Project management

Read permissions

• Alibaba Cloud account: all permissions that are required for project management, including the query and operation permissions on all resources in a project.

• RAM user:

  • To view a project in the project list as a RAM user, you must make sure that the RAM user is added to the project.

  • To create or delete a project, modify the default quota group of a project, or freeze or resume a project, you must obtain the required RAM permissions. For more information, see RAM permissions.

  • To go to the project configuration page and configure parameters, manage role permissions, or manage packages, you must have the management permissions on the project. The built-in roles are Admin and Super_Administrator. For more information about how to customize management permissions, see Project management permissions.

Limits

Create a project

Projects that are created in the MaxCompute console can be used by various clients. DataWorks provides a unified end-to-end big data development and governance platform and is integrated with MaxCompute. You cannot associate a DataWorks workspace in standard mode with an existing MaxCompute project. We recommend that you create and use MaxCompute projects in DataWorks. For more information, see Create a workspace.

1. Log on to the MaxCompute console and select a region in the upper-left corner.

2. In the left-side navigation pane, choose Workspace > Project Management.

3. On the Project Management page, click Create Project.

4. In the Create Project dialog box, configure the parameters as prompted.

   The following table describes the parameters on which you need to focus.

   Parameter	Description

   Parameter	Description
   The project name	The name must be 3 to 28 characters in length and can contain letters, digits, and underscores (_). The name must start with a letter and must be globally unique.
   Billing Method	The billing method of computing resources, which is also the billing method of the default quota group.
   Default Quota	The default quota group that is used to allocate computing resources. If you do not specify a quota group for your project, the jobs initiated by your project consume the computing resources in the default quota group. For more information about how to use computing resources, see Use computing resources - quota groups.
   SQL Consumption Limit	The upper limit for the resources that can be consumed by an SQL job. Formula: Amount of scanned data (GB) × Complexity. This parameter is optional. If you select Pay-as-you-go as the billing method, we recommend that you set this parameter to prevent unexpected high SQL consumption. We also recommend that you configure real-time consumption monitoring and alerting to monitor and limit excessive consumption. For more information, see Consumption monitoring, alerting, and control.
   Data Type	MaxCompute data types include 1.0 Data Type, 2.0 Data Type, and Hive-compatible Type. You need to select an appropriate data type version based on your business requirements. For more information about the differences among the three data type versions, see Data type editions.
   Storage Type	The storage type is set at the project level. You can select Multi-zone Storage or Single-zone Storage. For more information about storage specifications and billing, see Storage fees. Note We recommend that you use multi-zone storage for data related to your production business to cope with zone-level failures. In the event of a zone-level failure, multi-zone storage ensures uninterrupted data reading and writing services and guarantees data integrity and security. For more information, see Zone-disaster recovery.
   Automatic Materialized View (AutoMV)	Automatically creates materialized views based on user job query habits and performance to improve computing efficiency and reduce repeated calculations. For more information, see Automatic Materialized View (AutoMV).
   AutoMV Storage Limit (GB)	Sets the upper limit of storage resources that AutoMV can use. Once this limit is exceeded, AutoMV will prohibit writing data to created materialized views. For more information, see Manage AutoMV switch and set storage resource limits.
   Encryption	Specifies whether to enable the data encryption feature for the MaxCompute project that you create. For more information about data encryption, see Storage encryption. If you select Yes, you must specify the following items: Key: the type of the key that is used in the MaxCompute project. You can select MaxCompute Default Key or Bring Your Own Key (BYOK). If you select MaxCompute Default Key, the key that MaxCompute automatically creates for the project is used. Algorithm: The encryption algorithm that is supported by the key. Valid values: AES256, AESCTR, and RC4.

5. Click OK to create the project.

   After the project is created, you can view the new MaxCompute project in the project list on the Project Management page. You can hover over a project and click the icon to follow it. You can then view the followed projects in the Overview page Projects I Follow section.

