The permission model of users roles and operations - MaxCompute

MaxCompute uses a layered permission model built on two concepts: users (identities) and roles (collections of permissions). The project owner holds all permissions by default. All other users need explicit grants before they can access any project resource.

Three identity layers interact in MaxCompute:

RAM layer — Alibaba Cloud account and RAM identities control resource purchase, project creation, and account-level operations.
MaxCompute project layer — Built-in and custom roles control data access and operations within a project.
DataWorks layer — DataWorks workspace roles control collaboration in the DataWorks console. For the relationship between DataWorks and MaxCompute roles, see Permission relationships between MaxCompute and DataWorks.

Keeping these three layers distinct helps you avoid a common source of confusion: RAM roles manage cloud resource access, MaxCompute roles manage access within a project, and DataWorks roles manage workspace collaboration. They are not interchangeable.

Supported user types and roles

User types

User type	Description
Alibaba Cloud account	An account created on the Alibaba Cloud website. By default, only this account has permissions to manage the MaxCompute service.
RAM user	A sub-identity created under an Alibaba Cloud account. RAM users assist the account owner in data processing tasks.
RAM role	A virtual identity with no logon password or AccessKey pair. A RAM role takes effect only after a trusted entity assumes it.

Built-in roles

MaxCompute provides two built-in management roles with different privilege levels.

Role	Description	Who can assign it
Super_Administrator	Grants full operation permissions on all project resources plus administrator privileges.	Project owner or any user already assigned Super_Administrator
Admin	Grants operation permissions and basic administrator privileges.	Project owner only

Custom roles

A custom role is a non-built-in role you define based on your business requirements. After creating a role and granting it the necessary permissions, assign it to users. In DataWorks, you can define custom roles using names that start with Role_.

Common permission tasks

Task	Reference
Add a user to a project and grant permissions	User planning and management and MaxCompute permissions
Assign a built-in role to a user	Assign a role to a user
Create a custom role and assign it	Role planning
View a user's or role's permissions	View permissions

Operations and required permissions

The table below shows which identities can perform each operation and what policies or roles are required.

"Use your Alibaba Cloud account to complete authorization" means the RAM user or RAM role must be granted the required MaxCompute role by the Alibaba Cloud account before it can perform the operation.

Service activation and resource purchase

Operation	Tools	Alibaba Cloud account	RAM user or RAM role	Requirements for RAM user or RAM role
Activate, purchase, renew, upgrade, downgrade the MaxCompute service; top up your account	MaxCompute console (new version), MaxCompute buy page	Supported	Supported	RAM user: Attach the AliyunDataWorksFullAccession and liyunBSSOrderAccess system policies. RAM role: Attach the AliyunDataWorksFullAccession and AliyunBSSOrderAccess system policies.

Project management

Operation	Tools	Alibaba Cloud account (role)	RAM user or RAM role	RAM user or RAM role in a project	Requirements
Create and delete a project	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Supported	N/A	Attach the CreateProject and DeleteProject policies
Modify the default calculation quota	MaxCompute console (new version)	Project owner	Supported	N/A	Attach the UpdateProjectDefaultQuota policy
Change the project status	MaxCompute console (new version)	Project owner	Supported	N/A	Attach the UpdateProjectStatus policy
Configure an IP address whitelist	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Supported	Super_Administrator; custom roles with project security configuration permissions	Use your Alibaba Cloud account to complete authorization
Protect project data	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Supported	Super_Administrator	Use your Alibaba Cloud account to complete authorization
Scan a full table	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Supported	Super_Administrator	Use your Alibaba Cloud account to complete authorization
Add, authorize, and manage project members	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Supported	Super_Administrator; custom roles with project management permissions	Use your Alibaba Cloud account to complete authorization
Access data across projects	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Supported	Built-in roles and custom roles with cross-project access permissions	Use your Alibaba Cloud account to complete authorization

Quota management

Operation	Tools	Alibaba Cloud account	RAM user or RAM role	Requirements
Modify a level-1 or level-2 quota	MaxCompute console (new version)	Supported	Supported	Attach the UpdateQuota policy
Create a level-2 custom quota	MaxCompute console (new version)	Supported	Supported	Attach the UpdateSubQuotas policy
Create, modify, and delete a quota plan	MaxCompute console (new version)	Supported	Supported	Attach the CreateQuotaPlan, UpdateQuotaPlan, and DeleteQuotaPlan policies
Create and modify a time plan	MaxCompute console (new version)	Supported	Supported	Attach the createQuotaSchedule and UpdateQuotaSchedule policies

Job O&M

Operation	Tools	Alibaba Cloud account (role)	RAM user or RAM role in a project	Requirements
View, perform O&M on, and monitor jobs	MaxCompute Management	Project owner	Super_Administrator	Use your Alibaba Cloud account to assign the Super_Administrator role to the RAM user

Code development

Operation	Tools	Alibaba Cloud account (role)	RAM user or RAM role in a project
Develop Java user-defined functions (UDFs)	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with Java UDF development permissions
Develop Python UDFs	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with Python UDF development permissions

Data management

Operation	Tools	Alibaba Cloud account (role)	RAM user or RAM role in a project
View the table list	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with table list view permissions
Create a table	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with table creation permissions
Update tables	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with table update permissions
Drop a table	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with table drop permissions
Grant access to a single table via an access control list (ACL)	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Built-in roles only
Preview metadata	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with metadata view permissions
Preview a table across projects	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with cross-project table view permissions

Resource management

Operation	Tools	Alibaba Cloud account (role)	RAM user or RAM role in a project
View the resource list	MaxCompute console (new version), MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with resource view permissions
Create and delete resources	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with resource creation and deletion permissions
Upload resources	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with resource upload permissions

Function development

Operation	Tools	Alibaba Cloud account (role)	RAM user or RAM role in a project
View the function list and details	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with function view permissions
Create and delete functions	MaxCompute client, MaxCompute Studio	Project owner	Built-in roles and custom roles with function creation and deletion permissions

MaxCompute:Users and permissions