Specific resource management operations of MaxCompute can be performed only in the MaxCompute console. You can perform some of the resource management operations only after the required policies are attached to the RAM user or RAM role that you use. This topic describes the related permissions and policies.
Permissions
If a RAM user is allowed ("Effect": "Allow") to perform the ListProjects and GetProject operations, the RAM user can view the list and information of all MaxCompute projects (including the projects to which the RAM user is not added) in the specified region within the Alibaba Cloud account.
If a RAM user is explicitly forbidden ("Effect": "Deny") to perform the ListProjects and GetProject operations, the RAM user cannot view the information of any MaxCompute project (including the projects to which the RAM user is added) in the specified region within the Alibaba Cloud account.
If no policy is attached to a RAM user to determine whether the RAM user is allowed to perform the ListProjects and GetProject operations, the RAM user can view the list and information of the existing MaxCompute projects in the specified region within the Alibaba Cloud account.
You can assign the tenant-level roles of MaxCompute to users to grant the users the permissions to manage network connections and tenant-level users and roles. If
"Effect": "Allow"is configured in a RAM policy that is attached to a user, the user passes the authentication for the allowed operations. If no RAM policy is attached to the user, the permissions of the tenant-level role that is assigned to the user take effect. If"Effect": "Deny"is configured in a RAM policy that is attached to the user, the user fails the authentication for the denied operations.
Project management
Category | Action | ARN | ARN example | Description |
Project management | odps:ListProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | View all projects in the specified region within the Alibaba Cloud account. |
odps:CreateProject | Create a project. | |||
odps:GetProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Obtain information about a project. | |
odps:DeleteProject | Delete a project. | |||
odps:UpdateProjectStatus | Freeze or restore a project. | |||
odps:UpdateProjectDefaultQuota | Change the default quota of a project. | |||
odps:ListOutboundInternetAddress | View the configuration of the external network. | |||
odps:UpdateOutboundInternetAddress | Update the configuration of the external network. | |||
odps:CreateRole | Create a project-level role. | |||
odps:DeleteRole | Delete a project-level role. | |||
odps:UpdateRole | Update a project-level role. | |||
odps:UpdateUsersToAdmin | Assign the Admin role to a RAM user to set the RAM user as the administrator for a project. | |||
odps:UpdateUsersToSuperAdmin | Assign the Super_Administrator role to a RAM user to set the RAM user as the super administrator for a project. | |||
odps:UpdateUsersToRole | Update users with project-level roles. | |||
odps:GetRoleAcl | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Obtain the ACL-based permissions that are granted to a project-level role. | |
odps:GetRoleAclOnObject | Obtain ACL-based permissions on an object that are granted to a project-level role. | |||
odps:GetRolePolicy | Obtain the policy that is attached to a project-level role. | |||
odps:ListResources | Obtain resources. | |||
odps:ListRoles | Obtain project-level roles. | |||
odps:CreatePackage | acs:odps:{#regionId}:{#accountId}:package/{#packageName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):package/pkg_1 | Create a package. | |
odps:DeletePackage | Delete a package. | |||
odps:GetPackage | Obtain information about a package. | |||
odps:ListPackages | Obtain information about multiple packages. | |||
odps:UpdatePackage | Update a package. | |||
odps:ListUserPermissionsAsStringByProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | List the permissions of users in strings by project. | |
odps:ListUserPermissionsByProject | List the permissions of users in the JSON format by project. | |||
odps:ListUsersInfoByProject | List all users and the role and security information of the users in a project. | |||
odps:ListProjectUsers | List all users in a project. |
Quota management
Category | Action | ARN | ARN example | Description |
Quota management | odps:UpdateQuota | acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify a level-1 quota or a level-2 quota. |
odps:UpdateQuotaPlan | Modify a quota plan. | |||
odps:UpdateSubQuotas | Create a level-2 custom quota. | |||
