Manage users and roles at the project level - MaxCompute

To let multiple users collaborate on a MaxCompute project, add them to the project and grant the relevant permissions. Only users added to a project can be granted access to its tables, resources, functions, and job instances.

By default, only the project owner and users with a built-in MaxCompute role can access a project.

Prerequisites

Before you begin, ensure that you have:

A MaxCompute project
Project owner access, or a built-in MaxCompute role assignment

Supported user types

MaxCompute supports three identity types at the project level:

Type	When to use
Alibaba Cloud account	Grant access to another Alibaba Cloud account — typically a peer team or external collaborator with their own Alibaba Cloud account.
RAM user	Grant access to a sub-user under your own Alibaba Cloud account — typically a developer or operator on your team.
RAM role	Grant access to a Resource Access Management (RAM) role — useful for service-to-service access, such as submitting periodic scheduling jobs from DataWorks.

RAM roles added here are roles defined in the RAM console, not MaxCompute built-in or custom roles. For more information about MaxCompute roles, see Role planning.

MaxCompute recognizes the RAM account system but not the RAM permission system. After RAM users are added to a project, MaxCompute authenticates them but does not apply permission definitions from RAM.

Operations

The project owner or a user with a built-in MaxCompute role can run the following SQL commands using the MaxCompute client, MaxCompute Studio, or the DataWorks console.

Operation	Description
Add an Alibaba Cloud account	Adds another Alibaba Cloud account to the project
Remove an Alibaba Cloud account	Removes an Alibaba Cloud account from the project
Add a RAM user	Adds a RAM user to the project
Remove a RAM user	Removes a RAM user from the project
Add a RAM role	Adds a RAM role to the project
Remove a RAM role	Removes a RAM role from the project
List users	Lists all users added to the project

Important

When you remove a user, their permissions are retained. If the user is added back to the project later, those permissions are reactivated. To clear residual permissions, see Manage user permissions by using commands.

User Category	User Type	Operation	Description	Operator role	Operation portal
Project-level (Project)	Alibaba Cloud account	Add an Alibaba Cloud account user (project-level)	Add another Alibaba Cloud account to a MaxCompute project.	The project owner or a user that is assigned a built-in MaxCompute role.	MaxCompute client MaxCompute Studio Connect using DataWorks
	Alibaba Cloud account	Delete an Alibaba Cloud account user (project-level)	Delete an Alibaba Cloud account that is added to a MaxCompute project.
	RAM user	Add a RAM user (project-level)	Add a RAM user of the Alibaba Cloud account to which the MaxCompute project belongs to the project.
	RAM user	Delete a RAM user (project-level)	Delete a RAM user that is added to a MaxCompute project.
	RAM role	Add a RAM role (project-level)	Add a RAM role that is created in the Resource Access Management (RAM) console to a MaxCompute project.
	RAM role	Delete a RAM role (project-level)	Delete a RAM role that is added to a MaxCompute project.
	View the user list (project-level)		View the users that are added to a MaxCompute project.

Add an Alibaba Cloud account

Syntax

remove user ALIYUN$<account_id>;

Parameters

Parameter	Required	Description
account_id	Yes	The Alibaba Cloud account identifier to which the RAM role belongs. If the Use Account ID switch in tenant properties is enabled, the account uses the ID. Otherwise, the account uses the logon name. For example, `odps_test_user@aliyun.com` (Account ID: `5527xxxxxxxx5788`).
account_id	No	The Alibaba Cloud account identifier to which the RAM user belongs. If the Use Account ID switch in tenant properties is enabled, the account uses the ID. Otherwise, the account uses the logon name. For example, `odps_test_user@aliyun.com` (Account ID: `5527xxxxxxxx5788`).
RAM_user_UID	Yes	The UID of the RAM user. Log on to the RAM console. In the navigation pane on the left, choose Identity Management > Users. Click the target user. In the User Basic Information section, you can obtain the UID.
account_id	Yes	The Alibaba Cloud account identifier. If the Use Account ID switch in tenant properties is enabled, the account uses the ID. Otherwise, the account uses the logon name. For example, `5527xxxxxxxx5788` or `odps_test_user@aliyun.com`. You can run the `list users;` command on the MaxCompute client to obtain the account identifier.
account_id	Yes	The Alibaba Cloud account identifier. If the Use Account ID switch in tenant properties is enabled, the account uses the ID. Otherwise, the account uses the logon name. For example, `odps_test_user@aliyun.com` (Account ID: `5527xxxxxxxx5788`).
`account_id`	Yes	The ID of the Alibaba Cloud account, such as `5527xxxxxxxx5788` (the ID of `odps_test_user@aliyun.com`).

