How to create and manage MaxCompute projects in the console - MaxCompute

A project is the basic organizational unit in MaxCompute. It serves as the primary boundary for multi-user isolation and access control. The MaxCompute console provides a centralized project management interface. You can use this interface to intuitively and efficiently grant permissions to team members, configure project security policies, or adjust compute and storage properties.

Permissions

Operation	Description
Create a project	Requires the AliyunMaxComputeFullAccess policy or the `odps:CreateProject` Resource Access Management (RAM) permission. The project creator becomes the `Super_Administrator` by default and has full control over the project.
Configure a project	Editing basic information requires RAM permissions. Configuring parameters of basic properties requires RAM permissions or the Super_Administrator role for the project.
Data operations	Data operations within a project require you to grant object-level permissions in the project. If you perform data operations using the MaxCompute console or OpenAPI, RAM permissions are also required.
Configure permission properties	Requires RAM permissions, or an administrative role (Admin) for the project, such as Super_Administrator, Admin, or a custom administrative permission.
Configure IP whitelist parameters	Requires RAM permissions, or an administrative role (Admin) for the project, such as Super_Administrator, Admin, or a custom administrative permission.

Note

By default, an Alibaba Cloud account has the permissions to create and configure projects. However, you must still grant permissions for data operations.

Usage notes

Permanent deletion: Deleting a project is a high-risk, irreversible operation. This operation permanently destroys all data and resources in the project. Back up your data before you delete a project.
Scope of features: The console focuses on project-level management and configuration. To create and develop data assets, such as tables, resources, and user-defined functions (UDFs), you must use a developer tool, such as the MaxCompute client or DataWorks.
Permission usage: The Super_Administrator and Admin roles in a project have all or most of the permissions to manage the project. Grant these roles with caution.

Go to project management

Log on to the MaxCompute console and select a region in the top-left corner.
In the navigation pane on the left, choose Manage Configurations > Projects.

Basic project operations

Create a project

On the Projects page, click Create Project. In the Create Project dialog box, configure the project parameters and click OK.

For more information, see Appendix: Project configuration parameters.

Edit a project

On the Projects page, find the target project and click Manage in its Actions column.
On the Project Settings page, click the Parameter Configuration tab.
Edit the project parameters.
For more information, see Appendix: Project configuration parameters.

Follow a project

On the Projects page, hover over the name of the target project and click the icon to Follow the project.
On the Overview page, the My Following section lists the Projects that you follow.

Delete a project

On the Projects page, in the Actions column for the target project, click Delete.
In the Delete Project dialog box, select the Are you sure that you want to delete the MaxCompute project? checkbox and click OK to delete the MaxCompute project.
Currently, MaxCompute projects can only be Immediately Delete and Prohibit Project Restoration.

Important

Deleting a project has the following effects:

Permanent data loss: All tables and data in the project are immediately and permanently deleted and cannot be restored. After a project is deleted, it takes time for the data to be cleared. The larger the project, the longer the cleanup process takes. If you try to create a project with the same name immediately and receive an error that the project already exists, wait a few moments and try again.
Job failures: All jobs submitted to the project fail because the project no longer exists.
Workspace errors: If a DataWorks workspace is attached to the project, you must detach it before you delete the project. Deleting the MaxCompute project directly causes errors in the associated DataWorks workspace.

Freeze and resume a project

You can change the status of a MaxCompute project in the following two ways:

Freeze: Stops the service. A frozen project prevents jobs from running and data from being queried. The data is retained, but storage fees continue to accrue.
A frozen project has a Status of Stopped. If your account has an overdue payment, you can restore all frozen projects by renewing your service.
On the Projects page, go to the Actions column for the target project and click Freeze.
Restore: Resumes a project that is stopped or pending deletion. Once restored, the project's Status changes to Normal.
On the Projects page, in the Actions column for the target project, click Restore.

Tag management

Tags are a unified resource management tool from Alibaba Cloud. You can use them for cost allocation, resource grouping, and automated Operations and Maintenance (O&M). You can view and attach tags on the project management page in the MaxCompute console.

Create a tag for a single project

Hover over the icon in the Tag column for the target project and click Edit/Edit.
If a resource has no tags, Edit is displayed. Otherwise, Edit is displayed.
In the Configure Tags dialog box, you can enter a Tag Key and a Tag Value.
Click OK. In the Configure Tags successfully dialog box, click Close.

