
MaxCompute: User and role operations

Last Updated: Sep 06, 2023

If you want to develop a MaxCompute project with another user, you can add this user to the MaxCompute project. If you want to add multiple users to a project and grant them the same permissions, you can create a role, grant permissions to the role, and then grant the role to all of these users at the same time. This topic describes common operations on users and roles, such as adding, removing, and viewing users or roles.

The following table describes common statements that are used for user and role operations.

| Operation | Description |
| --- | --- |
| Add a user | Adds an Alibaba Cloud account or a Resource Access Management (RAM) user to a MaxCompute project. |
| Remove a user | Removes an Alibaba Cloud account or a RAM user from a MaxCompute project. |
| View users | Views user information in a MaxCompute project. |
| Create a role | Creates a role in a MaxCompute project. |
| View roles | Views the information of all roles in a MaxCompute project. |
| Grant a role to a user | Grants a role to a user. |
| Revoke a user from a role | Revokes a user from a specific role. |
| Delete a role | Deletes an existing role from a MaxCompute project. |

Role: A project owner or a user assigned the Super_Administrator role

Operation platform: You can execute the statements described in this topic on the following platforms:

Add a user

Adds an Alibaba Cloud account or a RAM user to a MaxCompute project.

  • Limits

    MaxCompute allows you to add only the RAM users that belong to your Alibaba Cloud account to a project. It does not allow you to add RAM users that belong to other Alibaba Cloud accounts.

  • Syntax

    add user <user_name>;

  • Parameter

    user_name: required. The name of the Alibaba Cloud account or RAM user that you want to add. The format of an Alibaba Cloud account is ALIYUN$****@aliyun.com. The format of a RAM user is RAM$****.

  • Examples

    • Example 1: Add the Alibaba Cloud account test_user@aliyun.com to a MaxCompute project.

      add user ALIYUN$test_user@aliyun.com;

    • Example 2: Add the RAM user ram_test_user to a MaxCompute project.

      add user RAM$ram_test_user;

Remove a user

If a user leaves the MaxCompute project team, the user must be removed from the project. After the user is removed, the user is no longer authorized to access resources in the project.

  • Limits

    • Before you remove a user who is assigned a role, you must revoke the role.

    • MaxCompute does not support the complete removal of a user and the relevant authorization data. After a user is removed from a project, permissions related to the user are retained. If the user is added to the project again, the historical access permissions of the user will be activated again.

  • Syntax

    remove user <user_name>;

  • Parameter

    user_name: required. The name of the Alibaba Cloud account or RAM user that you want to remove. The format of an Alibaba Cloud account is ALIYUN$****@aliyun.com. The format of a RAM user is RAM$****.

  • Examples

    • Example 1: Remove the Alibaba Cloud account test_user@aliyun.com.

      remove user ALIYUN$test_user@aliyun.com;

    • Example 2: Remove the RAM user ram_test_user.

      remove user RAM$ram_test_user;

View users

Views user information in a MaxCompute project. Syntax:

list users;

Create a role

Creates a role in a MaxCompute project.

  • Syntax

    create role <role_name>;

  • Parameter

    role_name: required. The name of the role that you want to create.

  • Example

    -- Create the player role.
    create role player;

View roles

Views the information of all roles in a MaxCompute project.

Syntax:

list roles;

Grant a role to a user

Grants a role to a user so that the user has all the permissions of the role.

  • Limits

    Before you grant a role to a user, you must grant the role the permissions on project objects. For more information, see Grant a role or user.

  • Syntax

    grant <role_name> to <user_name>;

  • Parameters

    • role_name: required. The name of the role that you want to grant to a user.

    • user_name: required. The name of the Alibaba Cloud account or RAM user to which you grant the role. The format of an Alibaba Cloud account is ALIYUN$****@aliyun.com. The format of a RAM user is RAM$****.

  • Example

    -- Grant the player role to the Alibaba Cloud account test_user@aliyun.com.
    grant player to ALIYUN$test_user@aliyun.com;

Revoke a user from a role

Revokes a user from a specific role.

  • Syntax

    revoke <role_name> from <user_name>;

  • Parameters

    • role_name: required. The name of the role from which you want to revoke a user.

    • user_name: required. The name of the Alibaba Cloud account or RAM user that you want to revoke. The format of an Alibaba Cloud account is ALIYUN$****@aliyun.com. The format of a RAM user is RAM$****.

  • Example

    -- Revoke the Alibaba Cloud account alice@aliyun.com from the player role.
    revoke player from ALIYUN$alice@aliyun.com;

Delete a role

Deletes an existing role from a MaxCompute project.

  • Limits

    Before you delete a role, you must make sure that no users are assigned this role.

  • Syntax

    drop role <role_name>;

  • Parameter

    role_name: required. The name of the role that you want to delete.

  • Example

    -- Delete the player role.
    drop role player;
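
The Limits under "Remove a user" and "Delete a role" impose an order: roles are revoked before a user is removed, and every user is revoked before a role is dropped. The following Python sketch is an added example, not code from the original page or from MaxCompute. It builds the statements in that order and rejects malformed names before they reach a statement. The membership inventory, the function names, and the allowed character sets are assumptions of this example.

```python
import re

# Name formats given on this page: ALIYUN$<account>@aliyun.com and RAM$<name>.
# The exact character sets allowed here are an assumption of this example.
PRINCIPAL = re.compile(r"ALIYUN\$[A-Za-z0-9_.-]+@aliyun\.com|RAM\$[A-Za-z0-9_.@:-]+")
ROLE = re.compile(r"[A-Za-z0-9_]+")

# Constructed sample inventory: role name -> principals currently assigned to it.
SAMPLE = {
    "player": {"ALIYUN$test_user@aliyun.com", "RAM$ram_test_user"},
    "auditor": {"RAM$ram_test_user"},
}


def check(pattern, value):
    """Return value only if it is exactly one well-formed name, so that a
    string carrying ';', whitespace or a newline never reaches a statement."""
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected name: {value!r}")
    return value


def offboard_user(user, memberships):
    """Statements to remove `user`: every role is revoked first, because the
    page requires a user's roles to be revoked before `remove user`."""
    check(PRINCIPAL, user)
    plan = [f"revoke {check(ROLE, role)} from {user};"
            for role in sorted(memberships) if user in memberships[role]]
    # Permissions granted directly to the user are retained after removal and
    # come back if the user is re-added; this plan does not clear them.
    plan.append(f"remove user {user};")
    return plan


def retire_role(role, memberships):
    """Statements to delete `role`: all assigned users are revoked first,
    because `drop role` requires that no user is assigned the role."""
    check(ROLE, role)
    plan = [f"revoke {role} from {check(PRINCIPAL, member)};"
            for member in sorted(memberships.get(role, ()))]
    plan.append(f"drop role {role};")
    return plan


if __name__ == "__main__":
    print("\n".join(offboard_user("RAM$ram_test_user", SAMPLE)))
    print("\n".join(retire_role("player", SAMPLE)))
```

Because MaxCompute retains a removed user's permissions, review what was granted directly to the user as a separate offboarding step; the plan above covers role membership only.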