Manage user permissions in the MaxCompute console

MaxCompute allows you to grant MaxCompute permissions to RAM users and RAM roles in the MaxCompute console by using roles. This topic describes how to grant different types of permissions and provides policy examples.

Grant project-level management permissions

MaxCompute project-level management permissions include the permissions related to project security configurations, project-level user and role permission management, package management, label-based access control, and clearance of expired permissions. For more information, see Permissions on project management.

Procedure

Log on to the MaxCompute console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Workspace > Projects.
On the Projects page, find the desired project and click Manage in the Actions column.
On the Project Settings page, click the Role Permissions tab. On the Role Permissions tab, create an administrator role or modify the permissions of an existing administrator role based on your business requirements.
Note
By default, only an Alibaba Cloud account has permissions to manage roles in a project. If you want to use a RAM user or RAM role to manage roles in a project, you must grant the RAM user or RAM role the permissions to manage the project.
- Create an administrator role
  1. On the Project Settings page, click the Role Permissions tab.
  2. On the Role Permissions tab, click Create Project-level Role.
  3. In the Create Role dialog box, configure Role Name, select Admin from the Role Type drop-down list, select Policy for Authorization Method, and then enter a policy document in the Policy-based Access Control field.
  4. Click OK.
- Modify the permissions of an existing administrator role
  1. On the Project Settings page, click the Role Permissions tab.
  2. On the Role Permissions tab of the Project Settings page, find the desired role and click Edit Role in the Actions column. In the Edit Role dialog box, modify the policy document for the role.
  3. Click OK.
For more information about the items that you can specify in the Action and Resource elements, see Permissions on project management. This topic provides examples of policy-based access control based on management modules.
Find the desired role and click Manage Members in the Actions column. In the Manage Members dialog box, you can view the users to which this role is assigned, assign the role to a user, or revoke the role permissions from a user.

Policy examples

Note

In most cases, the management permissions of a module involve various operations and permissions on resources. In the following sample code, an asterisk (*) is used as a wildcard to grant permissions to a group of objects at a time.
For more information about the items that you can specify in the Action and Resource elements, see Permissions on project management.
You must replace project_name in the following sample code with the name of the MaxCompute project on which you want to grant permissions.

Example 1: Policy that allows you to manage roles in a project

{
  "Statement": [
    {
      "Action": [
        "odps:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:projects/project_name/authorization/roles",
        "acs:odps:*:projects/project_name/authorization/roles/*/*"
      ]
    }
  ],
  "Version": "1"
}

Example 2: Policy that allows you to manage packages in a project
```
{
  "Statement": [
    {
      "Action": [
        "odps:*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:odps:*:projects/project_name/authorization/packages",
        "acs:odps:*:projects/project_name/authorization/packages/*",
        "acs:odps:*:projects/project_name/authorization/packages/*/*/*"
      ]
    }
  ],
  "Version": "1"
}
```
Note
The List permission on a project is required for package management in the MaxCompute console. Therefore, if a user wants to manage the packages in a project, the user must be granted the List permission on the project. For more information about how to grant permissions in the MaxCompute console, see Grant project-level operation permissions on objects. For more information about how to grant permissions by using commands, see Manage user permissions by using commands.

Example 3: Policy that allows you to modify the security configurations of a project

{
  "Statement":[
    {
      "Action":[
        "odps:*"
      ],
      "Effect":"Allow",
      "Resource":[
        "acs:odps:*:projects/project_name/authorization/configurations/*"
      ]
    }
  ],
  "Version":"1"
}

Example 4: Policy that allows you to manage users in a project

{
  "Statement":[
    {
      "Action":[
        "odps:*"
      ],
      "Effect":"Allow",
      "Resource":[
        "acs:odps:*:projects/project_name/authorization/users"
      ]
    }
  ],
  "Version":"1"
}

Example 5: Policy that allows you to perform all management operations on a project

{
  "Statement":[
    {
      "Action":[
        "odps:*"
      ],
      "Effect":"Allow",
      "Resource":[
        "acs:odps:*:projects/project_name/authorization/*"
      ]
    }
  ],
  "Version":"1"
}

Grant project-level operation permissions on objects

Project-level operation permissions on objects include the operation permissions, such as CreateTable, CreateInstance, and SelectTable, on projects, tables, functions, and resources and the objects in projects. For more information, see Permissions on projects and objects in projects.

