When Alice, the owner of a project, decides to authorize another user, she needs to add the user to the project first. Only the user who has been added to a project can be authorized.
The command for adding a user to a project is as follows:
add user <username> --Add a user to the project.
<username>of an Alibaba Cloud account is a valid email address registered on the official page, or a RAM sub-account of an Alibaba Cloud account that runs the command. For example:
add user ALIYUNemail@example.com;
add user RAM$ram_test_user;
Assume that Alice’s Alibaba Cloud account is “firstname.lastname@example.org”. When Alice executes these statements, the following results are returned by running the “list users;” command:
This indicates that the Alibaba Cloud account “email@example.com” and the sub-account “ram_test_user” created through RAM by Alice are added to the project.
When a user leaves the project team, Alice needs to remove the user from the project. Once a user is removed from the project, the user no long has any access permission to the project resources.The command for removing a user from a project is as follows:
remove user <username> --Remove a user from the project.
- After a user is removed, the user no long has any access permission to the resources of the project.
- If the user to be removed is assigned some roles, you must revoke all roles from the user before removing the user from the project. For more information about roles, see Project Role Management.
- After a user is removed, all ACL Authorization data related to the user is retained. After a user is added to a project again, the ACL Authorization of this user is enabled again.
- MaxCompute does not support complete removal of a user and all the permission data from a project.
Alice runs the following two commands:
remove user ALIYUNfirstname.lastname@example.org;
remove user RAM$ram_test_user;
And then Alice runs the “list users;” command and finds that the two accounts are no longer listed, which indicates that the two accounts are removed from the project. Note that MaxCompute only allows an account to add its own RAM sub-accounts to a project. RAM sub-accounts of other Alibaba Cloud accounts are not allowed. Therefore, you do not need to specify the account of the RAM sub-accounts when adding users. MaxCompute determines by default that the account which runs the command is the account of the sub-accounts.