   You can perform the following operations on the created project:

   • Manage and configure project properties. For more information, see Configure a project.

   • Manage data permissions in the project and grant data permissions to RAM users. You can manage permissions by using project roles. For more information about how to add project members, see Role Management.

   • Prepare the development environment for your MaxCompute project and install the required tools to develop data in your project. For more information about how to prepare the environment and install tools, see Select a client.

   • Delete the created MaxCompute project. For more information, see Delete a project.

Configure a project

1. Log on to the MaxCompute console and select a region in the upper-left corner.

2. In the left-side navigation pane, choose Workspace > Project Management.

3. On the Project Management page, click Manage in the Actions column of the target project.

4. Configure parameters.

   1. On the Project Configuration page, click Parameter Configuration.

   2. On the Parameter Configuration tab, you can configure the following parameters.

      Note

      • Basic information permission verification RAM permissions. To configure basic property parameters, you must have the Super_Administrator role permission for the corresponding project.

      • To configure permission property and IP whitelist parameters, you need to have the management permission (Admin) role for the corresponding project, including Super_Administrator, Admin, or custom management permissions.

      Parameter Category	Parameter	Description

      Parameter Category	Parameter	Description
      Basics	Default Computing Quota	The default quota group for your project. You can change the default quota group based on your business requirements.
      	Storage Space (GB)	The storage space that is occupied by your project, which is the logical storage space after your project data is collected and compressed.
      Lifecycle configuration	Configure Lifecycle	Specifies whether to configure lifecycles for tables in the project, which is to set the odps.table.lifecycle property. The following values are available: optional: The lifecycle clause is optional in a table creation statement. If you do not configure a lifecycle for a table, the table does not expire. mandatory: The lifecycle clause is required in a table creation statement. You must configure a lifecycle for a table. inherit: If you do not configure a lifecycle for a table when you create the table, the lifecycle of the table is the value of odps.table.lifecycle.value. The odps.table.lifecycle.value property sets the lifecycle of a table in days. Valid values: 1~37231. Default value: 37231.
      	Last Access Configuration Policy	For projects or partitioned tables, you can define rules for the lifecycles of storage tiers. The system can trigger automatic conversion among storage tiers based on the lifecycle rules. After you define storage tier lifecycle rules for a project, if all the non-partitioned tables or partitions in the project meet the rules, the system automatically performs storage tier conversion for the non-partitioned tables or partitions. After you define storage tier lifecycle rules for a partitioned table, if all the partitions in the table meet the rules, the system automatically performs storage tier conversion for the partitions. For more information, see Automatically set using lifecycle rules.
      Super administrator	Members	View or edit members of the super_administrator role for the project. This setting has the same effect as managing members of the super_administrator role on the Role Permissions tab. However, this operation supports RAM permission verification. That is, RAM users with the UpdateUsersToSuperAdmin permission can set members of the super_administrator role for the project. For more information, see RAM permissions.
      Basic Properties	Full Table Scan for Partitioned Table	Specifies whether to allow full table scans for the project, which is to set the odps.sql.allow.fullscan property. A full table scan occupies many resources, which reduces data processing efficiency. Therefore, we recommend that you do not enable this feature.
      	Backup Data Retention Period	Specifies the number of days for which backup data is retained in the project, which is to set the odps.timemachine.retention.days property. During the retention period, you can restore data of the current version to the backup data of any version. Valid values: 0 to 30. Default value: 1. The value 0 indicates that the backup feature is disabled.
      	Data Type Edition	The data type version for the project. Valid values: 1.0 Data Type, 2.0 Data Type, and Hive-compatible Type. For more information about the differences among the three data type versions, see Data type editions.
      	DECIMAL in MaxCompute V2.0	Specifies whether to enable the DECIMAL data type in MaxCompute V2.0 for the project, which is to set the odps.sql.decimal.odps2 property.
      	Storage Type	The storage type is set at the project level. You can select Multi-zone Storage or Single-zone Storage. For more information about storage specifications and billing, see Storage fees. Note We recommend that you use multi-zone storage for data related to your production business to cope with zone-level failures. In the event of a zone-level failure, multi-zone storage ensures uninterrupted data reading and writing services and guarantees data integrity and security. For more information, see Zone-disaster recovery.
