If you want to allow a RAM user to use the E-MapReduce (EMR) console, you must grant the required permissions to the RAM user by using your Alibaba Cloud account in the RAM console.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM? The following examples describe how RAM is used to implement access control in EMR:
  • RAM users: If you purchased multiple instances for an EMR cluster, you can create a policy that allows specific users who are responsible for O&M, development, or data analysis to use these instances. This eliminates the risk of AccessKey pair leaks and ensures account security.
  • RAM user groups: You can create multiple user groups and grant different permissions to them. The authorization process is the same as that for RAM users. The user groups can be used to manage multiple RAM users at the same time.

Policies

Policies are categorized into system policies and custom policies.

  • System policies
    System policies are provided by Alibaba Cloud to meet various management purposes. The following table describes the system policies that are used in EMR.
    System policy Description Permission
    AliyunEMRFullAccess Provides RAM users with full access to EMR. This policy allows RAM users to perform all operations on all EMR resources.
    AliyunEMRDevelopAccess Provides RAM users with the developer permissions of EMR. This policy allows RAM users to perform operations on all EMR resources, except for the operations to create and release clusters.
    AliyunEMRFlowAdmin Provides RAM users with the administrator permissions on the Data Platform module in EMR. This policy allows RAM users to create projects and develop and manage jobs. This policy does not allow RAM users to add members to projects or manage clusters.
  • Custom policies

    Custom policies are the policies that you design based on your business requirements. Custom policies are suitable for users who are familiar with Alibaba Cloud service APIs and require fine-grained access control. For more information about how to create a custom policy, see Policy structure and syntax.

Grant permissions to a RAM user

Perform the following steps to grant permissions on EMR resources to a RAM user in the RAM console:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, configure the parameters that are described in the following table based on your business requirements.
  5. Click OK.
  6. Click Complete.
    The granted permissions immediately take effect. You can log on to the RAM console by using the RAM user to which you granted permissions to check the permissions.