
| Role authorization | Role | ListRolePrincipals | List the roles assigned to a user. | Yes | Yes | Yes |
| Package management | Project | CreatePackage | Create a package. | Yes | Yes | N/A |
| Package management | Project | ShowPackages | List packages. | Yes | Yes | N/A |
| Package management | Package | DescribePackage | Query a package. | Yes | Yes | Yes |
| Package management | Package | DropPackage | Delete a package. | Yes | Yes | N/A |
| Package management | Package | InstallPackage | Install a package. | Yes | Yes | Yes |
| Package management | Package | UninstallPackage | Uninstall a package. | Yes | Yes | Yes |
| Package management | Package | AllowInstallPackage | Allow other projects to use a package. | Yes | Yes | N/A |
| Package management | Package | DisallowInstallPackage | Disallow other projects from using a package. | Yes | Yes | N/A |
| Package management | Package | AddPackageResource | Add resources to a package. | Yes | Yes | N/A |
| Package management | Package | RemovePackageResource | Remove resources from a package. | Yes | Yes | N/A |
| Label authorization control | Table | GrantLabel | Grant a label. | Yes | Yes | Yes |
| Label authorization control | Table | RevokeLabel | Revoke a label. | Yes | Yes | Yes |
| Label authorization control | Table | ShowLabelGrants | Query label authorization. | Yes | Yes | Yes |
| Label authorization control | Table | SetDataLabel | Set labels for users and roles. | Yes | Yes | Yes |
| Expired permission clearance | Project | ClearExpiredGrants | Clear expired permissions. | Yes | Yes | Yes |

Grant a management role to a user

The project owner only needs to grant the Super_Administrator or Admin role to a specific RAM user. Then, that RAM user has all permissions of this role. Two methods are available:
  • Grant a role by using the MaxCompute client.
    Assume that the bob@aliyun.com user is the owner of the project_a project, and the Allen user is a RAM user under bob@aliyun.com.
    1. Open the project_a project.
      use project_a;
    2. Add the RAM user, Allen, to the project_a project.
      add user ram$bob@aliyun.com:Allen;
    3. Grant the Allen user the Super_Administrator role.
      grant super_administrator TO ram$bob@aliyun.com:Allen;
      Grant the Allen user the Admin role.
      grant admin TO ram$bob@aliyun.com:Allen;
  • Grant a role in the DataWorks console.
    1. Log on to the DataWorks console and click Workspace Management.
    2. Add a RAM user as a member of the project.
      1. In the left-side navigation pane, click User Management to navigate to the Members pane.
      2. In the upper-right corner, click Add Member.
      3. In the Add Member dialog box, select the members you want to add from the Available Accounts section and click the rightwards arrow to add them to the Added Accounts section.
      4. Select a role and click OK.
    3. Grant the RAM user the Super_Administrator or Admin role.
      1. In the left-side navigation pane, click MaxCompute Management.
      2. On the pane that appears, click Custom User Roles.
      3. Select the role that you want to grant to the user and click Members. In the dialog box that appears, select the members you want to add from the Available Accounts section and click the rightwards arrow to add them to the Added Accounts section.
      4. Click OK.
Note: Only the project owner can perform this operation.
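
The following Python code is an added example, not part of the original documentation or of MaxCompute. It encodes the Admin column of the management role permissions table to pick the less-privileged of the two roles for a set of required actions, and to review existing grants. The users Dana and Carol and the required-action lists are constructed sample data.

```python
# Actions the permissions table marks N/A for Admin: only the project owner
# and Super_Administrator can perform them.
SUPER_ONLY = frozenset({
    "SetSecurityConfiguration", "AddTrustedProject", "RemoveTrustedProject",
    "CreatePackage", "ShowPackages", "DropPackage", "AllowInstallPackage",
    "DisallowInstallPackage", "AddPackageResource", "RemovePackageResource",
})
# Actions the permissions table marks Yes for Admin.
ADMIN_ACTIONS = frozenset({
    "GetSecurityConfiguration", "ListTrustedProjects", "AddUser", "RemoveUser",
    "ListUsers", "ListUserRoles", "CreateRole", "DescribeRole", "AlterRole",
    "DropRole", "ListRoles", "GrantRole", "RevokeRole", "ListRolePrincipals",
    "DescribePackage", "InstallPackage", "UninstallPackage", "GrantLabel",
    "RevokeLabel", "ShowLabelGrants", "SetDataLabel", "ClearExpiredGrants",
})

def minimal_role(needed):
    """Return the least-privileged built-in role that covers `needed`."""
    needed = set(needed)
    unknown = needed - ADMIN_ACTIONS - SUPER_ONLY
    if unknown:
        # Fail closed: an action outside the table never maps to a role.
        raise ValueError(f"not in the permissions table: {sorted(unknown)}")
    return "Super_Administrator" if needed & SUPER_ONLY else "Admin"

def review_grants(grants, needs):
    """Compare each user's granted role with the role their actions require."""
    findings = {}
    for user, granted in grants.items():
        wanted = set(needs.get(user, ()))
        required = minimal_role(wanted)
        if granted == "Super_Administrator" and required == "Admin":
            findings[user] = "over-privileged: Admin covers all required actions"
        elif granted == "Admin" and required == "Super_Administrator":
            gap = ", ".join(sorted(wanted & SUPER_ONLY))
            findings[user] = f"insufficient: Admin cannot perform {gap}"
    return findings

# Constructed sample data (Dana and Carol are hypothetical RAM users).
GRANTS = {"ram$bob@aliyun.com:Allen": "Super_Administrator",
          "ram$bob@aliyun.com:Dana": "Admin",
          "ram$bob@aliyun.com:Carol": "Super_Administrator"}
NEEDS = {"ram$bob@aliyun.com:Allen": ["AddUser", "GrantRole", "ListUsers"],
         "ram$bob@aliyun.com:Dana": ["InstallPackage", "CreatePackage"],
         "ram$bob@aliyun.com:Carol": ["SetSecurityConfiguration", "AddUser"]}

if __name__ == "__main__":
    for user, finding in review_grants(GRANTS, NEEDS).items():
        print(f"{user}: {finding}")
```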