All Products
Search

This Product

    E-MapReduce:Grant permissions to a RAM user

    Document Center

    E-MapReduce:Grant permissions to a RAM user

    Last Updated:Mar 26, 2026

    By default, RAM users have no access to E-MapReduce (EMR). To allow a RAM user to use the EMR console, an Alibaba Cloud account holder or a RAM user with administrative rights must attach the appropriate EMR policy in the RAM console.

    Background information

    RAM (Resource Access Management) is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM?

    The following examples describe how RAM is used to implement access control in EMR:

    • Users: You can use RAM users to grant permissions to different roles, such as developers and O&M engineers. This way, different RAM users have different permissions to access different resources.

    • User groups: You can group RAM users based on their responsibilities and grant permissions to user groups. This allows you to grant the same permissions to multiple users at the same time and simplifies the management of RAM users and their permissions.

    Prerequisites

    Before you begin, ensure that you have:

    • An Alibaba Cloud account or a RAM user with administrative rights in the RAM console

    • At least one RAM user to grant permissions to

    Available policies

    The following system policies are available for EMR. Select the policy that matches the access level you want to grant.

    Policy name Description Permissions
    AliyunEMRFullAccess Full access to EMR All operations on EMR on ECS and EMR on ACK
    AliyunEMRReadOnlyAccess Read-only access to EMR Read resources on EMR on ECS and EMR on ACK
    AliyunEMRDlsFullAccess Full access to EMR OSS-HDFS Manage data of EMR OSS-HDFS
    AliyunEMRDevelopAccess (not recommended) Developer permissions for EMR All operations on EMR clusters, except creating or releasing clusters
    AliyunEMRFlowAdmin (not recommended) Administrator permissions for the Data Platform module Create projects and develop and manage jobs; cannot add members to projects or manage clusters
    Note

    AliyunEMRDevelopAccess and AliyunEMRFlowAdmin are not recommended. From December 30, 2024 (UTC+8), Data Development (Old) in the EMR console is being discontinued in phases by region.

    Grant permissions to a RAM user

    1. Log on to the RAM console with your Alibaba Cloud account or as a RAM user with administrative rights.

    2. In the left-side navigation pane, choose Identities > Users.

    3. On the Users page, find the RAM user, and click Add Permissions in the Actions column. To grant permissions to multiple RAM users at once, select them and click Add Permissions at the bottom of the page.

      image

    4. In the Grant Permission panel, set the following parameters.

      Parameter Description
      Resource Scope Account: Permissions apply to the current Alibaba Cloud account. ResourceGroup: Permissions apply to a specified resource group.
      Principal The RAM user to grant permissions to.
      Policy Select System Policy, enter EMR in the search box, and click the policies to add them to the Selected Policy section. For more information about EMR policies, see Policies.

      image

    5. Click Grant permissions. Permissions take effect immediately.

    Verify the permissions

    After granting permissions, log on to the EMR console using the RAM user's credentials and confirm that the expected resources and operations are accessible.

    What's next

    If a RAM user no longer needs access, revoke the permissions. For more information, see Revoke permissions from a RAM user.