This topic describes the permissions of Alibaba Cloud accounts and RAM users in MaxCompute and DataWorks.

After you create a project, you are the owner of the project, and you have all permissions on the tables, instances, resources, and UDFs in the project. Objects in a project can only be accessed by the owner and users authorized by the owner. A project is the foundation of the MaxCompute multi-tenant system, the basic unit of data management and computing, and the billing entity.

The following table describes the permissions of Alibaba Cloud accounts and RAM users in MaxCompute and DataWorks.

| Operation | Description | Operated on | Alibaba Cloud account | Role (Alibaba Cloud account) | RAM user | Role (RAM user) | Dependency |
|---|---|---|---|---|---|---|---|
| Project management | Project creation and deletion | DataWorks | Supported | Project owner | Supported | Project administrator | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Project management | Project creation and deletion | MaxCompute CLI and MaxCompute Studio | Not supported | N/A | Not supported | N/A | N/A |
| Project management | Cross-project access | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | The Alibaba Cloud account authorizes this operation. |
| Project management | Project update | DataWorks, MaxCompute CLI, and MaxCompute Studio | Not supported | N/A | Not supported | N/A | N/A |
| Project management | Configuration of an IP address whitelist | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Project management | Full table scan | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Project management | Data protection | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Project management | Addition and authorization of project members | DataWorks | Supported | Project owner | Supported | Project administrator | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Project management | Addition and authorization of project members | MaxCompute CLI and MaxCompute Studio | Not supported | N/A | Not supported | N/A | N/A |
| Data integration | Data source creation and modification | DataWorks | Supported | Project owner | Supported | Project administrator | N/A |
| Data integration | Creation and modification of synchronization tasks | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Data integration | Release of synchronization tasks | DataWorks | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A |
| MaxCompute Management | Quota change | DataWorks | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. |
| MaxCompute Management | Access and monitoring | DataWorks | Supported | Project owner | Supported | All roles | N/A |
| MaxCompute Management | RAM user authorization | DataWorks | Not supported | N/A | Not supported | N/A | N/A |
| Code development | Viewing of the code list and content | DataWorks | Supported | Project owner | Supported | All roles | N/A |
| Code development | Code building, deletion, update, or running | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Code development | Java UDF | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A |
| Code development | Python UDF | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | Submit a ticket to apply for the Python UDF function. |
| Operation Center | Viewing and management of scheduling tasks | DataWorks | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A |
| Data management | Table creation | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Data management | Table update | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A |
| Data management | Table deletion | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Data management | Authorization of access to a single table (by configuring the ACL) | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Data management | Metadata preview by using the table query function | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | N/A |
| Data management | Cross-project table preview by using the table query function | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All | The Alibaba Cloud account authorizes this operation. |
| Resource management | Viewing of the resource list | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | N/A |
| Resource management | Resource creation and deletion | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Resource management | Uploading of JAR, TEXT, or ARCHIVE resources | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Workflow development | Viewing of the workflow list and content | DataWorks | Supported | Project owner | Supported | All roles | N/A |
| Workflow development | Workflow creation, deletion, and update | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Workflow development | Folder creation, deletion, and update | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Function development | Viewing of the function list and details | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | N/A |
| Function development | Function creation and deletion | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Sales | Purchase, recharge, renewal, upgrade, and downgrade | DTplus console and MaxCompute buy page | Supported | Project owner | Not supported | N/A | N/A |
| Sales | Viewing of bills, billing details, and usage records | Billing Management of the Alibaba Cloud console | Supported | Project owner | Not supported | N/A | N/A |

  • If you add and authorize users by using DataWorks, see Add workspace members.
  • If you add, delete, or authorize users (RAM users included) by using MaxCompute security management commands, see Manage users.
  • If you add, delete, or authorize roles by using MaxCompute security management commands, see Manage roles.
  • For more information about authorization and permission check, see Authorize users and Check permissions.

Note: For RAM users that have roles in a MaxCompute or DataWorks project, revoke the roles of the RAM users in the project and remove the users from the project before you delete them. Otherwise, the RAM user is displayed as "p4_xxxxxxxxxxxxxxxxxxxx" and cannot be removed from the project. This issue does not affect the use of the project. Example:

    -- The RAM user is displayed in a project as follows:
    odps@ MaxCompute>list users;
    p4_2652900xxxxxxxxxx
    -- The RAM user cannot be removed from the project.
    odps@ MaxCompute_DOC>remove user p4_2652900xxxxxxxxxx;
    Confirm to "remove user p4_2652900xxxxxxxxxx;" (yes/no)? yes
    FAILED: lack of account provider
    -- You can still see the RAM user on the Members page of DataWorks. If you want to delete this RAM user, you must revoke all roles from the user.
    odps@ MaxCompute>revoke role_project_security, role_project_admin, role_project_dev, role_project_pe, role_project_deploy, role_project_guest from RAM$MainCount:hanmeimei;
    OK
    -- Run the following command to remove the RAM user so that it can be deleted:
    odps@ MaxCompute>remove user RAM$MainCount:hanmeimei;
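
The ordering in the note above can be checked before a RAM user is deleted. The following is an added example, not part of the original documentation or of any Alibaba Cloud tool: it parses pasted `list users;` output, emits the revoke and remove commands for members who are about to be deleted, and reports `p4_` entries that are already orphaned. The sample output, the user `lilei`, and the function names are constructed for illustration; the role list is the one used in the revoke command above.

```python
import re

# Project-level roles named in the revoke command in the note above.
PROJECT_ROLES = [
    "role_project_security", "role_project_admin", "role_project_dev",
    "role_project_pe", "role_project_deploy", "role_project_guest",
]

# An entry left behind by an already deleted RAM user is listed as p4_<id>.
ORPHAN_RE = re.compile(r"^p4_\w+$")


def parse_list_users(output):
    """Split `list users;` output into live principals and orphaned p4_ entries."""
    live, orphans = [], []
    for line in output.splitlines():
        entry = line.strip()
        # Skip blank lines, comment lines, and echoed prompt lines.
        if not entry or entry.startswith("--") or entry.startswith("odps@"):
            continue
        (orphans if ORPHAN_RE.match(entry) else live).append(entry)
    return live, orphans


def offboarding_commands(principal, roles=PROJECT_ROLES):
    """Commands to run in the project BEFORE the RAM user is deleted."""
    return [
        f"revoke {', '.join(roles)} from {principal};",
        f"remove user {principal};",
    ]


def plan(list_users_output, leaving):
    """Return (commands for members in `leaving`, orphaned entries found)."""
    live, orphans = parse_list_users(list_users_output)
    commands = []
    for principal in live:
        # Compare the RAM user name after the last colon (RAM$MainCount:hanmeimei).
        if principal.rsplit(":", 1)[-1] in leaving:
            commands.extend(offboarding_commands(principal))
    return commands, orphans


# Constructed sample output; the principals are illustrative.
SAMPLE = """\
odps@ MaxCompute>list users;
RAM$MainCount:hanmeimei
RAM$MainCount:lilei
p4_2652900xxxxxxxxxx
"""

if __name__ == "__main__":
    commands, orphans = plan(SAMPLE, {"hanmeimei"})
    print("\n".join(commands))
    print("orphaned entries:", orphans)
```
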