All Products
Search
Document Center

DataWorks:Prepare a RAM user

Last Updated:Feb 04, 2024

Before you develop nodes in DataWorks, you must plan and create RAM users that are used to develop nodes within your Alibaba Cloud account, and grant permissions to the RAM users. This way, you can add the RAM users to your DataWorks workspace to perform collaborative development. This topic describes how to create a RAM user, create an AccessKey pair for the RAM user, grant permissions to the RAM user, and allow a user to access DataWorks as a RAM user.

Background information

  • If you only want to experience DataWorks by using your Alibaba Cloud account, you do not need to prepare RAM users.

  • If you want to use DataWorks together with other users, prepare RAM users by following the instructions that are described in this topic.

Create a RAM user

You need to use your Alibaba Cloud account to log on to the Resource Access Management (RAM) console and create a RAM user.

Procedure

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • Tag: Click the edit icon and enter a tag key and a tag value. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Set Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Enable MAF: specifies whether to enable multi-factor authentication (MFA) for the RAM user. After you enable MFA, you must bind an MFA device to the RAM user or allow the RAM user to bind an MFA device. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Obtain an AccessKey pair.

      Important

      An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.

  6. Click OK.

  7. Complete security verification as prompted.

Important

After you create a RAM user, you must make sure that the username and password of the RAM user are securely stored.

(Optional) Create an AccessKey pair for a RAM user

An AccessKey pair is not required if you use a RAM user only to run nodes in DataWorks. If you have special business requirements, you can create an AccessKey pair for the RAM user in the RAM console. If the RAM user is authorized to manage AccessKey pairs, you can create an AccessKey pair as the RAM user in the RAM console.

To create an AccessKey pair for a RAM user, perform the following steps:

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click the username of the RAM user that you want to manage.

  4. In the User AccessKeys section, click Create AccessKey.

  5. In the Create AccessKey message, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

  6. Click OK.

Grant the permissions to perform operations in DataWorks to a RAM user

If you want to grant the permissions to perform operations in DataWorks to a RAM user, you must log on to the RAM console and grant the permissions to the RAM user. You can use one of the following methods to grant permissions:

Method 1: Grant permissions to a RAM user on the Users page

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select policies.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies:

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.

Method 2: Grant permissions to a RAM user on the Grants page

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Grants.

  3. On the Permission page, click Grant Permission.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Select the authorization scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect on a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group. For more information about how to grant permissions on a resource group, see Use a resource group to manage an ECS instance.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. Select policies.

      A policy contains a set of permissions. Policies can be classified into system policies and custom policies:

      • System policies: policies that are created by Alibaba Cloud. You can use but cannot modify these policies. Version updates of the policies are maintained by Alibaba Cloud. For more information, see Services that work with RAM.

      • Custom policies: You can manage and update custom policies based on your business requirements. You can create, update, and delete custom policies. For more information, see Create a custom policy.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, perform the operation multiple times.

  5. Click OK.

  6. Click Complete.

Allow a user to access DataWorks as a RAM user

If you want to perform collaborative development together with other users in DataWorks, you need to prepare RAM users and provide the users with the information that can be used to log on to the Alibaba Cloud Management Console as the RAM users. If an AccessKey pair is required for a RAM user that you prepared, you must provide an available AccessKey pair to a user that uses DataWorks as the RAM user.

Note
  • A RAM user belongs to an Alibaba Cloud account and does not own resources. The resource usage of a RAM user is not calculated or billed to the RAM user.

  • All fees that are incurred when you use Alibaba Cloud services as a RAM user are deducted from the account balance of your Alibaba Cloud account.

  • You must obtain the link that can be used to log on to the Alibaba Cloud Management Console as a RAM user and the default domain name or domain alias of your Alibaba Cloud account. Then, you must send the information to a user that is allowed to access DataWorks as a RAM user.

You must provide the following information to a user that is allowed to access DataWorks as a RAM user:

  • Link that can be used to log on to the Alibaba Cloud Management Console as a RAM user

    To obtain the link, log on to the RAM console by using your Alibaba Cloud account, click Overview in the left-side navigation pane, and then click Copy Login URL on the right side of the logon link specified by the Login URL parameter in the Account Info section. For more information about how to log on to the Alibaba Cloud Management Console as a RAM user, see Log on to the Alibaba Cloud Management Console as a RAM user.ram访问控制

  • Domain alias or default domain name of your Alibaba Cloud account

    To obtain the domain alias or default domain name, log on to the RAM console by using your Alibaba Cloud account and choose Identifies > Settings in the left-side navigation pane. On the Settings page, click the Advanced tab to view the default domain name and domain alias.

  • Username and password of the RAM user

  • Obtain the AccessKey ID and AccessKey secret of the RAM user.

In addition to providing the preceding information, take note of the following points:

  • The RAM user is granted the permissions to log on to the Alibaba Cloud Management Console.

  • The RAM user is granted the permissions to manage AccessKey pairs. For more information, see Manage security settings of RAM users.

What to do next

After you prepare a RAM user, you can log on to the DataWorks console as the RAM user, create a workspace, and perform operations such as data development in the workspace. For more information, see Create a workspace.