Only an Alibaba Cloud account can own a MaxCompute project, but daily project management—setting project flags, configuring cross-project resource sharing—cannot always be handled by the account owner. Granting the built-in Super_Administrator role to a RAM user lets that user manage the project on behalf of the owner without sharing Alibaba Cloud account credentials.
How it works
MaxCompute provides two built-in management roles:
| Role | Permissions | Maximum holders |
|---|---|---|
| Super_Administrator | All permissions for all resource types in the project, plus project management permissions | 1 RAM user per project |
| Admin | Basic management permissions | Multiple users |
The project owner grants Super_Administrator to one designated RAM user. That RAM user can then perform most day-to-day project management tasks. For the full permission list, see Role planning.
A RAM user with Super_Administrator already has full query and management permissions for all resources in the project. No additional grants are needed.
Prerequisites
Before you begin, ensure that you have:
An Alibaba Cloud account that owns the MaxCompute project
A RAM user created under that Alibaba Cloud account (only the Alibaba Cloud account owner can create RAM users)
DataWorks management permissions granted to the RAM user — see Grant DataWorks management permissions to a RAM user
Grant the Super_Administrator role
The project owner must perform the grant. Choose one of the following methods.
Grant permissions using the MaxCompute client (odpscmd)
The MaxCompute client (odpscmd) lets you grant both super_administrator and admin in a single session.
In the following example, bob@aliyun.com is the Alibaba Cloud account (project owner) and Allen is a RAM user under that account.
-- Switch to the target project
USE project_a;
-- Add the RAM user to the project
ADD USER ram$bob@aliyun.com:Allen;
-- Grant the super administrator role
GRANT super_administrator TO ram$bob@aliyun.com:Allen;
-- Grant the Admin role to the RAM user Allen
GRANT admin TO ram$bob@aliyun.com:Allen;
To verify, have the RAM user run the following command. If the output includes Super_Administrator, the grant succeeded.
SHOW GRANTS;
Grant permissions using DataWorks
(Optional) Add the RAM user as a project member. Skip this step if the user is already a member.
Log on to the DataWorks console and select a region in the upper-left corner.
In the left navigation pane, click Workspace.
On the Workspaces page, click the name of the target workspace.
On the Workspace Details page, click Workspace Members and Roles in the left navigation pane.
On the Workspace Members tab, click Add Members.
In the Add Members dialog box, select the RAM user from the Available Accounts list. The selected user appears in the Selected Accounts list.
Assign a role and click Confirm.
Grant the Super_Administrator role.
On the Workspace Details page, click Workspace Members and Roles in the left navigation pane.
On the Workspace Members tab, locate the target member and select Workspace Manager from the Role column.
To verify, have the RAM user run the following command. If the output includes Super_Administrator, the grant succeeded.
SHOW GRANTS;
Grant permissions using the MaxCompute console
Log on to the MaxCompute console and select a region in the upper-left corner.
In the left navigation pane, choose Manage Configurations > Projects.
On the Projects page, find the target project and click Manage in the Actions column.
On the Project Settings page, click the Role Permissions tab.
Select the super_administrator role and click Manage Members in the Actions column.
In the Manage Members dialog box, select the RAM user and click OK.
To verify, have the RAM user run the following command. If the output includes Super_Administrator, the grant succeeded.
SHOW GRANTS;
Best practices
Member management
One account per developer. Assign each RAM user to one developer. Do not share accounts. If a developer leaves, the project owner can disable that RAM user without affecting anyone else.
Add only users who run jobs in the project. For users who only need to read data from this project, use packages to share resources across projects instead of adding them as members.
Limit project members to RAM users under the project owner's account. The project owner controls those RAM users and can disable any of them quickly. If you manage project members through DataWorks, this is the only option available.
Only the Alibaba Cloud account owner can create RAM users. The super administrator cannot create RAM users directly. They must request that the Alibaba Cloud account owner create the user first, then add that user to the project.
When a member leaves, remove the RAM user from the project first, then ask the Alibaba Cloud account owner to disable the RAM user account. If the departing member holds the Super_Administrator role, the project owner must handle both steps personally.
Permission management
Use roles, not individual grants. Attach permissions to roles, then assign roles to users. This keeps permission changes manageable as the team grows.
Follow the principle of least privilege. Grant only the permissions each user needs to reduce the impact of a compromised or misused account.
Share data across projects with packages. The resource provider manages one package instead of individual members in each consuming project. See Role planning for details.
Permission audit
To check the permissions of the current user, run:
SHOW GRANTS;
For a broader audit, query the views provided by the MaxCompute global meta service. For all available views and query examples, see List of metadata views.
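An added example, not part of the original documentation: a small Python check that applies the member-management practices above (a single Super_Administrator holder, members limited to RAM users under the project owner's account) to a role-to-member mapping. The mapping format, the `audit_members` function, the `developer` role and all sample accounts are assumptions constructed for illustration.

```python
import re

# Principal format shown on this page: ram$<owner account>:<RAM user name>
RAM_PRINCIPAL = re.compile(r"^ram\$(?P<account>[^:]+):(?P<user>.+)$", re.IGNORECASE)


def audit_members(owner_account, role_members):
    """Check a role -> principals mapping against the practices on this page.

    role_members is a hypothetical export (role name -> list of principal
    strings), not the output format of any MaxCompute command.
    Returns a sorted list of (subject, finding) tuples.
    """
    # The page writes the role as both Super_Administrator and
    # super_administrator, so role names are merged case-insensitively.
    roles = {}
    for role, members in role_members.items():
        roles.setdefault(role.lower(), set()).update(members)

    findings = []
    supers = roles.get("super_administrator", set())
    if len(supers) > 1:
        findings.append(("super_administrator",
                         f"{len(supers)} holders, limit is 1 RAM user per project"))

    for principal in set().union(*roles.values()):
        match = RAM_PRINCIPAL.match(principal)
        if match is None:
            findings.append((principal, "not a RAM user principal"))
        elif match.group("account").lower() != owner_account.lower():
            findings.append((principal, "RAM user of a different account"))
    return sorted(findings)


# Constructed sample data; account, user and role names are illustrative only.
SAMPLE = {
    "Super_Administrator": ["ram$bob@aliyun.com:Allen"],
    "super_administrator": ["ram$bob@aliyun.com:Tom"],
    "admin": ["ram$bob@aliyun.com:Allen", "ram$eve@aliyun.com:Dana"],
    "developer": ["ALIYUN$carol@aliyun.com"],
}

if __name__ == "__main__":
    for subject, finding in audit_members("bob@aliyun.com", SAMPLE):
        print(f"{subject}: {finding}")
```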
Cost management
The Super_Administrator role does not include billing permissions. To let a RAM user query billing data, the Alibaba Cloud account owner must grant the following permissions separately in the User Center:
| Permission | Access level |
|---|---|
| AliyunBSSFullAccess | Full management permissions for the User Center |
| AliyunBSSReadOnlyAccess | Read-only access to the User Center |
| AliyunBSSOrderAccess | View, pay for, and cancel orders |
For instructions, see Grant permissions to a RAM role. For billing details, see View bill details.
Resource usage management
Subscription compute resources: View and manage compute resources in the MaxCompute console. See Resource observation and Manage quotas for compute resources.
Pay-as-you-go compute resources: Query the TASKS_HISTORY view in the global meta service to check completed job details, including execution time, job content, and resource consumption.
The global meta service views retain data for only the last 15 days. To retain data for a longer period, you must read and save the data on a regular basis.
What's next
Learn about all available project roles and their permissions: Role planning
Manage workspace members in DataWorks: Workspace management
Browse all metadata views for auditing: List of metadata views