MaxCompute: User planning and management

Last Updated: Jan 16, 2024

If a MaxCompute project needs to be maintained by multiple users, the users that are not the owner of the project must be added to the MaxCompute project and granted the related permissions to manage the tables, resources, functions, or job instances in MaxCompute. This topic describes the operations that can be performed in MaxCompute to manage users.

Background information

After a MaxCompute project is created, only the project owner and a user that is assigned a built-in role of MaxCompute can access the MaxCompute project. To allow other users to collaborate on the project, the project owner must add the users to the MaxCompute project.

The following table describes the user types and the operations that can be performed to manage users in MaxCompute.

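| Category | Type | Operation | Description | Performed by | Operation platform |
| --- | --- | --- | --- | --- | --- |
| Project level | Alibaba Cloud account | Add an Alibaba Cloud account (project-level) | Adds another Alibaba Cloud account to the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
| Project level | Alibaba Cloud account | Remove an Alibaba Cloud account (project-level) | Removes an Alibaba Cloud account from the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
| Project level | RAM user | Add a RAM user (project-level) | Adds a RAM user of the Alibaba Cloud account to which the MaxCompute project belongs to the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
| Project level | RAM user | Remove a RAM user (project-level) | Removes a RAM user from the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
| Project level | RAM role | Add a RAM role (project-level) | Adds a RAM role that is created in the Resource Access Management (RAM) console to the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
| Project level | RAM role | Remove a RAM role (project-level) | Removes a RAM role from the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
| Project level | | View the user list (project-level) | Views the users that are added to the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |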

Add an Alibaba Cloud account (project-level)

If the project owner wants to grant permissions to another Alibaba Cloud account, the project owner must add the Alibaba Cloud account to the MaxCompute project. Only the users that are added to the MaxCompute project can be granted permissions.

  • Syntax

    add user ALIYUN$<account_id>;

  • Parameters

    | Parameter | Required | Description |
    | --- | --- | --- |
    | account_id | Yes | The ID of the Alibaba Cloud account, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |

  • Example

    Add the Alibaba Cloud account odps_test_user@aliyun.com whose ID is 5527xxxxxxxx5788 to the MaxCompute project test_project_a. Sample statement:

    add user ALIYUN$5527xxxxxxxx5788;

Remove an Alibaba Cloud account (project-level)

If a user leaves the MaxCompute project team, the user must be removed from the project. After the user is removed, the user no longer has the permissions to access the resources of the project.

  • Syntax

    remove user ALIYUN$<account_id>;

  • Precautions

    • Before you remove a user that is assigned a role, you must revoke the role from the user. For more information about how to view the information of the role that is assigned to a user, see Query permissions. For more information about how to revoke a role from a user, see Revoke a role from a user.

    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

  • Parameters

    | Parameter | Required | Description |
    | --- | --- | --- |
    | account_id | Yes | The ID of the Alibaba Cloud account, such as 5527xxxxxxxx5788. You can run the list users; command to obtain the ID by using the MaxCompute client. |

  • Examples

    • Example 1: Remove the Alibaba Cloud account odps_test_user@aliyun.com whose ID is 5527xxxxxxxx5788 from the MaxCompute project test_project_a. In this example, the Alibaba Cloud account odps_test_user@aliyun.com is not assigned a role. Sample statement:

      remove user ALIYUN$5527xxxxxxxx5788;

    • Example 2: Remove the Alibaba Cloud account odps_test_user@aliyun.com whose ID is 5527xxxxxxxx5788 from the MaxCompute project test_project_a. In this example, the Alibaba Cloud account odps_test_user@aliyun.com is assigned a role named Worker. Sample statement:

      -- Revoke the Worker role from the Alibaba Cloud account odps_test_user@aliyun.com. 
      revoke Worker from ALIYUN$5527xxxxxxxx5788;
      -- Remove the Alibaba Cloud account odps_test_user@aliyun.com. 
      remove user ALIYUN$5527xxxxxxxx5788;

Add a RAM user (project-level)

If the project owner wants to grant permissions to a RAM user, the project owner must add the RAM user to the MaxCompute project. Only the RAM users that are added to the MaxCompute project can be granted permissions.

  • Syntax

    add user RAM$[<account_id>:]<RAM user UID>;

  • Limits

    • You can add only the RAM users that belong to your Alibaba Cloud account to a MaxCompute project. If you want to add a RAM user of another Alibaba Cloud account to the MaxCompute project, you must add the Alibaba Cloud account to which the RAM user belongs to the MaxCompute project. Then, go to the MaxCompute project by using the newly added Alibaba Cloud account and add the RAM user to the MaxCompute project.

    • When you add a RAM user to a MaxCompute project, you must verify that the MaxCompute project supports the RAM account system. You can run the list accountproviders; command to check whether the MaxCompute project supports the RAM account system. If RAM does not appear in the query results, you can run the add accountprovider ram; command to add the RAM account system for the MaxCompute project.

    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

  • Precautions

    MaxCompute projects recognize only the RAM account system but not the RAM permission system. After RAM users of your Alibaba Cloud account are added to a MaxCompute project, MaxCompute authenticates these RAM users but does not consider the permission definitions in RAM.

  • Parameters

    | Parameter | Required | Description |
    | --- | --- | --- |
    | account_id | No | The ID of the Alibaba Cloud account to which the RAM user belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
    | RAM user UID | Yes | The UID of the RAM user. To obtain the UID, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Users. On the Users page, find the RAM user and click the logon name of the RAM user. In the Basic Information section of the page that appears, view the UID. |

  • Example

    Add the RAM user RAM$odps_test_user@aliyun.com:ram_test whose UID is 2763xxxxxxxxxx1649 to the MaxCompute project test_project_a. The RAM user belongs to the Alibaba Cloud account whose ID is 5527xxxxxxxx5788. Sample statement:

    add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Remove a RAM user (project-level)

If a RAM user leaves the MaxCompute project team, the RAM user must be removed from the project. After the user is removed, the user no longer has the permissions to access the resources of the project.

  • Syntax

    remove user RAM$[<account_id>:]<RAM user UID>;

  • Precautions

    • Before you remove a RAM user that is assigned a role, you must revoke the role from the user. Otherwise, information about the RAM user remains in the project: when you query the user, p4_xxxxxxxxxxxxxxxxxxxx is displayed, and you cannot delete that information. The project can still be used normally. For more information about how to view the information of the role that is assigned to a user, see Query permissions. For more information about how to revoke a role from a user, see Revoke a role from a user.

    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.

  • Parameters

    | Parameter | Required | Description |
    | --- | --- | --- |
    | account_id | No | The ID of the Alibaba Cloud account to which the RAM user belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
    | RAM user UID | Yes | The UID of the RAM user. To obtain the UID, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Users. On the Users page, find the RAM user and click the logon name of the RAM user. In the Basic Information section of the page that appears, view the UID. |

  • Examples

    • Example 1: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test whose UID is 2763xxxxxxxxxx1649 from the MaxCompute project test_project_a. In this example, the RAM user RAM$odps_test_user@aliyun.com:ram_test belongs to the Alibaba Cloud account whose ID is 5527xxxxxxxx5788 and is not assigned a role. Sample statement:

      remove user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

    • Example 2: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test whose UID is 2763xxxxxxxxxx1649 from the MaxCompute project test_project_a. In this example, the RAM user RAM$odps_test_user@aliyun.com:ram_test belongs to the Alibaba Cloud account whose ID is 5527xxxxxxxx5788 and is assigned a role named Worker. Sample statement:

      -- Revoke the Worker role from the RAM user RAM$odps_test_user@aliyun.com:ram_test. 
      revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
      -- Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test. 
      remove user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
      -- Remove the RAM account system if you no longer use RAM users. 
      remove accountprovider ram;

Add a RAM role (project-level)

You can create a RAM role and modify the policy that is attached to the RAM role in the RAM console. Then, you can add the RAM role to a MaxCompute project. RAM users in the project can assume the RAM role to perform operations.

RAM roles are not the MaxCompute built-in or custom roles described in Role planning. They are roles that are defined in the RAM console. For more information about how to use a RAM role, see Assume a RAM role.

  • Syntax

    add user `RAM$<account_id>:role/<RAM role name>`;

  • Precautions

    The grave accent (`) in the preceding command is required.

  • Parameters

    | Parameter | Required | Description |
    | --- | --- | --- |
    | account_id | Yes | The ID of the Alibaba Cloud account to which the RAM role belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
    | RAM role name | Yes | The name of the RAM role. To obtain the name, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. On the Roles page, view the name of the RAM role. |

  • Example

    Add the RAM role ram_role to the MaxCompute project test_project_a. Sample statement:

    add user `RAM$5527xxxxxxxx5788:role/ram_role`;

  • Related operations

    Subsequent operations need to be performed in DataWorks. Therefore, you must assign the RAM role to DataWorks when you modify the policy that is attached to the RAM role. This way, you can submit periodic scheduling jobs to MaxCompute in DataWorks.

Remove a RAM role (project-level)

You can remove a RAM role from a MaxCompute project.

  • Syntax

    remove user `RAM$<account_id>:role/<RAM role name>`;

  • Precautions

    The grave accent (`) in the preceding command is required.

  • Parameters

    | Parameter | Required | Description |
    | --- | --- | --- |
    | account_id | Yes | The ID of the Alibaba Cloud account to which the RAM role belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
    | RAM role name | Yes | The name of the RAM role. To obtain the name, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. On the Roles page, view the name of the RAM role. |

  • Example

    Remove the RAM role ram_role from the MaxCompute project test_project_a. Sample statement:

    remove user `RAM$5527xxxxxxxx5788:role/ram_role`;

View the user list (project-level)

You can view the users that are added to a MaxCompute project.

  • Syntax

    list users;

  • Example

    View the users that are added to a MaxCompute project. Sample statement:

    list users;

    The following result is returned:

    ALIYUN$5527xxxxxxxx5788
    RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649
    RAM$5527xxxxxxxx5788:role/ram_role
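
The removal precautions and the list users; output above can be combined into a membership review. The following Python sketch is an added example, not part of the MaxCompute documentation or tooling: it parses list users; output, compares it with an approved roster, and emits revoke-then-remove statements for every other principal. The function names, the roster, and the role mapping are assumptions of this example.

```python
import re

# Principal formats documented on this page. IDs are treated as opaque tokens
# so masked samples such as 5527xxxxxxxx5788 also parse.
PATTERNS = [
    ("account", re.compile(r"^ALIYUN\$(?P<account>[^\s:/]+)$")),
    ("ram_role", re.compile(r"^RAM\$(?P<account>[^\s:/]+):role/(?P<name>[^\s/]+)$")),
    ("ram_user", re.compile(r"^RAM\$(?:(?P<account>[^\s:/]+):)?(?P<uid>[^\s:/]+)$")),
]

def classify(principal):
    """Return (kind, fields) for one principal, or (None, {}) if unrecognized."""
    text = principal.strip().strip("`")
    for kind, pattern in PATTERNS:
        match = pattern.match(text)
        if match:
            return kind, match.groupdict()
    return None, {}

def quote(principal):
    """Grave-accent RAM roles as add/remove require; doing so in revoke is assumed."""
    text = principal.strip().strip("`")
    return f"`{text}`" if classify(text)[0] == "ram_role" else text

def offboarding_plan(list_users_output, approved, roles_by_principal):
    """Return (statements, unrecognized); roles are revoked before removal."""
    statements, unrecognized = [], []
    for line in list_users_output.splitlines():
        principal = line.strip().strip("`")
        if not principal or principal in approved:
            continue
        if classify(principal)[0] is None:
            unrecognized.append(principal)  # e.g. leftover p4_... entries
            continue
        for role in roles_by_principal.get(principal, []):
            statements.append(f"revoke {role} from {quote(principal)};")
        statements.append(f"remove user {quote(principal)};")
    return statements, unrecognized

# The page's sample output plus one constructed leftover entry.
SAMPLE = """ALIYUN$5527xxxxxxxx5788
RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649
RAM$5527xxxxxxxx5788:role/ram_role
p4_xxxxxxxxxxxxxxxxxxxx
"""
APPROVED = {"ALIYUN$5527xxxxxxxx5788"}  # constructed roster
ROLES = {"RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649": ["Worker"]}  # constructed
```

The generated statements only revoke roles and remove principals. The permissions that were granted directly to a removed user are retained, as the precautions state, and must be cleared separately.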

Additional information

After you complete user planning, you can grant permissions to a user based on your business requirements. For more information, see Manage user permissions by using commands.