Before you develop nodes in DataWorks, you must plan and create RAM users that are used to develop nodes within your Alibaba Cloud account, and grant permissions to the RAM users. This way, you can add the RAM users to your DataWorks workspace to perform collaborative development. This topic describes how to create a RAM user, create an AccessKey pair for the RAM user, grant permissions to the RAM user, and allow a user to access DataWorks as a RAM user.

Background information

  • If you only want to experience DataWorks by using your Alibaba Cloud account, you do not need to prepare RAM users.
  • If you want to use DataWorks together with other users, prepare RAM users by following the instructions that are described in this topic.

Create a RAM user

You need to use your Alibaba Cloud account to log on to the Resource Access Management (RAM) console and create a RAM user.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Optional:Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.
      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.
      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.
    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.
Important After you create a RAM user, you must make sure that the username and password of the RAM user are securely stored.

(Optional) Create an AccessKey pair for a RAM user

An AccessKey pair is not required if you use a RAM user only to run nodes in DataWorks. If you have special business requirements, you can create an AccessKey pair for the RAM user in the RAM console. If the RAM user is authorized to manage AccessKey pairs, you can create an AccessKey pair as the RAM user in the RAM console.

To create an AccessKey pair for a RAM user, perform the following steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click the username of a specific RAM user.
  4. In the User AccessKeys section, click Create AccessKey.
  5. In the View Secret dialog box, view the AccessKey ID and AccessKey secret.

    You can click Download CSV File to download the AccessKey pair or click Copy to copy the AccessKey pair.

    Note
    • An AccessKey secret for a RAM user is displayed only after you click Create AccessKey. You cannot query the AccessKey secret in subsequent operations. Therefore, you must back up your AccessKey secret.
    • If an AccessKey pair is leaked or lost, you must create another AccessKey pair. You can create a maximum of two AccessKey pairs for each RAM user.
  6. Click OK.

Grant the permissions to perform operations in DataWorks to a RAM user

If you want to grant the permissions to perform operations in DataWorks to a RAM user, you must log on to the RAM console and grant the permissions to the RAM user. You can use one of the following methods to grant permissions:

Method 1: Grant permissions to a RAM user on the Users page

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

Method 2: Grant permissions to a RAM user on the Grants page

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Grants.
  3. On the Grants page, click Grant Permission.
  4. In the Grant Permission panel, grant permissions to the RAM user.
    1. Select the authorization scope.
      • Alibaba Cloud Account: The permissions take effect on the current Alibaba Cloud account.
      • Specific Resource Group: The permissions take effect in a specific resource group.
        Note If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.
    2. Specify the principal.
      The principal is the RAM user to which you want to grant permissions.
    3. Select policies.
      Note You can attach a maximum of five policies to a RAM user at a time. If you need to attach more than five policies to a RAM user, perform the operation multiple times.
  5. Click OK.
  6. Click Complete.

Allow a user to access DataWorks as a RAM user

If you want to perform collaborative development together with other users in DataWorks, you need to prepare RAM users and provide the users with the information that can be used to log on to the Alibaba Cloud Management Console as the RAM users. If an AccessKey pair is required for a RAM user that you prepared, you must provide an available AccessKey pair to a user that uses DataWorks as the RAM user.

Note
  • A RAM user belongs to an Alibaba Cloud account and does not own resources. The resource usage of a RAM user is not calculated or billed to the RAM user.
  • All fees that are incurred when you use Alibaba Cloud services as a RAM user are deducted from the account balance of your Alibaba Cloud account.
  • You must obtain the link that can be used to log on to the Alibaba Cloud Management Console as a RAM user and the default domain name or domain alias of your Alibaba Cloud account. Then, you must send the information to a user that is allowed to access DataWorks as a RAM user.
You must provide the following information to a user that is allowed to access DataWorks as a RAM user:
  • Link that can be used to log on to the Alibaba Cloud Management Console as a RAM user
    To obtain the link, log on to the RAM console by using your Alibaba Cloud account, click Overview in the left-side navigation pane, and then click Copy Login URL on the right side of the logon link specified by the Login URL parameter in the Account Info section. For more information about how to log on to the Alibaba Cloud Management Console as a RAM user, see Log on to the Alibaba Cloud Management Console as a RAM user. RAM console
  • Domain alias or default domain name of your Alibaba Cloud account

    To obtain the domain alias or default domain name, log on to the RAM console by using your Alibaba Cloud account and choose Identifies > Settings in the left-side navigation pane. On the Settings page, click the Advanced tab to view the default domain name and domain alias.

  • Username and password of the RAM user
  • Obtain the AccessKey ID and AccessKey secret of the RAM user.
In addition to providing the preceding information, take note of the following points:
  • The RAM user is granted the permissions to log on to the Alibaba Cloud Management Console.
  • The RAM user is granted the permissions to manage AccessKey pairs. For more information, see Manage security settings of RAM users.

What to do next

After you prepare a RAM user, you can log on to the DataWorks console as the RAM user, create a workspace, and perform operations such as data development in the workspace. For more information, see Create a workspace.