MaxCompute lets you grant permissions to RAM accounts, such as RAM users and RAM roles, using roles in the MaxCompute console. This topic describes how to grant different types of permissions and provides policy examples.
Grant project-level management permissions
MaxCompute project-level management permissions include the ability to configure project security, manage project-level users and role permissions, manage packages, use label-based access control, and clean up expired permissions. For more information, see List of project management permissions.
Procedure
-
Log in to the MaxCompute console and select a region in the upper-left corner.
-
In the left-side navigation pane, choose .
-
On the Projects page, click Manage in the Actions column for the target project.
-
On the Project Settings page, click the Role Permissions tab.
On the Role Permissions tab, you can create an Admin role or modify the permissions of an existing Admin role.
NoteBy default, only an Alibaba Cloud account has the permission to manage roles for a project. To grant permissions using a RAM account, such as a RAM user or a RAM role, the account must have the required project management permissions.
-
Create an Admin role
-
Click Create Project-level Role to create a project role with the required MaxCompute permissions.
-
In the Create Role dialog box, configure the parameters as prompted and click OK.
Set Role Type to Admin, and then enter an authorization policy.
-
-
Modify the permissions of an existing Admin role.
On the Role Permissions tab, find the target role and click Modify Authorization in the Actions column. After you modify the policy, click Confirm to save the changes.
For more information about the values for Action and Resource, see List of project management permissions. This topic provides policy examples based on management modules.
-
-
Find the target project-level role and click Manage Members in the Actions column. In the Manage Members dialog box, you can view the members assigned to the role, assign the role to users, or remove users from the role, which revokes it.
Policy examples
-
The management permissions for a module often involve multiple actions and resource permissions. Therefore, the examples use a wildcard (
*) to grant permissions on multiple objects at once. -
For more information about the values for Action and Resource, see List of project management permissions.
-
Replace
project_namein the examples with the name of your MaxCompute project.
Role management
The following policy grants permissions to manage roles.
{
"Statement": [
{
"Action": [
"odps:*"
],
"Effect": "Allow",
"Resource": [
"acs:odps:*:projects/project_name/authorization/roles",
"acs:odps:*:projects/project_name/authorization/roles/*/*"
]
}
],
"Version": "1"
}
Package management
The following policy grants permissions to manage packages.
{
"Statement": [
{
"Action": [
"odps:*"
],
"Effect": "Allow",
"Resource": [
"acs:odps:*:projects/project_name/authorization/packages",
"acs:odps:*:projects/project_name/authorization/packages/*",
"acs:odps:*:projects/project_name/authorization/packages/*/*/*"
]
}
],
"Version": "1"
}
To manage packages in the console, you need the list permission on the project. Therefore, you must first grant the list permission on the current project to the user. For information about how to grant permissions in the console, see Grant project-level operation permissions on objects. For information about how to grant permissions by using commands, see Manage user permissions by using commands.
Project security
The following policy grants permissions to modify project security configurations.
{
"Statement":[
{
"Action":[
"odps:*"
],
"Effect":"Allow",
"Resource":[
"acs:odps:*:projects/project_name/authorization/configurations/*"
]
}
],
"Version":"1"
}
User management
The following policy grants permissions to manage project users.
{
"Statement":[
{
"Action":[
"odps:*"
],
"Effect":"Allow",
"Resource":[
"acs:odps:*:projects/project_name/authorization/users"
]
}
],
"Version":"1"
}
All management permissions
The following policy grants all management permissions.
{
"Statement":[
{
"Action":[
"odps:*"
],
"Effect":"Allow",
"Resource":[
"acs:odps:*:projects/project_name/authorization/*"
]
}
],
"Version":"1"
}
Grant project-level operation permissions on objects
Project-level operation permissions apply to objects within a project, such as tables, functions, and resources. Examples of these permissions include CreateTable, CreateInstance, and SelectTable. For more information, see List of permissions for projects and objects within projects.
Procedure
-
Log in to the MaxCompute console and select a region in the upper-left corner.
-
In the left-side navigation pane, choose .
-
On the Projects page, click Manage in the Actions column for the target project.
-
On the Project Settings page, click the Role Permissions tab.
You can create a Resource role or edit an existing Resource role.
NoteBy default, only an Alibaba Cloud account has the permission to manage roles for a project. To grant permissions using a RAM account, such as a RAM user or a RAM role, the account must have the required project management permissions.
-
Create a Resource role
Click Create Project-level Role to create a project role with the required MaxCompute permissions.
-
In the Create Role dialog box, configure the parameters as prompted and click OK.
Set Role Type to Resource. Then, grant permissions by using an ACL or a policy.
-
Modify the permissions of an existing Resource role
-
On the Role Permissions tab, find the target role and click Modify Authorization in the Actions column. Then, modify the permissions by using ACL or by editing the policy.
-
For more information about permissions, see List of permissions for projects and objects within projects. This topic provides examples of how to grant permissions by using ACL and policies in the console. For more details, see Grant project-level management permissions.
-
-
Find the target project-level role and click Manage Members in the Actions column. In the Manage Members dialog box, you can view the members assigned to the role, assign the role to users, or remove users from the role, which revokes it.
Authorization examples
-
For more information about the actions and objects for project-level object operation permissions, see List of permissions for projects and objects within projects.
-
Replace
project_namein the examples with the name of your MaxCompute project.
ACL
You can use an ACL to grant a Resource role permissions to create tables (CreateTable) and instances (CreateInstance), list all object types in the project (List), and read metadata (Describe) and data (Select) from all tables.
Do not close the progress bar or the page while the authorization is in progress. Otherwise, the authorization will be interrupted.
