MaxCompute allows you to attach Resource Access Management (RAM) policies to RAM users and RAM roles. To reduce security risks for enterprises, you can grant the permissions to access and manage MaxCompute resources within your Alibaba Cloud account to the RAM users and RAM roles based on the principle of least privilege. This topic describes the RAM policies that you can use to manage permissions on MaxCompute resources.
Background information
Custom policies
After you attach a custom policy to a RAM user or a RAM role, all permissions contained in the custom policy are granted to the RAM user or the RAM role. RAM allows you to create custom policies for fine-grained permission management. For more information, see Create a custom policy.
- Policy for managing MaxCompute projects
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:CreateProject", "odps:DeleteProject", "odps:UpdateProjectDefaultQuota" ], "Resource": "*" } ] } - Policy for managing MaxCompute quotas
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:UpdateQuota", "odps:UpdateQuotaPlan", "odps:UpdateSubQuotas", "odps:UpdateQuotaSchedule", "odps:CreateQuotaPlan", "odps:DeleteQuotaPlan", "odps:CreateQuotaSchedule" ], "Resource": "*" } ] }
System policies
RAM provides the system policy AliyunMaxComputeFullAccess for MaxCompute. This policy includes all access permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role. For more information about RAM permissions and policies, see RAM permissions. If you attach this policy to a RAM user or a RAM role, the RAM user or the RAM role may have excessive permissions. Proceed with caution.
For more information about how to attach system policies to RAM users or RAM roles, see Grant permissions to the RAM user.