This topic explains how to create a project and manage members for two common use cases.
Use case 1: Create a full-featured ETL project
Requirements
-
The project must support collaborative development for multiple users.
-
Member responsibilities must be clearly defined.
-
The project must follow a standard development, debugging, and publishing workflow. Access to data in the production environment must be strictly controlled.
Analysis
-
MaxCompute projects inherently support collaborative development.
-
MaxCompute supports built-in and custom roles, which allow you to grant different permissions to different users. DataWorks also provides various roles to manage user permissions.
-
You can use DataWorks to create MaxCompute projects with isolated Development and Production environments. This practice supports the development, debugging, and publishing workflow while ensuring data isolation.
Procedure
-
Create development and production projects.
When you create a project, set Mode to Standard Mode so that the workspace gets separate development and production projects. For more information about how to create a project, see Create a MaxCompute project.
-
Add project members.
Create RAM users and add them as project members. Assign roles such as Development and O&M.
-
For more information about how to create a RAM user, see Prepare a RAM user.
-
For more information about how to add project members and assign roles, see Grant permissions to other users.
-
Develop and debug tasks.
Members with the Development role can develop and debug tasks in the Data Analytics module of DataWorks. To use a table from the production project, they can apply for permissions in the Data Governance module of DataWorks.
The Data Analytics module of DataWorks supports collaborative development. All members of the project can view task code, and members with edit permissions can modify it. This means that highly sensitive code cannot be kept completely confidential. If your business requires strict confidentiality for certain tasks and data, consider developing them in a separate project with a dedicated and limited set of members.
-
Publish tasks to the production environment.
After members with the Development role debug and package a task, members with the O&M role can review the code and publish the task to the production environment. This process ensures that tasks cannot be published to the production environment without approval.
Tasks in the production environment access MaxCompute using the Project Owner identity. As a result, a table created by a production task is owned by the Project Owner, not by the member who developed the task, and that member has no permission to view it unless the permission is granted.
-
Test production tasks as a Development role member.
After a task is published to the production environment, a member with the Development role should run a test of the production task in the Operation Center. Even if the task completes successfully, check the run log to verify that it executed correctly and produced the expected result table. Typically, you verify the result by querying the table from the development interface. By default, you do not have permission to read tables generated in the production environment; apply for this permission in the Data Governance module of DataWorks.
Because the same account is the Project Owner of both the development and production projects, a task that reads a production table and writes to a development table would succeed in production and copy production data into the development environment, bypassing the permission requests described above. Do not allow such tasks to be published.
Use case 2: Create a query and download project
Requirements
-
The business use case is simple, member roles are mostly the same, and business requirements are not expected to change.
-
Members only need to query and download business data for analysis.
Analysis
-
This project is not used for data development. The data to be analyzed resides in other projects. Because projects that belong to different Alibaba Cloud accounts are isolated from each other, the Project Owner of this project must be the same account as the Project Owner of the production project used for data development.
-
The main purpose of the project is to query and download data. Each member needs to use their own permissions for these actions. You must set the project's Default Access Identity to Task Owner.
-
After you set Default Access Identity to Task Owner, you must grant the corresponding MaxCompute role permissions to each project member. Because each member should be able to operate only on the tables they create, the default role that DataWorks assigns (which grants access to all tables in the project) must be replaced with a custom role that grants only the privileges needed to create objects.
Procedure
-
Create a project.
When you create a project, set Mode to Basic Mode. For more information about how to create a project, see Create a MaxCompute project.
-
Create a MaxCompute custom role and grant permissions.
Run the following commands with your Alibaba Cloud account in the MaxCompute client.
-- Create a custom role.
CREATE ROLE custom_dev;
-- Grant the create privileges to the custom role. Note that it grants no access to existing tables.
GRANT List, CreateInstance, CreateTable, CreateFunction, CreateResource ON PROJECT prj_name TO ROLE custom_dev;
-
Set the ObjectCreatorHasAccessPermission property for the MaxCompute project.
Run the following command with your Alibaba Cloud account in the MaxCompute client to set this property.
-- Allow the creator of an object to access it. This property is true by default.
SET ObjectCreatorHasAccessPermission=true;
-- Run the following command to verify the current setting.
SHOW SecurityConfiguration;
-
Add project members.
Create RAM users and add them as project members.
-
For more information about how to create a RAM user, see Prepare a RAM user.
-
For more information about how to add project members, see Grant permissions to other users.
For example, if you add a member with the Development role, this member is granted the role_project_dev role in the corresponding MaxCompute project. You can run the following command to view the member's roles:
show grants for ram$<AlibabaCloudAccount>:<RAMUsername>;
Sample output:
odps@ xxx>show grants for ram$wl xxx;
[roles]
role_project_dev
Authorization Type: Policy
[role/role_project_dev]
A projects/xxx: *
A projects/xxx/instances/*: *
A projects/xxx/jobs/*: *
A projects/xxx/offlinemodels/*: *
A projects/xxx/packages/*: *
A projects/xxx/registration/functions/*: *
A projects/xxx/resources/*: *
A projects/xxx/tables/*: *
A projects/xxx/volumes/*: *
Note that role_project_dev grants all actions (*) on all tables, resources, and functions in the project. A member who holds it can read every table in the project, not only the ones they create, which is why the next step replaces it with the custom role.
-
Modify member permissions.
Run the following commands with your Alibaba Cloud account in the MaxCompute client to modify member permissions.
-- Revoke the default role from the member.
REVOKE role_project_dev FROM ram$<AlibabaCloudAccount>:<RAMUsername>;
-- Grant the custom role to the member.
GRANT custom_dev TO ram$<AlibabaCloudAccount>:<RAMUsername>;
If you re-assign the Development role to this member in DataWorks, the role_project_dev role is granted again and the member regains access to all tables in the project. Check the member's roles with show grants and repeat the revoke after any role change.
After this configuration, each member can only view the tables (objects) they create. However, they can still view tasks created by other members.
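Because re-assigning a DataWorks role silently re-grants role_project_dev, the revoke step above needs to be repeated whenever membership changes. The following script is an added example, not code from the original documentation or from MaxCompute itself: it parses the output of show grants for each member (in the format shown above), flags any member who holds a role with a wildcard grant on projects/<prj>/tables/*, and prints the REVOKE/GRANT statements that restore the intended state. The project name prj_query, the member names, and the custom role name custom_dev are assumptions, and the sample outputs are constructed rather than captured.

```python
"""Audit `show grants` output for members of a query/download project.

Added example, not part of the original documentation or of MaxCompute.
It parses the `show grants for ram$<account>:<user>;` output format shown
on this page and flags members who (still) hold a role granting `*` on
projects/<prj>/tables/*, such as the DataWorks default role_project_dev,
because that role defeats per-creator table isolation. Project name, member
names and the custom role `custom_dev` are assumptions; samples are constructed.
"""
import re
from typing import Dict, List, Set

# Constructed sample outputs (not captured from a real project). alice was
# re-assigned the Development role in DataWorks, so role_project_dev came back
# next to custom_dev; bob holds only custom_dev; carol was never migrated.
SAMPLE_GRANTS: Dict[str, str] = {
    "ram$1234567890:alice": """\
[roles]
role_project_dev, custom_dev
Authorization Type: Policy
[role/role_project_dev]
A projects/prj_query: *
A projects/prj_query/tables/*: *
[role/custom_dev]
A projects/prj_query: List, CreateInstance, CreateTable, CreateFunction, CreateResource
""",
    "ram$1234567890:bob": """\
[roles]
custom_dev
Authorization Type: Policy
[role/custom_dev]
A projects/prj_query: List, CreateInstance, CreateTable, CreateFunction, CreateResource
""",
    "ram$1234567890:carol": """\
[roles]
role_project_dev
Authorization Type: Policy
[role/role_project_dev]
A projects/prj_query: *
A projects/prj_query/tables/*: *
""",
}

# A policy line granting every action on every table of the project.
TABLE_WILDCARD = re.compile(r"^A\s+projects/[^/\s]+/tables/\*\s*:\s*\*$")
ROLE_HEADER = re.compile(r"^\[role/([^\]]+)\]$")


def parse_roles(grants_text: str) -> List[str]:
    """Role names listed under the `[roles]` header, in output order."""
    lines = [ln.strip() for ln in grants_text.splitlines()]
    for i, ln in enumerate(lines):
        if ln == "[roles]" and i + 1 < len(lines):
            # Assumption: roles are on the next line, comma- or space-separated.
            return [r for r in re.split(r"[,\s]+", lines[i + 1]) if r]
    return []


def parse_role_policies(grants_text: str) -> Dict[str, List[str]]:
    """Map each `[role/<name>]` block to its `A <resource>: <actions>` lines."""
    policies: Dict[str, List[str]] = {}
    current = None
    for raw in grants_text.splitlines():
        ln = raw.strip()
        header = ROLE_HEADER.match(ln)
        if header:
            current = header.group(1)
            policies[current] = []
        elif current is not None and ln.startswith("A "):
            policies[current].append(ln)
    return policies


def roles_with_all_table_access(grants_text: str) -> Set[str]:
    """Roles whose policy contains a wildcard grant on all project tables."""
    return {
        role
        for role, lines in parse_role_policies(grants_text).items()
        if any(TABLE_WILDCARD.match(ln) for ln in lines)
    }


def audit(grants_by_member: Dict[str, str]) -> Dict[str, List[str]]:
    """Members that break per-creator isolation -> sorted roles to revoke."""
    findings: Dict[str, List[str]] = {}
    for member, text in grants_by_member.items():
        offending = sorted(roles_with_all_table_access(text))
        if offending:
            findings[member] = offending
    return findings


def remediation_sql(member: str, grants_text: str,
                    custom_role: str = "custom_dev") -> List[str]:
    """Statements that restore one member: revoke every wildcard-table role,
    then grant the custom role if the member does not already hold it."""
    stmts = [f"REVOKE {r} FROM {member};"
             for r in sorted(roles_with_all_table_access(grants_text))]
    if custom_role not in parse_roles(grants_text):
        stmts.append(f"GRANT {custom_role} TO {member};")
    return stmts


if __name__ == "__main__":
    for member, roles in audit(SAMPLE_GRANTS).items():
        print(f"{member}: holds {', '.join(roles)}")
        for stmt in remediation_sql(member, SAMPLE_GRANTS[member]):
            print("  ", stmt)
```

In practice you would feed the script the real output of show grants for each project member (for example collected with the MaxCompute client) and run the emitted statements with the Alibaba Cloud account, since only the project owner or an admin can revoke and grant roles. The check is deliberately on the policy lines rather than on the role name alone, so a renamed or newly added role with the same blanket grant on tables is caught as well.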