
MaxCompute:RAM permissions

Last Updated:Nov 24, 2023

Specific resource management operations of MaxCompute can be performed only in the MaxCompute console. You can perform some of the resource management operations only after the required policies are attached to the RAM user or RAM role that you use. This topic describes the related permissions and policies.

Permissions

| Category | Action | ARN | ARN example | Description |
| --- | --- | --- | --- | --- |
| Project management | odps:ListProjects | acs:odps:${region-id}:${resource-owner-id}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | View all projects in the specified region within the Alibaba Cloud account. |
| Project management | odps:CreateProject | acs:odps:${region-id}:${resource-owner-id}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Create a project. |
| Project management | odps:GetProject | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Obtain information about a project. |
| Project management | odps:DeleteProject | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Delete a project. |
| Project management | odps:UpdateProjectStatus | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Freeze or restore a project. |
| Project management | odps:UpdateProjectDefaultQuota | acs:odps:${region-id}:${resource-owner-id}:projects/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Change the default quota of a project. |
| Project management | odps:UpdateUsersToSuperAdmin | acs:odps:${region-id}:${resource-owner-id}:projectUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projectUsers/* | Assign the Super_Administrator role to a RAM user to set the RAM user as the super administrator for a project. |
| Quota management | odps:UpdateQuota | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify a level-1 quota or a level-2 quota. |
| Quota management | odps:UpdateQuotaPlan | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify the quota plan. |
| Quota management | odps:UpdateSubQuotas | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a level-2 custom quota. |
| Quota management | odps:UpdateQuotaSchedule | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify the time plan. |
| Quota management | odps:CreateQuotaPlan | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a quota plan. |
| Quota management | odps:DeleteQuotaPlan | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Delete a quota plan. |
| Quota management | odps:CreateQuotaSchedule | acs:odps:${region-id}:${resource-owner-id}:quotas/${object-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a time plan. |
| Quota management | odps:CreateQuotaRoutingRule | acs:odps:${region-id}:${resource-owner-id}:quotaRoutingRules/${quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotaRoutingRules(Name of a level-1 quota#Name of a level-2 quota) | Add a level-2 quota rule. |
| Quota management | odps:RemoveQuotaRoutingRule | acs:odps:${region-id}:${resource-owner-id}:quotaRoutingRules/${quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotaRoutingRules(Name of a level-1 quota#Name of a level-2 quota) | Remove a level-2 quota rule. |
| Quota management | odps:UpdateQuotaRoutingRule | acs:odps:${region-id}:${resource-owner-id}:quotaRoutingRules/${quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotaRoutingRules(Name of a level-1 quota#Name of a level-2 quota) | Modify a level-2 quota rule. |
| Network connection management | odps:ListNetworkLinks | acs:odps:${region-id}:${resource-owner-id}:networkLinks/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/* | View all network connections under a tenant. |
| Network connection management | odps:CreateNetworkLink | acs:odps:${region-id}:${resource-owner-id}:networkLinks/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/* | Create a network connection. |
| Network connection management | odps:GetNetworkLink | acs:odps:${region-id}:${resource-owner-id}:networkLinks/${networkLinks-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(Name of the network connection) | Obtain information about a network connection. |
| Network connection management | odps:RemoveNetworkLink | acs:odps:${region-id}:${resource-owner-id}:networkLinks/${networkLinks-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(Name of the network connection) | Delete a network connection. |
| Tenant-level user and role management | odps:ListTenantUsers | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | View tenant-level users. |
| Tenant-level user and role management | odps:AddTenantUsers | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | Add tenant-level users. |
| Tenant-level user and role management | odps:RemoveTenantUsers | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | Delete tenant-level users. |
| Tenant-level user and role management | odps:UpdateTenantRolesToUser | acs:odps:${resource-owner-id}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | Change the tenant-level role of a user. |
| Tenant-level user and role management | odps:ListAllTenantRoles | acs:odps:${resource-owner-id}:tenantRoles/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/* | View tenant-level roles. |
| Tenant-level user and role management | odps:CreateTenantRole | acs:odps:${resource-owner-id}:tenantRoles/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/* | Create a tenant-level role. |
| Tenant-level user and role management | odps:UpdateTenantRolePolicy | acs:odps:${resource-owner-id}:tenantRoles/${role-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Update the policy that is attached to a tenant-level role. |
| Tenant-level user and role management | odps:GetTenantRolePolicy | acs:odps:${resource-owner-id}:tenantRoles/${role-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Obtain the policy that is attached to a tenant-level role. |
| Tenant-level user and role management | odps:RemoveTenantRole | acs:odps:${resource-owner-id}:tenantRoles/${role-name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Delete a tenant-level role. |
| Cost analysis | odps:SumBills | acs:odps:${region-id}:${resource-owner-id}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
| Cost analysis | odps:SumBillsByDate | acs:odps:${region-id}:${resource-owner-id}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
| Cost analysis | odps:SumDailyBillsByItem | acs:odps:${region-id}:${resource-owner-id}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
| Cost analysis | odps:SumComputeMetricsByRecord | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:SumComputeMetricsByUsage | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:ListComputeMetricsByInstance | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:ListComputeMetricsBySignature | acs:odps:${region-id}:${resource-owner-id}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. |
| Cost analysis | odps:SumStorageMetricsByDate | acs:odps:${region-id}:${resource-owner-id}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | View the storage usage analysis. |
| Cost analysis | odps:SumStorageMetricsByType | acs:odps:${region-id}:${resource-owner-id}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | View the storage usage analysis. |

Important
  • If a RAM user is allowed ("Effect": "Allow") to perform the ListProjects and GetProject operations, the RAM user can view the list and information of all MaxCompute projects (including the projects that are not added) in the specified region within the Alibaba Cloud account.

  • If a RAM user is explicitly forbidden ("Effect": "Deny") to perform the ListProjects and GetProject operations, the RAM user cannot view the information of any MaxCompute project (including the projects that are added) in the specified region within the Alibaba Cloud account.

  • If no policy is attached to a RAM user to determine whether the RAM user is allowed to perform the ListProjects and GetProject operations, the RAM user can view the list and information of the existing MaxCompute projects in the specified region within the Alibaba Cloud account.

Description of the Condition element

The Condition element is used to specify the conditions that are required for a policy to take effect. The Condition element consists of one or more conditions. Each condition consists of condition operators, condition keys, and condition values. For more information about the Condition element, see Condition.

The following tables describe the category of condition operators and the condition key in the Condition element of MaxCompute.

  • Category of condition operators

    | Category | Condition operator |
    | --- | --- |
    | Boolean | Bool |

  • Condition key

    | Condition | Description |
    | --- | --- |
    | odps:Encryption | Specifies whether to encrypt a MaxCompute project when you create the project. Valid values: true (the project is encrypted) and false (the project is not encrypted). For more information about MaxCompute data encryption, see Data encryption. |

Policies

Resource Access Management (RAM) supports the following types of policies: system policies that are managed by Alibaba Cloud and custom policies that are managed by customers.

  • System policies

    RAM provides the following system policies for MaxCompute:

    • AliyunMaxComputeFullAccess: This policy includes all access permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role. If you attach this policy to a RAM user or a RAM role, the RAM user or the RAM role may have excessive permissions. Proceed with caution.

    • AliyunMaxComputeReadOnlyAccess: This policy includes all List and Get permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role.

  • Custom policies

    You can create custom policies for fine-grained permission management in the RAM console. For more information, see Create a custom policy. A RAM policy consists of the Version and Statement elements. A Statement contains the Effect, Action, Resource, and Condition fields. The Condition field is optional. The values of the Action and Resource fields are obtained from the Action and Alibaba Cloud Resource Name (ARN) values in the permission list. For more information, see Permissions. The values of the Condition field are obtained from the condition description. For more information, see Condition description. For more information about the syntax and structure of RAM policies, see Policy syntax and structure.

    The following sample code provides examples of custom policies.

    • Policy for managing MaxCompute projects

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "odps:ListProjects",
                      "odps:GetProject",
                      "odps:CreateProject",
                      "odps:DeleteProject",
                      "odps:UpdateProjectDefaultQuota"
                  ],
                  "Resource": "*"
              }
          ]
      }

    • Policy for managing MaxCompute quotas

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "odps:UpdateQuota",
                      "odps:UpdateQuotaPlan",
                      "odps:UpdateSubQuotas",
                      "odps:UpdateQuotaSchedule",
                      "odps:CreateQuotaPlan",
                      "odps:DeleteQuotaPlan",
                      "odps:CreateQuotaSchedule"
                  ],
                  "Resource": "*"
              }
          ]
      }

    • Policy for prohibiting the creation of non-encrypted MaxCompute projects

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": "odps:CreateProject",
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "odps:Encryption": [
                              "false"
                          ]
                      }
                  }
              }
          ]
      }
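The following is an added example, not code from this page or from Alibaba Cloud, that models how the custom policies above combine with the Bool condition on odps:Encryption described in the Condition section. It is a simplified policy evaluator: an explicit Deny wins over any Allow, a request that matches no statement is reported as NoMatch (so the service default applies), and Action and Resource values are matched with `*` wildcards. It also includes a small least-privilege lint that flags Allow statements granting Delete or Remove actions on `"Resource": "*"`, which is how the page's project-management sample is written. The policies, ARN values and request contexts are constructed from the Action and ARN values listed on this page; treating a condition key missing from the request as "not satisfied" and case-sensitive matching are assumptions of this model, not documented RAM behaviour.

```python
import fnmatch
import json

# Constructed sample policies, using only Action and ARN values listed on this page.
# Scoped variant: project actions limited to one region and account, without DeleteProject.
SCOPED_PROJECT_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "odps:ListProjects",
                "odps:GetProject",
                "odps:CreateProject",
                "odps:UpdateProjectDefaultQuota",
            ],
            "Resource": "acs:odps:cn-hangzhou:12345:projects/*",
        }
    ],
}

# The page's Deny sample: block creation of non-encrypted projects.
DENY_UNENCRYPTED_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "odps:CreateProject",
            "Resource": "*",
            "Condition": {"Bool": {"odps:Encryption": ["false"]}},
        }
    ],
}

# The page's project-management sample, which grants DeleteProject on every resource.
BROAD_PROJECT_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["odps:ListProjects", "odps:GetProject", "odps:CreateProject",
                       "odps:DeleteProject", "odps:UpdateProjectDefaultQuota"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value):
    # '*' matches any run of characters, as in ARN patterns (assumption: case-sensitive).
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Only the Bool operator is documented for MaxCompute on this page. A key that is
    # absent from the request context is treated as "not satisfied" (model assumption).
    for operator, keys in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in keys.items():
            if key not in context:
                return False
            actual = str(context[key]).lower()
            if actual not in {str(v).lower() for v in _as_list(expected)}:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'NoMatch' for one request.

    An explicit Deny from any matching statement overrides every Allow; a request that
    matches no statement yields 'NoMatch', and the service default then applies.
    """
    context = context or {}
    decision = "NoMatch"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wildcard_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def overly_broad_statements(policy):
    """Least-privilege lint: (statement index, actions) for Allow statements that grant
    Delete/Remove actions on Resource '*' instead of a scoped ARN."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        destructive = [a for a in _as_list(stmt["Action"])
                       if a.split(":", 1)[-1].startswith(("Delete", "Remove"))]
        if destructive:
            findings.append((index, destructive))
    return findings


if __name__ == "__main__":
    request = ("odps:CreateProject", "acs:odps:cn-hangzhou:12345:projects/prj_new")
    for encryption in ("false", "true"):
        result = evaluate([SCOPED_PROJECT_POLICY, DENY_UNENCRYPTED_POLICY], *request,
                          {"odps:Encryption": encryption})
        print(f"odps:Encryption={encryption}: {result}")
    print(json.dumps(overly_broad_statements(BROAD_PROJECT_POLICY)))
```

Running the block shows the Deny statement taking precedence when odps:Encryption is false and the scoped Allow applying when it is true, and the lint reports the DeleteProject grant on `"Resource": "*"` in the page's project-management sample; replacing that `*` with a projects/${object-name} ARN for the intended region and account removes the finding.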