Specific resource management operations of MaxCompute can be performed only in the MaxCompute console. You can perform some of the resource management operations only after the required policies are attached to the RAM user or RAM role that you use. This topic describes the related permissions and policies.
Permissions
| Category | Action | ARN | ARN example | Description |
|---|---|---|---|---|
| Project management | odps:ListProjects | acs:odps:${region-id}:${resource-owner-id}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | View all projects in the specified region within the Alibaba Cloud account. |
| Project management | odps:CreateProject | acs:odps:${region-id}:${resource-owner-id}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Create a project. |
| Project management | odps:GetProject | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Obtain information about a project. |
| Project management | odps:DeleteProject | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Delete a project. |
| Project management | odps:UpdateProjectStatus | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Freeze or restore a project. |
| Project management | odps:UpdateProjectDefaultQuota | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Change the default quota of a project. |
| Project management | odps:UpdateUsersToSuperAdmin | acs:odps:${region-id}:${resource-owner-id}:projectUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projectUsers/* | Assign the Super_Administrator role to a RAM user to set the RAM user as the super administrator for a project. |
| Quota management | odps:UpdateQuota | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify a level-1 quota or a level-2 quota. |
| Quota management | odps:UpdateQuotaPlan | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify the quota plan. |
| Quota management | odps:UpdateSubQuotas | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a level-2 custom quota. |
| Quota management | odps:UpdateQuotaSchedule | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify the time plan. |
| Quota management | odps:CreateQuotaPlan | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a quota plan. |
| Quota management | odps:DeleteQuotaPlan | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Delete a quota plan. |
| Quota management | odps:CreateQuotaSchedule | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a time plan. |
| Quota management | odps:CreateQuotaRoutingRule | acs:odps:${region-id}:${resource-owner-id}:quotaRoutingRules/${quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotaRoutingRules(Name of a level-1 quota#Name of a level-2 quota) | Add a level-2 quota rule. |
| Quota management | odps:RemoveQuotaRoutingRule | acs:odps:${region-id}:${resource-owner-id}:quotaRoutingRules/${quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotaRoutingRules(Name of a level-1 quota#Name of a level-2 quota) | Remove a level-2 quota rule. |
| Quota management | odps:UpdateQuotaRoutingRule | acs:odps:${region-id}:${resource-owner-id}:quotaRoutingRules/${quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotaRoutingRules(Name of a level-1 quota#Name of a level-2 quota) | Modify a level-2 quota rule. |
| Network connection management | odps:ListNetworkLinks | acs:odps:${region-id}:${resource-owner-id}:networkLinks/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/* | View all network connections under a tenant. |
| Network connection management | odps:CreateNetworkLink | acs:odps:${region-id}:${resource-owner-id}:networkLinks/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/* | Create a network connection. |
| Network connection management | odps:GetNetworkLink | acs:odps:${region-id}:${resource-owner-id}:networkLinks/${networkLinks-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(Name of the network connection) | Obtain information about a network connection. |
| Network connection management | odps:RemoveNetworkLink | acs:odps:${region-id}:${resource-owner-id}:networkLinks/${networkLinks-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(Name of the network connection) | Delete a network connection. |
| Tenant-level user and role management | odps:ListTenantUsers | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | View tenant-level users. |
| Tenant-level user and role management | odps:AddTenantUsers | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | Add tenant-level users. |
| Tenant-level user and role management | odps:RemoveTenantUsers | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | Delete tenant-level users. |
| Tenant-level user and role management | odps:UpdateTenantRolesToUser | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | Change the tenant-level role of a user. |
| Tenant-level user and role management | odps:ListAllTenantRoles | acs:odps:${resource-owner-id}:tenantRoles/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/* | View tenant-level roles. |
| Tenant-level user and role management | odps:CreateTenantRole | acs:odps:${resource-owner-id}:tenantRoles/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/* | Create a tenant-level role. |
| Tenant-level user and role management | odps:UpdateTenantRolePolicy | acs:odps:${resource-owner-id}:tenantRoles/${role-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Update the policy that is attached to a tenant-level role. |
| Tenant-level user and role management | odps:GetTenantRolePolicy | acs:odps:${resource-owner-id}:tenantRoles/${role-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Obtain the policy that is attached to a tenant-level role. |
| Tenant-level user and role management | odps:RemoveTenantRole | acs:odps:${resource-owner-id}:tenantRoles/${role-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Delete a tenant-level role. |
| Cost analysis | odps:SumBills | acs:odps:${region-id}:${resource-owner-id}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
| Cost analysis | odps:SumBillsByDate | acs:odps:${region-id}:${resource-owner-id}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
| Cost analysis | odps:SumDailyBillsByItem | acs:odps:${region-id}:${resource-owner-id}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
| Cost analysis | odps:SumComputeMetricsByRecord | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:SumComputeMetricsByUsage | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:ListComputeMetricsByInstance | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:ListComputeMetricsBySignature | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:SumStorageMetricsByDate | acs:odps:${region-id}:${resource-owner-id}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | View the storage usage analysis. |
| Cost analysis | odps:SumStorageMetricsByType | acs:odps:${region-id}:${resource-owner-id}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | View the storage usage analysis. |
Note the effect of the ListProjects and GetProject permissions on what a RAM user can see in the console:

