
MaxCompute:RAM permissions

Last Updated: Dec 18, 2024

Specific resource management operations of MaxCompute can be performed only in the MaxCompute console. You can perform some of the resource management operations only after the required policies are attached to the RAM user or RAM role that you use. This topic describes the related permissions and policies.

Permissions

Important
  • If a RAM user is allowed ("Effect": "Allow") to perform the ListProjects and GetProject operations, the RAM user can view the list and information of all MaxCompute projects (including the projects to which the RAM user is not added) in the specified region within the Alibaba Cloud account.

  • If a RAM user is explicitly forbidden ("Effect": "Deny") to perform the ListProjects and GetProject operations, the RAM user cannot view the information of any MaxCompute project (including the projects to which the RAM user is added) in the specified region within the Alibaba Cloud account.

  • If no policy is attached to a RAM user to determine whether the RAM user is allowed to perform the ListProjects and GetProject operations, the RAM user can view the list and information of the existing MaxCompute projects in the specified region within the Alibaba Cloud account.

  • You can assign the tenant-level roles of MaxCompute to users to grant the users the permissions to manage network connections and tenant-level users and roles. If "Effect": "Allow" is configured in a RAM policy that is attached to a user, the user passes the authentication for the allowed operations. If no RAM policy is attached to the user, the permissions of the tenant-level role that is assigned to the user take effect. If "Effect": "Deny" is configured in a RAM policy that is attached to the user, the user fails the authentication for the denied operations.

Project management

Category

Action

ARN

ARN example

Description

Project management

odps:ListProjects

acs:odps:{#regionId}:{#accountId}:projects/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/*

View all projects in the specified region within the Alibaba Cloud account.

odps:CreateProject

Create a project.

odps:GetProject

acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1

Obtain information about a project.

odps:DeleteProject

Delete a project.

odps:UpdateProjectStatus

Freeze or restore a project.

odps:UpdateProjectDefaultQuota

Change the default quota of a project.

odps:ListOutboundInternetAddress

View the configuration of the external network.

odps:UpdateOutboundInternetAddress

Update the configuration of the external network.

odps:CreateRole

Create a project-level role.

odps:DeleteRole

Delete a project-level role.

odps:UpdateRole

Update a project-level role.

odps:UpdateUsersToAdmin

Assign the Admin role to a RAM user to set the RAM user as the administrator for a project.

odps:UpdateUsersToSuperAdmin

Assign the Super_Administrator role to a RAM user to set the RAM user as the super administrator for a project.

odps:UpdateUsersToRole

Update users with project-level roles.

odps:ListUsers

acs:odps:{#regionId}:{#accountID}:user/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):user/*

Obtain a list of the users.

odps:GetRoleAcl

acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1

Obtain the ACL-based permissions that are granted to a project-level role.

odps:GetRoleAclOnObject

Obtain ACL-based permissions on an object that are granted to a project-level role.

odps:GetRolePolicy

Obtain the policy that is attached to a project-level role.

odps:ListResources

Obtain resources.

odps:ListRoles

Obtain project-level roles.

odps:CreatePackage

acs:odps:{#regionId}:{#accountId}:package/{#packageName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):package/pkg_1

Create a package.

odps:DeletePackage

Delete a package.

odps:GetPackage

Obtain information about a package.

odps:ListPackages

Obtain information about multiple packages.

odps:UpdatePackage

Update a package.

odps:ListUserPermissionsAsStringByProject

acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1

List the permissions of users in strings by project.

odps:ListUserPermissionsByProject

List the permissions of users in the JSON format by project.

odps:ListUsersInfoByProject

List all users and the role and security information of the users in a project.

odps:ListProjectUsers

List all users in a project.

odps:CreateSchema

acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1

Create a schema.

odps:CheckRamRole

acs:odps:{#regionId}:{#accountId}:ramrole/{#roleName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):ramrole/AliyunMaxComputeEncryptionDefaultRole

Check whether SLR is authorized in the storage encryption feature.

odps:GetAsyncJobResult

acs:odps:{#regionId}:{#accountId}:asyncjob/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):asyncjob/*

Obtain the results returned by asynchronous API calls.

Note

To address API call timeout issues, some APIs and scenarios use asynchronous requests. After the call is initiated, the results are obtained asynchronously through a specific interface, which requires the user to have this permission. A related scenario: retrieving a user list according to project-level roles.

Quota management

Category

Action

ARN

ARN example

Description

Quota management

odps:UpdateQuota

acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} 

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota)

Modify a level-1 quota or a level-2 quota.

odps:UpdateQuotaPlan

Modify a quota plan.

odps:UpdateSubQuotas

Create a level-2 custom quota.

odps:UpdateQuotaSchedule

Modify a time plan.

odps:CreateQuotaPlan

Create a quota plan.

odps:DeleteQuotaPlan

Delete a quota plan.

odps:CreateQuotaSchedule

Create a time plan.

odps:ListQuotaRoutingRules

acs:odps:{#regionId}:{#accountId}:quotas/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/*

View level-2 quota rules.

odps:CreateQuotaRoutingRule

Add a level-2 quota rule.

odps:GetQuotaRoutingRule

acs:odps:{#regionId}:{#accountId}:quotas/{#quotaPath}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1#quota_1_1(Name of a level-1 quota#Name of a level-2 quota; both a name and a nickname are supported)

View a level-2 quota rule.

odps:RemoveQuotaRoutingRule

Remove a level-2 quota rule.

odps:UpdateQuotaRoutingRule

Modify a level-2 quota rule.

odps:CreateQuota

acs:odps:{#regionId}:{#accountId}:quota/{#NickName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota)

Create a quota.

odps:DeleteQuota

Delete a quota.

odps:GetQuota

Obtain information about a quota.

odps:ListQuotas

List quotas.

odps:ListQuotasPlans

List quota plans.

odps:GetQuotaPlan

Obtain information about a quota plan.

odps:GetQuotaSchedule

Obtain information about a time-specific quota plan.

Notebook management

Category

Action

ARN

ARN example

Description

Notebook management

odps:CreateNotebookTemplate

acs:odps:{#regionId}:{#accountId}:notebooktemplate/{#notebookTemplatesId}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebooktemplate/notebookid

Create a Notebook instance template.

odps:ListNotebookTemplates

List Notebook instance templates.

odps:GetNotebookTemplate

Obtain details about a Notebook instance template.

odps:UpdateNotebookTemplate

Update a Notebook instance template.

odps:DeleteNotebookTemplate

Delete a Notebook instance template.

odps:CreateNotebookStorage

acs:odps:{#regionId}:{#accountId}:notebookstorage/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookstorage/*

Create a data storage to attach to a Notebook instance.

odps:ListNotebookStorage

View the data storage that is attached to a Notebook instance.

odps:CreateNotebookInstance

acs:odps:{#regionId}:{#accountId}:notebookinstance/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookinstance/*

Create a Notebook instance.

odps:ListNotebookInstances

List Notebook instances.

odps:GetNotebookInstance

acs:odps:{#regionId}:{#accountId}:notebookinstance/{#notebookInstanceId}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookinstance/*

Obtain details about a Notebook instance.

odps:StartNotebookInstance

Start a Notebook instance.

odps:StopNotebookInstance

Stop a Notebook instance.

odps:UpdateNotebookInstance

Update a Notebook instance.

odps:DeleteNotebookInstance

Delete a Notebook instance.

Resource observation

Category

Action

ARN

ARN example

Description

Resource observation

odps:GetMetric

acs:odps:{#regionId}:{#accountId}:metric/{#category}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):metric/storage

Obtain monitoring curves for objects such as open storage, external table caching, job observation, and storage trends.

Resource observation (computing resources)

odps:GetQuotaUsage

acs:odps:{#regionId}:{#accountId}:quotas/{#nickname}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota)

Obtain the usage details of computing resources or data transmission resources.

Resource observation (storage resources)

odps:GetStorageSizeSummary

acs:odps:{#regionId}:{#accountId}:storage/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/*

Obtain the aggregate data on the sizes of storage resources that are used on the current day.

odps:GetStorageAmountSummary

Obtain the aggregate data on storage resource distribution on the current day.

odps:GetStorageSummaryCompared

Obtain changes on the usage of storage resources.

odps:ListStorageProjectsInfo

Obtain storage details about a project.

odps:SumDailyBillsByItem

acs:odps:{#regionId}:{#accountId}:bills/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/*

Obtain storage fees that are calculated based on the catalog price.

odps:SumStorageMetricsByDate

acs:odps:{#regionId}:{#accountId}:storageMetrics/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/*

Obtain storage usage for every day.

odps:ListStorageTablesInfo

acs:odps:{#regionId}:{#accountId}:storage/{#projectName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj_1

List the storage details about tables.

odps:ListStoragePartitionsInfo

List the storage details of partitions.

Resource observation (data transmission services)

odps:GetTableAccessInfoTopK

acs:odps:{#regionId}:{#accountId}:quotas/{#nickname}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota)

Obtain the top K tables that are most frequently accessed by data transmission resources.

odps:GetTableIpAccessInfoTopK

Obtain the top K source IP addresses that are most frequently used to access data transmission resources.

odps:GetTableAccessInfo

Obtain popularity information of tables that are most frequently accessed by data transmission resources.

odps:ListTableSlotDetail

Obtain data transmission details of data transmission resources.

odps:GetTunnelThroughputSummary

Obtain the total amount of data that is transmitted by using data transmission resources.

Resource observation (job performance)

odps:ListTopJobInfo

acs:odps:{#regionId}:{#accountId}:job/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj_1

List the jobs that consume the largest amount of resources and time.

Job O&M

Category

Action

ARN

ARN example

Description

Job O&M

odps:ListJobInfos

acs:odps:{#regionId}:{#accountId}:job/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/*

List information about all jobs.

odps:ListJobSnapshotInfos

List snapshots of all jobs.

odps:KillJobs

Terminate jobs.

odps:GetJobResourceUsage

Obtain the aggregate resource information about a job.

odps:GetRunningJobs

Obtain the jobs that are running.

odps:GetJobSummaryByPreCompute

Obtain the aggregate data of job status.

odps:GetJobLogView

acs:odps:{#regionId}:{#accountId}:job/{#instanceId}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/20240828****ju4h

Obtain the LogView URL of a job.

odps:GetJobAnalyzeQuotaUsage

Obtain the usage information of computing resources of a job.

odps:GetJobAnalyzeQuotaDistribution

acs:odps:{#regionId}:{#accountId}:job/{#quotaNickname}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/quota_1

Obtain the distribution of the computing resources of a job.

Materialized views

Category

Action

ARN

ARN example

Description

Materialized views

odps:ListGlobalConfig

acs:odps:{#regionId}:{#accountId}:globalconfig/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):globalconfig/*

List switches for global configurations. Only materialized views are supported.

odps:GetGlobalConfig

acs:odps:{#regionId}:{#accountId}:globalconfig/{#configName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):globalconfig/mvrecommendation

Obtain the switch for a single global configuration. Only materialized views are supported.

odps:CloseGlobalConfig

Turn off the switch for a single global configuration. Only materialized views are supported.

odps:UpdateGlobalConfig

Change the status of a single global configuration. Only materialized views are supported.

odps:ListMvRecommendationSupportProjects

acs:odps:{#regionId}:{#accountId}:projects/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/*

List projects for which materialized view recommendation is enabled.

odps:CheckMvRecommendationSupportProjects

Check projects for which materialized view recommendation is enabled.

odps:ListMvRecommendations

List recommended materialized views.

odps:GetMvRecommendation

Obtain information about a recommended materialized view.

odps:AddMvRecommendationSupportProject

acs:odps:{#regionId}:{#accountId}:projects/{#projectName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1

Add a project for which materialized view recommendation is enabled.

odps:RemoveMvRecommendationSupportProject

Remove a project for which materialized view recommendation is enabled.

odps:CreateMaterializedView

Create a materialized view.

odps:GetMaterializedViewStatus

Obtain the creation status of a materialized view.

odps:ListMaterializedViews

List all materialized views that are created.

odps:GetMaterializedView

Obtain information about a materialized view.

odps:UpdateMaterializedView

Update information about a materialized view.

odps:DeleteMaterializedView

Delete a materialized view.

odps:ListProjectMvRecommendations

List the recommended materialized views of a project.

odps:GetProjectMvRecommendation

Obtain information about the recommended materialized views of a project.

odps:ListMvRecommendationsByProject

List recommended materialized views by project.

odps:GetMvRecommendationByProject

Obtain information about recommended materialized views by project.

odps:ListMvRecommendationJobInfo

List job information involved in recommended materialized views.

odps:ListMaterializedViewJobInfo

List job information involved in materialized views.

MaxCompute Migration Assist (MMA)

Category

Action

ARN

ARN example

Description

MMA

odps:ListMmsDataSources

acs:odps:{#regionId}:{#accountId}:mmsdatasource/{#datasourceId}

acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsdatasource/2000029

List data sources.

odps:GetMmsDataSource

Obtain details about a data source.

odps:CreateMmsDataSource

Create a data source.

odps:UpdateMmsDataSource

Update a data source.

odps:DeleteMmsDataSource

Delete a data source.

odps:CreateMmsFetchMetadataJob

Create a task used to update metadata.

odps:ListMmsJobs

List migration plans.

odps:GetMmsJob

Obtain information about a migration plan.

odps:CreateMmsJob

Create a migration plan.

odps:DeleteMmsJob

Delete a migration plan.

odps:StartMmsJob

Start a migration plan.

odps:StopMmsJob

Stop a migration plan.

odps:RetryMmsJob

Retry a migration plan.

odps:ListMmsTasks

List migration tasks.

odps:GetMmsTask

Obtain information about a migration task.

odps:ListMmsTaskLogs

List logs for migration tasks.

odps:GetMmsAsyncTask

Obtain information about an asynchronous task.

odps:UpdateMmsAsyncTask

Update the status of an asynchronous task.

odps:DeleteMmsAsyncTask

Delete an asynchronous task.

odps:ListMmsDbs

List databases in a data source.

odps:GetMmsDb

Obtain information about a specific database in a data source.

odps:ListMmsTables

List tables in a data source.

odps:GetMmsTable

Obtain information about a specific table in a data source.

odps:ListMmsPartitions

List partitions in a data source.

odps:GetMmsPartition

Obtain information about a specific partition in a data source.

odps:ListMmsAgents

acs:odps:{#regionId}:{#accountId}:mmsagent

acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsagent

List agents that are run within an Alibaba Cloud account.

odps:CreateMmsAuthFile

acs:odps:{#regionId}:{#accountId}:mmsauthfile

acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsauthfile

Create an authentication file.

Cost management

Category

Action

ARN

ARN example

Description

Cost analysis

odps:SumBills

acs:odps:{#regionId}:{#accountId}:bills/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/*

View the cost analysis.

odps:SumBillsByDate

odps:SumDailyBillsByItem

odps:SumComputeMetricsByRecord

acs:odps:{#regionId}:{#accountId}:computeMetrics/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/*

View the computing usage analysis.

odps:SumComputeMetricsByUsage

odps:ListComputeMetricsByInstance

odps:ListComputeMetricsBySignature

odps:SumStorageMetricsByDate

acs:odps:{#regionId}:{#accountId}:storageMetrics/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/*

View the storage usage analysis.

odps:SumStorageMetricsByType

odps:ListInstances

acs:odps:*:{#accountId}:instance/*

acs:odps:*:12345(ID of the Alibaba Cloud account):instance/*

List instances.

Cost optimization - optimization plans for reconfiguring subscription computing resources

odps:CreateQuotaHistoryRequestAnalysis

acs:odps:{#regionId}:{#accountId}:quotas/{#NickName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota)

Initiate a request to analyze the usage of the quota group configured for a subscription project.

odps:GetQuotaHistoryRequestAnalysis

Obtain the results of analysis on the usage of the quota group configured for a subscription project.

odps:CreateQuotaScheduleEffectAnalysis

Initiate a request to evaluate the situations of cost optimization conducted on a subscription project.

odps:GetQuotaScheduleEffectAnalysis

Obtain the results of evaluation on the situations of cost optimization conducted on a subscription project.

odps:CreateQuotaScheduleSuggestion

Initiate a request to obtain recommended configurations for cost optimization conducted on a subscription project.

odps:GetQuotaScheduleSuggestion

Obtain the recommended configurations for cost optimization conducted on a subscription project.

Cost optimization - configuration of a subscription quota for a pay-as-you-go project

odps:ListQuotaRecentlyActiveProjects

acs:odps:{#regionId}:{#accountId}:quotas/{#NickName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota)

List pay-as-you-go projects for which cost optimization is performed.

odps:CreateQuotaHistoryRequestAnalysisWithProjects

acs:odps:{#regionId}:{#accountId}:projects/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prjname

Initiate a request to analyze the usage of the quota group configured for a pay-as-you-go project.

odps:GetQuotaHistoryRequestAnalysisWithProjects

Obtain the results of analysis on the usage of the quota group configured for a pay-as-you-go project.

odps:CreateQuotaScheduleEffectAnalysisWithProjects

Initiate a request to evaluate the situations of cost optimization conducted on a pay-as-you-go project.

odps:GetQuotaScheduleEffectAnalysisWithProjects

Obtain the results of evaluation on the situations of cost optimization conducted on a pay-as-you-go project.

odps:CreateQuotaScheduleSuggestionWithProjects

Initiate a request to obtain recommended configurations for cost optimization conducted on a pay-as-you-go project.

odps:GetQuotaScheduleSuggestionWithProjects

Obtain the recommended configurations for cost optimization conducted on a pay-as-you-go project.

Tenant management

Category

Action

ARN

ARN example

Description

Tenant management - tenant properties

odps:GetTenantSetting

acs:odps:{#accountId}:tenant/settings/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/settings/*

Obtain the configurations of a tenant.

odps:UpdateTenantSetting

acs:odps:{#accountId}:tenant/settings/{#key}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/settings/namespaceSchema

Update the configurations of a tenant.

Tenant management - network connections (NetworkLink)

odps:ListNetworkLinks

acs:odps:{#regionId}:{#accountId}:networklink/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/*

View all network connections within a tenant.

odps:CreateNetworkLink

Create a network connection.

odps:GetNetworkLink

acs:odps:{#regionId}:{#accountId}:networklink/{#networkLinkName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(Name of a network connection)

Obtain information about a network connection.

odps:RemoveNetworkLink

Delete a network connection.

Tenant management - image management

odps:ListImage

acs:odps:{#regionId}:{#accountId}:image/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/*

List custom images.

odps:AddImage

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/*

Create a custom image.

odps:GetImage

acs:odps:{#regionId}:{#accountId}:image/{#name}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/image1

Obtain information about a custom image.

odps:RemoveImage

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/{name}

Delete a custom image.

Tenant management - external data sources

odps:ListTenantObjectBindings

acs:odps:{#regionId}:{#accountId}:tenant/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/*

List projects with which tenant resources are associated.

odps:UpdateTenantObjectBindings

Update the project with which a specific tenant resource is associated.

odps:UpdateForeignServer

acs:odps:{#regionId}:{#accountId}:foreignservers/{#foreignServerName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):foreignservers/foreign_1

Update an external data source.

odps:DeleteForeignServer

Delete an external data source.

odps:GetForeignServer

Obtain information about an external data source.

odps:ListForeignServers

acs:odps:{#regionId}:{#accountId}:foreignservers/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):foreignservers/*

List external data sources.

odps:CreateForeignServer

Create an external data source.

Tenant-level user and role management

odps:ListTenantUsers

acs:odps:{#accountId}:tenantUsers/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/*

List tenant-level users.

odps:AddTenantUsers

Add tenant-level users.

odps:RemoveTenantUsers

Delete tenant-level users.

odps:UpdateTenantRolesToUser

Change the tenant-level role of a user.

odps:ListAllTenantRoles

acs:odps:{#accountId}:tenantRoles/*

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/*

List tenant-level roles.

odps:CreateTenantRole

Create a tenant-level role.

odps:UpdateTenantRolePolicy

acs:odps:{#accountId}:tenantRoles/{#roleName}

acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role)

Update the policy that is attached to a tenant-level role.

odps:GetTenantRolePolicy

Obtain the policy that is attached to a tenant-level role.

odps:RemoveTenantRole

Delete a tenant-level role.

Description of the Condition element

The Condition element is used to specify the conditions that are required for a policy to take effect. The Condition element consists of one or more conditions. Each condition consists of condition operators, condition keys, and condition values. For more information about the Condition element, see Condition.

The following tables describe the category of condition operators and the condition key in the Condition element of MaxCompute.

  • Category of condition operators

    Category

    Condition operator

    Boolean

    Bool

  • Condition key

    Condition

    Description

    odps:Encryption

    Specifies whether to encrypt a MaxCompute project when you create the project. Valid values:

    • true: The project is encrypted.

    • false: The project is not encrypted.

    For more information about MaxCompute data encryption, see Storage encryption.

Policies

Resource Access Management (RAM) supports the following types of policies: system policies that are managed by Alibaba Cloud and custom policies that are managed by customers.

  • System policies

    RAM provides the following system policies for MaxCompute:

    • AliyunMaxComputeFullAccess: This policy includes all access permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role. If you attach this policy to a RAM user or a RAM role, the RAM user or the RAM role may have excessive permissions. Proceed with caution.

    • AliyunMaxComputeReadOnlyAccess: This policy includes all List and Get permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role.

  • Custom policies

    You can create custom policies for fine-grained permission management in the RAM console. For more information, see Create custom policies. A RAM policy consists of the Version and Statement elements. The Statement element contains the Effect, Action, Resource, and Condition fields. The Condition field is optional. The values of the Action and Resource fields are obtained from the Action and ARN values in the permission list. For more information, see Permissions. The values of the Condition field are obtained from the condition description. For more information, see Description of the Condition element. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.

    The following sample code provides examples of custom policies.

    • Policy for managing MaxCompute projects

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "odps:ListProjects",
                      "odps:GetProject",
                      "odps:CreateProject",
                      "odps:DeleteProject",
                      "odps:UpdateProjectDefaultQuota",
                      "odps:UpdateProjectStatus",
                      "odps:UpdateUsersToSuperAdmin",
                      "odps:ListOutboundInternetAddress",
                      "odps:UpdateOutboundInternetAddress"
                
                  ],
                  "Resource": "*"
              }
          ]
      }
    • Policy for managing MaxCompute quotas

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "odps:UpdateQuota",
                      "odps:UpdateQuotaPlan",
                      "odps:UpdateSubQuotas",
                      "odps:UpdateQuotaSchedule",
                      "odps:CreateQuotaPlan",
                      "odps:DeleteQuotaPlan",
                      "odps:CreateQuotaSchedule",
                      "odps:ListQuotaRoutingRules",
                      "odps:CreateQuotaRoutingRule",
                      "odps:GetQuotaRoutingRule",
                      "odps:RemoveQuotaRoutingRule",
                      "odps:UpdateQuotaRoutingRule"         
                  ],
                  "Resource": "*"
              }
          ]
      }
      
    • Policy for prohibiting the creation of non-encrypted MaxCompute projects

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Deny",
                  "Action": "odps:CreateProject",
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "odps:Encryption": [
                              "false"
                          ]
                      }
                  }
              }
          ]
      }
    • Policy for viewing resource observation data in MaxCompute

      {
          "Version": "1",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "odps:GetMetric",
                      "odps:GetQuotaUsage",
                      "odps:GetStorageSummaryCompared",
                      "odps:GetStorageSizeSummary",
                      "odps:SumDailyBillsByItem",
                      "odps:SumStorageMetricsByDate",
                      "odps:GetStorageAmountSummary",
                      "odps:ListStorageProjectsInfo",
                      "odps:ListTopJobInfo",
                      "odps:ListStorageTablesInfo",
                      "odps:ListStoragePartitionsInfo",
                      "odps:GetTableAccessInfoTopK",
                      "odps:GetTableIpAccessInfoTopK",
                      "odps:GetTableAccessInfo",
                      "odps:ListTableSlotDetail",
                      "odps:GetTunnelThroughputSummary"
                  ],
                  "Resource": "*"
              }
          ]
      }
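
The precedence rules in the Important notes (Allow, Deny, or no matching policy) and the effect of combining the sample policies can be checked offline with a small evaluator. The following Python code is an added example, not Alibaba Cloud's RAM engine and not code from this documentation. It models only the Bool operator, treats a missing condition key as a non-match (an assumption), and uses the placeholder account 12345, region cn-hangzhou and project prj_1 from the ARN examples.

```python
import json
import re

# Constructed policies for a hypothetical RAM user. Account 12345, region
# cn-hangzhou and project prj_1 are the placeholders from the ARN examples.
POLICIES = [json.loads(doc) for doc in (
    # Least-privilege variant of the project-management policy: read access
    # to one project, plus permission to create projects.
    """{"Version": "1", "Statement": [
          {"Effect": "Allow",
           "Action": ["odps:GetProject", "odps:GetRolePolicy"],
           "Resource": "acs:odps:cn-hangzhou:12345:projects/prj_1"},
          {"Effect": "Allow",
           "Action": "odps:CreateProject",
           "Resource": "acs:odps:cn-hangzhou:12345:projects/*"}]}""",
    # The sample policy that prohibits creating non-encrypted projects.
    """{"Version": "1", "Statement": [
          {"Effect": "Deny", "Action": "odps:CreateProject", "Resource": "*",
           "Condition": {"Bool": {"odps:Encryption": ["false"]}}}]}""",
)]


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive match where '*' spans any characters and '?' one."""
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value):
            return True
    return False


def _condition_holds(condition, context):
    """Evaluate a Condition block; only the Bool operator is modelled."""
    for operator, keys in condition.items():
        if operator != "Bool":
            raise ValueError(f"operator not modelled: {operator}")
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False  # assumption: an absent key never matches
            wanted = [str(v).lower() for v in _as_list(expected)]
            if str(actual).lower() not in wanted:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'deny', 'allow' or 'unspecified' for one request.

    'unspecified' means no statement matched. For tenant-level operations
    the page says the tenant-level role assigned to the user then decides.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _matches(statement["Action"], action):
                continue
            if not _matches(statement["Resource"], resource):
                continue
            if not _condition_holds(statement.get("Condition", {}), context):
                continue
            if statement["Effect"] == "Deny":
                return "deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "allow" if allowed else "unspecified"


if __name__ == "__main__":
    base = "acs:odps:cn-hangzhou:12345:"
    requests = [  # constructed requests
        ("odps:CreateProject", base + "projects/*", {"odps:Encryption": False}),
        ("odps:CreateProject", base + "projects/*", {"odps:Encryption": True}),
        ("odps:GetProject", base + "projects/prj_1", {}),
        ("odps:GetProject", base + "projects/prj_2", {}),
        ("odps:ListTenantUsers", "acs:odps:12345:tenantUsers/*", {}),
    ]
    for action, resource, ctx in requests:
        print(f"{evaluate(POLICIES, action, resource, ctx):12} {action} {resource}")
```

Running the same requests against a policy whose Resource is "*" shows how far an unscoped Allow reaches compared with the ARN-scoped statements used here.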