Create tags for multiple projects in batches

Select the projects that you want to tag, and click Batch Add Tag at the bottom of the page.
In the Configure Tags dialog box, you can enter a Tag Key and a Tag Value.
Click OK. In the Configure Tags successfully dialog box, click Close.

Detach a tag from a single project

In the Tag column for the target project, hover over the icon and click Edit.
In the Configure Tags dialog box, click the icon next to the tag to detach.
Click OK. Then, in the Configure Tags successfully dialog box, click Close.

Detach tags from multiple projects in batches

Select the projects that you want to detach tags from and click Batch Remove Tag at the bottom of the page.
In the Delete Tags for Multiple Resources dialog box, select the tags to detach.
Click Detach x Tags, where x is the number of tags to detach. When the Configure Tags successfully dialog box appears, click Close.

Use tags

On the Projects page, click Filter by Tag to filter by tag key and tag value.

Manage project assets

You can use the project management feature to view packages, tables, resources, user-defined functions (UDFs), and periodic tasks in a MaxCompute project. You can also configure schema support.

Configure a schema

On the Projects page, find the target project, and in the Actions column, click Upgrade to Support Schemas.

If this button is not displayed, the project already supports schemas.

Use packages for resource reuse

You can use packages to access resources across MaxCompute projects.

Packages are often used in scenarios where you need to share tables, resources, and functions, but not compute resources, or where data permission management is not a concern.

A package involves a resource provider and a resource consumer. The following procedure describes how to grant cross-project access using a package.

Share a package as a resource provider

On the Projects page, find the target project and click Manage in its Actions column.
On the Project Settings page, click the Package tab.
On the Project Settings page, click the Package tab.
In the Create Package dialog box, enter a Package Name, select the Table, Resource, and Function to share, and set the permissions. Then, click OK to create the package.
On the Package tab, in the Actions column for the target package, click Specify Project. In the Specify Project dialog box, enter the names of the projects that are allowed to install this package.

Install a package as a resource consumer

On the Project Settings page, click the Package tab.
Click Install Package.
In the Install Package dialog box, enter the Package Name and click OK to install the package.
The format is projectName.package_name. You can install only one package at a time.
(Optional) Grant the package permissions to a role, and then grant the role to a user. For more information, see Manage user permissions in the console.

For more information about how to perform these operations using the command line, see Access resources across projects based on packages.

View tables, resources, UDFs, and periodic tasks

On the Project Settings page, you can view the tables, resources, user-defined functions (UDFs), and periodic tasks in the project.
Operations such as creating, modifying, and deleting these assets are not performed in the project management console. You must use a development tool, such as the MaxCompute client (odpscmd) or DataWorks, to work with tables, resources, and UDFs.

Permission configuration

Role permissions and authorization

Manage project role permissions and grant roles to users.

On the Project Settings page, click the Role Permissions tab.
Click Create Project-level Role to create a project-level role with MaxCompute permissions.

In the Create Role dialog box, configure the role parameters and click OK.

For more information, see Appendix: Project configuration parameters.

You can grant users permissions to operate on projects, tables, models, resources, functions, or instances. The following table lists the permissions that can be granted.

Object	Permission
Table	Describe, Select, Update, Alter, Drop, ShowHistory, Download
Resource	Read, Write, Download, Delete
Function	Read, Write, Download, Execute, Delete
Package	Read
Project	Read, Write, List, CreateTable, CreateInstance

Select a project-level role and click Manage Members in the Actions column. Select the Alibaba Cloud account or RAM user to whom you want to grant permissions, and click OK. If you cannot find the account by searching, you can add it in the Add Member section.

View project members

In MaxCompute, you must add users to a project before granting them permissions. On the Project Settings page, click the Project Member tab to view the permission details for all project members.

What to do next

To start developing in your project, you must prepare a development environment and install the necessary tools. For more information about how to prepare the environment and install tools, see Select a connection tool.

Appendix: Project configuration parameters

The following table describes all the parameters that you can configure in the console when you create or configure a project.

