This topic describes the users and permissions related to MaxCompute.
Users and roles are closely related to permissions. A role is a collection of permissions.
You can add a user to a MaxCompute project and authorize the user to perform specific operations on specific objects. For more information about user management, see User planning and management. For more information about authorization operations, see MaxCompute permissions.
You can quickly assign roles that are defined in MaxCompute to users based on the operation scope of the users. For more information about authorization operations, see Assign a role to a user.
You can also create a role based on your business requirements and assign the role to users after you grant the role permissions. For more information about how to create a role, see Role planning.
For more information about how to view the permissions of a user or role, see View permissions.
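The workflow described above (add a user, create a custom role, grant the role permissions, assign the role, then view the resulting permissions), shown as an added example that is not taken from the MaxCompute documentation itself. It assumes the statements are run in the MaxCompute client by the project owner; the project name demo_project, the table sale_detail, the role analyst_readonly, and the RAM user RAM$owner@example.com:analyst_01 are constructed placeholders.

```sql
-- Added example: every project, table, role, and user name below is a
-- constructed placeholder. Run as the project owner or as a user that holds
-- a role with project management permissions.

-- 1. Add the RAM user to the project. Membership alone grants no access to
--    objects; permissions come only from the grants that follow.
add user RAM$owner@example.com:analyst_01;

-- 2. Create a custom role instead of handing out a built-in management role.
create role analyst_readonly;

-- 3. Grant the role only what the job function needs:
--    List and CreateInstance on the project (list objects, submit jobs),
--    Describe and Select on a single table (read-only access to that table).
grant List, CreateInstance on project demo_project to role analyst_readonly;
grant Describe, Select on table sale_detail to role analyst_readonly;

-- 4. Assign the role to the user.
grant analyst_readonly to RAM$owner@example.com:analyst_01;

-- 5. Verify the effective permissions before handing the account over.
--    The role should show only the four actions granted above, and the user
--    should show no grants beyond those inherited from the role.
describe role analyst_readonly;
show grants for RAM$owner@example.com:analyst_01;

-- 6. Offboarding: revoke the role first, then remove the user from the project.
revoke analyst_readonly from RAM$owner@example.com:analyst_01;
remove user RAM$owner@example.com:analyst_01;
```

Reviewing the output of step 5 on a schedule is a practical way to catch users who have accumulated direct grants or built-in management roles outside the custom-role model.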
Users and roles supported by MaxCompute
The following table describes the users and roles supported by MaxCompute.
Category | Item | Description |
User | Alibaba Cloud account | An account that is created on the Alibaba Cloud official website. |
User | RAM user | A user that you can create by using an Alibaba Cloud account. RAM users are used to assist Alibaba Cloud accounts in data processing. |
User | RAM role | A RAM role is a virtual Resource Access Management (RAM) identity that you can create within your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after the RAM role is assumed by a trusted entity. |
Role | Super_Administrator | A built-in management role of MaxCompute and the super administrator of a project. A user that is assigned the Super_Administrator role has operation permissions on all resources in the project and administrator permissions. The project owner or users that are assigned the Super_Administrator role can assign the Super_Administrator role to other users. |
Role | Admin | A built-in management role of MaxCompute. A user that is assigned the Admin role has operation permissions and some basic administrator permissions. The project owner can assign the Admin role to other users. |
Role | Custom role | A non-built-in role of MaxCompute. This role needs to be customized. You can define roles based on the roles whose names start with Role_ in DataWorks. |
Only the owner of a project and the roles that are described in the preceding table have all operation permissions on the project. Only the owner of a project has the permissions to access objects in the project. Other users cannot access the objects in the project unless they are granted the required permissions by the project owner.
DataWorks also has roles. For more information about the roles in DataWorks and MaxCompute, see Permission relationships between MaxCompute and DataWorks. If you want to add or grant permissions to users in the DataWorks console, you can perform the operations by following the instructions that are provided in Add a workspace member and configure roles.
Operations and related roles
The following table describes the operations that Alibaba Cloud accounts and RAM users or RAM roles can perform by using different tools or on different platforms. The following table also describes the required roles.
Operation Type | Operation | Supported tool or platform | Alibaba Cloud account | Role of Alibaba Cloud account | RAM user or RAM role | RAM user or RAM role in a MaxCompute project | Requirement |
Activation of the MaxCompute service and resource purchase | Activate, purchase, renew, upgrade, and downgrade the MaxCompute service and top up your account |  | Supported. By default, only the Alibaba Cloud account has permissions to manage the MaxCompute service. | N/A | Supported | N/A. |  |
Project management | Create and delete a project |  | Supported. | Project owner | Supported | N/A. | If you use a RAM user, attach the CreateProject and DeleteProject policies to the RAM user. |
Project management | Access data across projects |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted cross-project access permissions. | Use your Alibaba Cloud account to complete authorization. |
Project management | Modify the default calculation quota for a project | MaxCompute console (new version) | Supported. | Project owner | Supported | N/A. | If you use a RAM user, attach the UpdateProjectDefaultQuota policy to the RAM user. |
Project management | Configure an IP address whitelist |  | Supported. | Project owner | Supported | MaxCompute roles: Super_Administrator and custom roles that are granted security configuration permissions across multiple projects. For more information, see Project security configuration permissions. | Use your Alibaba Cloud account to complete authorization. |
Project management | Scan a full table |  | Supported. | Project owner | Supported | MaxCompute role: Super_Administrator. | Use your Alibaba Cloud account to complete authorization. |
Project management | Protect project data |  | Supported. | Project owner | Supported | MaxCompute role: Super_Administrator. | Use your Alibaba Cloud account to complete authorization. |
Project management | Change the project status | MaxCompute console (new version) | Supported. | Project owner | Supported | N/A. | If you use a RAM user, attach the UpdateProjectStatus policy to the RAM user. |
Project management | Add, authorize, and manage project members |  | Supported. | Project owner | Supported | MaxCompute roles: Super_Administrator and custom roles that are granted project management permissions across projects. For more information, see Permissions on project management. | Use your Alibaba Cloud account to complete authorization. |
Quota management | Modify a level-1 or level-2 quota | MaxCompute console (new version) | Supported. | N/A | Supported | N/A. | If you use a RAM user, attach the UpdateQuota policy to the RAM user. |
Quota management | Create a level-2 custom quota | MaxCompute console (new version) | Supported. | N/A | Supported | N/A. | If you use a RAM user, attach the UpdateSubQuotas policy to the RAM user. |
Quota management | Create, modify, and delete a quota plan | MaxCompute console (new version) | Supported. | N/A | Supported | N/A. | If you use a RAM user, attach the CreateQuotaPlan, UpdateQuotaPlan, and DeleteQuotaPlan policies to the RAM user. |
Quota management | Create and modify a time plan | MaxCompute console (new version) | Supported. | N/A | Supported | N/A. | If you use a RAM user, attach the createQuotaSchedule and UpdateQuotaSchedule policies to the RAM user. |
Job O&M | View, perform O&M on, and monitor jobs | MaxCompute Management | Supported. | Project owner | Supported | MaxCompute role: Super_Administrator. | If you use a RAM user, use your Alibaba Cloud account to assign the Super_Administrator role to the RAM user. |
Code development | JAVA UDF |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to develop Java user-defined functions (UDFs). | N/A. |
Code development | Python UDF |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to develop Python UDFs. | N/A. |
Data management | View the table list |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view a list of tables. | N/A. |
Data management | Create a table |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create tables. | N/A. |
Data management | Update tables |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to update tables. | N/A. |
Data management | Drop a table |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to drop tables. | N/A. |
Data management | Grant access to a single table by configuring an access control list (ACL) |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles. | N/A. |
Data management | Preview metadata |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view metadata. | N/A. |
Data management | Preview a table cross projects |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view tables cross projects. | Use an Alibaba Cloud account to complete authorization. |
Resource management | View the resource list |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view resources. | N/A. |
Resource management | Create and delete resources |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create and delete resources. | N/A. |
Resource management | Upload resources |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to upload resources. | N/A. |
Function development | View the function list and details |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view functions. | N/A. |
Function development | Create and delete functions |  | Supported. | Project owner | Supported | MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create and delete functions. | N/A. |