Example

Add the Alibaba Cloud account odps_test_user@aliyun.com (ID: 5527xxxxxxxx5788) to the project test_project_a:

When "Use Account ID" is enabled

add user ALIYUN$5527xxxxxxxx5788;

When "Use Account ID" is disabled

Remove an Alibaba Cloud account

Syntax

remove user ALIYUN$<account_id>;

Parameters

Parameter	Required	Description
`account_id`	Yes	The ID of the Alibaba Cloud account. Run `list users;` in the MaxCompute client to get the ID.

Important

If the account has a role assigned, revoke the role before removing the account. Otherwise, residual role information remains in the project. To check which roles are assigned, see Query permissions. To revoke a role, see Revoke a role from a user.

Examples

Example 1: Remove odps_test_user@aliyun.com (no role assigned):

When "Use Account ID" is enabled

remove user ALIYUN$5527xxxxxxxx5788;

When "Use Account ID" is disabled

Example 2: Remove odps_test_user@aliyun.com (role Worker assigned):

-- Revoke the Worker role first.
revoke Worker from ALIYUN$5527xxxxxxxx5788;
-- Then remove the user.
remove user ALIYUN$5527xxxxxxxx5788;

Add a RAM user

Syntax

remove user `RAM$<account_id>:role/<RAM_role_name>`;

add user RAM$[<account_id>:]<RAM user UID>;

Parameters

Parameter	Required	Description
`account_id`	No	The ID of the Alibaba Cloud account that owns the RAM user, such as `5527xxxxxxxx5788`.
`RAM user UID`	Yes	The UID of the RAM user. To get the UID, log on to the RAM console, go to Identities > Users, click the logon name of the RAM user, and view the UID in the Basic Information section.

Limits

Only RAM users belonging to your own Alibaba Cloud account can be added directly. To add a RAM user from another Alibaba Cloud account, first add that account to the project (see Add an Alibaba Cloud account), then log in with that account and add the RAM user.
The project must support the RAM account system. Run list accountproviders; to check. If RAM is not listed, run add accountprovider ram; to enable it.

Example

Add RAM user ram_test (UID: 2763xxxxxxxxxx1649) under account 5527xxxxxxxx5788 to the project test_project_a:

add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

When "Use Account ID" is disabled

Remove a RAM user

Syntax

remove user RAM$[<account_id>:]<RAM user UID>;

Parameters

Parameter	Required	Description
`account_id`	No	The ID of the Alibaba Cloud account that owns the RAM user, such as `5527xxxxxxxx5788`.
`RAM user UID`	Yes	The UID of the RAM user. To get the UID, log on to the RAM console, go to Identities > Users, click the logon name of the RAM user, and view the UID in the Basic Information section.

Important

If the RAM user has a role assigned, revoke the role before removing the user. If you skip this step, the entry p4_xxxxxxxxxxxxxxxxxxxx remains in the project and cannot be deleted — though the project continues to work normally. To check which roles are assigned, see Query permissions. To revoke a role, see Revoke a role from a user.

Examples

Example 1: Remove RAM user with UID 2763xxxxxxxxxx1649 under account 5527xxxxxxxx5788 (no role assigned):

remove user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;

Example 2: Remove the same RAM user (role Worker assigned):

-- Revoke the Worker role first.
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Then remove the RAM user.
remove user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Remove the RAM account provider if you no longer use RAM users.
remove accountprovider ram;

Add a RAM role

Syntax

The grave accent (` ``) in the command is required.

Parameters

Parameter	Required	Description
`account_id`	Yes	The ID of the Alibaba Cloud account that owns the RAM role, such as `5527xxxxxxxx5788`.
`RAM role name`	Yes	The name of the RAM role. To get the name, log on to the RAM console, go to Identities > Roles, and view the role name on the Roles page.

Example

Add the RAM role ram_role to the project test_project_a:

add user `RAM$5527xxxxxxxx5788:role/ram_role`;

Subsequent operations need to be performed in DataWorks. You must assign the RAM role to DataWorks when you modify the policy that is attached to the RAM role. This way, you can submit periodic scheduling jobs to MaxCompute in DataWorks.

Remove a RAM role

Syntax

remove user `RAM$<account_id>:role/<RAM role name>`;

The grave accent (` ``) in the command is required.

Parameters

Parameter	Required	Description
`account_id`	Yes	The ID of the Alibaba Cloud account that owns the RAM role, such as `5527xxxxxxxx5788`.
`RAM role name`	Yes	The name of the RAM role. To get the name, log on to the RAM console, go to Identities > Roles, and view the role name on the Roles page.

Example

Remove the RAM role ram_role from the project test_project_a:

remove user `RAM$5527xxxxxxxx5788:role/ram_role`;

List users

Run the following command to view all users added to a MaxCompute project:

list users;

Example output:

ALIYUN$5527xxxxxxxx5788
RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649
RAM$5527xxxxxxxx5788:role/ram_role

When "Use Account ID" is disabled

What's next

After adding users, grant them permissions based on your business requirements. See Manage user permissions by using commands.