This topic describes how to set a Resource Access Management (RAM) user as a super administrator in a MaxCompute project. It also provides suggestions for managing members and permissions.
Background
In daily operations, an Alibaba Cloud account is typically managed by designated personnel to ensure data security. Most users access MaxCompute through RAM user accounts. However, only an Alibaba Cloud account can be the project owner. Many permission management operations in MaxCompute, such as setting project-level flags and configuring cross-project resource sharing with packages, can be performed only by the project owner. Therefore, a RAM user with super administrator permissions is necessary.
MaxCompute provides a built-in management role named Super_Administrator. This role includes all permissions for all resource types within a project, along with project management permissions. For more information about the permissions, see Role planning.
The project owner can grant the Super_Administrator role to a RAM user. Once granted this role, the RAM user can perform various management operations on the project on behalf of the project owner. These operations include setting project-level flags and managing all resource permissions.
Procedure
Grant a RAM user the permissions to create projects. For more information, see Grant DataWorks management permissions to a RAM user.
Select a RAM user and use that account to create a project. The project owner will still be the Alibaba Cloud account.
Grant permissions
Grant permissions using the MaxCompute client (odpscmd)
Assume that the Alibaba Cloud account bob@aliyun.com is the owner of the project_a project and that Allen is a RAM user under bob@aliyun.com.
Use the Alibaba Cloud account to run the following commands to grant permissions.
--Switch to the project_a project.
USE project_a;
--Add the RAM user Allen to the project_a project.
ADD USER ram$bob@aliyun.com:Allen;
--Grant the Super_Administrator role to the RAM user Allen.
GRANT super_administrator TO ram$bob@aliyun.com:Allen;
--Grant the Admin role to the RAM user Allen.
GRANT admin TO ram$bob@aliyun.com:Allen;
Use the authorized RAM user to run the following command to view its own permissions. If the return value contains the Super_Administrator role, the permissions have been granted successfully.
SHOW GRANTS;
Grant permissions using DataWorks
(Optional) Add the RAM user as a project member. If the RAM user is already a project member, skip this step.
Log on to the DataWorks console and select a region in the upper-left corner.
In the left navigation pane, click Workspace.
On the Workspaces page, click the name of the target workspace.
On the Workspace Details page, click Workspace Members and Roles in the left navigation pane.
On the Workspace Members tab, click Add Members.
In the Add Members dialog box, select the organization members that you want to add from the Available Accounts list. The selected members are displayed in the Selected Accounts list.
Select the roles to assign to the account and click Confirm to add the member.
Grant the Super_Administrator role to the RAM user.
On the Workspace Details page, click Workspace Members and Roles in the left navigation pane.
On the Workspace Members tab, select Workspace Manager from the Role column for the target member to complete the authorization.
Use the authorized RAM user to run the following command to view its own permissions. If the return value contains the Super_Administrator role, the permissions have been granted successfully.
SHOW GRANTS;
Grant permissions using the MaxCompute console
Log on to the MaxCompute console and select a region in the top-left corner.
In the navigation pane on the left, choose .
On the Projects page, find the target project and click Manage in its Actions column.
On the Project Settings page, click the Role Permissions tab.
Select the super_administrator role and click Manage Members in the corresponding Actions column.
In the Manage Members dialog box, select the RAM user that you want to add and click OK to complete the authorization.
Use the authorized RAM user to run the following command to view its own permissions. If the return value contains the Super_Administrator role, the permissions have been granted successfully.
SHOW GRANTS;
Usage notes
Member management
Define the responsibilities for each RAM user. Each RAM user account must be assigned to a single developer. Do not share accounts. This practice helps ensure data security.
In a project, you can assign the Super_Administrator role to only one RAM user. You can grant the Admin role to other accounts that require basic management permissions.
MaxCompute supports Alibaba Cloud accounts and RAM users. To better ensure data security, add only RAM users that belong to the project owner's Alibaba Cloud account as project members.
The project owner's Alibaba Cloud account has control over its RAM users. If a developer is transferred or leaves the company, the project owner can disable or update the corresponding RAM user account to maintain data security.
Note: If you use DataWorks to manage project members, you can add only RAM users that belong to the project owner's Alibaba Cloud account as project members.
Only an Alibaba Cloud account owner can create RAM users. Even a super administrator must request that the Alibaba Cloud account owner create a RAM user first. Then, the super administrator can add the newly created RAM user to the project.
Add only users who need to perform data development in the current project as project members. Data development involves running jobs in the project. For users who only need to interact with data, use packages to share resources across projects. This practice avoids adding too many users to the project, which complicates member management.
If an employee is transferred or leaves the company, first remove the employee's RAM user from the project. Then, notify the project owner to disable the RAM user account. If the employee who is assigned the Super_Administrator role is transferred or leaves, the project owner must remove the user from the project and disable the RAM user account.
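The complete member lifecycle, from the odpscmd grant in the procedure above through the offboarding rule in the last bullet, as an added example that is not from the original page. It assumes the same project_a, owner bob@aliyun.com and RAM user Allen, and that the commands are run in odpscmd as the project owner; REVOKE, REMOVE USER, SHOW GRANTS FOR, DESCRIBE ROLE and LIST USERS are standard MaxCompute permission commands.

```sql
-- Added example (not from the original page): onboarding and offboarding a RAM user
-- in project_a, run by the project owner bob@aliyun.com.
USE project_a;

-- Onboarding: add the member and grant the one Super_Administrator role for this project
-- (the Admin role is added as in the procedure above).
ADD USER ram$bob@aliyun.com:Allen;
GRANT super_administrator TO ram$bob@aliyun.com:Allen;
GRANT admin TO ram$bob@aliyun.com:Allen;

-- Owner-side audit: the owner can check a member's roles without logging on as that member,
-- and can confirm that super_administrator is held by exactly one RAM user.
SHOW GRANTS FOR ram$bob@aliyun.com:Allen;
DESCRIBE ROLE super_administrator;

-- Offboarding (employee transferred or leaves): revoke every role first, then remove the
-- member; removing a user that still holds a role is rejected.
REVOKE super_administrator FROM ram$bob@aliyun.com:Allen;
REVOKE admin FROM ram$bob@aliyun.com:Allen;
REMOVE USER ram$bob@aliyun.com:Allen;

-- Verify the member is no longer in the project. Disabling the RAM user itself is done by
-- the Alibaba Cloud account owner in the RAM console, not from odpscmd.
LIST USERS;
```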
Permission management
Manage permissions using roles. Associate permissions with roles, and then associate roles with users.
Follow the principle of least privilege. This practice prevents security risks that are caused by excessive permissions.
To share data across projects, use packages. This way, the resource provider needs to manage only packages, not individual members.
Note: A RAM user with the Super_Administrator role already has permissions to query and manage all resources in the project. You do not need to grant additional permissions to this user.
Permission audit
You can audit permissions using the views provided by the MaxCompute global meta service. For more information, see List of metadata views.
Cost management
For more information about cost management, see View bill details. To allow a RAM user to query billing data, the Alibaba Cloud account owner must grant the RAM user the required permissions in the User Center. For more information about how to grant permissions, see Grant permissions to a RAM role. The required permissions include the following:
AliyunBSSFullAccess: The permissions to manage the User Center.
AliyunBSSReadOnlyAccess: The read-only permissions to access the User Center.
AliyunBSSOrderAccess: The permissions to view, pay for, and cancel orders in the User Center.
Note: The User Center permissions are not associated with the Super_Administrator role of a MaxCompute project. You must grant these permissions separately.
Resource usage management
If you use subscription compute resources for MaxCompute, you can view compute resource usage and manage all compute resources in the MaxCompute console. For more information, see Resource observation and Manage quotas for compute resources.
If you use pay-as-you-go compute resources for MaxCompute, you can view compute resource usage using the views provided by the MaxCompute global meta service. For example, you can use the TASKS_HISTORY view to check the details of completed jobs. These details include the execution time, job content, and resource consumption. For more information, see TASKS_HISTORY.
Note: The global meta service views retain data for only the last 15 days. To retain data for a longer period, you must read and save the data on a regular basis.
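A usage summary over the TASKS_HISTORY view and a daily archive that works around the 15-day retention, as an added example that is not from the original page. It assumes the tenant-level view SYSTEM_CATALOG.INFORMATION_SCHEMA.TASKS_HISTORY with the columns ds, project_name, owner_name, task_name, task_type, start_time, end_time, cost_cpu and cost_mem, that cost_cpu is expressed as core-seconds times 100, and an archive table name of your own choosing (tasks_history_archive is a placeholder).

```sql
-- Added example (not from the original page). Column names and the cost_cpu unit are
-- assumed from the TASKS_HISTORY schema; tasks_history_archive is a placeholder name.

-- 1. Who consumed pay-as-you-go compute in the retention window, per project and owner.
SELECT  project_name,
        owner_name,
        COUNT(*)                                   AS job_count,
        SUM(cost_cpu) / 100 / 3600                 AS cpu_core_hours,   -- 100 = 1 core * 1 second (assumed)
        SUM(cost_mem)                              AS mem_cost,
        MAX(DATEDIFF(end_time, start_time, 'ss'))  AS longest_job_seconds
FROM    SYSTEM_CATALOG.INFORMATION_SCHEMA.TASKS_HISTORY
WHERE   ds BETWEEN TO_CHAR(DATEADD(GETDATE(), -14, 'dd'), 'yyyymmdd')
            AND   TO_CHAR(GETDATE(), 'yyyymmdd')
GROUP BY project_name, owner_name
ORDER BY cpu_core_hours DESC
LIMIT 100;

-- 2. Keep history beyond 15 days: copy yesterday's partition into a table you own.
--    Schedule this daily (for example as a DataWorks node) so no partition is lost.
CREATE TABLE IF NOT EXISTS tasks_history_archive (
    project_name STRING,
    owner_name   STRING,
    task_name    STRING,
    task_type    STRING,
    start_time   DATETIME,
    end_time     DATETIME,
    cost_cpu     DOUBLE,
    cost_mem     DOUBLE
) PARTITIONED BY (ds STRING);

INSERT OVERWRITE TABLE tasks_history_archive PARTITION (ds)
SELECT  project_name, owner_name, task_name, task_type,
        start_time, end_time, cost_cpu, cost_mem,
        ds                                         -- dynamic partition column goes last
FROM    SYSTEM_CATALOG.INFORMATION_SCHEMA.TASKS_HISTORY
WHERE   ds = TO_CHAR(DATEADD(GETDATE(), -1, 'dd'), 'yyyymmdd');
```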