odps:UpdateQuotaSchedule | Modify a time plan. | |||
odps:CreateQuotaPlan | Create a quota plan. | |||
odps:DeleteQuotaPlan | Delete a quota plan. | |||
odps:CreateQuotaSchedule | Create a time plan. | |||
odps:ListQuotaRoutingRules | acs:odps:{#regionId}:{#accountId}:quotas/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/* | View level-2 quota rules. | |
odps:CreateQuotaRoutingRule | Add a level-2 quota rule. | |||
odps:GetQuotaRoutingRule | acs:odps:{#regionId}:{#accountId}:quotas/{#quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1#quota_1_1(Name of a level-1 quota#Name of a level-2 quota, both a name and a nickname supported ) | View a level-2 quota rule. | |
odps:RemoveQuotaRoutingRule | Remove a level-2 quota rule. | |||
odps:UpdateQuotaRoutingRule | Modify a level-2 quota rule. | |||
odps:CreateQuota | acs:odps:{#regionId}:{#accountId}:quota/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a quota. | |
odps:DeleteQuota | Delete a quota. | |||
odps:GetQuota | Obtain information about a quota. | |||
odps:ListQuotas | List quotas. | |||
odps:ListQuotasPlans | List quota plans. | |||
odps:GetQuotaPlan | Obtain information about a quota plan. | |||
odps:GetQuotaSchedule | Obtain information about a time-specific quota plan. |
Notebook management
Category | Action | ARN | ARN example | Description |
Notebook management | odps:CreateNotebookTemplate | acs:odps:{#regionId}:{#accountId}:notebooktemplate/{#notebookTemplatesId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebooktemplate/notebookid | Create a Notebook instance template. |
odps:ListNotebookTemplates | List Notebook instance templates. | |||
odps:GetNotebookTemplate | Obtain details about a Notebook instance template. | |||
odps:UpdateNotebookTemplate | Update a Notebook instance template. | |||
odps:DeleteNotebookTemplate | Delete a Notebook instance template. | |||
odps:CreateNotebookStorage | acs:odps:{#regionId}:{#accountId}:notebookstorage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookstorage/* | Create a data storage to attach to a Notebook instance. | |
odps:ListNotebookStorage | View the data storage that is attached to a Notebook instance. | |||
odps:CreateNotebookInstance | acs:odps:{#regionId}:{#accountId}:notebookinstance/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookinstance/* | Create a Notebook instance. | |
odps:ListNotebookInstances | List Notebook instances. | |||
odps:GetNotebookInstance | acs:odps:{#regionId}:{#accountId}:notebookinstance/{#notebookInstanceId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookinstance/* | Obtain details about a Notebook instance. | |
odps:StartNotebookInstance | Start a Notebook instance. | |||
odps:StopNotebookInstance | Stop a Notebook instance. | |||
odps:UpdateNotebookInstance | Update a Notebook instance. | |||
odps:DeleteNotebookInstance | Delete a Notebook instance. |
Resource observation
Category | Action | ARN | ARN example | Description |
Resource observation | odps:GetMetric | acs:odps:{#regionId}:{#accountId}:metric/{#category} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):metric/storage | Obtain monitoring curves for objects such as open storage, external table caching, job observation, and storage trends. |
Resource observation (computing resources) | odps:GetQuotaUsage | acs:odps:{#regionId}:{#accountId}:quotas/{#nickname} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Obtain the usage details of computing resources or data transmission resources. |
Resource observation (storage resources) | odps:GetStorageSizeSummary | acs:odps:{#regionId}:{#accountId}:storage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/* | Obtain the aggregate data on the sizes of storage resources that are used on the current day. |
odps:GetStorageAmountSummary | Obtain the aggregate data on storage resource distribution on the current day. | |||
odps:GetStorageSummaryCompared | Obtain changes on the usage of storage resources. | |||
odps:ListStorageProjectsInfo | Obtain storage details about a project. | |||
odps:SumDailyBillsByItem | acs:odps:{#regionId}:{#accountId}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | Obtain storage fees that are calculated based on the catalog price. | |
odps:SumStorageMetricsByDate | acs:odps:{#regionId}:{#accountId}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | Obtain storage usage for every day. | |
odps:ListStorageTablesInfo | acs:odps:{#regionId}:{#accountId}:storage/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj_1 | List the storage details about tables. | |
