When you use Data Lake Analytics (DLA), you can use multiple types of accounts, such as Alibaba Cloud account, RAM user, and DLA accounts. DLA accounts include the root account, sub-accounts, and service accounts. This topic provides an overview of these accounts.

Account type Description Usage notes
Alibaba Cloud account By default, this account has the permission to call all API operations and perform all the operations in the DLA console. You can use this account to manage all the services of DLA. The Alibaba Cloud account is used to activate and manage the DLA service. For example, you can log on to the DLA console and create a virtual cluster (VC) with the Alibaba Cloud account.
RAM user A RAM user is authorized by its Alibaba Cloud account. A RAM user can manage the DLA service within the scope of authorization. You can also use a RAM user to manage the DLA service within the scope of the permissions granted by the Alibaba Cloud account to which the RAM user belongs. For example, you can authorize a RAM user to log on to the DLA console, submit DLA Spark jobs, or call the DLA metadata.
Note RAM users are created by Alibaba Cloud accounts. RAM users do not own resources. All resources belong to Alibaba Cloud accounts.
DLA accounts (root account, sub-accounts, and service accounts) A DLA account is used to perform operations on DLA databases. For example, you can create and delete a schema, create and delete a table, and run the Presto-based SQL engine of DLA. The permissions of DLA accounts are separated by region. Different DLA accounts are used for DLA services deployed in different regions. A DLA account is valid only in the region in which DLA resides. DLA accounts are classified into the following types:
  • Root account: After you activate DLA, it automatically creates a root account for you. The root account is allowed to execute SQL statements and submit DLA Spark jobs.
    Note The root account of DLA is bound with an Alibaba Cloud account and cannot be unbound.
  • Sub-account: After you activate DLA, you can create sub-accounts in the DLA console. The sub-accounts of a root account are mainly used by different users within an enterprise. After you create a sub-account, you can grant permissions to the sub-account, view its permissions, and revoke permissions from the sub-account by using the root account. For more information about the operations, see GRANT, SHOW, and REVOKE.
    Note Sub-accounts can be bound with RAM users. After you bind a sub-account with a RAM user, the RAM user can access databases and tables in Spark by using the serverless Presto engine of DLA. Similarly, the RAM user can access databases and tables in the serverless Presto engine by using Spark.
  • Service account: used by integrated services. Service accounts are classified into the following types:
    • DLA service account: the default database account that is used to create data sources, create tables, and execute SQL statements in the DLA console. You are prompted to activate this account when it is required during operations in the DLA console.
    • Database Backup (DBS) service account: a dedicated DLA database account that is created for DBS. In most cases, this account is authorized to only create databases and tables. DBS is allowed to use this account to perform related operations in the DLA console. The activation of this account must be initiated by the DBS console.