Category	Parameter	Description	Configurable at creation
Basic Information	Project Name (Globally Unique)	The name is globally unique and cannot be changed after creation. It must start with a letter and can contain letters, digits, and underscores (_). The length must be 3 to 28 characters.
	Billing Method	Specify the Billing Method and set the Default Quota. All compute jobs that do not have a specified quota use the Default Quota. Subscription: Suitable for business scenarios that require long-term stable operation. This method provides guaranteed compute resources and prevents uncertainty caused by resource contention. Pay-as-you-go: Suitable for business scenarios that are short-term or in the testing phase. This method provides flexible billing based on actual usage. For information about how to select a quota type, see Compute resources - Quota management. For more information about usage logic, see Compute resources - Quota usage.
	Default Quota
	Total Storage	The current storage size of the project. This amount is consistent with the metering standard, which is the logical storage size after compression, collected by project.
Lifecycle Configuration	Data Retention Lifecycle	Specifies Configure Lifecycle for tables in the project. This sets the `odps.table.lifecycle` property. Valid values: Optional: The Lifecycle clause is optional when you create a table. If you do not set a lifecycle for a table, the table never expires. Mandatory: The Lifecycle clause is required. You must set a lifecycle for the table. Inherit: If you do not set a lifecycle for a table when you create it, the table inherits its lifecycle from the odps.table.lifecycle.value property by default. The odps.table.lifecycle.value property sets the table lifecycle in days. The value range is `1~37231`, and the default value is 37231.
Lifecycle Configuration	Tiered Storage Lifecycle	Defines a tiered storage lifecycle rule. This rule triggers the automatic conversion of storage classes. The storage class is changed if either the Last Access Configuration Policy or the Last Modified Configuration Policy is met. For non-partitioned tables: The rule applies directly to the entire table. When the condition is met, the storage class of the table is automatically converted from Standard to Infrequent Access. For partitioned tables: The rule applies to each partition independently, not the entire table. When a partition meets the condition, only the storage class of that partition is converted. Other partitions are not affected. For more information, see Automatic configuration through lifecycle rules.
Super Administrator	Member	View or edit the members of the `super_administrator` role for the project. This setting has the same effect as managing members for the `super_administrator` role on the Role Permissions tab. However, this operation supports RAM permission verification. A RAM user with the `UpdateUsersToSuperAdmin` permission can set members for the `super_administrator` role of the project here. For more information, see RAM permissions.
Basic Properties	Allow full table scan for partitioned tables	Specifies whether to allow full table scans in the project. This sets the `odps.sql.allow.fullscan` property. Full table scans consume a large amount of resources. To improve processing efficiency, do not enable this feature.
	Backup data retention period	Sets the retention period for backup data in the project, in days. This sets the `odps.timemachine.retention.days` property. During this period, you can restore the current version to any backed-up data version. The value can be from 0 to 30. The default value is 1. A value of 0 disables the backup feature.
	Data Type Edition	The data type version for the project. 1.0 data type: Suitable for early MaxCompute projects where dependent product components do not support the 2.0 data type version. 2.0 data type: Suitable for MaxCompute projects that had no historical data before April 2020 and where dependent product components support the 2.0 data type version. Hive-compatible type: Suitable for MaxCompute projects migrated from Hadoop where dependent product components support the 2.0 data type version.
	DECIMAL in MaxCompute V2.0	Specifies whether to enable the MaxCompute V2.0 Decimal data type for the project. This sets the `odps.sql.decimal.odps2` property.
	Storage Type	The data storage class is a project-level setting. For information about storage specifications and billing, see Storage fees. Multi-zone Storage: Uses a multi-zone data redundancy mechanism to store redundant copies of user data in multiple zones within the same region. Single-zone Storage: Uses a single-zone data redundancy mechanism to store redundant copies of user data on multiple storage devices within a single zone. Important Choose Multi-AZ storage for data related to enterprise production services to protect against zone-level failures. In case of a zone-level failure, this ensures uninterrupted data read and write services and maintains data integrity and security. For more information, see Zone-disaster recovery.
	Storage Encryption	Specifies whether to enable storage encryption for the MaxCompute project. If you enable encryption, you must select a key and an algorithm: Key: The key type used by the project. Options include the default key (MaxCompute Default Key) and a Bring-Your-Own-Key (BYOK). The default key is created internally by MaxCompute. Algorithm: The encryption algorithm supported by the key. Options include AES256, AESCTR, and RC4.
	Default Tunnel Quota	The default resource group for Data Transmission Service that is used when no specific quota is specified for reading or writing data in the project. The default value is Default, which represents the public Data Transmission Service resource group. You cannot change this setting in the console.
