This topic provides answers to some frequently asked questions about permission management of MaxCompute.


How do I read data across projects?

You can read data across projects by using a package. A package is a mechanism that is used to share data and resources across projects. It is introduced to resolve user authorization issues when you want to share data and resources across projects. To share objects of a project, the project administrator can create a package that contains the objects and authorize the administrators of other projects to install the package. After the administrators of other projects install the package, they can authorize project members to use the package.

For more information about how to use a package and control access to the package, see Cross-project resource access based on packages and Access control for packages.
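The package workflow described above, run from both projects in the MaxCompute client, as an added example that is not part of the original documentation. The project names (prj_owner, prj_consumer), the package name (sales_pkg), and the table name (sale_detail) are hypothetical; the user name is reused from the sample statement later on this page.

```sql
-- Added example; prj_owner, prj_consumer, sales_pkg and sale_detail are hypothetical names.

-- Side 1: administrator of the project that owns the data.
use prj_owner;
create package sales_pkg;
-- Add only the objects to be shared, and limit the privileges the package carries.
add table sale_detail to package sales_pkg with privileges Select;
-- Only the named project is allowed to install the package.
allow project prj_consumer to install package sales_pkg;
-- Review what the package contains and which projects may install it.
describe package sales_pkg;

-- Side 2: administrator of the project that consumes the data.
use prj_consumer;
-- Lists the packages created in this project and the packages it has installed.
show packages;
install package prj_owner.sales_pkg;
-- Installing the package does not give project members access.
-- Access is granted per user (or per role) inside the consuming project.
grant Read on package prj_owner.sales_pkg to user ram$bob@aliyun.com:Allen;

-- The authorized member can now read the shared table by its cross-project name.
select * from prj_owner.sale_detail limit 10;

-- Withdrawing access: either side can cut the sharing off.
-- Consumer side: remove the member's access to the package.
revoke Read on package prj_owner.sales_pkg from user ram$bob@aliyun.com:Allen;
-- Owner side: stop the other project from installing the package.
use prj_owner;
disallow project prj_consumer to install package sales_pkg;
```

Access is decided at two points: the owning project decides what the package exposes and which project can install it, and the installing project decides which of its members can read through it.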

Can I change the owner of a MaxCompute project to a RAM user?

No, you cannot change the owner of a MaxCompute project to a RAM user. The project owner must be the account that creates the project. A project owner can assign the Admin role to a RAM user.

Which operations cannot be performed by the RAM users assigned the Admin role?

Compared with the project owner, the RAM users assigned the Admin role cannot perform the following operations:
  • Grant the permissions of the Admin role to other users.
  • Configure the security settings of projects.
  • Modify the authentication model of projects.
  • Modify the permissions of the Admin role.

I cannot access DataWorks by using the credentials of a RAM user. An error message indicates that the AccessKey ID of the RAM user is not found, but the AccessKey ID exists. What do I do?

You must bind an AccessKey pair to the RAM user. To perform this operation, go to the Personal Information page and click Modify AccessKey Information. In the dialog box that appears, enter the AccessKey ID and AccessKey secret. Then, click Save AccessKey. After you complete the configuration, try to access DataWorks again.

What do I do if I fail to grant a RAM user the permissions on tables in the production environment?

  • Problem description
    When an Alibaba Cloud account is used to grant a RAM user the permissions on tables in the production environment, the following error message appears:
    class java.lang.IllegalArgumentException: AccessId should not be empty.
  • Cause
    The AccessKey pair of the Alibaba Cloud account or RAM user is not configured.
  • Solution
    Use the Alibaba Cloud account or the credentials of the RAM user to go to the Personal Information page, and check whether the AccessKey pair is configured. If the AccessKey pair is not configured, click Modify AccessKey Information. In the dialog box that appears, enter the AccessKey ID and AccessKey secret. Then, click Save AccessKey.

How do I grant users the permissions on tables?

Only the project owner or the RAM users assigned the Super_Administrator or Admin role can grant users the permissions on tables. You can use ACL-based authorization (GRANT) to grant users the permissions on tables. Sample statement:

grant Update on table table_name to user ram$bob@aliyun.com:Allen;

For more information about authorization, see Permissions.

How do I grant permissions to a RAM user?

Only Alibaba Cloud accounts or RAM users assigned the Super_Administrator or Admin role can grant permissions to RAM users. For more information about authorization, see Permissions.

What are the objects and actions in permission management?

MaxCompute authorization involves the following elements:
  • Subject: the users or roles to which you want to grant permissions.
  • Object: the objects on which permissions are granted to users or roles, such as projects, tables, functions, resources, and instances.
  • Action: the actions that the authorized users or roles can perform on objects, such as the actions to read data from, write data to, and query data from tables.

For more information, see Permissions.

How do I use the credentials of a RAM user to access the projects that are created by other Alibaba Cloud accounts?

For example, RAM user C (ram_user_1) of Alibaba Cloud account A wants to access the MaxCompute project that is created by Alibaba Cloud account B.

Log on to the MaxCompute console as Alibaba Cloud account B, add Alibaba Cloud account A to the project that is created by Alibaba Cloud account B, and then assign the MaxCompute Admin role to Alibaba Cloud account A. Then, use Alibaba Cloud account A to log on to the project that is created by Alibaba Cloud account B and run the add user ram$A:ram_user_1; command to add RAM user C to that project.