Procedure

Log on to the MaxCompute console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Workspace > Projects.
On the Projects page, find the desired project and click Manage in the Actions column.
On the Role Permissions tab of the Project Settings page, create a resource role or modify the permissions of an existing resource role based on your business requirements.
Note
By default, only an Alibaba Cloud account has permissions to manage roles in a project. If you want to use a RAM user or RAM role to manage roles in a project, you must grant the RAM user or RAM role the permissions to manage the project.
- Create a resource role
  1. On the Project Settings page, click the Role Permissions tab.
  2. On the Role Permissions tab, click Create Project-level Role.
  3. In the Create Role dialog box, configure Role Name, select Resource from the Role Type drop-down list, and then select ACL or Policy for Authorization Method. If you select Policy for Authorization Method, enter a policy document in the Policy-based Access Control field.
  4. Click OK.
- Modify the permissions of an existing resource role
  1. On the Project Settings page, click the Role Permissions tab.
  2. On the Role Permissions tab of the Project Settings page, find the desired role and click Edit Role in the Actions column. In the Edit Role dialog box, modify the settings for ACL-based access control or policy-based access control.
  3. Click OK.
For more information about the permissions, see Permissions on projects and objects in projects. This topic provides examples on how to configure ACL-based access control and policy-based access control in the MaxCompute console. For more information, see Grant project-level management permissions.
Find the desired role and click Manage Members in the Actions column. In the Manage Members dialog box, you can view the users to which this role is assigned, assign the role to a user, or revoke the role permissions from a user.

Examples

Note

For more information about the actions and objects of project-level operation permissions, see Permissions on projects and objects in projects.
You must replace project_name in the following sample code with the name of the MaxCompute project on which you want to grant permissions.

Example 1: Use the ACL-based access control method to grant a resource role the CreateTable, CreateInstance, and List permissions on a project and the Describe and Select permissions on all tables in the project.
- Grant the role the CreateTable, CreateInstance, and List permissions on the project. The List permission is used to view all objects in the project.
- Grant the role the Describe and Select permissions on all tables in the project. The Describe permission is used to read the metadata of tables, and the Select permission is used to read the data in tables.
Note
Do not close the progress bar or the Edit Role dialog box after you click OK. Otherwise, the authorization may be terminated.

Example 2: Use policy-based access control to grant a resource role the CreateTable, CreateInstance, and List permissions on a project and the Describe and Select permissions on all tables in the project.

{
    "Statement": [{
            "Action": ["odps:CreateTable","odps:CreateInstance","odps:List"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name"]},
        {
            "Action": ["odps:Describe","odps:Select"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/tables/*"]}],
    "Version": "1"}

Example 3: Use policy-based access control to grant a resource role the Describe and Select permissions on all tables whose names start with tmp in a project, the permissions to read and update all resources and functions, and the permissions to prohibit the deletion of all tables.

{
    "Statement": [{
            "Action": ["odps:Describe","odps:Select"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/tables/tmp_*"]},
        {
            "Action": ["odps:Read","odps:Write"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/resources/*"]},
            {
            "Action": ["odps:Read","odps:Write"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/functions/*"]},
            {
            "Action": ["odps:Drop"],
            "Effect": "Deny",
            "Resource": ["acs:odps:*:projects/project_name/tables/*"]}],
    "Version": "1"}

If data storage by schema is enabled for a project, you must modify the policy based on the following sample code. For more information about data storage by schema, see Schema-related operations.

{
    "Statement": [{
            "Action": ["odps:Describe","odps:Select"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/schemas/*/tables/tmp_*"]},
        {
            "Action": ["odps:Read","odps:Write"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/schemas/*/resources/*"]},
            {
            "Action": ["odps:Read","odps:Write"],
            "Effect": "Allow",
            "Resource": ["acs:odps:*:projects/project_name/schemas/*/functions/*"]},
            {
            "Action": ["odps:Drop"],
            "Effect": "Deny",
            "Resource": ["acs:odps:*:projects/project_name/schemas/*/tables/*"]}],
    "Version": "1"}

Grant tenant-level management permissions

Tenant-level management permissions refer to the management of tenant-level user and role permissions. Tenant-level management permissions include the permissions to add or remove tenants, add or remove tenant-level roles, view tenant-level users and roles and their permissions, assign tenant-level roles to users, revoke tenant-level roles from users, add tenant-level roles to projects, and remove tenant-level roles from projects.