      	SQL Consumption Limit	Specifies the upper limit for the resources that can be consumed by an SQL job, which is to set the odps.sql.metering.value.max property. For more information, see Consumption monitoring, alerting, and control. Formula: Amount of scanned data (GB) × Complexity.
      	Storage Encryption Status	You can configure this parameter only when you create a project. After you configure this parameter, you can only view the parameter configuration but cannot edit the configuration.
      	Data Transmission Service	The resource group of the data transmission service that is bound to your project. If you select default from the drop-down list, the shared resource group of the data transmission service is used. You cannot use the subscription-based resource group of the data transmission service. Regardless of the value of Enable As Default Data Transmission Service, the data transmission service automatically uses the Default resource group for the project by default.
      	Enable As Default Data Transmission Service	Specifies whether to use the resource group that is bound to your project for your data transmission task. If you turn on this switch, the data transmission task uses the resource group of the Data Transmission Service that is bound to your project. If you turn off this switch, the data transmission task uses the shared resource group of the data transmission service.
      	Time Zone	The time zone of the project, which is to set the odps.sql.timezone property.
      Permission Properties	ACL-based Access Control	Specifies whether to use the ACL-based access control feature, which is to set the CheckPermissionUsingACL property. The default value is true, which indicates that the feature is enabled.
      	Policy-based Access Control	Specifies whether to use the policy-based access control feature, which is to set the CheckPermissionUsingACL property. The default value is true, which indicates that the feature is enabled.
      	Perform Operations on Objects by Object Creator	Specifies whether object creators are allowed to access objects, which is to set the ObjectCreatorHasAccessPermission property. The default value is Allow, which indicates that object creators are allowed to access the objects.
      	Grant Permissions on Objects by Object Creator	Specifies whether object creators are allowed to grant permissions on the objects, which is to set the ObjectCreatorHasGrantPermission property. The default value is Allow, which indicates that object creators are allowed to grant permissions on the objects.
      	Label-based Access Control	Specifies whether to use the label-based access control feature, which is to set the LabelSecurity property. The default value is false, which indicates that the feature is disabled.
      	Project Data Protection	Specifies whether to enable the data protection mechanism for the project, which is to set the ProjectProtection property. This property specifies whether to prohibit or allow data to flow out of the project. If you select Project Data Protection, you can also set Exception Or Trusted Projects. For more information, see Data protection mechanism.
      	Download Permission	Specifies whether to enable the download permission control feature, which is to set the odps.security.enabledownloadprivilege property.
      	Project-level Tenant Resource Access Control	You can view the tenant resources that are bound to the project. For more information, see Project-level tenant resource access control. Note This feature is currently available only for preview and does not support enabling checks.
      IP Whitelist	Public Network and Cloud Product Internet IP	The whitelist of IP addresses that are authorized to access a project over the public network and cloud product Internet. Note If you configure only the whitelist of IP addresses for the public network and cloud product Internet, access over the public network and cloud product Internet is restricted by the configuration, and all access over VPCs is prohibited.
      	VPC IP Addresses	The whitelist of IP addresses that are authorized to access a project over a VPC. Note If you configure only the whitelist of IP addresses for VPCs, access over VPCs is restricted by the configuration, and all access over the public network and cloud product Internet is prohibited.
      MaxCompute External Network	Available MaxCompute External Network Addresses	You can add or delete the public IP address or endpoint and port number that you want to access. For more information, see Access the public network.
      Intelligent Optimization Switches	Automatic Materialized View (AutoMV)	After this feature is enabled, materialized views are automatically created based on user job query habits and performance to improve computing efficiency and reduce repeated calculations. For more information, see Automatic Materialized View (AutoMV).
      	AutoMV Storage Limit (GB)	Sets the upper limit of storage resources that AutoMV can use. Once this limit is exceeded, AutoMV will prohibit writing data to created materialized views. For more information, see Manage AutoMV switch and set storage resource limits.

