E-MapReduce: Grant permissions to RAM users

Last Updated: Apr 10, 2024

If you want to allow a RAM user to use the E-MapReduce (EMR) console, you must grant the required permissions to the RAM user by using your Alibaba Cloud account in the RAM console.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM? The following examples describe how RAM is used to implement access control in EMR:

  • RAM users: If you purchased multiple instances for an EMR cluster, you can create a policy that allows specific users who are responsible for O&M, development, or data analysis to use these instances. This eliminates the risk of AccessKey pair leaks and ensures account security.

  • RAM user groups: You can create multiple user groups and grant different permissions to them. The authorization process is the same as that for RAM users. The user groups can be used to manage multiple RAM users at the same time.

Policies and roles

The following table describes the policies that are used in EMR.

| Policy name | Description | Permission |
| --- | --- | --- |
| AliyunEMRFullAccess | Provides RAM users with full access to EMR. | This policy allows RAM users to perform all operations on resources on the EMR on ECS and EMR on ACK pages. |
| AliyunEMRDevelopAccess | Provides RAM users with the developer permissions of EMR. | This policy allows RAM users to perform operations on all EMR resources, except for the operations to create and release clusters. |
| AliyunEMRFlowAdmin | Provides RAM users with the administrator permissions on the Data Platform module in EMR. | This policy allows RAM users to create projects and develop and manage jobs. This policy does not allow RAM users to add members to projects or manage clusters. |
| AliyunEMRDlsFullAccess | Provides RAM users with full access to EMR DLS. | This policy allows RAM users to manage data of EMR DLS. |

The following table describes the roles that are used in EMR.

| Role name | Description |
| --- | --- |
| AliyunOSSDlsDefaultRole | Allows Alibaba Cloud Object Storage Service (OSS) to access the resources in other cloud services. |
| AliyunEMRDlsDefaultRole | Allows EMR to access the resources in other cloud services. |

Procedure

Perform the following steps to grant permissions on EMR resources to a RAM user in the RAM console:

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, configure the following parameters based on your business requirements.

    | Parameter | Description |
    | --- | --- |
    | Authorized Scope | Alibaba Cloud Account: If you select this option, permissions take effect on the current Alibaba Cloud account. Specific Resource Group: If you select this option, permissions take effect on a specified resource group. |
    | Principal | The RAM user to which you want to grant permissions. |
    | Select Policy | On the System Policy tab, enter EMR in the search box to search for EMR system policies and click the required policies to add the policies to the Selected section. For more information about EMR policies, see Policies. |

  5. Click OK.

  6. Click OK.

    The granted permissions take effect immediately. To check the permissions, log on to the EMR console as the RAM user to which you granted them.

    Note

    If the RAM user no longer requires the permissions, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.
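
Once policies are attached as in the procedure above, the grants can be reviewed against the policy table. The following Python is an added example, not part of the original documentation or Alibaba Cloud's code: it flags RAM users whose attached EMR system policy allows creating and releasing clusters although their job function is not expected to need it, and flags EMR-named policies that the table does not list. The user names, the job-function rule, the AliyunEMRExamplePolicy name and the input layout (modeled on the RAM ListPoliciesForUser response) are assumptions.

```python
# Per the policy table on this page: can the policy create and release clusters?
CLUSTER_LIFECYCLE = {
    "AliyunEMRFullAccess": True,      # all operations
    "AliyunEMRDevelopAccess": False,  # everything except create/release clusters
    "AliyunEMRFlowAdmin": False,      # projects and jobs, no cluster management
    "AliyunEMRDlsFullAccess": False,  # EMR DLS data only
}
# Assumption (a local rule, not from the page): only O&M staff manage clusters.
LIFECYCLE_FUNCTIONS = {"O&M"}
# Constructed inventory. "policies" assumes the ListPoliciesForUser layout;
# AliyunEMRExamplePolicy is a hypothetical name used to exercise the unknown case.
SAMPLE_USERS = [
    {"user": "ops-alice", "function": "O&M",
     "policies": {"Policies": {"Policy": [
         {"PolicyName": "AliyunEMRFullAccess", "PolicyType": "System"}]}}},
    {"user": "dev-bob", "function": "development",
     "policies": {"Policies": {"Policy": [
         {"PolicyName": "AliyunEMRDevelopAccess", "PolicyType": "System"},
         {"PolicyName": "AliyunEMRFullAccess", "PolicyType": "System"}]}}},
    {"user": "analyst-carol", "function": "data analysis",
     "policies": {"Policies": {"Policy": [
         {"PolicyName": "AliyunEMRFlowAdmin", "PolicyType": "System"},
         {"PolicyName": "AliyunEMRExamplePolicy", "PolicyType": "System"}]}}},
]


def emr_policies(response):
    """Names of attached system policies whose name starts with AliyunEMR."""
    items = response.get("Policies", {}).get("Policy", [])
    return [p["PolicyName"] for p in items
            if p.get("PolicyType") == "System"
            and p.get("PolicyName", "").startswith("AliyunEMR")]


def review(users):
    """Return (user, policy, finding) tuples for grants that need attention."""
    findings = []
    for entry in users:
        for name in emr_policies(entry["policies"]):
            if name not in CLUSTER_LIFECYCLE:
                findings.append((entry["user"], name, "not in policy table"))
            elif CLUSTER_LIFECYCLE[name] and entry["function"] not in LIFECYCLE_FUNCTIONS:
                findings.append((entry["user"], name, "can create/release clusters"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_USERS):
        print(*finding, sep="\t")
```

For a flagged developer or analyst, AliyunEMRDevelopAccess is the policy in the table that keeps EMR access while excluding cluster creation and release.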