Grant permissions to RAM users, Grant permissions to RAM users - E-MapReduce

If you want to allow a RAM user to use the E-MapReduce (EMR) console, you must grant the required permissions to the RAM user by using your Alibaba Cloud account in the RAM console.

Background information

RAM is a resource access control service provided by Alibaba Cloud. For more information, see What is RAM? The following examples describe how RAM is used to implement access control in EMR:

Users: You can use RAM users to grant permissions to different roles, such as developers and O&M engineers. This way, different RAM users have different permissions to access different resources.
User groups: You can group RAM users based on their responsibilities and grant permissions to user groups. This allows you to grant the same permissions to multiple users at the same time and simplifies the management of RAM users and their permissions.

Policies

The following table describes the policies that are used in EMR.

Policy name	Description	Permission
AliyunEMRFullAccess	Provides RAM users with full access to EMR.	This policy allows RAM users to perform all operations on resources on the EMR on ECS and EMR on ACK pages.
AliyunEMRReadOnlyAccess	Provides RAM users the read-only permissions of EMR.	This policy allows RAM users to read resources on the EMR on ECS and EMR on ACK pages.
AliyunEMRDlsFullAccess	Provides RAM users with full access to EMR OSS-HDFS.	This policy allows RAM users to manage data of EMR OSS-HDFS.
AliyunEMRDevelopAccess (not recommended)	Provides RAM users with the developer permissions of EMR.	This policy allows RAM users to perform all operations on EMR clusters, except for the operations to create or release clusters. Note From December 30, 2024 (UTC+8), Data Development (Old) in the EMR console will be discontinued in phases by region.
AliyunEMRFlowAdmin (not recommended)	Provides RAM users with the administrator permissions on the Data Platform module in EMR.	This policy allows RAM users to create projects and develop and manage jobs. This policy does not allow RAM users to add members to projects or manage clusters. Note From December 30, 2024 (UTC+8), Data Development (Old) in the EMR console will be discontinued in phases by region.

Procedure

Perform the following steps to grant permissions on EMR resources to a RAM user in the RAM console:

Log on to the RAM console with your Alibaba Cloud account or as a RAM user that has administrative rights.
In the left-side navigation pane, choose Identities > Users.
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

In the Grant Permission panel, configure the following parameters based on your business requirements.

Parameter	Description
Resource Scope	Account: If you select this option, permissions take effect on the current Alibaba Cloud account. ResourceGroup: If you select this option, permissions take effect on a specified resource group.
Principal	The RAM user to which you want to grant permissions.
Policy	Select System Policy from the drop-down list, enter EMR in the search box to search for EMR system policies, and then click the required policies to add the policies to the Selected Policy section. For more information about EMR policies, see Policies.

Click Grant permissions.
The granted permissions immediately take effect. You can log on to the EMR console by using the RAM user to which you granted permissions to check the permissions.
Note
If the RAM user no longer requires the permissions, you can revoke the permissions from the RAM user. For more information, see Revoke permissions from a RAM user.