FAQ about permission management of MaxCompute - MaxCompute

This topic provides answers to some frequently asked questions (FAQ) about permission management of MaxCompute.

Category	FAQ
Authorization methods	How do I read data across projects? Can I change the owner of a MaxCompute project to a RAM user? What operations cannot be performed by the RAM users assigned the Admin role?
User authorization	I cannot access DataWorks by using the credentials of a RAM user and an error message, indicating that the AccessKey ID of the RAM user is not found, appears. However, the AccessKey ID exists. What do I do? What do I do if I fail to grant a RAM user the permissions on tables in the production environment? How do I grant users the permissions on tables? What are the objects and actions in permission management? How do I use the credentials of a RAM user to access the projects that are created by other Alibaba Cloud accounts? How do I obtain the tenant ID (tenant_id)? What do I do if the error message "FAILED: Invalid account Name xxxxxx" appears during authorization? What do I do if the error message "FAILED: lack of account provider, principalName xxxxxx" appears when I grant permissions to a user?
Permissions	Why does an error appear when a user who has the Select permission on a view queries data from the view? The error indicates that the view owner does not have the Select permission on the table that is referenced by the view. What do I do if the error message "You have NO privilege to do the restricted operation on xxx Access Mode is AllDenied" appears when I run a job?

How do I read data across projects?

You can read data across projects by using a package. A package is a mechanism that is used to share data and resources across projects. It is introduced to resolve user authorization issues when you want to share data and resources across projects. To share objects of a project, the project administrator can create a package that contains the objects and authorize the administrators of other projects to install the package. After the administrators of other projects install the package, they can authorize project members to use the package.

For more information about how to use a package and control access to the package, see Cross-project resource access based on packages and Access control for packages.

Can I change the owner of a MaxCompute project to a RAM user?

No, you cannot change the owner of a MaxCompute project to a RAM user. The project owner must be the account that creates the project. A project owner can assign the Admin role to a RAM user.

Which operations cannot be performed by the RAM users assigned the Admin role?

Compared with the project owner, the RAM users assigned the Admin role cannot perform the following operations:

Grant the permissions of the Admin role to other users.
Configure the security settings of projects.
Modify the authentication model of projects.
Modify the permissions of the Admin role.

I cannot access DataWorks as a RAM user and an error message, indicating that the AccessKey ID of the RAM user is not found, appears. However, the AccessKey ID exists. What do I do?

You must bind an AccessKey pair to the RAM user. To perform this operation, go to the Personal Information page and click Modify AccessKey Information. In the dialog box that appears, configure the AccessKey ID and AccessKey Secret parameters. Then, click Save AccessKey. After you complete the configuration, try to access DataWorks again.

What do I do if I fail to grant a RAM user the permissions on tables in the production environment?

Problem description
When an Alibaba Cloud account is used to grant a RAM user the permissions on tables in the production environment, the following error message appears:
```
class java.lang.IllegalArgumentException: AccessId should not be empty.
```
Cause
The AccessKey pair of the Alibaba Cloud account or the RAM user is not configured.
Solution
Use the Alibaba Cloud account or the RAM user to go to the Personal Information page, and check whether the AccessKey pair is configured. If the AccessKey pair is not configured, click Modify AccessKey Information. In the dialog box that appears, configure the AccessKey ID and AccessKey Secret parameters. Then, click Save AccessKey.

How do I grant users the permissions on tables?

Only the project owner or the RAM users assigned the Super_Administrator or Admin role can grant users the permissions on tables. You can use ACL-based authorization (GRANT) to grant users the permissions on tables. Sample statement:

grant Update on table project_name to ram$bob@aliyun.com:Allen;

For more information about authorization, see MaxCompute permissions.

How do I grant permissions to a RAM user?

Only Alibaba Cloud accounts or RAM users that are assigned the Super_Administrator or Admin role can grant permissions to RAM users. For more information about authorization, see MaxCompute permissions.

What are the objects and actions in permission management?

