All users, except the project owner, must be added to a MaxCompute project and granted the related permissions to manage data, jobs, resources, and functions in MaxCompute. This topic describes how a project owner can add, delete, and authorize other users, such as Alibaba Cloud accounts and RAM users.

If you are a project owner, we recommend that you read this topic carefully. If you are a common user, we recommend that you apply to the project owner for permissions to join the project and read the related content.

The operations described in this topic are performed on the MaxCompute client.

Add an Alibaba Cloud account

If the project owner Alice decides to authorize a user, Alice must add the user to the project. Only users added to the project can be authorized.

Run the following command to add a user: 
add user username;
username can be an Alibaba Cloud account or a RAM user of the Alibaba Cloud account that runs this command. Sample commands: 
add user ALIYUN$odps_test_user@aliyun.com;
add user RAM$ram_test_user;
In this example, the Alibaba Cloud account of Alice is alice@aliyun.com. After Alice runs the preceding commands, Alice can run the following command to check whether the users have been added to the project. 
list users;
-- The following output indicates that the Alibaba Cloud account odps_test_user@aliyun.com and the RAM user ram_test_user of Alice have been added to the project. 
RAM$alice@aliyun.com:ram_test_user
ALIYUN$odps_test_user@aliyun.com

Add a RAM user

You can add a RAM user by using one of the following methods:
  • Use DataWorks. For more information, see Prepare a RAM user.
  • Run the following command on the MaxCompute client: 
    add accountprovider ram;
OK
    After the project is added, the project owner can run the following command to view the account system supported by the project and confirm whether the RAM user is added: 
    list accountproviders;
    Note
    • MaxCompute allows only an Alibaba Cloud account to add its RAM users to the project. Therefore, when you run the add user command, you do not need to specify the Alibaba Cloud account of the RAM user. By default, the account that is used to run this command is the Alibaba Cloud account of the RAM user.
    • MaxCompute projects recognize only the RAM account system but not the RAM permission system. After RAM users of your Alibaba Cloud account are added to a MaxCompute project, MaxCompute authenticates these RAM users but does not consider the permission definitions in RAM.

Add a RAM role

To use a RAM role in MaxCompute, perform the following steps:
  1. Create a RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, or Create a RAM role for a trusted Alibaba Cloud service.

    For example, the name of the created RAM role is vuser1.

  2. Define the policy attached to the RAM role. For more information, see Edit the trust policy of a RAM role.
    Some operations may need to be performed in DataWorks. Therefore, you must assign the RAM role to DataWorks so that you can submit periodic scheduling jobs to MaxCompute in DataWorks. Sample statements of a trust policy:
    {
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dataworks.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
  3. Add the RAM role to a MaxCompute project. You can use one of the following methods:
    • Method 1: Use the MaxCompute client (odpscmd) or log on to the MaxCompute console (query editor) and run the following command in the MaxCompute project:
      add user `RAM$<Alibaba Cloud account>:role/RAM role name`;
      For example, if you want to authorize RAM user abc@example.com to use the RAM role vuser1, run the following command: RAM$abc@example.com:role/vuser1.

      You can run the list users; command to check whether the RAM role has been added to the MaxCompute project.

    • Method 2: Log on to the MaxCompute console. On the Project management tab, find your project and click Member management in the Actions column to go to the Member management page. Add the RAM role to the project. For more information about how to add members on the Member management page, see Add workspace members.

Grant permissions to an Alibaba Cloud account

After a user is added to a project, the project owner or project administrator must authorize the user. The user can perform operations in the project only after it is authorized.

MaxCompute provides multiple policies, such as authorization, cross-project data sharing, and project data protection. This section describes two common scenarios. For more information, see Authorize users.
  • Scenario 1: Jack is the administrator of the prj1 project. A new user Alice with the Alibaba Cloud account alice@aliyun.com applies for joining prj1 and requires the permissions to view tables, submit jobs, and create tables.
    Users with the Admin role in the project or the project owner can run the following command on the MaxCompute client: 
    -- Enter prj1. 
use prj1; 
-- Add Alice to the project.  
add user aliyun$alice@aliyun.com; 
-- Grant permissions to Alice. 
grant List, CreateTable, CreateInstance on project prj1 to user aliyun$alice@aliyun.com;
  • Scenario 2: The Alibaba Cloud account bob@aliyun.com is added to the $user_project_name project. The user needs to be granted the permissions to create tables, obtain table information, and execute functions.
    Users with the Admin role in the project or the project owner can run the following command on the MaxCompute client: 
    -- Grant bob@aliyun.com the CREATE TABLE permission on the $user_project_name project. 
grant CreateTable on PROJECT $user_project_name to USER ALIYUN$bob@aliyun.com;
-- Grant bob@aliyun.com the DESCRIBE permission on the $user_table_name table.   
grant Describe on Table $user_table_name to USER ALIYUN$bob@aliyun.com;
-- Grant bob@aliyun.com the EXECUTE permission to execute the $user_function_name function.  
grant Execute on Function $user_function_name to USER ALIYUN$bob@aliyun.com;

Authorize a RAM user

Grant the RAM user Alice of the Alibaba Cloud account bob@aliyun.com the DESCRIBE permission on table src.
  1. View the account system supported by the project. 
    list accountproviders;
-- The following result is returned: 
ALIYUN, RAM

    The output shows that the RAM account system is supported by the project, which means that you can add RAM users to this project. If RAM users are not supported, run the add accountprovider ram; command to add the RAM account system.

