If a MaxCompute project needs to be maintained by multiple users, the users that are not the owner of the project must be added to the MaxCompute project and granted the related permissions to manage the tables, resources, functions, or job instances in MaxCompute. This topic describes the operations that can be performed in MaxCompute to manage users.

Background information

After a MaxCompute project is created, only the project owner and a user that is assigned a built-in role of MaxCompute can access the MaxCompute project. To allow other users to collaborate on the project, the project owner must add the users to the MaxCompute project.

The following table describes the user types and the operations that can be performed to manage users in MaxCompute.

All of the following operations are performed at the project level by the project owner or by a user that is assigned a built-in role of MaxCompute.

  • Alibaba Cloud account
    • Add an Alibaba Cloud account (project-level): adds another Alibaba Cloud account to the MaxCompute project.
    • Remove an Alibaba Cloud account (project-level): removes an Alibaba Cloud account that is added to the MaxCompute project.
  • RAM user
    • Add a RAM user (project-level): adds a RAM user that belongs to the Alibaba Cloud account of the MaxCompute project to the project.
    • Remove a RAM user (project-level): removes a RAM user that is added to the MaxCompute project.
  • RAM role
    • Add a RAM role (project-level): adds a RAM role that is created in the RAM console to the MaxCompute project.
    • Remove a RAM role (project-level): removes a RAM role that is added to the MaxCompute project.
  • All user types
    • View the user list (project-level): views the users that are added to the MaxCompute project.

Add an Alibaba Cloud account (project-level)

If the project owner wants to grant permissions to another Alibaba Cloud account, the project owner must add the Alibaba Cloud account to the MaxCompute project. Only the users that are added to the MaxCompute project can be granted permissions.

  • Syntax
    add user ALIYUN$<account_name>;
  • Parameters
    Parameter Required Description
    account_name Yes The name of the Alibaba Cloud account, such as odps_test_user@aliyun.com.
  • Example

    Add the Alibaba Cloud account odps_test_user@aliyun.com to the MaxCompute project test_project_a. Sample statement:

    add user ALIYUN$odps_test_user@aliyun.com;

Remove an Alibaba Cloud account (project-level)

If a user leaves the MaxCompute project team, the user must be removed from the project. After the user is removed, the user no longer has the permissions to access the resources of the project.

  • Syntax
    remove user ALIYUN$<account_name>;
  • Precautions
    • Before you remove a user that is assigned a role, you must revoke the role from the user. For more information about how to view the information of the role that is assigned to a user, see Query permissions. For more information about how to revoke a role from a user, see Revoke a role from a user.
    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
  • Parameters
    Parameter Required Description
    account_name Yes The name of the Alibaba Cloud account, such as odps_test_user@aliyun.com.

    You can run the list users; command to obtain the information of the Alibaba Cloud account by using the MaxCompute client.

  • Examples
    • Example 1: Remove the Alibaba Cloud account odps_test_user@aliyun.com that is added to the MaxCompute project test_project_a. In this example, the Alibaba Cloud account odps_test_user@aliyun.com is not assigned a role. Sample statement:
      remove user ALIYUN$odps_test_user@aliyun.com;
    • Example 2: Remove the Alibaba Cloud account odps_test_user@aliyun.com that is added to the MaxCompute project test_project_a. In this example, the Alibaba Cloud account odps_test_user@aliyun.com is assigned a role named Worker. Sample statement:
      -- Revoke the Worker role from the Alibaba Cloud account odps_test_user@aliyun.com. 
      revoke Worker from ALIYUN$odps_test_user@aliyun.com;
      -- Remove the Alibaba Cloud account odps_test_user@aliyun.com. 
      remove user ALIYUN$odps_test_user@aliyun.com;

Add a RAM user (project-level)

If the project owner wants to grant permissions to a RAM user, the project owner must add the RAM user to the MaxCompute project. Only the RAM users that are added to the MaxCompute project can be granted permissions.

  • Syntax
    add user RAM$[<account_name>:]<RAM user>;
  • Limits
    • You can add only the RAM users that belong to your Alibaba Cloud account to a MaxCompute project. If you want to add a RAM user of another Alibaba Cloud account to the MaxCompute project, you must add the Alibaba Cloud account to which the RAM user belongs to the MaxCompute project. Then, go to the MaxCompute project by using the newly added Alibaba Cloud account and add the RAM user to the MaxCompute project.
    • When you add a RAM user to a MaxCompute project, you must verify that the MaxCompute project supports the RAM account system. You can run the list accountproviders; command to check whether the MaxCompute project supports the RAM account system. If RAM does not appear in the query results, you can run the add accountprovider ram; command to add the RAM account system for the MaxCompute project.
    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
  • Precautions

    MaxCompute projects recognize only the RAM account system but not the RAM permission system. After RAM users of your Alibaba Cloud account are added to a MaxCompute project, MaxCompute authenticates these RAM users but does not consider the permission definitions in RAM.

  • Parameters
    Parameter Required Description
    account_name No The name of the Alibaba Cloud account to which the RAM user belongs, such as odps_test_user@aliyun.com.
    RAM user Yes The display name of the RAM user.

    To obtain the display name of a RAM user in the RAM console, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Users. You can view the display name of a RAM user on the Users page.

  • Example

    Add the RAM user RAM$odps_test_user@aliyun.com:ram_test to the MaxCompute project test_project_a. Sample statement:

    add user RAM$ram_test;
    -- The preceding statement is equivalent to the following statement: 
    add user RAM$odps_test_user@aliyun.com:ram_test;

Remove a RAM user (project-level)

If a RAM user leaves the MaxCompute project team, the RAM user must be removed from the project. After the RAM user is removed, the RAM user no longer has the permissions to access the resources of the project.

  • Syntax
    remove user RAM$[<account_name>:]<RAM user>;
  • Precautions
    • Before you remove a RAM user that is assigned a role, you must revoke the role from the user. Otherwise, information of the RAM user remains in the project. When you query the user, p4_xxxxxxxxxxxxxxxxxxxx is displayed and you cannot delete the information. However, the project can be used as expected. For more information about how to view the information of the role that is assigned to a user, see Query permissions. For more information about how to revoke a role from a user, see Revoke a role from a user.
    • After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
  • Parameters
    Parameter Required Description
    account_name No The name of the Alibaba Cloud account to which the RAM user belongs, such as odps_test_user@aliyun.com.
    RAM user Yes The display name of the RAM user.

    To obtain the display name of a RAM user in the RAM console, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Users. You can view the display name of a RAM user on the Users page.

  • Examples
    • Example 1: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test that is added to the MaxCompute project test_project_a. In this example, the RAM user RAM$odps_test_user@aliyun.com:ram_test is not assigned a role. Sample statement:
      remove user RAM$ram_test;
      -- The preceding statement is equivalent to the following statement: 
      remove user RAM$odps_test_user@aliyun.com:ram_test;
    • Example 2: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test that is added to the MaxCompute project test_project_a. In this example, the RAM user RAM$odps_test_user@aliyun.com:ram_test is assigned a role named Worker. Sample statement:
      -- Revoke the Worker role from the RAM user RAM$odps_test_user@aliyun.com:ram_test. 
      revoke Worker from RAM$odps_test_user@aliyun.com:ram_test;
      -- Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test. 
      remove user RAM$ram_test;
      -- The preceding statement is equivalent to the following statement: 
      remove user RAM$odps_test_user@aliyun.com:ram_test;
      -- Remove the RAM account system if you no longer use RAM users. 
      remove accountprovider ram;

Add a RAM role (project-level)

You can create a RAM role and modify the policy that is attached to the RAM role in the RAM console. Then, you can add the RAM role to a MaxCompute project. RAM users in the project can assume the RAM role to perform operations.

RAM roles are different from the MaxCompute built-in or custom roles described in Role planning and management. Instead, RAM roles are roles in the RAM console. For more information about how to use a RAM role, see Assume a RAM role.

Subsequent operations need to be performed on DataWorks. Therefore, when you modify the trust policy that is attached to the RAM role, you must allow the DataWorks service to assume the RAM role. This way, you can submit periodic scheduling jobs to MaxCompute on DataWorks. The following code shows the trust policy that is attached to the RAM role.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dataworks.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

For more information about how to create a RAM role or configure the policy that is attached to a RAM role, see Create a RAM role for a trusted Alibaba Cloud account, Create a RAM role for a trusted IdP, Create a RAM role for a trusted Alibaba Cloud service, or Edit the trust policy of a RAM role.

  • Syntax
    add user `RAM$<account_name>:role/<RAM role>`;
  • Precautions

    The grave accent (`) in the preceding command is required.

  • Parameters
    Parameter Required Description
    account_name Yes The name of the Alibaba Cloud account to which the RAM role belongs, such as odps_test_user@aliyun.com.
    RAM role Yes The name of the RAM role.

    To obtain the name of a RAM role in the RAM console, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. You can view the name of a RAM role on the Roles page.

  • Example

    Add the RAM role ram_role to the MaxCompute project test_project_a. Sample statement:

    add user `RAM$odps_test_user@aliyun.com:role/ram_role`;

Remove a RAM role (project-level)

You can remove the RAM role that is added to a MaxCompute project.

  • Syntax
    remove user `RAM$<account_name>:role/<RAM role>`;
  • Precautions

    The grave accent (`) in the preceding command is required.

  • Parameters
    Parameter Required Description
    account_name Yes The name of the Alibaba Cloud account to which the RAM role belongs, such as odps_test_user@aliyun.com.
    RAM role Yes The name of the RAM role.

    To obtain the name of a RAM role in the RAM console, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. You can view the name of a RAM role on the Roles page.

  • Example

    Remove the RAM role ram_role from the MaxCompute project test_project_a. Sample statement:

    remove user `RAM$odps_test_user@aliyun.com:role/ram_role`;

View the user list (project-level)

You can view the users that are added to a MaxCompute project.

  • Syntax
    list users;
  • Example
    View the users that are added to a MaxCompute project. Sample statement:
    list users;
    The following result is returned:
    ALIYUN$odps_test_user@aliyun.com
    RAM$odps_test_user@aliyun.com:ram_test
    RAM$odps_test_user@aliyun.com:role/ram_role
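The following helper is an added example, not a MaxCompute tool, that ties together the sections above: it classifies the entries in `list users;` output by the identifier forms used in add user and remove user, flags the residual p4_ entries that the Remove a RAM user section says are left behind when a RAM user is removed before its role is revoked, and builds the revoke-then-remove statements, wrapping RAM roles in the required grave accents. The sample `list users;` output is constructed from the entries on this page.

```python
import re
from typing import List, Sequence

# Constructed sample of `list users;` output: the three entries shown on this
# page plus the p4_ placeholder the page says is left behind when a RAM user is
# removed before its role is revoked.
SAMPLE_LIST_USERS = """\
ALIYUN$odps_test_user@aliyun.com
RAM$odps_test_user@aliyun.com:ram_test
RAM$odps_test_user@aliyun.com:role/ram_role
p4_xxxxxxxxxxxxxxxxxxxx
"""

# Identifier forms from this page:
#   ALIYUN$<account_name>
#   RAM$[<account_name>:]<RAM user>
#   RAM$<account_name>:role/<RAM role>   (account_name required, wrapped in ` `)
_ALIYUN_RE = re.compile(r"^ALIYUN\$(?P<account>\S+)$")
_RAM_RE = re.compile(r"^RAM\$(?:(?P<account>[^:\s]+):)?(?P<role>role/)?(?P<name>[^:/\s]+)$")

def classify(entry: str) -> str:
    """Return aliyun_account, ram_user, ram_role, residual or unknown."""
    entry = entry.strip().strip("`")
    if _ALIYUN_RE.match(entry):
        return "aliyun_account"
    m = _RAM_RE.match(entry)
    if m and m.group("role"):
        return "ram_role" if m.group("account") else "unknown"
    if m:
        return "ram_user"
    return "residual" if entry.startswith("p4_") else "unknown"

def residual_entries(list_users_output: str) -> List[str]:
    """p4_ entries in `list users;` output: RAM users removed without revoke."""
    lines = (line.strip() for line in list_users_output.splitlines())
    return [line for line in lines if line and classify(line) == "residual"]

def remove_statements(entry: str, assigned_roles: Sequence[str] = ()) -> List[str]:
    """Statements that remove a user the way the page prescribes: revoke each
    assigned role first, then remove. RAM roles keep the required grave accents."""
    kind = classify(entry)
    if kind in ("residual", "unknown"):
        raise ValueError(f"not a removable user identifier: {entry!r}")
    entry = entry.strip().strip("`")
    ident = f"`{entry}`" if kind == "ram_role" else entry
    stmts = [f"revoke {role} from {ident};" for role in assigned_roles]
    stmts.append(f"remove user {ident};")
    return stmts
```

Run residual_entries over real `list users;` output before and after offboarding to confirm that no p4_ entry was left behind.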

Additional information

After you complete user planning, you can grant permissions to a user based on your business requirements. For more information, see Grant permissions to users.