Set a RAM user as the super administrator for a MaxCompute project

Updated at: 2025-01-14 03:16

This topic describes how to set a RAM user as the super administrator for a MaxCompute project, and provides suggestions on how to manage members and permissions as the super administrator.

Background information

To ensure data security, the Alibaba Cloud account of a project is used only by authorized personnel. Common users can only log on to MaxCompute as RAM users. A project owner must be the Alibaba Cloud account, and some operations can only be performed by the project owner, such as setting a project flag and configuring cross-project resource sharing by using packages. If you use a RAM user, you must make sure that the RAM user is assigned the super administrator role.

The built-in management role Super_Administrator is added to MaxCompute. This role has permissions on all types of resources in a project and project management permissions. For more information about permissions, see Role planning.

A project owner can assign the Super_Administrator role to a RAM user. As a super administrator, the RAM user has the permissions needed to manage the project, such as common project flag setting permissions and permissions on managing all resources.

Authorization methods

We recommend that you assign the Super_Administrator role to a RAM user that has the permissions to create a project. This way, the RAM user can manage both DataWorks workspaces and MaxCompute projects that are associated with these DataWorks workspaces.

Note
  • For information about how to authorize a RAM user to create projects, see the "Grant the permissions to perform operations in DataWorks to a RAM user" section in Prepare a RAM user.

  • To ensure data security, we recommend that you clarify the responsibilities of owners of RAM users. Make sure that each RAM user belongs to one developer.

  • Only one RAM user can be assigned the Super_Administrator role in a project. You can assign the Admin role to other RAM users that require basic management permissions.

After you select a RAM user and use the RAM user to create a project, the project owner is still the Alibaba Cloud account, who can assign the Super_Administrator role to the RAM user in the following ways:

  • Assign the Super_Administrator role on the MaxCompute client (odpscmd).

    In this example, bob@aliyun.com is the owner of the project_a project, and Allen is a RAM user of bob@aliyun.com.

    1. Run the following commands to assign the Super_Administrator and Admin roles to the RAM user Allen (ram$bob@aliyun.com:Allen):

      -- Access the project_a project. 
      use project_a;
      -- Add the RAM user Allen to project_a. 
      add user ram$bob@aliyun.com:Allen;
      -- Assign the Super_Administrator role to Allen. 
      grant super_administrator TO ram$bob@aliyun.com:Allen;
      -- Assign the Admin role to Allen. 
      grant admin TO ram$bob@aliyun.com:Allen;
    2. Run the following command to view the permissions as the authorized RAM user. If the Super_Administrator role is in the command output, the authorization is successful.

      show grants;
  • Assign the Super_Administrator role in the DataWorks console.

    1. Log on to the DataWorks console and enter SettingCenter.

    2. Optional. Add a RAM user as a project member. Skip this step if the RAM user is already a project member.

      1. In the left-side navigation pane, choose Workspace Members and click the Workspace Members tab.

      2. In the upper-right corner, click Add Members.

      3. In the Add Members dialog box, select the members you want to add from the Available Accounts section and click the rightwards arrow to add them to the Selected Accounts section.

        Note

        In the Add Members dialog box, click Refresh to synchronize the RAM users of the current Alibaba Cloud account to the Available Accounts section.

      4. Select the required roles and click Confirmation.

    3. Assign the Super_Administrator role to the RAM user.

      1. In the left-side navigation pane, choose Workspace Members and click the Workspace Members tab.

      2. Find the target member and select Workspace Manager in the Role column.

    4. Run the following command to view the permissions as the authorized RAM user. If the Super_Administrator role is in the command output, the authorization is successful.

      show grants;
  • Assign the Super_Administrator role in the MaxCompute console.

    1. Log on to the MaxCompute console. In the top navigation bar, select a region.

    2. In the left-side navigation pane, choose Workspace > Projects.

    3. Find the project that you want to manage and click Manage in the Actions column. On the page that appears, click the Role Permissions tab.

    4. On the Role Permissions tab, find super_administrator and click Manage Members in the Actions column.

    5. In the Manage Members dialog box, add the required RAM user and click OK.

      Run the following command to view the permissions as the authorized RAM user. If the Super_Administrator role is in the command output, the authorization is successful.

      show grants;

Usage notes

  • Member management

    • MaxCompute supports the Alibaba Cloud account and RAM users. To ensure data security, we recommend that you only add RAM users of the project owner as project members.

      The Alibaba Cloud account is used to control RAM users, such as revoking or updating their credentials. This ensures data security in the case of personnel transfers and resignations.

      Note

      If you use DataWorks to manage project members, you can add only RAM users under the project owner as project members.

    • RAM users can be added by the Alibaba Cloud account and the super administrator. If you want to add RAM users to a project as the super administrator, wait until the RAM users are created by the Alibaba Cloud account.

    • We recommend that you only add the users who need to develop data, namely, users who need to run jobs, in the current project as project members. For users who require data interactions, you can use packages to share resources across projects. This reduces the complexity of member management because fewer members are added to the project.

    • If an employee who has a RAM user is transferred to another position or resigns, the RAM user with the Super_Administrator role needs to remove the RAM user of the employee from the project, and then notify the project owner to revoke its credentials. If an employee who has a RAM user with the Super_Administrator role is transferred to another position or resigns, the Alibaba Cloud account must be used to remove the RAM user and revoke its credentials.
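    The following command sequence is an added example, not part of the original page, showing how a super administrator removes a departing employee's RAM user from a project on the MaxCompute client (odpscmd) and verifies the result. The project name project_a, the owner bob@aliyun.com and the RAM user Carol are constructed for the example; the Admin role is assumed to be the role that the show grants output reports for this user.

```sql
-- Added example: offboard a departing employee's RAM user from project_a.
-- Run by the RAM user that holds the Super_Administrator role.
-- Assumed names (constructed): project_a, owner bob@aliyun.com, RAM user Carol.

-- 1. Work in the project the employee belonged to.
use project_a;

-- 2. Record what the user currently holds, so the change is traceable.
show grants for ram$bob@aliyun.com:Carol;

-- 3. Revoke every role reported by step 2 (Admin is assumed here).
--    Roles must be revoked before the user can be removed.
revoke admin from ram$bob@aliyun.com:Carol;

-- 4. Remove the RAM user from the project; object-level grants on the
--    user are dropped with it.
remove user ram$bob@aliyun.com:Carol;

-- 5. Verify that the user no longer appears in the member list.
list users;

-- 6. Revoking the RAM user's credentials (AccessKey pairs, console
--    password) is done by the Alibaba Cloud account in the RAM console,
--    not from MaxCompute; notify the project owner to do so.
```

Steps 2 and 5 are the checks worth keeping in a ticket: the output of show grants before removal and the output of list users after it document that access was actually cut, not just requested.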

  • Permission management

    • We recommend that you manage permissions by role. Permissions are associated with roles, and roles are associated with users.

    • We recommend that you use the principle of least privilege to avoid security risks caused by excessive permissions.

    • If you need to use cross-project data, we recommend that you share resources by using packages. In this way, resource providers only need to manage packages, which avoids the extra costs caused by the management of additional members.

    Note

    A RAM user who is assigned the Super_Administrator role has the permissions to query and manage all resources in a project. Therefore, no additional permissions need to be granted to the RAM user.

  • Permission audit

    You can use the view provided by the MaxCompute metadata service to audit permissions. For more information, see Metadata views.
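    The following queries are an added example, not part of the original page, that audit role assignments through the MaxCompute metadata service referred to above. They assume (not confirmed by this page) that the Information Schema package is installed in the project, that the USER_ROLES view exposes the columns project_name, user_name and role_name, and that RAM user names carry the RAM$ prefix as in the commands earlier on this page.

```sql
-- Added example: audit who holds management roles in the current project.
-- Assumptions: Information Schema installed; USER_ROLES has the columns
-- project_name, user_name, role_name.

-- 1. Holders of Super_Administrator and Admin. The page states that only one
--    RAM user should hold Super_Administrator; more than one row for that
--    role is a finding to follow up.
SELECT project_name, role_name, user_name
FROM   information_schema.user_roles
WHERE  LOWER(role_name) IN ('super_administrator', 'admin')
ORDER  BY role_name, user_name;

-- 2. Members that are not RAM users (names without the RAM$ prefix). The page
--    recommends adding only RAM users of the project owner as members.
SELECT DISTINCT user_name
FROM   information_schema.user_roles
WHERE  user_name NOT LIKE 'RAM$%';

-- 3. Users holding several roles, as a starting point for a least-privilege
--    review (excessive role accumulation is the usual drift).
SELECT user_name,
       COUNT(*)                    AS role_count,
       WM_CONCAT(',', role_name)   AS roles
FROM   information_schema.user_roles
GROUP  BY user_name
HAVING COUNT(*) > 1
ORDER  BY role_count DESC;
```

Running these on a schedule and diffing the output against the previous run turns the view into a lightweight detection for unexpected role grants.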

  • Cost management

    For more information about cost management, see View billing details. RAM users can query the billing details only after the Alibaba Cloud account grants them the permissions to access Billing Management. For more information, see Grant permissions to a RAM role. The following permissions are required:

    • AliyunBSSFullAccess: the permissions to manage Billing Management.

    • AliyunBSSReadOnlyAccess: the access and read-only permissions on Billing Management.

    • AliyunBSSOrderAccess: the permissions to view, pay for, and cancel orders in Billing Management.

    Note

    Permissions on Billing Management are independent of the Super_Administrator role of a MaxCompute project. You must grant these permissions separately to the user.

  • Resource usage management

    • If you use subscription computing resources of MaxCompute, you can view the usage of computing resources and manage all the computing resources in the MaxCompute console. For more information, see Use resource observation and Manage quotas for computing resources in the MaxCompute console.

    • If you use pay-as-you-go computing resources of MaxCompute, you can view the usage of computing resources in the views provided by the MaxCompute metadata service. For example, the TASKS_HISTORY view provides details of jobs for auditing, such as the run time, job content, and resource consumption. For more information, see the "TASKS_HISTORY" section in Metadata views.

      Note

      The views provided by the metadata service only retain data generated in the previous 15 days. If you need to store data for a longer period of time, we recommend that you regularly read and save the data on your on-premises machine.
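      The following statements are an added example, not part of the original page, showing one way to keep pay-as-you-go consumption data beyond the 15-day retention of the metadata views: roll up one day of TASKS_HISTORY into a project table each day, then report on the retained table. They assume (not confirmed by this page) that the Information Schema package is installed and that TASKS_HISTORY exposes the partition column ds (yyyymmdd) and the columns owner_name, task_type, inst_id, cost_cpu and cost_mem; the table name audit_task_cost_daily and the dates are constructed.

```sql
-- Added example: retain and report per-owner resource consumption.
-- Assumptions: Information Schema installed; TASKS_HISTORY columns ds,
-- owner_name, task_type, inst_id, cost_cpu, cost_mem. Table name and dates
-- are constructed for the example.

-- 1. Retention table inside the project (outlives the 15-day view window).
CREATE TABLE IF NOT EXISTS audit_task_cost_daily (
    owner_name STRING,
    task_type  STRING,
    job_count  BIGINT,
    cost_cpu   DOUBLE,
    cost_mem   DOUBLE
) PARTITIONED BY (ds STRING);

-- 2. Daily roll-up of one day of history; schedule this so that every day
--    is copied before it ages out of the view.
INSERT OVERWRITE TABLE audit_task_cost_daily PARTITION (ds = '20250113')
SELECT owner_name,
       task_type,
       COUNT(DISTINCT inst_id) AS job_count,
       SUM(cost_cpu)           AS cost_cpu,
       SUM(cost_mem)           AS cost_mem
FROM   information_schema.tasks_history
WHERE  ds = '20250113'
GROUP  BY owner_name, task_type;

-- 3. Top consumers over a window, to spot runaway jobs or an account running
--    work it is not expected to run.
SELECT owner_name,
       SUM(job_count) AS jobs,
       SUM(cost_cpu)  AS cpu,
       SUM(cost_mem)  AS mem
FROM   audit_task_cost_daily
WHERE  ds >= '20241230'
GROUP  BY owner_name
ORDER  BY cpu DESC
LIMIT  20;
```

The per-owner grouping ties consumption back to a RAM user, which is what makes the figures actionable when a member is later transferred or removed.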
