If a MaxCompute project needs to be maintained by multiple users, the users that are not the owner of the project must be added to the MaxCompute project and granted the related permissions to manage the tables, resources, functions, or job instances in MaxCompute. This topic describes the operations that can be performed in MaxCompute to manage users.
Background information
After a MaxCompute project is created, only the project owner and a user that is assigned a built-in role of MaxCompute can access the MaxCompute project. To allow other users to collaborate on the project, the project owner must add the users to the MaxCompute project.
The following table describes the user types and the operations that can be performed to manage users in MaxCompute.
Category | Type | Operation | Description | Performed by | Operation platform |
Project level | Alibaba Cloud account | | Adds another Alibaba Cloud account to the MaxCompute project. | The project owner or a user that is assigned a built-in role of MaxCompute | |
Project level | Alibaba Cloud account | | Removes an Alibaba Cloud account from the MaxCompute project. | | |
Project level | RAM user | | Adds a RAM user of the Alibaba Cloud account to which the MaxCompute project belongs to the MaxCompute project. | | |
Project level | RAM user | | Removes a RAM user from the MaxCompute project. | | |
Project level | RAM role | | Adds a RAM role that is created in the Resource Access Management (RAM) console to the MaxCompute project. | | |
Project level | RAM role | | Removes a RAM role from the MaxCompute project. | | |
Project level | | | Views the users that are added to the MaxCompute project. | | |
Add an Alibaba Cloud account (project-level)
If the project owner wants to grant permissions to another Alibaba Cloud account, the project owner must add the Alibaba Cloud account to the MaxCompute project. Only the users that are added to the MaxCompute project can be granted permissions.
Syntax
add user ALIYUN$<account_id>;
Parameters
Parameter | Required | Description |
account_id | Yes | The ID of the Alibaba Cloud account, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
Example
Add the Alibaba Cloud account odps_test_user@aliyun.com whose ID is 5527xxxxxxxx5788 to the MaxCompute project test_project_a. Sample statement:
add user ALIYUN$5527xxxxxxxx5788;
Remove an Alibaba Cloud account (project-level)
If a user leaves the MaxCompute project team, the user must be removed from the project. After the user is removed, the user no longer has the permissions to access the resources of the project.
Syntax
remove user ALIYUN$<account_id>;
Precautions
Before you remove a user that is assigned a role, you must revoke the role from the user. For more information about how to view the information of the role that is assigned to a user, see Query permissions. For more information about how to revoke a role from a user, see Revoke a role from a user.
After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
Parameters
Parameter | Required | Description |
account_id | Yes | The ID of the Alibaba Cloud account, such as 5527xxxxxxxx5788. You can run the list users; command to obtain the ID by using the MaxCompute client. |
Examples
Example 1: Remove the Alibaba Cloud account odps_test_user@aliyun.com whose ID is 5527xxxxxxxx5788 from the MaxCompute project test_project_a. In this example, the Alibaba Cloud account odps_test_user@aliyun.com is not assigned a role. Sample statement:
remove user ALIYUN$5527xxxxxxxx5788;
Example 2: Remove the Alibaba Cloud account odps_test_user@aliyun.com whose ID is 5527xxxxxxxx5788 from the MaxCompute project test_project_a. In this example, the Alibaba Cloud account odps_test_user@aliyun.com is assigned a role named Worker. Sample statement:
-- Revoke the Worker role from the Alibaba Cloud account odps_test_user@aliyun.com.
revoke Worker from ALIYUN$5527xxxxxxxx5788;
-- Remove the Alibaba Cloud account odps_test_user@aliyun.com.
remove user ALIYUN$5527xxxxxxxx5788;
Add a RAM user (project-level)
If the project owner wants to grant permissions to a RAM user, the project owner must add the RAM user to the MaxCompute project. Only the RAM users that are added to the MaxCompute project can be granted permissions.
Syntax
add user RAM$[<account_id>:]<RAM user UID>;
Limits
You can add only the RAM users that belong to your Alibaba Cloud account to a MaxCompute project. If you want to add a RAM user of another Alibaba Cloud account to the MaxCompute project, you must add the Alibaba Cloud account to which the RAM user belongs to the MaxCompute project. Then, go to the MaxCompute project by using the newly added Alibaba Cloud account and add the RAM user to the MaxCompute project.
When you add a RAM user to a MaxCompute project, you must verify that the MaxCompute project supports the RAM account system. You can run the list accountproviders; command to check whether the MaxCompute project supports the RAM account system. If RAM does not appear in the query results, you can run the add accountprovider ram; command to add the RAM account system for the MaxCompute project.
After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
Precautions
MaxCompute projects recognize only the RAM account system but not the RAM permission system. After RAM users of your Alibaba Cloud account are added to a MaxCompute project, MaxCompute authenticates these RAM users but does not consider the permission definitions in RAM.
Parameters
Parameter | Required | Description |
account_id | No | The ID of the Alibaba Cloud account to which the RAM user belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
RAM user UID | Yes | The UID of the RAM user. To obtain the UID, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose . On the Users page, find the RAM user and click the logon name of the RAM user. In the Basic Information section of the page that appears, view the UID. |
Example
Add the RAM user RAM$odps_test_user@aliyun.com:ram_test whose UID is 2763xxxxxxxxxx1649 to the MaxCompute project test_project_a. The RAM user belongs to the Alibaba Cloud account whose ID is 5527xxxxxxxx5788. Sample statement:
add user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Remove a RAM user (project-level)
If a RAM user leaves the MaxCompute project team, the RAM user must be removed from the project. After the user is removed, the user no longer has the permissions to access the resources of the project.
Syntax
remove user RAM$[<account_id>:]<RAM user UID>;
Precautions
Before you remove a RAM user that is assigned a role, you must revoke the role from the user. Otherwise, information of the RAM user remains in the project. When you query the user, p4_xxxxxxxxxxxxxxxxxxxx is displayed and you cannot delete the information. However, the project can be normally used. For more information about how to view the information of the role that is assigned to a user, see Query permissions. For more information about how to revoke a role from a user, see Revoke a role from a user.
After a user is removed, the permissions that are granted to the user are retained. If the user is added to the project again, the historical access permissions of the user are activated again. For more information about how to clear the residual permission information of a removed user, see Completely clear the residual permission information of a removed user.
Parameters
Parameter | Required | Description |
account_id | No | The ID of the Alibaba Cloud account to which the RAM user belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
RAM user UID | Yes | The UID of the RAM user. To obtain the UID, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose . On the Users page, find the RAM user and click the logon name of the RAM user. In the Basic Information section of the page that appears, view the UID. |
Examples
Example 1: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test whose UID is 2763xxxxxxxxxx1649 from the MaxCompute project test_project_a. In this example, the RAM user RAM$odps_test_user@aliyun.com:ram_test belongs to the Alibaba Cloud account whose ID is 5527xxxxxxxx5788 and is not assigned a role. Sample statement:
remove user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
Example 2: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test whose UID is 2763xxxxxxxxxx1649 from the MaxCompute project test_project_a. In this example, the RAM user RAM$odps_test_user@aliyun.com:ram_test belongs to the Alibaba Cloud account whose ID is 5527xxxxxxxx5788 and is assigned a role named Worker. Sample statement:
-- Revoke the Worker role from the RAM user RAM$odps_test_user@aliyun.com:ram_test.
revoke Worker from RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test.
remove user RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649;
-- Remove the RAM account system if you no longer use RAM users.
remove accountprovider ram;
Add a RAM role (project-level)
You can create a RAM role and modify the policy that is attached to the RAM role in the RAM console. Then, you can add the RAM role to a MaxCompute project. RAM users in the project can assume the RAM role to perform operations.
RAM roles are different from the MaxCompute built-in or custom roles described in Role planning. Instead, RAM roles are roles in the RAM console. For more information about how to use a RAM role, see Assume a RAM role.
Syntax
add user `RAM$<account_id>:role/<RAM role name>`;
Precautions
The grave accent (`) in the preceding command is required.
Parameters
Parameter | Required | Description |
account_id | Yes | The ID of the Alibaba Cloud account to which the RAM role belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
RAM role name | Yes | The name of the RAM role. To obtain the name, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose . On the Roles page, view the name of the RAM role. |
Example
Add the RAM role ram_role to the MaxCompute project test_project_a. Sample statement:
add user `RAM$5527xxxxxxxx5788:role/ram_role`;
Related operations
Subsequent operations need to be performed in DataWorks. Therefore, you must assign the RAM role to DataWorks when you modify the policy that is attached to the RAM role. This way, you can submit periodic scheduling jobs to MaxCompute in DataWorks.
Remove a RAM role (project-level)
You can remove a RAM role from a MaxCompute project.
Syntax
remove user `RAM$<account_id>:role/<RAM role name>`;
Precautions
The grave accent (`) in the preceding command is required.
Parameters
Parameter | Required | Description |
account_id | Yes | The ID of the Alibaba Cloud account to which the RAM role belongs, such as 5527xxxxxxxx5788, which is the ID of the Alibaba Cloud account odps_test_user@aliyun.com. |
RAM role name | Yes | The name of the RAM role. To obtain the name, perform the following steps: Log on to the RAM console. In the left-side navigation pane, choose . On the Roles page, view the name of the RAM role. |
Example
Remove the RAM role ram_role from the MaxCompute project test_project_a. Sample statement:
remove user `RAM$5527xxxxxxxx5788:role/ram_role`;
View the user list (project-level)
You can view the users that are added to a MaxCompute project.
Syntax
list users;
Example
View the users that are added to a MaxCompute project. Sample statement:
list users;
The following result is returned:
ALIYUN$5527xxxxxxxx5788
RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649
RAM$5527xxxxxxxx5788:role/ram_role
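An offboarding check that ties the list users; result to the removal precautions in the sections above. This is an added example, not part of the MaxCompute documentation: it compares the project members against an approved roster and builds the revoke-then-remove statements in the order the precautions require. The function names, the roster and the role map are hypothetical inputs, and applying grave-accent quoting to a RAM role inside revoke is an assumption.

```python
import re

# Principal forms from the page's `list users;` output; strict character classes are an assumption.
PRINCIPAL = re.compile(
    r"ALIYUN\$(?P<acct>\w+)"
    r"|RAM\$\w+:role/(?P<role>[\w.-]+)"
    r"|RAM\$(?:\w+:)?(?P<uid>\w+)"
)

def classify(principal):
    """Return 'account', 'ram_role' or 'ram_user'; raise on anything else."""
    m = PRINCIPAL.fullmatch(principal)
    if not m:
        raise ValueError(f"unrecognised principal: {principal!r}")
    if m.group("acct"):
        return "account"
    return "ram_role" if m.group("role") else "ram_user"

def offboarding_plan(list_users_output, approved, roles_by_principal):
    """Return (statements, residual); roles are revoked before each removal."""
    statements, residual = [], []
    for principal in list_users_output.split():
        if principal.startswith("p4_"):
            # Residue of a RAM user removed while holding a role: report it.
            residual.append(principal)
            continue
        kind = classify(principal)
        if principal in approved:
            continue
        # RAM roles need grave accents in remove user; in revoke it is assumed.
        target = f"`{principal}`" if kind == "ram_role" else principal
        for role in roles_by_principal.get(principal, []):
            if not re.fullmatch(r"\w+", role):
                raise ValueError(f"unexpected role name: {role!r}")
            statements.append(f"revoke {role} from {target};")
        statements.append(f"remove user {target};")
    return statements, residual

# Constructed sample: the page's `list users;` result plus one residual entry.
SAMPLE = """ALIYUN$5527xxxxxxxx5788
RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649
RAM$5527xxxxxxxx5788:role/ram_role
p4_xxxxxxxxxxxxxxxxxxxx"""
APPROVED = {"ALIYUN$5527xxxxxxxx5788"}
ROLES = {"RAM$5527xxxxxxxx5788:2763xxxxxxxxxx1649": ["Worker"]}

if __name__ == "__main__":
    plan, leftover = offboarding_plan(SAMPLE, APPROVED, ROLES)
    print("\n".join(plan), "residual:", leftover, sep="\n")
```

Review the generated statements before running them in the MaxCompute client; a line that matches none of the known principal forms stops the run instead of being passed into a statement.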
Additional information
After you complete user planning, you can grant permissions to a user based on your business requirements. For more information, see Manage user permissions by using commands.