
MaxCompute: Users and permissions

Last Updated: Jun 08, 2023

This topic describes the users and permissions related to MaxCompute.

Users and roles are closely related to permissions. A role is a collection of permissions.

  • You can add a user to a MaxCompute project and authorize the user to perform specific operations on specific objects. For more information about user management, see User planning and management. For more information about authorization operations, see MaxCompute permissions.

  • You can quickly assign roles that are defined in MaxCompute to users based on the operation scope of the users. For more information about authorization operations, see Assign a role to a user.

  • You can also create a role based on your business requirements and assign the role to users after you grant the role permissions. For more information about how to create a role, see Role planning.

  • For more information about how to view the permissions of a user or role, see View permissions.
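The workflow in the list above (add a user, create a custom role, grant it permissions, assign it, then view the result), written as MaxCompute client commands. This is an added example, not taken from the original page; the project `demo_project`, table `sales_orders`, role `sales_reader` and RAM user `RAM$owner@example.com:analyst01` are hypothetical names.

```sql
-- Run in the MaxCompute client as the project owner or as a user that
-- holds the Super_Administrator role. All object names are hypothetical.
use demo_project;

-- 1. Add the RAM user to the project. Membership alone grants no access
--    to any object; permissions come only from the grants below.
add user RAM$owner@example.com:analyst01;

-- 2. Create a custom role and grant it only what the job needs:
--    read access to a single table, nothing project-wide.
create role sales_reader;
grant Describe, Select on table sales_orders to role sales_reader;

-- 3. Assign the custom role to the user instead of a built-in
--    management role such as Admin or Super_Administrator.
grant sales_reader to RAM$owner@example.com:analyst01;

-- 4. Verify the result: what the role contains and what the user
--    can actually do.
describe role sales_reader;
show grants for RAM$owner@example.com:analyst01;

-- 5. Periodic review: list project members and roles, then check each
--    member's grants for unexpected management roles.
list users;
list roles;

-- 6. Offboarding: revoke the role first, then remove the user.
revoke sales_reader from RAM$owner@example.com:analyst01;
remove user RAM$owner@example.com:analyst01;
```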

Users and roles supported by MaxCompute

The following table describes the users and roles supported by MaxCompute.

| Category | Item | Description |
| --- | --- | --- |
| User | Alibaba Cloud account | An account that is created on the Alibaba Cloud official website. |
| User | RAM user | A user that you can create by using an Alibaba Cloud account. RAM users are used to assist Alibaba Cloud accounts in data processing. |
| User | RAM role | A RAM role is a virtual Resource Access Management (RAM) identity that you can create within your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after the RAM role is assumed by a trusted entity. |
| Role | Super_Administrator | A built-in management role of MaxCompute and the super administrator of a project. A user that is assigned the Super_Administrator role has operation permissions on all resources in the project and administrator permissions. The project owner or users that are assigned the Super_Administrator role can assign the Super_Administrator role to other users. |
| Role | Admin | A built-in management role of MaxCompute. A user that is assigned the Admin role has operation permissions and some basic administrator permissions. The project owner can assign the Admin role to other users. |
| Role | Custom role | A non-built-in role of MaxCompute. This role needs to be customized. You can define roles based on the roles whose names start with Role_ in DataWorks. |

Only the owner of a project and the roles that are described in the preceding table have all operation permissions on the project. Only the owner of a project has the permissions to access objects in the project. Other users cannot access the objects in the project unless they are granted the required permissions by the project owner.

Note

DataWorks also has roles. For more information about the roles in DataWorks and MaxCompute, see Permission relationships between MaxCompute and DataWorks. If you want to add or grant permissions to users in the DataWorks console, you can perform the operations by following the instructions that are provided in Add a workspace member and configure roles.

Operations and related roles

The following table describes the operations that Alibaba Cloud accounts and RAM users or RAM roles can perform by using different tools or on different platforms. The following table also describes the required roles.

| Operation Type | Operation | Supported tool or platform | Alibaba Cloud account | Role of Alibaba Cloud account | RAM user or RAM role | RAM user or RAM role in a MaxCompute project | Requirement |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Activation of the MaxCompute service and resource purchase | Activate, purchase, renew, upgrade, and downgrade the MaxCompute service and top up your account | MaxCompute console (new version); MaxCompute buy page | Supported. By default, only the Alibaba Cloud account has permissions to manage the MaxCompute service. | N/A | Supported | N/A | If you use a RAM user, use your Alibaba Cloud account to attach the AliyunDataWorksFullAccession and AliyunBSSOrderAccess system policies to the RAM user. If you use a RAM role, use your Alibaba Cloud account to attach the AliyunDataWorksFullAccession and AliyunBSSOrderAccess system policies to the RAM role. |
| Project management | Create and delete a project | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | N/A | If you use a RAM user, attach the CreateProject and DeleteProject policies to the RAM user. |
| Project management | Access data across projects | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted cross-project access permissions. | Use your Alibaba Cloud account to complete authorization. |
| Project management | Modify the default calculation quota for a project | MaxCompute console (new version) | Supported | Project owner | Supported | N/A | If you use a RAM user, attach the UpdateProjectDefaultQuota policy to the RAM user. |
| Project management | Configure an IP address whitelist | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: Super_Administrator and custom roles that are granted security configuration permissions across multiple projects. For more information, see Project security configuration permissions. | Use your Alibaba Cloud account to complete authorization. |
| Project management | Scan a full table | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute role: Super_Administrator. | Use your Alibaba Cloud account to complete authorization. |
| Project management | Protect project data | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute role: Super_Administrator. | Use your Alibaba Cloud account to complete authorization. |
| Project management | Change the project status | MaxCompute console (new version) | Supported | Project owner | Supported | N/A | If you use a RAM user, attach the UpdateProjectStatus policy to the RAM user. |
| Project management | Add, authorize, and manage project members | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: Super_Administrator and custom roles that are granted project management permissions across projects. For more information, see Permissions on project management. | Use your Alibaba Cloud account to complete authorization. |
| Quota management | Modify a level-1 or level-2 quota | MaxCompute console (new version) | Supported | N/A | Supported | N/A | If you use a RAM user, attach the UpdateQuota policy to the RAM user. |
| Quota management | Create a level-2 custom quota | MaxCompute console (new version) | Supported | N/A | Supported | N/A | If you use a RAM user, attach the UpdateSubQuotas policy to the RAM user. |
| Quota management | Create, modify, and delete a quota plan | MaxCompute console (new version) | Supported | N/A | Supported | N/A | If you use a RAM user, attach the CreateQuotaPlan, UpdateQuotaPlan, and DeleteQuotaPlan policies to the RAM user. |
| Quota management | Create and modify a time plan | MaxCompute console (new version) | Supported | N/A | Supported | N/A | If you use a RAM user, attach the createQuotaSchedule and UpdateQuotaSchedule policies to the RAM user. |
| Job O&M | View, perform O&M on, and monitor jobs | MaxCompute Management | Supported | Project owner | Supported | MaxCompute role: Super_Administrator. | If you use a RAM user, use your Alibaba Cloud account to assign the Super_Administrator role to the RAM user. |
| Code development | Java UDF | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to develop Java user-defined functions (UDFs). | N/A |
| Code development | Python UDF | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to develop Python UDFs. | N/A |
| Data management | View the table list | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view a list of tables. | N/A |
| Data management | Create a table | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create tables. | N/A |
| Data management | Update tables | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to update tables. | N/A |
| Data management | Drop a table | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to drop tables. | N/A |
| Data management | Grant access to a single table by configuring an access control list (ACL) | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles. | N/A |
| Data management | Preview metadata | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view metadata. | N/A |
| Data management | Preview a table across projects | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view tables across projects. | Use an Alibaba Cloud account to complete authorization. |
| Resource management | View the resource list | MaxCompute console (new version); MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view resources. | N/A |
| Resource management | Create and delete resources | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create and delete resources. | N/A |
| Resource management | Upload resources | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to upload resources. | N/A |
| Function development | View the function list and details | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view functions. | N/A |
| Function development | Create and delete functions | MaxCompute client; MaxCompute Studio | Supported | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create and delete functions. | N/A |