- If a RAM user is explicitly allowed ("Effect": "Allow") to perform the ListProjects and GetProject operations, the RAM user can view the list and information of all MaxCompute projects (including the projects that are not added) in the specified region within the Alibaba Cloud account.
- If a RAM user is explicitly forbidden ("Effect": "Deny") to perform the ListProjects and GetProject operations, the RAM user cannot view the information of any MaxCompute project (including the projects that are added) in the specified region within the Alibaba Cloud account.
- If no policy attached to the RAM user specifies whether the ListProjects and GetProject operations are allowed, the RAM user can view the list and information of the existing MaxCompute projects in the specified region within the Alibaba Cloud account.
Description of the Condition element
The Condition element is used to specify the conditions that are required for a policy to take effect. The Condition element consists of one or more conditions. Each condition consists of condition operators, condition keys, and condition values. For more information about the Condition element, see Condition.
The following tables describe the category of condition operators and the condition key in the Condition element of MaxCompute.
Category of condition operators

| Category | Condition operator |
|---|---|
| Boolean | Bool |

Condition key

| Condition | Description |
|---|---|
| odps:Encryption | Specifies whether to encrypt a MaxCompute project when you create the project. Valid values: true (the project is encrypted) and false (the project is not encrypted). For more information about MaxCompute data encryption, see Data encryption. |
Policies
Resource Access Management (RAM) supports the following types of policies: system policies that are managed by Alibaba Cloud and custom policies that are managed by customers.
System policies
RAM provides the following system policies for MaxCompute:
- AliyunMaxComputeFullAccess: This policy includes all access permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role. If you attach this policy to a RAM user or a RAM role, the RAM user or the RAM role may have excessive permissions. Proceed with caution.
- AliyunMaxComputeReadOnlyAccess: This policy includes all List and Get permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role.
Custom policies
You can create custom policies for fine-grained permission management in the RAM console. For more information, see Create a custom policy. A RAM policy consists of the Version and Statement elements. A Statement contains the Effect, Action, Resource, and Condition fields. The Condition field is optional. The values of the Action and Resource fields are obtained from the Action and Alibaba Cloud Resource Name (ARN) values in the permission list. For more information, see Permissions. The values of the Condition field are obtained from the condition description. For more information, see Condition description. For more information about the syntax and structure of RAM policies, see Policy syntax and structure.
The following sample code provides examples of custom policies.
Policy for managing MaxCompute projects
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "odps:ListProjects",
        "odps:GetProject",
        "odps:CreateProject",
        "odps:DeleteProject",
        "odps:UpdateProjectDefaultQuota"
      ],
      "Resource": "*"
    }
  ]
}
```
Policy for managing MaxCompute quotas
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "odps:UpdateQuota",
        "odps:UpdateQuotaPlan",
        "odps:UpdateSubQuotas",
        "odps:UpdateQuotaSchedule",
        "odps:CreateQuotaPlan",
        "odps:DeleteQuotaPlan",
        "odps:CreateQuotaSchedule"
      ],
      "Resource": "*"
    }
  ]
}
```
Policy for prohibiting the creation of non-encrypted MaxCompute projects
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "odps:CreateProject",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "odps:Encryption": [
            "false"
          ]
        }
      }
    }
  ]
}
```