5. Role Management.

   On the Role Permissions tab, you can manage role permissions for the project, including adding, deleting, and modifying roles, along with granting roles to users.

   Note

   By default, only the Alibaba Cloud account has the permissions to manage roles for a project. If you want to manage roles as a RAM user, you must assign administrator roles of your project to the RAM user.

   1. On the Project Configuration page, click Role Permissions.

   2. On the Role Permissions tab, click Create Project-level Role.

   3. In the Create Role dialog box, create a role and grant permissions to the role as prompted.

      You can create an administrator role or a resource role. Pay attention to the Authorization Method parameter. You can use ACL or policy to grant permissions to a role. For more information about the permissions on various types of objects, see MaxCompute permissions.

      • ACL: You can use ACL-based access control to grant permissions on multiple objects in your project to a resource role at a time.

        Note

        After you submit an authorization request, do not close the progress bar or page until the authorization succeeds. Otherwise, the authorization is interrupted.

      • Policy: It primarily addresses Admin-type permissions and Resource-type permissions for complex authorization scenarios that cannot be solved by the ACL authorization mechanism, such as authorizing a group of objects in a single operation (all tables or tables that start with xxx, expressed using the wildcard character *), or granting permissions with conditions.

        Examples of policy documents

        • Grant all management permissions to an administrator role.

          {
              "Statement":[
                  {
                      "Action":[
                          "odps:*"
                      ],
                      "Effect":"Allow",
                      "Resource":[
                          "acs:odps:*:projects/project_name/authorization/*"
                      ]
                  }
              ],
              "Version":"1"
          }

        • Grant the permissions to query all tables whose names start with tmp in a project to a resource role.

          {
              "Statement":[
                  {
                      "Effect":"Allow",
                      "Action":[
                          "odps:Describe",
                          "odps:Select"
                      ],
                      "Resource":[
                          "acs:odps:*:projects/project_name/tables/tmp_*",
                          "acs:odps:*:projects/project_name/schemas/*/tables/tmp_*"
                      ]
                  }
              ],
              "Version":"1"
          }

   4. Click OK to create the role and grant permissions to the role.

   Other operations on roles:

   • View information about roles.

     In the role list on the Role Permissions tab, you can view all roles in the project, including the built-in Super_Administrator and Admin roles. Click Edit Role in the Actions column of a role to view the permissions of the role.

     Note

     If a role is created by using policy-based access control, the policy content can be displayed properly. If a role is created by using ACL-based access control, the role permissions may not be displayed because there are too many tables, resources, or functions. In this case, you can search for a specific object to check whether the role has the related permissions on the object. You can also run the describe role <role_name>; command to view all the permissions of the role.

   • Edit role permissions.

     Click Edit Role in the Actions column of a role. For a role that is granted permissions by using ACL-based access control, you can add or remove actions for an object, or add or remove an object. If the object that you want to remove is not displayed in the role list, you can run commands to edit the role. For more information, see Project-level role authorization.

     Note

     • If a MaxCompute project is associated with a DataWorks workspace, DataWorks initializes roles for the MaxCompute project. These roles have fixed permissions that comply with the business logic of DataWorks. We recommend that you do not update these roles. For more information about the roles that are initialized by DataWorks, see Appendix: Mapping between preset workspace-level roles and MaxCompute engine permissions.

     • If ACLs are used to grant permissions on many objects to the role, the Edit Role dialog box may not be open due to timeout. If the timeout occurs, you can only run commands to view and edit the ACL-based permissions of the role.

   • View users to which a role is assigned

     Click Manage Members in the Actions column of a role. In the Manage Members dialog box, you can view the users to which the role is assigned, assign the role to users, or remove users from the role (revoke the role from users).