MaxCompute authorization involves the following elements:

Subject: the users or roles to which you want to grant permissions.
Object: the objects on which permissions are granted to users or roles, such as projects, tables, functions, resources, and instances.
Action: the actions that the authorized users or roles can perform on objects, such as the actions to read data from, write data to, and query data from tables.

For more information, see ACL-based access control.

How do I use a RAM user to access the projects that are created by other Alibaba Cloud accounts?

For example, RAM User C (ram_user_1) of Alibaba Cloud Account A wants to access the MaxCompute project that is created by Alibaba Cloud Account B.

Log on to the MaxCompute console as Alibaba Cloud Account B, add Alibaba Cloud Account A to the project that is created by Alibaba Cloud Account B, and then assign the MaxCompute Super_Administrator role to Alibaba Cloud Account A. Then, use Alibaba Cloud Account A to log on to the project that is created by Alibaba Cloud Account B and run the add user ram$A:ram_user_1; command to add RAM user C to the project that is created by Alibaba Cloud Account B.

How do I obtain the tenant ID (tenant_id)?

Permissions on specific resources can be granted to a tenant. To obtain the tenant ID, perform the following operations:

Log on to the MaxCompute console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Tenants > Tenant Properties.
On the Tenants page, obtain the tenant ID of the account.

What do I do if the error message "FAILED: Invalid account Name xxxxxx" appears during authorization?

Problem description
The following error message appears during authorization:
```
FAILED: Invalid account Name xxxxxx
```
Cause
The username in the authorization statement is invalid.
Solution
Check the username. You can run the list users; command to obtain the user list of the current project. When you perform authorization, copy the username that you want to use in the user list to the authorization statement instead of manually entering a username. This helps avoid spelling errors.

What do I do if the error message "FAILED: lack of account provider, principalName xxxxxx" appears when I grant permissions to a user?

Problem description
The following error message appears during authorization:
```
FAILED: lack of account provider, principalName xxxxxx
```
Cause
The username in the authorization statement is invalid or the RAM account system is not supported in the current project.
Solution
Log on to the MaxCompute client and run the list accountproviders; command to check whether the RAM account system is supported in the current MaxCompute project. If the command output does not contain RAM users, run the add accountprovider ram; command to enable support for the RAM account system. Then, run the list accountproviders; command again to check whether the RAM account system is supported in the MaxCompute project. If the RAM account system is supported but the error message still appears, check whether the username is valid. You can run the list users; command to obtain the user list of the current project. When you perform authorization, copy the username that you want to use in the user list to the authorization statement instead of manually entering a username. This helps avoid spelling errors.

Why does an error appear when a user who has the Select permission on a view queries data from the view? The error indicates that the view owner does not have the Select permission on the table that is referenced by the view.

Problem description
View A in MaxCompute references Table B. User A has the Select permission on View A. When User A performs a query operation on View A, an error message appears, indicating that the owner (User B) of View A does not have the Select permission on Table B.
Cause
A view is unavailable if the owner of the view does not have the Select permission on the table that is referenced by the view. This issue may occur in the following scenarios: (1) The Select permission on the referenced table is not granted to the new view owner at the earliest opportunity after the view owner is changed. (2) The owner of the table that is referenced by the view revokes the Select permission from the view owner. As a result, User A who has the Select permission on View A cannot query data from View A.
Solution
We recommend that you run the following command to check whether the view owner has the Select permission on the table that is referenced by the view:
```
show grants for <user_name>; -- Replace user_name with the username of the view owner.
```
If the view owner does not have the Select permission on the table that is referenced by the view, grant the Select permission on the referenced table to the view owner.

What do I do if the error message "You have NO privilege to do the restricted operation on xxx Access Mode is AllDenied" appears when I run a job?

Cause
The project to which the job you run belongs is disabled.
Solution
- Check whether your account has overdue payments or whether the default computing quota of the project is a subscription quota and the related subscription service is expired. If your account has overdue payments or the subscription quota is expired, top up your account or renew your subscription. Your project will recover within about 2 to 30 minutes based on the number of orders and the number of projects that run on your MaxCompute project.
- If your account does not have overdue payments or the subscription quota is not expired, your project is manually disabled. Go to the Projects page of the MaxCompute console to restore your project.