odps:ListStoragePartitionsInfo | List the storage details of partitions. | |||
Resource observation (data transmission services) | odps:GetTableAccessInfoTopK | acs:odps:{#regionId}:{#accountId}:quotas/{#nickname} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Obtain the top K tables that are most frequently accessed by data transmission resources. |
odps:GetTableIpAccessInfoTopK | Obtain the top K source IP addresses that are most frequently used to access data transmission resources. | |||
odps:GetTableAccessInfo | Obtain popularity information of tables that are most frequently accessed by data transmission resources. | |||
odps:ListTableSlotDetail | Obtain data transmission details of data transmission resources. | |||
odps:GetTunnelThroughputSummary | Obtain the total amount of data that is transmitted by using data transmission resources. | |||
Resource observation (job performance) | odps:ListTopJobInfo | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj_1 | List the jobs that consume the largest amount of resources and time. |
Job O&M
Category | Action | ARN | ARN example | Description |
Job O&M | odps:ListJobInfos | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/* | List information about all jobs. |
odps:ListJobSnapshotInfos | List snapshots of all jobs. | |||
odps:KillJobs | Terminate jobs. | |||
odps:GetJobResourceUsage | Obtain the aggregate resource information about a job. | |||
odps:GetRunningJobs | Obtain the jobs that are running. | |||
odps:GetJobSummaryByPreCompute | Obtain the aggregate data of job status. | |||
odps:GetJobLogView | acs:odps:{#regionId}:{#accountId}:job/{#instanceId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/20240828****ju4h | Obtain the LogView URL of a job. | |
odps:GetJobAnalyzeQuotaUsage | Obtain the usage information of computing resources of a job. | |||
odps:GetJobAnalyzeQuotaDistribution | acs:odps:{#regionId}:{#accountId}:job/{#quotaNickname} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/quota_1 | Obtain the distribution of the computing resources of a job. |
Materialized views
Category | Action | ARN | ARN example | Description |
Materialized views | odps:ListGlobalConfig | acs:odps:{#regionId}:{#accountId}:globalconfig/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):globalconfig/* | List switches for global configurations. Only materialized views are supported. |
odps:GetGlobalConfig | acs:odps:{#regionId}:{#accountId}:globalconfig/{#configName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):globalconfig/mvrecommendation | Obtain the switch for a single global configuration. Only materialized views are supported. | |
odps:CloseGlobalConfig | Turn off the switch for a single global configuration. Only materialized views are supported. | |||
odps:UpdateGlobalConfig | Change the status of a single global configuration. Only materialized views are supported. | |||
odps:ListMvRecommendationSupportProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | List projects for which materialized view recommendation is enabled. | |
odps:CheckMvRecommendationSupportProjects | Check projects for which materialized view recommendation is enabled. | |||
odps:ListMvRecommendations | List recommended materialized views. | |||
odps:GetMvRecommendation | Obtain information about a recommended materialized view. | |||
odps:AddMvRecommendationSupportProject | acs:odps:{#regionId}:{#accountId}:projects/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Add a project for which materialized view recommendation is enabled. | |
odps:RemoveMvRecommendationSupportProject | Remove a project for which materialized view recommendation is enabled. | |||
odps:CreateMaterializedView | Create a materialized view. | |||
odps:GetMaterializedViewStatus | Obtain the creation status of a materialized view. | |||
odps:ListMaterializedViews | List all materialized views that are created. | |||
odps:GetMaterializedView | Obtain information about a materialized view. | |||
odps:UpdateMaterializedView | Update information about a materialized view. | |||
odps:DeleteMaterializedView | Delete a materialized view. | |||
odps:ListProjectMvRecommendations | List the recommended materialized views of a project. | |||
odps:GetProjectMvRecommendation | Obtain information about the recommended materialized views of a project. | |||
odps:ListMvRecommendationsByProject | List recommended materialized views by project. | |||
odps:GetMvRecommendationByProject | Obtain information about recommended materialized views by project. | |||