Policy
-
This policy grants a Resource role the permissions to create a table (CreateTable) and an instance (CreateInstance), view a list of all object types in the project (List), read the metadata of all tables (Describe), and read data from all tables (Select).
{ "Statement": [{ "Action": ["odps:CreateTable","odps:CreateInstance","odps:List"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name"]}, { "Action": ["odps:Describe","odps:Select"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/tables/*"]}], "Version": "1"} -
This policy grants a Resource role the permissions to read the metadata (Describe) and query data (Select) from all tables whose names start with tmp, read and update all resources and functions, and denies the permission to delete any table.
{ "Statement": [{ "Action": ["odps:Describe","odps:Select"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/tables/tmp_*"]}, { "Action": ["odps:Read","odps:Write"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/resources/*"]}, { "Action": ["odps:Read","odps:Write"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/functions/*"]}, { "Action": ["odps:Drop"], "Effect": "Deny", "Resource": ["acs:odps:*:projects/project_name/tables/*"]}], "Version": "1"}If data storage by schema is enabled for the project (see Schema operations), you must modify the policy as follows:
{ "Statement": [{ "Action": ["odps:Describe","odps:Select"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/schemas/*/tables/tmp_*"]}, { "Action": ["odps:Read","odps:Write"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/schemas/*/resources/*"]}, { "Action": ["odps:Read","odps:Write"], "Effect": "Allow", "Resource": ["acs:odps:*:projects/project_name/schemas/*/functions/*"]}, { "Action": ["odps:Drop"], "Effect": "Deny", "Resource": ["acs:odps:*:projects/project_name/schemas/*/tables/*"]}], "Version": "1"}
Grant tenant-level management permissions
Tenant-level management permissions involve managing users and roles at the tenant level. This includes adding or removing users, creating or deleting roles, viewing users and roles, assigning or revoking roles for users, and adding roles to or removing them from projects.
Only an Alibaba Cloud account or a user with the tenant-level Super_Administrator or Admin role can manage tenant-level permissions.
To grant management permissions to a RAM account, such as a RAM user or a RAM role, you must use an Alibaba Cloud account to assign the Super_Administrator or Admin role to it. The tenant-level Super_Administrator and Admin roles provide extensive management permissions. For details about the permissions, see Role planning. Use caution when you assign these roles. For more information about tenant-level roles, see Grant tenant-level role permissions.
-
Log in to the MaxCompute console and select a region in the upper-left corner.
-
In the left-side navigation pane, choose .
-
On the Tenants page, click the Users tab.
-
On the Users tab, find the target RAM user and click Modify Role in the Actions column.
In the Edit Role dialog box, move the desired roles from the Available Roles section to the Added Roles section, and then click OK.
Grant tenant-level object operation permissions
Tenant-level object operation permissions include permissions to operate on tenant-level objects, such as a quota or a network connection. Examples of these permissions include Usage and CreateNetworkLink. These permissions also allow a single account to manage objects across multiple projects, which simplifies permission management. For more information about tenant-level roles, see Grant tenant-level role permissions.
Procedure
-
Log in to the MaxCompute console and select a region in the upper-left corner.
-
In the left-side navigation pane, choose .
-
On the Tenants page, click the Roles tab.
-
On the Roles page, you can create a new tenant-level role or manage the permissions of an existing custom role.
NoteOnly an Alibaba Cloud account or a user with the tenant-level Super_Administrator or Admin role can manage tenant-level permissions.
-
Add a tenant-level role
On the Roles tab, click Add Role. In the Add Role dialog box, enter a custom Role Name, provide the Policy Content, and then click OK.
Parameter
Description
Role name
The name of the new tenant-level role. It must be unique within your Alibaba Cloud account, 6 to 64 characters long, start with a letter, and contain only letters, digits, and underscores (_).
Policy content
The permission policy for the role. You can edit the policy code based on a template.
-
Modify the permissions of an existing tenant-level role
On the Roles tab, find the target role and click Manage Permissions in the Actions column. Modify the authorization policy and click OK to save your changes.
-
-
On the Users tab, find the user you want to authorize and click Modify Role in the Actions column.
In the Edit Role dialog box, move the desired roles from the Available Roles section to the Added Roles section, and then click OK.
Policy examples
-
The examples use a wildcard (
*) to grant permissions on multiple objects at once. -
For more information about specific actions and resources, see List of permissions on objects in a tenant.
-
This policy grants a tenant-level role the Usage permission on all quotas in all regions, and the
CreateNetworkLink,List, andExecutepermissions on all network connections.{ "Statement":[ { "Action":[ "odps:Usage" ], "Effect":"Allow", "Resource":[ "acs:odps:*:regions/*/quotas/*" ] }, { "Action":[ "odps:CreateNetworkLink", "odps:List", "odps:Execute" ], "Effect":"Allow", "Resource":[ "acs:odps:*:networklinks/*" ] } ], "Version":"1" } -
This policy grants a tenant-level role all operation permissions on the MaxCompute projects
project_1andproject_2.{ "Statement":[ { "Action":[ "odps:*" ], "Effect":"Allow", "Resource":[ "acs:odps:*:projects/project_1", "acs:odps:*:projects/project_1/*", "acs:odps:*:projects/project_2", "acs:odps:*:projects/project_2/*" ] } ], "Version":"1" }NoteOnly the project owner or a user with the project Super_Administrator or Admin role can perform this action. After you grant permissions on a project object by using a tenant-level role, you must add that role to the project for the permissions to take effect. On the Role Permissions tab, set Role Level to Tenant. Then, find the target role and click Enable in the Actions column.