Note

Only Alibaba Cloud accounts or RAM users that are assigned the tenant-level Super_Administrator or Admin role can be used to perform access control based on tenant-level roles.

If you want to grant management permissions to a RAM user or RAM role, you must use an Alibaba Cloud account to assign the Super_Administrator or Admin role to the RAM user or RAM role. The tenant-level Super_Administrator and Admin roles have multiple management permissions. Proceed with caution. For more information about the permissions, see Role planning. For more information about tenant-level roles, see Perform access control based on tenant-level roles.

Log on to the MaxCompute console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Tenants > Users.
On the Users page, find the desired user and click Modify Role in the Actions column. Then, in the Edit Role dialog box, select a required role from the Available Roles section to assign the role to the user.

Grant tenant-level operation permissions on objects

Tenant-level operation permissions on objects include the operation permissions on the tenant-level objects, such as quotas and network connections. For example, you can grant the Usage permission to use quotas or the CreateNetworkLink permission to create a network connection. Tenant-level operation permissions on objects allow you to manage multiple projects by using one account. This facilitates permission management. For more information about tenant-level roles, see Perform access control based on tenant-level roles.

Procedure

Log on to the MaxCompute console. In the top navigation bar, select a region.
In the left-side navigation pane, choose Tenants > Roles.

On the Roles page, create a tenant-level role or manage the permissions of an existing custom role.

Note

Only Alibaba Cloud accounts or RAM users that are assigned the tenant-level Super_Administrator or Admin role can be used to perform access control based on tenant-level roles.

Add a tenant-level role

On the Roles page, click Add Role.

In the Add Role dialog box, configure the parameters. The following table describes the parameters.

Parameter	Description

Parameter	Description
Role Name	The name of the role that you want to add. The name must be unique within your Alibaba Cloud account. The name must start with a letter and can contain only letters, underscores (_), and digits. The name must be 6 to 64 characters in length.
Policy Content	The policy that you want to attach to the role. You can write code for the policy based on the policy template that is provided.

Click OK.

Modify the permissions of an existing tenant-level role
1. On the Roles page, find the desired role and click Manage Permissions in the Actions column. In the Edit Role dialog box, modify the policy document.
2. Click OK.

On the Users page, find the desired user and click Modify Role in the Actions column. Then, in the Edit Role dialog box, select a required role from the Available Roles section to assign the role to the user.

Policy examples

Note

In the following sample code, an asterisk (*) is used as a wildcard to grant permissions to a group of objects at a time.
For more information about the items that you can specify in the Action and Resource elements, see Permissions on objects in a tenant.

Example 1: Grant a tenant-level role the Usage permission on all quotas in all regions and the CreateNetworkLink, List, and Execute permissions on all network connections.

{
    "Statement":[
      {
            "Action":[
                "odps:Usage"
            ],
            "Effect":"Allow",
            "Resource":[
                "acs:odps:*:regions/*/quotas/*"
            ]
      },
      {
            "Action":[
                "odps:CreateNetworkLink",
                "odps:List",
                "odps:Execute"
            ],
            "Effect":"Allow",
            "Resource":[
                "acs:odps:*:networklinks/*"
            ]
      }
    ],
    "Version":"1"
}

Example 2: Grant a tenant-level role all operation permissions on MaxCompute projects project_1 and project_2.
```
{
    "Statement":[
        {
            "Action":[
                "odps:*"
            ],
            "Effect":"Allow",
            "Resource":[
                "acs:odps:*:projects/project_1",
                "acs:odps:*:projects/project_1/*",
                "acs:odps:*:projects/project_2",
                "acs:odps:*:projects/project_2/*"
            ]
        }
    ],
    "Version":"1"
}
```
Note
After you use a tenant-level role to grant permissions to specific objects in a project, you must add the tenant-level role to the project for the permissions to take effect. Only the project owner or a user that is assigned the Super_Administrator or Admin role of the project can add tenant-level roles to the project. To make a tenant-level role take effect, you must perform the following operations: On the Role Permissions tab of the Project Settings page, select Tenant from the Role Level drop-down list, find the desired role, and then click Enable in the Actions column.

Grant project-level management permissions

Procedure

Policy examples

Grant project-level operation permissions on objects

Procedure

Examples

Grant tenant-level management permissions

Grant tenant-level operation permissions on objects

Procedure

Policy examples

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)