To ensure the security of project data, we recommend that you create Resource Access Management (RAM) users and assign the credentials of the RAM users to other members who participate in MaxCompute projects. This helps strictly control the permissions of personnel who participate in MaxCompute projects. This topic describes how to create a RAM user.

Prerequisites

An Alibaba Cloud account is created.

For more information about how to create an Alibaba Cloud account, see Create an Alibaba Cloud account.

Usage notes

  • RAM users belong to your Alibaba Cloud account. They do not own resources and are not separately charged.
  • All the fees incurred by the RAM users must be paid by your Alibaba Cloud account.

Procedure

  1. Step 1: Create a RAM user

    Create a RAM user by using your Alibaba Cloud account. For more information, see RAM.

  2. Step 2: Create an AccessKey pair

    Create an AccessKey pair for the RAM user by using your Alibaba Cloud account. This ensures that the jobs submitted by the RAM user can run normally.

  3. Step 3: Authorize the RAM user

    To allow the RAM user to create projects in DataWorks, you must attach the AliyunDataWorksFullAccess policy to the RAM user by using your Alibaba Cloud account.

  4. Step 4: Assign the credentials of the RAM user to other users

    Assign the credentials of the created RAM user to other users.

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click Users under Identities.
  3. Click Create User.
    Note: To create multiple RAM users at a time, click Add User.
  4. Specify the Logon Name and Display Name parameters.
  5. Under Access Mode, select Console Password Logon.
  6. Click OK.
  7. On the Create User page, click Download CSV File, or find an existing RAM user and click Copy in the Actions column, to save the logon username and password of the RAM user.

Step 2: Create an AccessKey pair

Note
  • If you grant the RAM user the permission to manage AccessKey pairs, the RAM user can create AccessKey pairs in the RAM console. For more information about how to create AccessKey pairs, see Configure security policies for RAM users.
  • You can create a maximum of two AccessKey pairs for a RAM user.

  1. In the left-side navigation pane, click Users under Identities.
  2. In the User Logon Name/Display Name column, click the username of the target RAM user.
  3. In the User AccessKeys section, click Create AccessKey. The system automatically creates an AccessKey pair.
  4. In the Create AccessKey dialog box, click the Download or Copy icon, save the created AccessKey pair information, and click Close.
    You can also view the status of the created AccessKey pair in the User AccessKeys section, and disable or delete the AccessKey pair.
    Notice
    • To ensure the security of the AccessKey pair, we recommend that you do not share this information with others. If your AccessKey pair may have been leaked, disable or update it immediately.
    • The AccessKey pair is displayed only when you create it and cannot be queried afterward. We recommend that you record the AccessKey pair and keep it confidential for subsequent use.
    • After you disable an AccessKey pair, the service that uses the AccessKey pair fails to run and an error is reported. Proceed with caution when you perform this operation. If the status of the AccessKey pair changes, check the status of the services that use the AccessKey pair in a timely manner.

Step 3: Authorize the RAM user

  1. In the left-side navigation pane, click Users under Identities.
  2. In the User Logon Name/Display Name column, find the target RAM user.
  3. Click Add Permissions. On the page that appears, the principal is automatically filled in.
  4. Click the AliyunDataWorksFullAccess policy in the Authorization Policy Name column to add this permission to the list of selected permissions.
    Note: If the RAM user needs to activate MaxCompute later, the Alibaba Cloud account must attach the AliyunBSSOrderAccess policy to the RAM user.
  5. Click OK.
  6. Click Finished.
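
Steps 1 to 3 can also be scripted. The following is an added example, not part of the original topic: it uses the aliyun CLI with the RAM API operations CreateUser, CreateLoginProfile, CreateAccessKey, and AttachPolicyToUser, and it saves the one-time AccessKey response to an owner-only file. The function name, the RAM_INITIAL_PASSWORD variable, and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: Steps 1-3 scripted with the aliyun CLI (not from the original page).
# Assumes the CLI profile is the Alibaba Cloud account or a RAM administrator.
ALIYUN="${ALIYUN:-aliyun}"   # CLI binary; override for a dry run

# provision_ram_user LOGON_NAME DISPLAY_NAME KEYFILE (names are hypothetical)
provision_ram_user() {
    user="$1"; display="$2"; keyfile="$3"
    [ -n "$user" ] && [ -n "$display" ] && [ -n "$keyfile" ] || {
        echo "usage: provision_ram_user LOGON_NAME DISPLAY_NAME KEYFILE" >&2; return 2; }
    # Initial password comes from the environment so it is not stored in the script.
    [ -n "${RAM_INITIAL_PASSWORD:-}" ] || {
        echo "RAM_INITIAL_PASSWORD is not set" >&2; return 2; }
    # The secret is returned only once, so never overwrite a saved key file.
    [ ! -e "$keyfile" ] || { echo "$keyfile already exists" >&2; return 1; }

    # Step 1: create the user, then enable console password logon.
    "$ALIYUN" ram CreateUser --UserName "$user" --DisplayName "$display" \
        >/dev/null || return 1
    # PasswordResetRequired forces a new password at first logon.
    "$ALIYUN" ram CreateLoginProfile --UserName "$user" \
        --Password "$RAM_INITIAL_PASSWORD" --PasswordResetRequired true \
        >/dev/null || return 1

    # Step 2: create the AccessKey pair. umask 077 makes the response file
    # readable by its owner only; the response is the only copy of the secret.
    ( umask 077; "$ALIYUN" ram CreateAccessKey --UserName "$user" >"$keyfile" ) || {
        rm -f "$keyfile"; return 1; }

    # Step 3: attach the system policy named in this topic.
    "$ALIYUN" ram AttachPolicyToUser --PolicyType System \
        --PolicyName AliyunDataWorksFullAccess --UserName "$user" \
        >/dev/null || return 1
}

# Run only when called with arguments, e.g.:
#   RAM_INITIAL_PASSWORD=... sh provision.sh dev_user "Dev User" ./dev_user.ak.json
if [ "$#" -ge 3 ]; then
    provision_ram_user "$@"
fi
```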

Step 4: Assign the credentials of the RAM user to other users

To assign the credentials of the RAM user to another user, you must provide the following information about the RAM user to that user:
  • RAM user logon link

    Log on to the RAM console. In the Account Management section in the upper-right corner of the Overview page, the URL under RAM user logon is the logon link of the RAM user.

  • Domain name of the Alibaba Cloud account to which the RAM user belongs

    Log on to the RAM console. In the left-side navigation pane, click Settings under Identities. On the Settings page, click the Advanced tab. Then, you can view Default Domain and Domain Alias.

  • The account and password of the RAM user, which are the logon username and password of the RAM user saved in Step 1.
  • The AccessKey ID and AccessKey secret of the RAM user, which make up the AccessKey pair created in Step 2.

What to do next

After you prepare the RAM user, you can activate MaxCompute. For more information, see Activate MaxCompute and DataWorks.