   • Drops a role.

     Click Delete in the Actions column of a role to delete the role from the MaxCompute project. This operation is equivalent to running the drop role <role_name>; command. For more information, see Role planning.

   • Enable or disable tenant-level roles.

     On the Role Permissions tab, select Tenant from the Role Level drop-down list. Then, click Enable or Disable in the Actions column of a role.

     Note

     If a role is granted permissions on an object in the project, the role can take effect only after you enable the object.

6. Configure packages.

   If you want to allow users or roles to access resources across MaxCompute projects, we recommend that you use packages. Packages are suitable for cross-project access to tables, resources, and functions, but not computing resources. You can also use packages for permission management without the need to assign permissions to users or roles. A package involves resource providers and resource visitors. The following section describes the process of cross-project resource access by using packages.

   1. Share resources as a resource provider.

      1. On the Project Configuration page, click Create Package.

      2. In the Create Package dialog box, enter a Package Name and select the tables, resources, and functions that you want to share.

      3. Click OK to create the package.

      4. Click Allow Projects in the Actions column of the package.

      5. In the Projects Allowed To Install This Package dialog box, enter the name of the project that can use the package.

      6. Click OK.

   2. Access resources as a resource visitor.

      1. On the Project Configuration page, click Install Package.

      2. In the Install Package dialog box, enter the name of the package that you want to access.

      3. Click OK to access the package.

      4. (Optional) Grant the package to a role, and then assign the role to users. For more information, see Role Management.

7. View project members.

   MaxCompute project data permission control requires adding users to the project for authorization. You can click the Project Members tab on the Project Configuration page to view the permission details of all members in the project.

Change project status

1. Log on to the MaxCompute console and select a region in the upper-left corner.

2. In the left-side navigation pane, choose Workspace > Project Management.

3. In the project list on the Project Management page, click Operation Freeze or Resume in the column of the target project.

4. In the confirmation dialog box, click OK.

Delete a project

1. Log on to the MaxCompute console and select a region in the upper-left corner.

2. In the left-side navigation pane, choose Workspace > Project Management.

3. In the project list on the Project Management page, click Operation Delete in the column of the target project.

4. In the Delete Project dialog box, select a deletion type and click OK.

Tag management

MaxCompute allows you to add or remove tags for projects. For more information about how to use tags and the limits on tags, see What are tags.

1. Log on to the MaxCompute console and select a region in the upper-left corner.

2. In the left-side navigation pane, choose Workspace > Project Management.

3. Create tags.

   • Add a tag for a project.

     1. Hover over the Tags Attach Edit icon in the column of the target project and click /.

     2. In the Edit Tag dialog box, enter a Tag Key and a Tag Value.

     3. Click OK, and then click Close in the Tag Edited Successfully dialog box.

   • Add tags for multiple projects at a time.

     1. Select the projects for which you want to add tags and click Batch Tag at the bottom of the page.

     2. In the Edit Tag dialog box, enter a Tag Key and a Tag Value.

     3. Click OK, and then click Close in the Tag Edited Successfully dialog box.

4. Tag Filtering.

   After you add tags for projects, you can filter projects based on tag keys and values from the Tag Filtering drop-down list.

5. (Optional) Remove tags.

   • Remove a tag from a project.

     1. Hover over the Tags Edit icon in the column of the target project and click .

     2. In the Edit Tag dialog box, click the icon next to the tag that you want to remove.

     3. Click OK, and then click Close in the Tag Edited Successfully dialog box.

   • Remove tags from multiple projects at a time.

     1. Select the projects from which you want to remove tags and click Batch Remove Tags at the bottom of the page.

     2. In the Batch Remove Tags dialog box, select the check boxes to the left of the tags that you want to remove.

     3. Click Remove X Tags (where x is the number of tags to be removed), and then click Close in the Tag Edited Successfully dialog box.