Users and permissions

This topic describes the users and permissions related to MaxCompute.

Users and roles are closely related to permissions. A role is a collection of permissions.

You can add a user to a MaxCompute project and authorize the user to perform specific operations on specific objects. For more information about user management, see User planning and management. For more information about authorization operations, see MaxCompute permissions.
You can quickly assign roles that are defined in MaxCompute to users based on the operation scope of the users. For more information about authorization operations, see Assign a role to a user.
You can also create a role based on your business requirements and assign the role to users after you grant the role permissions. For more information about how to create a role, see Role planning.
For more information about how to view the permissions of a user or role, see View permissions.

Users and roles supported by MaxCompute

The following table describes the users and roles supported by MaxCompute.

Category	Item	Description

Category	Item	Description
User	Alibaba Cloud account	An account that is created on the Alibaba Cloud official website.
	RAM user	A user that you can create by using an Alibaba Cloud account. RAM users are used to assist Alibaba Cloud accounts in data processing.
	RAM role	A RAM role is a virtual Resource Access Management (RAM) identity that you can create within your Alibaba Cloud account. A RAM role does not have a specific logon password or AccessKey pair. A RAM role can be used only after the RAM role is assumed by a trusted entity.
Role	Super_Administrator	A built-in management role of MaxCompute and the super administrator of a project. A user that is assigned the Super_Administrator role has operation permissions on all resources in the project and administrator permissions. The project owner or users that are assigned the Super_Administrator role can assign the Super_Administrator role to other users.
	Admin	A built-in management role of MaxCompute. A user that is assigned the Admin role has operation permissions and some basic administrator permissions. The project owner can assign the Admin role to other users.
	Custom role	A non-built-in role of MaxCompute. This role needs to be customized. You can define roles based on the roles whose names start with Role_ in DataWorks.

Only the owner of a project and the roles that are described in the preceding table have all operation permissions on the project. Only the owner of a project has the permissions to access objects in the project. Other users cannot access the objects in the project unless they are granted the required permissions by the project owner.

Note

DataWorks also has roles. For more information about the roles in DataWorks and MaxCompute, see Permission relationships between MaxCompute and DataWorks. If you want to add or grant permissions to users in the DataWorks console, you can perform the operations by following the instructions that are provided in Add a workspace member and configure roles.

Operations and related roles

The following table describes the operations that Alibaba Cloud accounts and RAM users or RAM roles can perform by using different tools or on different platforms. The following table also describes the required roles.

Operation Type	Operation	Supported tool or platform	Alibaba Cloud account	Role of Alibaba Cloud account	RAM user or RAM role	RAM user or RAM role in a MaxCompute project	Requirement

Operation Type	Operation	Supported tool or platform	Alibaba Cloud account	Role of Alibaba Cloud account	RAM user or RAM role	RAM user or RAM role in a MaxCompute project	Requirement
Activation of the MaxCompute service and resource purchase	Activate, purchase, renew, upgrade, and downgrade the MaxCompute service and top up your account	MaxCompute console (new version) MaxCompute buy page	Supported. By default, only the Alibaba Cloud account has permissions to manage the MaxCompute service.	N/A	Supported	N/A.	If you use a RAM user, use your Alibaba Cloud account to attach the AliyunDataWorksFullAccession and liyunBSSOrderAccess system policies to the RAM user. If you use a RAM role, use your Alibaba Cloud account to attach the AliyunDataWorksFullAccession and AliyunBSSOrderAccess system policies to the RAM role.
Project management	Create and delete a project	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	N/A.	If you use a RAM user, attach the CreateProject and DeleteProject policies to the RAM user.
	Access data across projects	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted cross-project access permissions.	Use your Alibaba Cloud account to complete authorization.
	Modify the default calculation quota for a project	MaxCompute console (new version)	Supported.	Project owner	Supported	N/A.	If you use a RAM user, attach the UpdateProjectDefaultQuota policy to the RAM user.
	Configure an IP address whitelist	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: Super_Administrator and custom roles that are granted security configuration permissions across multiple projects. For more information, see Project security configuration permissions.	Use your Alibaba Cloud account to complete authorization.
	Scan a full table	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute role: Super_Administrator.	Use your Alibaba Cloud account to complete authorization.
	Protect project data	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute role: Super_Administrator.	Use your Alibaba Cloud account to complete authorization.
	Change the project status	MaxCompute console (new version)	Supported.	Project owner	Supported	N/A.	If you use a RAM user, attach the UpdateProjectStatus policy to the RAM user.
	Add, authorize, and manage project members	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: Super_Administrator and custom roles that are granted project management permissions across projects. For more information, see Permissions on project management.	Use your Alibaba Cloud account to complete authorization.
Quota management	Modify a level-1 or level-2 quota	MaxCompute console (new version)	Supported.	N/A	Supported	N/A.	If you use a RAM user, attach the UpdateQuota policy to the RAM user.
	Create a level-2 custom quota	MaxCompute console (new version)	Supported.	N/A	Supported	N/A.	If you use a RAM user, attach the UpdateSubQuotas policy to the RAM user.
	Create, modify, and delete a quota plan	MaxCompute console (new version)	Supported.	N/A	Supported	N/A.	If you use a RAM user, attach the CreateQuotaPlan, UpdateQuotaPlan, and DeleteQuotaPlan policies to the RAM user.
	Create and modify a time plan	MaxCompute console (new version)	Supported.	N/A	Supported	N/A.	If you use a RAM user, attach the createQuotaSchedule and UpdateQuotaSchedule policies to the RAM user.
Job O&M	View, perform O&M on, and monitor jobs	MaxCompute Management	Supported.	Project owner	Supported	MaxCompute role: Super_Administrator.	If you use a RAM user, use your Alibaba Cloud account to assign the Super_Administrator role to the RAM user.
Code development	JAVA UDF	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to develop Java user-defined functions (UDFs).	N/A.
Code development	Python UDF	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to develop Python UDFs.	N/A.
Data management	View the table list	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view a list of tables.	N/A.
	Create a table	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create tables.	N/A.
	Update tables	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to update tables.	N/A.
	Drop a table	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to drop tables.	N/A.
	Grant access to a single table by configuring an access control list (ACL)	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles.	N/A.
	Preview metadata	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view metadata.	N/A.
	Preview a table cross projects	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view tables cross projects.	Use an Alibaba Cloud account to complete authorization.
Resource management	View the resource list	MaxCompute console (new version) MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view resources.	N/A.
	Create and delete resources	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create and delete resources.	N/A.
	Upload resources	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to upload resources.	N/A.
Function development	View the function list and details	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to view functions.	N/A.
Function development	Create and delete functions	MaxCompute client MaxCompute Studio	Supported.	Project owner	Supported	MaxCompute roles: MaxCompute built-in roles and custom roles that are granted the permissions to create and delete functions.	N/A.

Users and roles supported by MaxCompute

Operations and related roles

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)