This topic describes the permissions of Alibaba Cloud accounts and RAM users in MaxCompute and DataWorks.
After you create a project, you are the owner of the project, and you have all permissions on the tables, instances, resources, and UDFs in the project. Objects in a project can only be accessed by the owner and users authorized by the owner. Project is the foundation of the MaxCompute multi-tenant system, the basic unit of data management and computing, and the billing entity.
The following table describes the permissions of Alibaba Cloud accounts and RAM users
in MaxCompute and DataWorks.
| Operation | Description | Operated on | Alibaba Cloud account | Role | RAM user | Role | Dependency |
| Project management | Project creation and deletion | DataWorks | Supported | Project owner | Supported | Project administrator | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Project creation and deletion | MaxCompute CLI and MaxCompute Studio | Not supported | N/A | Not supported | N/A | N/A | |
| Cross-project access | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | The Alibaba Cloud account authorizes this operation. | |
| Project update | DataWorks, MaxCompute CLI, and MaxCompute Studio | Not supported | N/A | Not supported | N/A | N/A | |
| Configuration of an IP address whitelist | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. | |
| Full table scan | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. | |
| Data protection | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. | |
| Addition and authorization of project members | DataWorks | Supported | Project owner | Supported | Project administrator | The AccessKey pair is enabled for the Alibaba Cloud account. | |
| Addition and authorization of project members | MaxCompute CLI and MaxCompute Studio | Not supported | N/A | Not supported | N/A | N/A | |
| Data integration | Data source creation and modification | DataWorks | Supported | Project owner | Supported | Project administrator | N/A |
| Creation and modification of synchronization tasks | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Release of synchronization tasks | DataWorks | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A | |
| MaxCompute Management | Quota change | DataWorks | Supported | Project owner | Not supported | N/A | The AccessKey pair is enabled for the Alibaba Cloud account. |
| Access and monitoring | DataWorks | Supported | Project owner | Supported | All roles | N/A | |
| RAM user authorization | DataWorks | Not supported | N/A | Not supported | N/A | N/A | |
| Code development | Viewing of the code list and content | DataWorks | Supported | Project owner | Supported | All roles | N/A |
| Code building, deletion, update, or running | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Java UDF | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A | |
| Python UDF | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | Submit a ticket to apply for the Python UDF function. | |
| Operation Center | Viewing and management of scheduling tasks | DataWorks | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A |
| Data management | Table creation | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A |
| Table update | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator, developer, O&M and deployment personnel | N/A | |
| Table deletion | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Authorization of access to a single table (by configuring the ACL) | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Metadata preview by using the table query function | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | N/A | |
| Cross-project table preview by using the table query function | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All | The Alibaba Cloud account authorizes this operation. | |
| Resource management | Viewing of the resource list | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | N/A |
| Resource creation and deletion | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Uploading of JAR, TEXT, or ARCHIVE resources | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Workflow development | Viewing of the workflow list and content | DataWorks | Supported | Project owner | Supported | All roles | N/A |
| Workflow creation, deletion, and update | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Folder creation, deletion, and update | DataWorks | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Function development | Viewing of the function list and details | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | All roles | N/A |
| Function creation and deletion | DataWorks, MaxCompute CLI, and MaxCompute Studio | Supported | Project owner | Supported | Project administrator and developer | N/A | |
| Sales | Purchase, recharge, renewal, upgrade, and downgrade | DTplus console and MaxCompute buy page | Supported | Project owner | Not supported | N/A | N/A |
| Viewing of bills, billing details, and usage records | Billing Management of the Alibaba Cloud console | Supported | Project owner | Not supported | N/A | N/A |
- If you add and authorize users by using DataWorks, see Add workspace members.
- If you add, delete, or authorize users (RAM users included) by using MaxCompute security management commands, see Manage users.
- If you add, delete, or authorize roles by using MaxCompute security management commands, see Manage roles.
- For more information about authorization and permission check, see Authorize users and Check permissions.
Note For RAM users that have roles in a MaxCompute or DataWorks project, revoke the roles of the RAM users in the project and remove the users from the project before you delete them. Otherwise, the RAM user is displayed as "p4_xxxxxxxxxxxxxxxxxxxx" and cannot be removed from the project. This issue does not affect the use of the project. Example:
-- The RAM user is displayed in a project as follows: odps@ MaxCompute>list users; p4_2652900xxxxxxxxxx -- The RAM user cannot be removed from the project. odps@ MaxCompute_DOC>remove user p4_2652900xxxxxxxxxx; Confirm to "remove user p4_2652900xxxxxxxxxx ;" (yes/no)? yes FAILED: lack of account provider -- You can still see the RAM user on the Members page of DataWorks. If you want to delete this RAM user, you must revoke all roles from the user. odps@ MaxCompute>revoke role_project_security, role_project_admin, role_project_dev, role_project_pe, role_project_deploy, role_project_guest from RAM$MainCount:hanmeimei; OK -- Run the following command to remove the RAM user so that it can be deleted: odps@ MaxCompute>remove user RAM$MainCount:hanmeimei;