All Products
Search
Document Center

MaxCompute:Prepare a RAM user

Last Updated:Jun 25, 2026

This topic describes how to create a Resource Access Management (RAM) user. To prevent data security issues in your project, create a RAM user and assign it to another user. This lets you use RAM to strictly control the permissions of users who participate in a MaxCompute project.

Introduction to RAM users

Resource Access Management (RAM) is an Alibaba Cloud service that lets you centrally manage user identities and resource access permissions. Using RAM, you can create and manage various identities and grant them fine-grained permissions. This ensures secure access to your cloud resources.

  • RAM users belong to an Alibaba Cloud account. They do not own resources and do not have an independent billing mechanism.

  • The costs incurred by a RAM user's operations on Alibaba Cloud services are billed to the Alibaba Cloud account to which the RAM user belongs.

Procedure

  1. You have an Alibaba Cloud account.

  2. Step 1: Create a RAM user

    Create a RAM user using the RAM service.

  3. Step 2: Create an AccessKey

    Create an AccessKey for the RAM user. The AccessKey is required to run jobs that are submitted by the RAM user.

  4. (Optional) Step 3: Grant permissions to the RAM user

    • To allow the RAM user to use DataWorks to create projects visually, the Alibaba Cloud account must grant the AliyunDataWorksFullAccess permission to the RAM user.

    • To allow the RAM user to manage projects and quotas in the new MaxCompute console, the Alibaba Cloud account must grant the AliyunMaxComputeFullAccess permission or a custom RAM policy to the RAM user. For more information, see RAM permissions.

  5. Step 4: Hand over the RAM user account to another user

    Provide the account and AccessKey information of the newly created RAM user to the intended user.

Step 1: Create a RAM user

  1. Log in to the RAM console.

  2. In the left navigation bar, select Identities > Users.

  3. On the Users page, click Create User.

  4. On the Create User page, configure the user information.

  5. In the User Account Information section, configure the following settings:

    1. Logon Name: The name must be 1 to 128 characters in length and can contain letters, numbers, periods (.), underscores (_), and hyphens (-).

    2. Display name: A maximum of 128 characters.

    3. Tag: Attach tags to the RAM user to facilitate subsequent tag-based user management.

    4. Add User: Optional. Click Add User to create multiple RAM users at once.

  6. In the Access Mode section, configure the following settings:

    1. Console Access: Set the console logon password, password reset policy, and multi-factor authentication (MFA) policy.

    2. Access with a permanent AccessKey: An AccessKey is automatically generated for a RAM user to access Alibaba Cloud through APIs or other development tools.

  7. Click OK to complete the creation.

  8. On the User Information page, click Download CSV File or click Copy in the Actions column to save the RAM user's logon name and logon password.

Step 2: Create an AccessKey

If the parent Alibaba Cloud account is configured to allow RAM users to manage their own AccessKeys, a RAM user can create an AccessKey. A RAM user can have a maximum of two AccessKeys. The following steps describe the procedure.

  1. Log in to the RAM console.

  2. In the left navigation bar, select Identities > Users.

  3. On the Users page, click the target User Logon Name/Display Name to go to the user details page.

  4. On the user details page, click the Authentication tab.

  5. On the Authentication tab, in the Access Key section, click Create AccessKey.

  6. In the Confirm that the current accessKey creation is for rotation purposes dialog box, review the usage scenarios and recommendations to select a more appropriate credential solution. After you select the corresponding usage scenario, select the I confirm that it is necessary to create an AccessKey checkbox, and then click Create More.

  7. Complete the security verification as prompted and save the AccessKey ID and AccessKey secret.

For more information about how to manage your own AccessKeys, see Manage the security settings of a RAM user.

(Optional) Step 3: Grant permissions to the RAM user

  1. In the left navigation bar, select Identities > Users.

  2. On the Users page, click Add Permissions in the Actions column for the target User Logon Name/Display Name.

  3. In the Grant Permission panel, select the policy to grant to the user, and click OK.

    You can also select multiple RAM users and click Add Permissions below the user list to grant permissions to them in a batch.

    1. Resource Scope

      For a resource group authorization to take effect, the cloud service and resource type must support resource groups. For more information, see Cloud services that support resource groups. For an example of resource group authorization, see Use a resource group to restrict a RAM user from managing specified ECS instances.

      • Account: The permissions are effective within the current Alibaba Cloud account.

      • Resource Group: The permissions take effect within the specified resource group.

    2. Principal: The principal is the RAM user to whom you want to grant permissions. The system automatically selects the current RAM user.

    3. Policies: A policy is a set of access permissions and is categorized into the following two types. You can select multiple policies.

      The system automatically identifies high-risk system policies, such as AdministratorAccess and AliyunRAMFullAccess. When you grant permissions, avoid granting unnecessary high-risk policies.

      • System policy: A policy created and maintained by Alibaba Cloud. You can use system policies but cannot modify them. For more information, see Cloud services that support RAM.

      • Custom policy: A policy managed by you. You can create, update, and delete custom policies. For more information, see Create a custom policy.

  4. In the list of policy names, select the required policies and add them to the selected list.

    • If the RAM user needs to activate the MaxCompute service later, the Alibaba Cloud account must grant the AliyunBSSOrderAccess permission to the RAM user.

    • AliyunDataWorksFullAccess: This policy is required if the RAM user needs to activate MaxCompute or add and delete projects in the legacy console.

    • AliyunMaxComputeFullAccess: This policy, or a custom policy, can be granted if the RAM user needs to manage projects and perform quota management in the new MaxCompute console. For information about the RAM permissions supported by the new console, see RAM permissions.

Step 4: Hand over the RAM user account to another user

When you hand over the RAM user account to another user, provide the following information:

  • The RAM user's account information, which includes the following:

    • The RAM user's account and password. This is the logon name and password that you saved in Step 1.

    • The RAM user's AccessKey ID and AccessKey secret. This is the AccessKey that you created in Step 2.

  • The logon method and logon link for the RAM user.

    The RAM user can log on to the Alibaba Cloud Management Console by entering their account information at the general logon URL or at a dedicated logon address. For more information, see Log on to the Alibaba Cloud Management Console as a RAM user.

  • The domain name of the Alibaba Cloud account to which the RAM user belongs.

    Log on to the RAM console. In the left navigation bar, click Overview and obtain the Default Domain from the Basic Information section.

What to do next

After you create the RAM user, you can activate the MaxCompute service. For more information, see Activate MaxCompute and DataWorks.