odps:ListMvRecommendationJobInfo | List job information involved in recommended materialized views. | |||
odps:ListMaterializedViewJobInfo | List job information involved in materialized views. |
MaxCompute Migration Assist (MMA)
Category | Action | ARN | ARN example | Description |
MMA | odps:ListMmsDataSources | acs:odps:{#regionId}:{#accountId}:mmsdatasource/{#datasourceId} | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsdatasource/2000029 | List data sources. |
odps:GetMmsDataSource | Obtain details about a data source. | |||
odps:CreateMmsDataSource | Create a data source. | |||
odps:UpdateMmsDataSource | Update a data source. | |||
odps:DeleteMmsDataSource | Delete a data source. | |||
odps:CreateMmsFetchMetadataJob | Create a task used to update metadata. | |||
odps:ListMmsJobs | List migration plans. | |||
odps:GetMmsJob | Obtain information about a migration plan. | |||
odps:CreateMmsJob | Create a migration plan. | |||
odps:DeleteMmsJob | Delete a migration plan. | |||
odps:StartMmsJob | Start a migration plan. | |||
odps:StopMmsJob | Stop a migration plan. | |||
odps:RetryMmsJob | Retry a migration plan. | |||
odps:ListMmsTasks | List migration tasks. | |||
odps:GetMmsTask | Obtain information about a migration task. | |||
odps:ListMmsTaskLogs | List logs for migration tasks. | |||
odps:GetMmsAsyncTask | Obtain information about an asynchronous task. | |||
odps:UpdateMmsAsyncTask | Update the status of an asynchronous task. | |||
odps:DeleteMmsAsyncTask | Delete an asynchronous task. | |||
odps:ListMmsDbs | List databases in a data source. | |||
odps:GetMmsDb | Obtain information about a specific database in a data source. | |||
odps:ListMmsTables | List tables in a data source. | |||
odps:GetMmsTable | Obtain information about a specific table in a data source. | |||
odps:ListMmsPartitions | List partitions in a data source. | |||
odps:GetMmsPartition | Obtain information about a specific partition in a data source. | |||
odps:ListMmsAgents | acs:odps:{#regionId}:{#accountId}:mmsagent | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsagent | List agents that are run within an Alibaba Cloud account. | |
odps:CreateMmsAuthFile | acs:odps:{#regionId}:{#accountId}:mmsauthfile | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsauthfile | Create an authentication file. |
Cost management
Category | Action | ARN | ARN example | Description |
Cost analysis | odps:SumBills | acs:odps:{#regionId}:{#accountId}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
odps:SumBillsByDate | ||||
odps:SumDailyBillsByItem | ||||
odps:SumComputeMetricsByRecord | acs:odps:{#regionId}:{#accountId}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. | |
odps:SumComputeMetricsByUsage | ||||
odps:ListComputeMetricsByInstance | ||||
odps:ListComputeMetricsBySignature | ||||
odps:SumStorageMetricsByDate | acs:odps:{#regionId}:{#accountId}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | View the storage usage analysis. | |
odps:SumStorageMetricsByType | ||||
Cost optimization - optimization plans for reconfiguring subscription computing resources | odps:CreateQuotaHistoryRequestAnalysis | acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Initiate a request to analyze the usage of the quota group configured for a subscription project. |
odps:GetQuotaHistoryRequestAnalysis | Obtain the results of analysis on the usage of the quota group configured for a subscription project. | |||
odps:CreateQuotaScheduleEffectAnalysis | Initiate a request to evaluate the situations of cost optimization conducted on a subscription project. | |||
odps:GetQuotaScheduleEffectAnalysis | Obtain the results of evaluation on the situations of cost optimization conducted on a subscription project. | |||
odps:CreateQuotaScheduleSuggestion | Initiate a request to obtain recommended configurations for cost optimization conducted on a subscription project. | |||
odps:GetQuotaScheduleSuggestion | Obtain the recommended configurations for cost optimization conducted on a subscription project. | |||
Cost optimization - configuration of a subscription quota for a pay-as-you-go project | odps:ListQuotaRecentlyActiveProjects | acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | List pay-as-you-go projects for which cost optimization is performed. |
odps:CreateQuotaHistoryRequestAnalysisWithProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prjname | Initiate a request to analyze the usage of the quota group configured for a pay-as-you-go project. | |