	Authorized Tunnel Quota	The project has authorized all users and roles to use the configured exclusive resource group to perform data read and write tasks. Therefore, even without manual authorization, you can specify the configured exclusive resource group quota in an SDK to perform data read and write tasks for the project. A project can be configured with only one exclusive resource group.
	Overlay Tunnel Quota	An enhanced feature for exclusive Data Transmission Service resource groups that lets you stack an exclusive resource group and the Default resource group. After you configure a purchased exclusive resource group here, the maximum concurrency for the project is increased to the sum of the resources of the public Data Transmission Service resource group and the exclusive resource group. A project can be configured with only one exclusive resource group, but multiple projects can be configured with the same exclusive resource group. For stacked usage, the quota group must be set to Default. To use the storage API operation, you must still specify the exclusive resource group. The QuotaName format is: ot_42854300324**_169821756_p#ot_42854300324_169821756. Note This enhanced feature is supported only in some regions, as shown in the console. Default quota and Authorized quota for Data Transmission Service. Overlay** quota for Data Transmission Service.
	Max Resources Consumed by An SQL Statement	Sets the maximum consumption threshold for a single SQL query. This sets the `odps.sql.metering.value.max` property. The unit is: Scanned data (GB) × Complexity. This parameter is optional. Set this parameter for the Pay-as-you-go billing method to prevent unexpectedly high costs for a single SQL query. Also, configure real-time consumption monitoring and alerts to prevent consumption from exceeding your expectations. For more information, see Consumption control for monitoring and alerts.
	Time Zone	The time zone for the project. This sets the `odps.sql.timezone` property. This affects the calculation results of all time-related functions, such as `NOW()` and `GETDATE()`, to ensure consistent and expected results when teams or applications across different regions process time data.
Permission Properties	ACL-based Access Control	Specifies whether to use the ACL access control feature. This sets the `CheckPermissionUsingACL` property. By default, this feature is enabled (true).
	Policy-based Access Control	Specifies whether to use the policy-based access control feature. This sets the `CheckPermissionUsingPolicy` property. The default value is true, which enables this feature.
	Perform Operations on Objects by Object Creator	Specifies whether to grant object creators access permissions to the objects they create. This sets the `ObjectCreatorHasAccessPermission` property. By default, this is allowed.
	Grant Permissions on Objects by Object Creator	Specifies whether to grant object creators authorization permissions for the objects they create. This sets the `ObjectCreatorHasGrantPermission` property. By default, this is allowed.
	Label-based Access Control	Specifies whether to use the label-based access control feature. This sets the `LabelSecurity` property. By default, this feature is disabled.
	Project Data Protection	Specifies whether to enable the data protection mechanism for the project. This sets the `ProjectProtection` property to prohibit or allow data to flow out of the project. If you enable Project Data Protection, you can also set an Exception or a Trusted Project. For more information, see Data protection mechanism.
	Download Permission	Specifies whether to enable the Download permission control feature. This sets the `odps.security.enabledownloadprivilege` property.
	Enable Project-level Tenant Resource Access Control	You can view the tenant resources attached to the project. For more information, see Project-level tenant resource access control. Note This feature is currently for preview only and does not support enabling checks.
IP Address Whitelist	Internet and Cloud Product Interconnection Network IP Address	The IP whitelist for the public network and interconnected cloud services. Only devices with IPs in the whitelist can access the project. Important If you configure only the IP whitelist for the public network and interconnected cloud services, access from these networks is restricted by the configuration, and all access from VPC networks is denied.
IP Address Whitelist	VPC IP Addresses	The IP whitelist for the VPC network. Only devices with IPs in the whitelist can access the project. Important If you configure only the IP whitelist for the VPC network, access from the VPC network is restricted by the configuration, and all access from the public network and interconnected cloud services is denied.
MaxCompute External Network	Available MaxCompute External Network Addresses	You can add or delete the public IP addresses or domain names and ports that you want to access. For more information, see Access the public network.
Intelligent Optimization Switch	AutoMV	If you enable this feature, the system automatically creates materialized views based on user job query patterns and performance to improve compute efficiency and reduce redundant computations.
Intelligent Optimization Switch	Maximum Storage for AutoMV	Sets the upper limit for storage resources that AutoMV can use. If this limit is exceeded, AutoMV stops writing data to the created materialized views. For more information, see Manage the AutoMV switch and set the storage resource limit.