This topic describes how to set a RAM user as the super administrator for a MaxCompute project, and provides suggestions on how to manage members and permissions.

Background information

To ensure data security, the Alibaba Cloud account that owns a project is managed only by authorized personnel. Common users can log on to MaxCompute only as RAM users. A project owner must be the Alibaba Cloud account, and some operations can be performed only by the project owner, such as setting a project flag and configuring cross-project resource sharing by using packages. If you use a RAM user to manage the project, make sure that it has been granted the Super_Administrator role.

The built-in management role Super_Administrator has been added to MaxCompute. This role has all permissions on all types of resources in a project and project management permissions. For more information about permissions, see Management roles.

A project owner can grant the Super_Administrator role to a RAM user. As the Super_Administrator, the RAM user has the permissions needed to manage the project, such as the common project flag setting permissions and management permissions on all resources.

Authorization methods

We recommend that you grant the Super_Administrator role to a RAM user that has the permissions to create a project. This way, the RAM user can manage both DataWorks workspaces and the MaxCompute projects associated with those DataWorks workspaces.
Note
  • For more information about how to grant a RAM user the permissions to create a project, see Grant permissions to the RAM user.
  • To ensure data security, we recommend that you clarify the responsibilities of owners of RAM users. Ensure that each RAM user corresponds to one developer.
  • Only one RAM user can be granted the Super_Administrator role in a project. You can grant the Admin role to other RAM users that require basic management permissions.
Even if a RAM user is used to create a project, the project owner is still the Alibaba Cloud account. The Alibaba Cloud account can grant the Super_Administrator role to the RAM user in the following ways:
  • Grant the Super_Administrator role on the MaxCompute client.
    Assume that the bob@aliyun.com user is the owner of the project_a project, and the Allen user is a RAM user under bob@aliyun.com.
    1. Run the following commands to grant the Super_Administrator and Admin roles as bob@aliyun.com:
      -- Open project_a.
      use project_a;
      -- Add the RAM user, Allen, to project_a.
      add user ram$bob@aliyun.com:Allen;
      -- Grant the Super_Administrator role to Allen.
      grant super_administrator TO ram$bob@aliyun.com:Allen;
      -- Grant the Admin role to Allen.
      grant admin TO ram$bob@aliyun.com:Allen;
    2. Run the following command to view the permissions as the authorized RAM user:
      show grants;

      If the Super_Administrator role is returned, the authorization succeeded.

  • Grant the Super_Administrator role in the DataWorks console.
    1. Log on to the DataWorks console and choose Workspace Management.
    2. (Optional) Add a RAM user as a project member. Skip this step if the RAM user is already a project member.
      1. On the Workspace Management page that appears, click User Management in the left-side navigation pane to navigate to the Members pane.
      2. In the upper-right corner, click Add Member.
      3. In the Add Member dialog box that appears, select the members you want to add from the Available Accounts section and click the rightwards arrow to add them to the Added Accounts section.
        Note Click Refresh to synchronize the RAM users under the current Alibaba Cloud account to the Available Accounts section.
      4. Select required roles and click OK.
    3. Grant the Super_Administrator role to the RAM user.
      1. On the Workspace Management page, click MaxCompute Management in the left-side navigation pane.
      2. In the pane that appears, click Custom User Roles.
      3. Select the role that you want to grant to the user and click Members. In the dialog box that appears, select the members you want to add from the Available Accounts section and click the rightwards arrow to add them to the Added Accounts section.
      4. Click OK.
    4. Run the following command on the MaxCompute client to view the permissions as the authorized RAM user:
      show grants;

      If the Super_Administrator role is returned, the authorization succeeded.

Instructions

  • Member management
    • MaxCompute supports the Alibaba Cloud account and RAM users. To ensure data security, we recommend that you only add RAM users under the project owner as project members.

      The Alibaba Cloud account controls its RAM users, for example by revoking or updating their credentials. This keeps data secure when personnel are transferred or resign.

      Note If you use DataWorks to manage project members, you can only add RAM users under the project owner as project members.
    • RAM users can be added by the Alibaba Cloud account and by the super administrator. If you add RAM users to a project as the super administrator, they are not officially added to the project until the Alibaba Cloud account has created them.
    • We recommend that you only add the users who need to develop data, namely, users who will run jobs, in the current project as project members. For users who require data interaction, you can use packages to share resources across projects. This reduces the complexity of member management as more users are added to the project.
    • If an employee who has a RAM user is transferred to another position or resigns, the RAM user with the Super_Administrator role removes the employee's RAM user from the project and then notifies the project owner to revoke its credentials. If the employee who leaves is the one whose RAM user holds the Super_Administrator role, both the remove and revoke operations must be performed by using the Alibaba Cloud account.
  • Permission management
    • We recommend that you manage permissions by role. Permissions are associated with roles, and roles are associated with users.
    • We recommend that you use the principle of least privilege to avoid security risks caused by excessive permissions.
    • If you need to use cross-project data, we recommend that you share resources by using packages. In this way, resource providers only need to manage packages, which avoids extra costs associated with the management of additional members.
    Note A RAM user granted the Super_Administrator role has the permissions to query and manage all resources in a project. Therefore, no additional permissions need to be granted to the RAM user.
  • Permission audit

    You can use the views provided by the MaxCompute metadata service Information Schema to audit permissions.

  • Cost management
    For more information, see View billing details. RAM users can query the billing details only after the Alibaba Cloud account grants them the permissions to access Billing Management. For more information about how to grant permissions, see Grant permissions to a RAM role. The required permissions are as follows:
    • AliyunBSSFullAccess: the permissions to manage Billing Management.
    • AliyunBSSReadOnlyAccess: the ACCESS and READ-ONLY permissions on Billing Management.
    • AliyunBSSOrderAccess: the permissions to view, pay for, and cancel orders in Billing Management.
    Note Permissions on Billing Management are independent of the Super_Administrator role of a MaxCompute project. You must grant these permissions separately to the user.
  • Resource usage management
    • If you use subscription MaxCompute computing resources, you can view the usage of computing resources and manage all computing resources on MaxCompute Management.
    • If you use pay-as-you-go MaxCompute computing resources, you can view the usage of computing resources in the views provided by the MaxCompute metadata service Information Schema. For example, TASKS_HISTORY lets you audit the execution details of jobs, such as the time, content, and resource consumption.
      Note The view provided by the metadata service only retains data from the last 15 days. If you need to store data for a longer period of time, we recommend that you regularly read and save the data locally.
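The membership and offboarding rules above (only RAM users under the project owner as members, a single Super_Administrator RAM user per project, and who performs the removal when an employee leaves) can be checked mechanically. The following Python script is an added example for this page, not MaxCompute or DataWorks code. It assumes that role grants have been exported into (project, account, role) tuples, for instance by collecting show grants output per member or by querying the Information Schema; the export format and the sample accounts are constructed here. The emitted client commands use remove user and revoke <role> FROM <user>, the counterparts of the add user and grant commands shown above.

```python
"""Policy checks for MaxCompute project membership (added example)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

SUPER_ADMIN = "super_administrator"

# Constructed sample export of role grants: (project, account, role).
# Accounts and the custom role "data_dev" are invented for this example.
OWNER = "bob@aliyun.com"
SAMPLE_GRANTS: List[Tuple[str, str, str]] = [
    ("project_a", "ram$bob@aliyun.com:Allen", "super_administrator"),
    ("project_a", "ram$bob@aliyun.com:Allen", "admin"),
    ("project_a", "ram$bob@aliyun.com:Carol", "data_dev"),
    ("project_a", "ram$alice@aliyun.com:Dave", "data_dev"),   # wrong parent account
    ("project_a", "ram$bob@aliyun.com:Erin", "super_administrator"),  # second super admin
]


def ram_parent(account: str) -> Optional[str]:
    """Return the Alibaba Cloud account a RAM user belongs to, or None when
    the account is not a RAM user. RAM users are written as
    ram$<alibaba-cloud-account>:<ram-user-name>, as on this page."""
    if not account.startswith("ram$") or ":" not in account:
        return None
    return account[len("ram$"):].split(":", 1)[0]


def roles_in_project(project: str, grants) -> Dict[str, Set[str]]:
    """Group the granted roles of one project by account (roles lower-cased)."""
    roles: Dict[str, Set[str]] = defaultdict(set)
    for proj, account, role in grants:
        if proj == project:
            roles[account].add(role.lower())
    return roles


def audit_members(project: str, owner: str, grants) -> List[str]:
    """Check the page's membership rules and return findings (empty if compliant):
    - every member other than the owner is a RAM user under the owner's account;
    - at most one RAM user holds Super_Administrator."""
    findings = []
    roles = roles_in_project(project, grants)
    for account in sorted(roles):
        if account == owner:
            continue  # the owner account itself is not a RAM user
        parent = ram_parent(account)
        if parent is None:
            findings.append(f"{account}: not a RAM user; only RAM users under {owner} should be members")
        elif parent != owner:
            findings.append(f"{account}: RAM user under {parent}, not under project owner {owner}")
    super_admins = sorted(a for a, r in roles.items() if SUPER_ADMIN in r and a != owner)
    if len(super_admins) > 1:
        findings.append("more than one RAM user holds Super_Administrator: " + ", ".join(super_admins))
    return findings


def offboarding_plan(project: str, leaving: str, grants) -> Dict[str, object]:
    """Decide who performs the removal and emit the client commands.
    An ordinary member is removed by the Super_Administrator RAM user, who then
    asks the owner to revoke the credentials; the Super_Administrator itself
    must be removed by the Alibaba Cloud account. Roles are revoked before the
    user is removed so that no dangling grants remain."""
    roles = roles_in_project(project, grants).get(leaving, set())
    if not roles:
        raise ValueError(f"{leaving} is not a member of {project}")
    actor = "alibaba_cloud_account" if SUPER_ADMIN in roles else "super_administrator"
    commands = [f"use {project};"]
    commands += [f"revoke {role} FROM {leaving};" for role in sorted(roles)]
    commands.append(f"remove user {leaving};")
    return {"actor": actor, "commands": commands, "revoke_credentials_by": "alibaba_cloud_account"}


if __name__ == "__main__":
    for finding in audit_members("project_a", OWNER, SAMPLE_GRANTS):
        print("FINDING:", finding)
    plan = offboarding_plan("project_a", "ram$bob@aliyun.com:Carol", SAMPLE_GRANTS)
    print("offboarding performed by:", plan["actor"])
    print("\n".join(plan["commands"]))
```

Running the script against the constructed export reports two findings (Dave belongs to a different Alibaba Cloud account, and two RAM users hold Super_Administrator) and prints the removal commands for Carol, to be run by the Super_Administrator RAM user before the owner revokes her credentials.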