MaxCompute lets you grant permissions to RAM accounts, such as RAM users and RAM roles, using roles in the MaxCompute console. This topic describes how to grant different types of permissions and provides policy examples.
Grant project-level management permissions
MaxCompute project-level management permissions include the ability to configure project security, manage project-level users and role permissions, manage packages, use label-based access control, and clean up expired permissions. For more information, see List of project management permissions.
Procedure
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left-side navigation pane, choose .
- On the Projects page, find the target project and click Manage in the Actions column.
- On the Project Settings page, select the Role Permissions tab.
  On the Role Permissions tab, you can create an Admin role or modify the permissions of an existing Admin role.
  Note: By default, only an Alibaba Cloud account has the permission to manage roles for a project. To grant permissions using a RAM account, such as a RAM user or a RAM role, the account must have the required project management permissions.
  - Create an Admin role
    - Click Create Project-level Role to create a project-level role with MaxCompute permissions.
    - In the Create Role dialog box, configure the role information as prompted and click OK.
      Set Role Type to Admin, and then enter an authorization policy.
  - Modify the permissions of an existing Admin role
    On the Role Permissions tab, find the target role and click Modify Authorization in the Actions column. After you modify the policy, click Confirm to save the changes.
    For more information about the values for Action and Resource, see List of project management permissions. For more information about the authorization syntax, see Policy overview. This topic provides policy examples organized by management module.
- Find the target project-level role and click Manage Members in the Actions column. In the Manage Members dialog box, you can view the members assigned to the role, assign the role to users, or remove users from the role, which revokes it.
Policy examples
- The management permissions for a module often involve multiple actions and resource permissions. Therefore, the examples use a wildcard (*) to grant permissions on multiple objects at once.
- For more information about the values for Action and Resource, see List of project management permissions.
- For more information about the authorization syntax, see Policy overview.
- Replace project_name in the examples with the name of your MaxCompute project.
Role management
The following policy grants permissions to manage roles.
{
"Statement": [
{
"Action": [
"odps:*"
],
"Effect": "Allow",
"Resource": [
"acs:odps:*:projects/project_name/authorization/roles",
"acs:odps:*:projects/project_name/authorization/roles/*/*"
]
}
],
"Version": "1"
}
Package management
The following policy grants permissions to manage packages.
{
"Statement": [
{
"Action": [
"odps:*"
],
"Effect": "Allow",
"Resource": [
"acs:odps:*:projects/project_name/authorization/packages",
"acs:odps:*:projects/project_name/authorization/packages/*",
"acs:odps:*:projects/project_name/authorization/packages/*/*/*"
]
}
],
"Version": "1"
}
To manage packages in the console, you need the list permission on the project. Therefore, you must first grant the list permission on the current project to the user. For information about how to grant permissions in the console, see Grant project-level operation permissions on objects. For information about how to grant permissions by using commands, see Manage user permissions by using commands.
Project security
The following policy grants permissions to modify project security configurations.
{
"Statement":[
{
"Action":[
"odps:*"
],
"Effect":"Allow",
"Resource":[
"acs:odps:*:projects/project_name/authorization/configurations/*"
]
}
],
"Version":"1"
}
User management
The following policy grants permissions to manage project users.
{
"Statement":[
{
"Action":[
"odps:*"
],
"Effect":"Allow",
"Resource":[
"acs:odps:*:projects/project_name/authorization/users"
]
}
],
"Version":"1"
}
All management permissions
The following policy grants all management permissions.
{
"Statement":[
{
"Action":[
"odps:*"
],
"Effect":"Allow",
"Resource":[
"acs:odps:*:projects/project_name/authorization/*"
]
}
],
"Version":"1"
}
Grant project-level operation permissions on objects
Project-level operation permissions apply to objects within a project, such as tables, functions, and resources. Examples of these permissions include CreateTable, CreateInstance, and SelectTable. For more information, see List of permissions for projects and objects within projects.
Procedure
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left-side navigation pane, choose .
- On the Projects page, find the target project and click Manage in the Actions column.
- On the Project Settings page, select the Role Permissions tab.
  You can create a Resource role or edit an existing Resource role.
  Note: By default, only an Alibaba Cloud account has the permission to manage roles for a project. To grant permissions using a RAM account, such as a RAM user or a RAM role, the account must have the required project management permissions.
  - Create a Resource role
    - Click Create Project-level Role to create a project-level role with MaxCompute permissions.
    - In the Create Role dialog box, configure the role information as prompted and click OK.
      Set Role Type to Resource. Then, grant permissions by using an ACL or a policy.
  - Modify the permissions of an existing Resource role
    - On the Role Permissions tab, find the target role and click Modify Authorization in the Actions column. Then, modify the permissions by using the ACL or by editing the policy.
    - For more information about permissions, see List of permissions for projects and objects within projects. For more information about the authorization syntax, see Policy overview. This topic provides examples of how to grant permissions by using ACLs and policies in the console. For more details, see Grant project-level management permissions.
- Find the target project-level role and click Manage Members in the Actions column. In the Manage Members dialog box, you can view the members assigned to the role, assign the role to users, or remove users from the role, which revokes it.
Authorization examples
- For more information about the actions and objects for project-level object operation permissions, see List of permissions for projects and objects within projects.
- For more information about the authorization syntax, see Policy overview.
- Replace project_name in the examples with the name of your MaxCompute project.
ACL
You can use an ACL to grant a Resource role permissions to create tables (CreateTable) and instances (CreateInstance), list all object types in the project (List), and read metadata (Describe) and data (Select) from all tables.
Do not close the progress bar or the page while the authorization is in progress. Otherwise, the authorization will be interrupted.
Policy
- This policy grants a Resource role the permissions to create a table (CreateTable) and an instance (CreateInstance), view a list of all object types in the project (List), read the metadata of all tables (Describe), and read data from all tables (Select).
  {
    "Statement": [
      {
        "Action": ["odps:CreateTable", "odps:CreateInstance", "odps:List"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name"]
      },
      {
        "Action": ["odps:Describe", "odps:Select"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/tables/*"]
      }
    ],
    "Version": "1"
  }
- This policy grants a Resource role the permissions to read the metadata (Describe) and query data (Select) from all tables whose names start with tmp, read and update all resources and functions, and denies the permission to delete any table.
  {
    "Statement": [
      {
        "Action": ["odps:Describe", "odps:Select"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/tables/tmp_*"]
      },
      {
        "Action": ["odps:Read", "odps:Write"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/resources/*"]
      },
      {
        "Action": ["odps:Read", "odps:Write"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/functions/*"]
      },
      {
        "Action": ["odps:Drop"],
        "Effect": "Deny",
        "Resource": ["acs:odps:*:projects/project_name/tables/*"]
      }
    ],
    "Version": "1"
  }
  If data storage by schema is enabled for the project (see Schema operations), you must modify the policy as follows:
  {
    "Statement": [
      {
        "Action": ["odps:Describe", "odps:Select"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/schemas/*/tables/tmp_*"]
      },
      {
        "Action": ["odps:Read", "odps:Write"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/schemas/*/resources/*"]
      },
      {
        "Action": ["odps:Read", "odps:Write"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:projects/project_name/schemas/*/functions/*"]
      },
      {
        "Action": ["odps:Drop"],
        "Effect": "Deny",
        "Resource": ["acs:odps:*:projects/project_name/schemas/*/tables/*"]
      }
    ],
    "Version": "1"
  }
Grant tenant-level management permissions
Tenant-level management permissions involve managing users and roles at the tenant level. This includes adding or removing users, creating or deleting roles, viewing users and roles, assigning or revoking roles for users, and adding roles to or removing them from projects.
Only an Alibaba Cloud account or a user with the tenant-level Super_Administrator or Admin role can manage tenant-level permissions.
To grant management permissions to a RAM account, such as a RAM user or a RAM role, you must use an Alibaba Cloud account to assign the Super_Administrator or Admin role to it. The tenant-level Super_Administrator and Admin roles provide extensive management permissions. For details about the permissions, see Role planning. Use caution when you assign these roles. For more information about tenant-level roles, see Grant tenant-level role permissions.
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left-side navigation pane, choose .
- On the Tenants page, click the Users tab.
- On the Users tab, find the target RAM user and click Modify Role in the Actions column.
  In the Edit Role dialog box that appears, select the roles to assign to the current user from the Available Roles section, move them to the Added Roles section, and click OK.
Grant tenant-level object operation permissions
Tenant-level object operation permissions include permissions to operate on tenant-level objects, such as a quota or a network connection. Examples of these permissions include Usage and CreateNetworkLink. These permissions also allow a single account to manage objects across multiple projects, which simplifies permission management. For more information about tenant-level roles, see Grant tenant-level role permissions.
Procedure
- Log on to the MaxCompute console and select a region in the upper-left corner.
- In the left-side navigation pane, choose .
- On the Tenants page, click the Roles tab.
- On the Roles tab, you can create a new tenant-level role or manage the permissions of an existing custom role.
  Note: Only an Alibaba Cloud account or a user with the tenant-level Super_Administrator or Admin role can manage tenant-level permissions.
  - Add a tenant-level role
    On the Roles tab, click Add Role. In the Add Role dialog box that appears, enter a custom Role Name and the Policy Content, and then click OK.
    Role name: The name of the new tenant-level role. It must be unique within your Alibaba Cloud account, 6 to 64 characters long, start with a letter, and contain only letters, digits, and underscores (_).
    Policy content: The permission policy for the role. You can edit the policy code based on a template.
  - Modify the permissions of an existing tenant-level role
    On the Roles tab, find the target role and click Manage Permissions in the Actions column. Modify the authorization policy and click OK to save your changes.
- On the Users tab, find the user you want to authorize and click Modify Role in the Actions column.
  In the Edit Role dialog box that appears, select the roles to assign to the current user from the Available Roles section, move them to the Added Roles section, and click OK.
Policy examples
- The examples use a wildcard (*) to grant permissions on multiple objects at once.
- For more information about specific actions and resources, see List of permissions on objects in a tenant.
- For more information about the authorization syntax, see Policy overview.
- This policy grants a tenant-level role the Usage permission on all quotas in all regions, and the CreateNetworkLink, List, and Execute permissions on all network connections.
  {
    "Statement": [
      {
        "Action": ["odps:Usage"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:regions/*/quotas/*"]
      },
      {
        "Action": ["odps:CreateNetworkLink", "odps:List", "odps:Execute"],
        "Effect": "Allow",
        "Resource": ["acs:odps:*:networklinks/*"]
      }
    ],
    "Version": "1"
  }
- This policy grants a tenant-level role all operation permissions on the MaxCompute projects project_1 and project_2.
  {
    "Statement": [
      {
        "Action": ["odps:*"],
        "Effect": "Allow",
        "Resource": [
          "acs:odps:*:projects/project_1",
          "acs:odps:*:projects/project_1/*",
          "acs:odps:*:projects/project_2",
          "acs:odps:*:projects/project_2/*"
        ]
      }
    ],
    "Version": "1"
  }
  Note: Only the project owner or a user with the project Super_Administrator or Admin role can perform this action. After you grant permissions on a project object by using a tenant-level role, you must add that role to the project for the permissions to take effect. On the Role Permissions tab, set Role Level to Tenant. Then, find the target role and click Enable in the Actions column.
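The policies above (the project-level management examples, the object-operation examples with their schema-enabled variant, and the tenant-level examples) share one evaluation model: each request is an action on one resource string, `*` in a pattern stands for any run of characters, and an explicit Deny overrides any Allow. The script below is an added, offline evaluator for checking a policy before you paste it into the console; it is not MaxCompute or Alibaba Cloud code. It assumes that evaluation order, and the project name `demo_proj`, the region `cn-hangzhou`, and the table names are constructed for the example.

```python
"""Offline evaluator for the RAM policy documents shown on this page.

Added illustration, not Alibaba Cloud or MaxCompute code. Assumptions:
an explicit Deny wins over any Allow; with no matching statement the
request is denied; '*' in Action and Resource matches any run of
characters, including '/'. Project, region and table names are constructed.
"""
import json
import re


def wildcard_match(pattern: str, value: str) -> bool:
    """True if value matches pattern, where each '*' stands for any characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'NoMatch' for one action on one resource."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        hits_action = any(wildcard_match(a, action) for a in stmt["Action"])
        hits_resource = any(wildcard_match(r, resource) for r in stmt["Resource"])
        if not (hits_action and hits_resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny is final, whatever else matched
        decision = "Allow"
    return decision


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    return evaluate(policy, action, resource) == "Allow"


# The page's tmp_* object-operation policy, with project_name set to demo_proj.
TMP_TABLES_POLICY = json.loads("""
{ "Statement": [
  { "Action": ["odps:Describe", "odps:Select"], "Effect": "Allow",
    "Resource": ["acs:odps:*:projects/demo_proj/tables/tmp_*"] },
  { "Action": ["odps:Read", "odps:Write"], "Effect": "Allow",
    "Resource": ["acs:odps:*:projects/demo_proj/resources/*"] },
  { "Action": ["odps:Read", "odps:Write"], "Effect": "Allow",
    "Resource": ["acs:odps:*:projects/demo_proj/functions/*"] },
  { "Action": ["odps:Drop"], "Effect": "Deny",
    "Resource": ["acs:odps:*:projects/demo_proj/tables/*"] }
], "Version": "1" }
""")

# Schema-enabled variant: every object path gains a schemas/<schema>/ segment,
# so each resource pattern must carry it too (derived mechanically here).
SCHEMA_POLICY = json.loads(
    json.dumps(TMP_TABLES_POLICY).replace(
        "projects/demo_proj/", "projects/demo_proj/schemas/*/"))

# Constructed variant: a broad Allow next to the Deny, to show that Deny wins.
BROAD_WITH_DENY = {
    "Statement": [
        {"Action": ["odps:*"], "Effect": "Allow",
         "Resource": ["acs:odps:*:projects/demo_proj/tables/*"]},
        {"Action": ["odps:Drop"], "Effect": "Deny",
         "Resource": ["acs:odps:*:projects/demo_proj/tables/*"]},
    ],
    "Version": "1",
}

# Tenant-level example from the page: the project itself and the objects
# under it are different resource strings, hence the two entries.
TENANT_POLICY = {
    "Statement": [
        {"Action": ["odps:*"], "Effect": "Allow",
         "Resource": ["acs:odps:*:projects/project_1",
                      "acs:odps:*:projects/project_1/*"]}
    ],
    "Version": "1",
}

TABLE = "acs:odps:cn-hangzhou:projects/demo_proj/tables/"
SCHEMA_TABLE = "acs:odps:cn-hangzhou:projects/demo_proj/schemas/default/tables/"

if __name__ == "__main__":
    checks = [
        (TMP_TABLES_POLICY, "odps:Select", TABLE + "tmp_orders"),        # Allow
        (TMP_TABLES_POLICY, "odps:Select", TABLE + "orders"),            # NoMatch
        (TMP_TABLES_POLICY, "odps:Drop", TABLE + "tmp_orders"),          # Deny
        (TMP_TABLES_POLICY, "odps:Select", SCHEMA_TABLE + "tmp_orders"), # NoMatch
        (SCHEMA_POLICY, "odps:Select", SCHEMA_TABLE + "tmp_orders"),     # Allow
        (BROAD_WITH_DENY, "odps:Drop", TABLE + "orders"),                # Deny
        (TENANT_POLICY, "odps:Select",
         "acs:odps:cn-hangzhou:projects/project_2/tables/t"),            # NoMatch
    ]
    for policy, action, resource in checks:
        print(f"{evaluate(policy, action, resource):8} {action:14} {resource}")
```

Two of the checks are the ones worth running before you grant anything: the un-modified `tables/tmp_*` policy silently matches nothing once the project stores tables under a schema, and a single `projects/project_1` entry never covers `projects/project_1/tables/t`, which is why the page lists both the project and `projects/project_1/*`.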