  2. Add a RAM user to the project and grant the DESCRIBE permission on the src table to the RAM user: 
    add user ram$bob@aliyun.com:Alice;
-- The following result is returned: 
OK: DisplayName=RAM$bob@aliyun.com:Alice
-- Grant the DESCRIBE permission to the RAM user. 
grant Describe on table src to user ram$bob@aliyun.com:Alice;
-- The following result is returned: 
OK
Note
  • For more information about how to obtain the AccessKey ID and AccessKey secret of a RAM user, see Create a RAM user.
  • For more information about how to authorize a user, see Authorize users.

Remove an Alibaba Cloud account

After a user leaves a project, the user must be removed from the project. After the user is removed, the user no longer has the permissions to access the resources of the project.

You can run the following command to remove a user: 
remove user;
Note
  • Before you remove a user who has been assigned a role, you must revoke the role. For more information about roles, see Manage roles.
  • After a user is removed, the permissions granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again.
  • MaxCompute does not support the complete removal of a user and the relevant authorization data.
The following example shows how to remove users: 
-- Remove users. 
remove user ALIYUN$odps_test_user@aliyun.com;
remove user RAM$ram_test_user;
-- Run the following command to check whether the users have been removed: If these two users are not included in the returned results, they have been removed from the project.  
list users;

Remove a RAM user

  • Run the remove user command to remove a RAM user of an Alibaba Cloud account. 
    -- Revoke the permissions of RAM user Alice. 
odps@ ****>revoke describe on table src from user ram$bob@aliyun.com:Alice;
OK
-- Remove the RAM user. 
odps@ ****>remove user ram$bob@aliyun.com:Alice;
Confirm to "remove user ram$bob@aliyun.com:Alice;" (yes/no)? yes
OK
    Before you remove a RAM user that has been assigned a role, you must revoke the role. Otherwise, information of the RAM user remains in the project. When you query the user, p4_xxxxxxxxxxxxxxxxxxxx is displayed and you cannot remove the user. However, the project can be normally used. Example: 
    -- If the RAM user remains in the project, the following result is returned: 
odps@MaxCompute>list users;
p4_2652900xxxxxxxxxx
-- If the RAM user cannot be removed from the project, the following message is displayed: 
odps@MaxCompute>remove user p4_2652900xxxxxxxxxx;
Confirm to "remove user p4_2652900xxxxxxxxxx
;" (yes/no)? yes
FAILED: lack of account provider
-- The RAM user is still displayed on the Members page of DataWorks. 
-- To remove a RAM user, you must revoke the role assigned to the RAM user. 
odps@MaxCompute>revoke role_project_security, role_project_admin, role_project_dev, role_project_pe, role_project_deploy, role_project_guest from RAM$MainCount:hanmeimei;
OK
-- Run the following command to remove the RAM user. 
odps@ MaxCompute>remove user RAM$MainCount:hanmeimei;
  • Only the project owner is allowed to run the remove accountprovider command to remove the RAM account system from the current project. 
    -- Remove the RAM account system. 
odps@ ****>remove accountprovider ram;
Confirm to "remove accountprovider ram;" (yes/no)? yes
OK
-- Check whether the removal is successful. 
odps@ ****>list accountproviders;
ALIYUN

Completely clear the residual permission information of a removed user

After a user is removed from a project, the permissions, such as access control list (ACL), LabelSecurity, and Policy are retained in the project. If the removed user is added back to the project again, the user will have the original ACL, LabelSecurity, and Policy permissions. If the user is removed by mistake and added back to the project, the user still has the original permissions. However, if the user is added back to the original project with a different role, the potential risk of data security may occur.

To prevent the potential risk, MaxCompute allows you to clear all permissions. If a user is no longer in the project but has ACL, LabelSecurity, and Policy permissions, MaxCompute reclaims these permissions.

Only project owners or the users who assume the Admin and Super_Administrator roles can clear the residual permissions of removed users. After a user is removed from the project, you can run the following command to clear the residual permissions of the user: 

purge privs from user <username>;
Note If the user is not removed from the project and you run the preceding command, the "Principal <username> still exist in the project" error is returned.