odps:GetQuotaHistoryRequestAnalysisWithProjects | Obtain the results of analysis on the usage of the quota group configured for a pay-as-you-go project. | |||
odps:CreateQuotaScheduleEffectAnalysisWithProjects | Initiate a request to evaluate the situations of cost optimization conducted on a pay-as-you-go project. | |||
odps:GetQuotaScheduleEffectAnalysisWithProjects | Obtain the results of evaluation on the situations of cost optimization conducted on a pay-as-you-go project. | |||
odps:CreateQuotaScheduleSuggestionWithProjects | Initiate a request to obtain recommended configurations for cost optimization conducted on a pay-as-you-go project. | |||
odps:GetQuotaScheduleSuggestionWithProjects | Obtain the recommended configurations for cost optimization conducted on a pay-as-you-go project. |
Tenant management
Category | Action | ARN | ARN example | Description |
Tenant management - tenant properties | odps:GetTenantSetting | acs:odps:{#accountId}:tenant/settings/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/settings/* | Obtain the configurations of a tenant. |
odps:UpdateTenantSetting | acs:odps:{#accountId}:tenant/settings/{#key} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/settings/namespaceSchema | Update the configurations of a tenant. | |
Tenant management - network connections (NetworkLink) | odps:ListNetworkLinks | acs:odps:{#regionId}:{#accountId}:networklink/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/* | View all network connections within a tenant. |
odps:CreateNetworkLink | Create a network connection. | |||
odps:GetNetworkLink | acs:odps:{#regionId}:{#accountId}:networklink/{#networkLinkName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(Name of a network connection) | Obtain information about a network connection. | |
odps:RemoveNetworkLink | Delete a network connection. | |||
Tenant management - image management | odps:ListImage | acs:odps:{#regionId}:{#accountId}:image/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/* | List custom images. |
odps:AddImage | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/* | Create a custom image. | ||
odps:GetImage | acs:odps:{#regionId}:{#accountId}:image/{#name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/image1 | Obtain information about a custom image. | |
odps:RemoveImage | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/{name} | Delete a custom image. | ||
Tenant management - external data sources | odps:ListTenantObjectBindings | acs:odps:{#regionId}:{#accountId}:tenant/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/* | List projects with which tenant resources are associated. |
odps:UpdateTenantObjectBindings | Update the project with which a specific tenant resource is associated. | |||
odps:UpdateForeignServer | acs:odps:{#regionId}:{#accountId}:foreignservers/{#foreignServerName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):foreignservers/foreign_1 | Update an external data source. | |
odps:DeleteForeignServer | Delete an external data source. | |||
odps:GetForeignServer | Obtain information about an external data source. | |||
odps:ListForeignServers | acs:odps:{#regionId}:{#accountId}:foreignservers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):foreignservers/* | List external data sources. | |
odps:CreateForeignServer | Create an external data source. | |||
Tenant-level user and role management | odps:ListTenantUsers | acs:odps:{#accountId}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | List tenant-level users. |
odps:AddTenantUsers | Add tenant-level users. | |||
odps:RemoveTenantUsers | Delete tenant-level users. | |||
odps:UpdateTenantRolesToUser | Change the tenant-level role of a user. | |||
odps:ListAllTenantRoles | acs:odps{#accountId}}:tenantRoles/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/* | List tenant-level roles. | |
odps:CreateTenantRole | Create a tenant-level role. | |||
odps:UpdateTenantRolePolicy | acs:odps:{#accountId}:tenantRoles/{#roleName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Update the policy that is attached to a tenant-level role. | |
odps:GetTenantRolePolicy | Obtain the policy that is attached to a tenant-level role. | |||
odps:RemoveTenantRole | Delete a tenant-level role. |
Description of the Condition element
The Condition element is used to specify the conditions that are required for a policy to take effect. The Condition element consists of one or more conditions. Each condition consists of condition operators, condition keys, and condition values. For more information about the Condition element, see Condition.
