Before working with MaxCompute, create a dedicated Resource Access Management (RAM) user and hand it over to the team member who will run jobs or manage projects. This keeps your Alibaba Cloud account credentials out of day-to-day workflows and gives you fine-grained control over what each team member can access.
RAM users belong to your Alibaba Cloud account — they don't own resources, and all costs they incur are billed to your account.
Prerequisites
Before you begin, ensure that you have an Alibaba Cloud account.
What you'll do
- Create a RAM user with a logon name and access mode
- Create an AccessKey for the RAM user
- (Optional) Grant the RAM user permissions to use DataWorks or the MaxCompute console
- Hand over the account and credentials to the intended user
Step 1: Create a RAM user
- Log on to the Resource Access Management (RAM) console.
- In the navigation pane, choose Identities > Users.
- Click Create User.
- In the User Account Information section, fill in the following fields. To create multiple users in a single operation, click Add User.
| Field | Description |
|---|---|
| Logon Name | 1–128 characters. Allowed: letters, numbers, periods (.), underscores (_), hyphens (-). |
| Display Name | Up to 128 characters. |
| Tag | Optional. Attach tags to organize users. |
- In the Access Mode section, select the access modes the user needs:
| Access mode | When to select |
|---|---|
| Console Access | The user logs on to the Alibaba Cloud Management Console. Set a logon password, password reset policy, and multi-factor authentication (MFA) policy. |
| Using permanent AccessKey to access | The user calls APIs or uses developer tools. Generates a permanent AccessKey pair. |
- Click OK.
- On the User Information page, click Download CSV File or click Copy in the Actions column to save the logon name and password.
Step 2: Create an AccessKey
An AccessKey is required for the RAM user to submit and run MaxCompute jobs programmatically. A RAM user can have a maximum of two AccessKeys.
The parent Alibaba Cloud account must allow RAM users to manage their own AccessKeys before these steps work.
- In the navigation pane, choose Identities > Users.
- Click the logon name of the target user to open the user details page.
- Click the Authentication tab.
- In the AccessKey section, click Create AccessKey.
- In the Confirm that the current accessKey creation is for rotation purposes dialog box, review the usage scenarios and recommendations for AccessKeys, and select a suitable credential plan. Then, select the I confirm that it is necessary to create an AccessKey. checkbox and click Continue.
- Complete the security verification, then save the AccessKey ID and AccessKey Secret.
For more information, see Manage the security settings of a RAM user.
(Optional) Step 3: Grant permissions to the RAM user
Grant permissions based on what the RAM user needs to do in MaxCompute.
To allow the RAM user to use DataWorks to create projects visually, the Alibaba Cloud account must grant the AliyunDataWorksFullAccess permission to the RAM user.
Choose the right policy
| Scenario | Policy to grant |
|---|---|
| Activate the MaxCompute service | AliyunBSSOrderAccess |
| Activate the MaxCompute service or create/delete projects in the DataWorks console (legacy) | AliyunDataWorksFullAccess |
| Manage projects and quotas in the MaxCompute console | AliyunMaxComputeFullAccess or a custom policy |
For the full list of permissions supported by the MaxCompute console, see RAM permissions.
The system automatically flags high-risk policies such as AdministratorAccess and AliyunRAMFullAccess. Do not grant these unless absolutely necessary.
Grant a policy
- In the navigation pane, choose Identities > Users.
- Find the target user and click Add Permissions in the Actions column.
- In the Grant Permission panel, configure the following:
  - Resource Scope: Select Account to apply permissions across the current Alibaba Cloud account, or select Resource Group to limit permissions to a specific resource group. Resource groups are only available if the service and resource type support them; see Alibaba Cloud services that support resource groups. For an example, see Use a resource group to control the access of a RAM user to specific ECS instances.
  - Principal: The target RAM user. Selected automatically.
  - Policy: Search for and select one or more policies. Two types are available:
    - System policies: created and maintained by Alibaba Cloud; cannot be modified. See Alibaba Cloud services that support RAM.
    - Custom policies: created and managed by you. See Create a custom policy.
- Click OK.
To grant permissions to multiple users at once, select them in the user list and click Add Permissions below the list.
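An offline review of planned grants, added here as an example and not part of the original documentation: it checks a constructed user inventory against the logon-name rule from Step 1, the two-AccessKey limit from Step 2, and the scenario table and high-risk policies named above. The record layout, the scenario keys, and the custom policy name are hypothetical, and the logon-name pattern assumes ASCII letters and digits.

```python
import re

# Values taken from this page: logon-name rule, AccessKey cap, scenario table,
# and the two policies it names as high-risk. Scenario keys are hypothetical labels.
LOGON_NAME = re.compile(r"[A-Za-z0-9._-]{1,128}")  # assumption: ASCII letters/digits
MAX_ACCESS_KEYS = 2
SCENARIO_POLICIES = {
    "activate_maxcompute": {"AliyunBSSOrderAccess"},
    "dataworks_projects": {"AliyunDataWorksFullAccess"},
    "maxcompute_console": {"AliyunMaxComputeFullAccess"},
}
HIGH_RISK = {"AdministratorAccess", "AliyunRAMFullAccess"}


def review_user(user):
    """Return findings for one user record (layout constructed for this example)."""
    findings = []
    if not LOGON_NAME.fullmatch(user["logon_name"]):
        findings.append("logon name does not match the allowed format")
    if user["access_keys"] > MAX_ACCESS_KEYS:
        findings.append("more than two AccessKeys recorded")
    system = {n for n, kind in user["policies"] if kind == "System"}
    custom = sorted(n for n, kind in user["policies"] if kind == "Custom")
    needed = set()
    for scenario in user["scenarios"]:
        needed |= SCENARIO_POLICIES[scenario]
    # The table allows a custom policy in place of AliyunMaxComputeFullAccess.
    if custom and "maxcompute_console" in user["scenarios"]:
        needed -= SCENARIO_POLICIES["maxcompute_console"]
    findings += [f"high-risk policy: {p}" for p in sorted(system & HIGH_RISK)]
    findings += [f"not needed for declared scenarios: {p}"
                 for p in sorted(system - needed - HIGH_RISK)]
    findings += [f"missing for declared scenarios: {p}" for p in sorted(needed - system)]
    findings += [f"custom policy, review its statements: {p}" for p in custom]
    return findings


# Constructed sample inventory, not output of any Alibaba Cloud API.
USERS = [
    {"logon_name": "etl.runner", "access_keys": 1, "scenarios": ["maxcompute_console"],
     "policies": [("AliyunMaxComputeFullAccess", "System")]},
    {"logon_name": "bob admin", "access_keys": 2, "scenarios": ["activate_maxcompute"],
     "policies": [("AdministratorAccess", "System"), ("AliyunDataWorksFullAccess", "System")]},
    {"logon_name": "quota-ops", "access_keys": 1, "scenarios": ["maxcompute_console"],
     "policies": [("mc-quota-readonly", "Custom")]},
]

if __name__ == "__main__":
    for u in USERS:
        print(u["logon_name"], review_user(u) or "ok")
```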
Step 4: Hand over the RAM user account
Provide the following information to the intended user:
Account credentials
Logon information
- Logon method and link: the RAM user can log on at the general logon URL or a dedicated logon address. See Log on to the Alibaba Cloud Management Console as a RAM user.
- Default domain of the Alibaba Cloud account: log on to the RAM console, click Overview in the navigation pane, and find Default Domain in the Basic Information section.
What's next
With the RAM user ready, activate MaxCompute and DataWorks. See Activate MaxCompute and DataWorks.