The following tables describe the category of condition operators and the condition key in the Condition element of MaxCompute.
Category of condition operators
Category
Condition operator
Boolean
Bool
Condition key
Condition
Description
odps:Encryption
Specifies whether to encrypt a MaxCompute project when you create the project. Valid values:
true: The project is encrypted.
false: The project is not encrypted.
For more information about MaxCompute data encryption, see Storage encryption.
Policies
Resource Access Management (RAM) supports the following types of policies: system policies that are managed by Alibaba Cloud and custom policies that are managed by customers.
System policies
RAM provides the following system policies for MaxCompute:
AliyunMaxComputeFullAccess: This policy includes all access permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role. If you attach this policy to a RAM user or a RAM role, the RAM user or the RAM role may have excessive permissions. Proceed with caution.AliyunMaxComputeReadOnlyAccess: This policy includes all List and Get permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role.
Custom policies
You can create custom policies for fine-grained permission management in the RAM console. For more information, see Create a custom policy. A RAM policy consists of the Version and Statement elements. The Statement element contains the Effect, Action, Resource, and Condition fields. The Condition field is optional. The values of the Action and Resource fields are obtained from the Action and ARN values in the permission list. For more information, see Permissions. The values of the Condition field are obtained from the condition description. For more information, see Description of the Condition element. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
The following sample code provides examples of custom policies.
Policy for managing MaxCompute projects
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:ListProjects", "odps:GetProject", "odps:CreateProject", "odps:DeleteProject", "odps:UpdateProjectDefaultQuota", "odps:UpdateProjectStatus", "odps:UpdateUsersToSuperAdmin", "odps:ListOutboundInternetAddress", "odps:UpdateOutboundInternetAddress" ], "Resource": "*" } ] }Policy for managing MaxCompute quotas
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:UpdateQuota", "odps:UpdateQuotaPlan", "odps:UpdateSubQuotas", "odps:UpdateQuotaSchedule", "odps:CreateQuotaPlan", "odps:DeleteQuotaPlan", "odps:CreateQuotaSchedule", "odps:ListQuotaRoutingRules", "odps:CreateQuotaRoutingRule", "odps:GetQuotaRoutingRule", "odps:RemoveQuotaRoutingRule", "odps:UpdateQuotaRoutingRule" ], "Resource": "*" } ] }Policy for prohibiting the creation of non-encrypted MaxCompute projects
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": "odps:CreateProject", "Resource": "*", "Condition": { "Bool": { "odps:Encryption": [ "false" ] } } } ] }Policy for viewing resource observation data in MaxCompute
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:GetMetric", "odps:GetQuotaUsage", "odps:GetStorageSummaryCompared", "odps:GetStorageSizeSummary", "odps:SumDailyBillsByItem", "odps:SumStorageMetricsByDate", "odps:GetStorageAmountSummary", "odps:ListStorageProjectsInfo", "odps:ListTopJobInfo", "odps:ListStorageTablesInfo", "odps:ListStoragePartitionsInfo", "odps:GetTableAccessInfoTopK", "odps:GetTableIpAccessInfoTopK", "odps:GetTableAccessInfo", "odps:ListTableSlotDetail", "odps:GetTunnelThroughputSummary" ], "Resource": "*" } ] }