RAM permissions and policies for MaxCompute-MaxCompute(MaxCompute)-阿里云帮助中心

Some MaxCompute resource management operations can only be performed in the management console. Resource Access Management (RAM) controls who can run these operations. This topic lists all console operations integrated with RAM, their ARN formats, access levels, and example access policies.

Permissions

Important

The following rules apply to ListProjects and GetProject:

Allow ("Effect": "Allow"): The RAM user can view all MaxCompute projects and their details in the specified region under the Alibaba Cloud account, including projects the user has not joined.
Deny ("Effect": "Deny"): The RAM user cannot view any MaxCompute project in the specified region, including projects the user has joined.
No policy defined: The RAM user can view only the projects they have joined and their details in the specified region. Permissions for managing network connectivity and tenant-level users and roles can also be granted through MaxCompute tenant-level role authorization. If a RAM policy is configured with Allow, authentication succeeds. If no RAM policy is defined, the tenant-level role permissions take effect. If a RAM policy is configured with Deny, authentication fails.

The Access level column classifies each action as List, Read, Write, or Permissions management. Use this to identify read-only versus write actions when applying least-privilege policies.

Overview page — number of jobs

Category	Action	Access level	ARN	ARN example	Description
Overview page — number of jobs	`odps:GetJobCount`	Read	`acs:odps:{#regionId}:{#accountId}:job/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/*`	View the number of jobs in a specific status.

SQL analysis

Category	Action	Access level	ARN	ARN example	Description
SQL analysis	`odps:GetTableInfo`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	Get table information.
	`odps:GetFunctionInfo`	Read			Get function information.
	`odps:ListTablePartitions`	List			Get table partition information.
	`odps:PreviewTable`	Read			Preview table data.

Project management

Category	Action	Access level	ARN	ARN example	Description
Project management	`odps:ListProjects`	List	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	View all projects in the specified region within the Alibaba Cloud account.
	`odps:CreateProject`	Write			Create a project.
	`odps:GetProject`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	Get information about a project.
	`odps:DeleteProject`	Write			Delete a project.
	`odps:UpdateProjectStatus`	Write			Freeze or restore a project.
	`odps:UpdateProjectDefaultQuota`	Write			Change the default quota of a project.
	`odps:ListOutboundInternetAddress`	List			View the external network configuration.
	`odps:UpdateOutboundInternetAddress`	Write			Update the external network configuration.
	`odps:CreateRole`	Write			Create a project-level role.
	`odps:DeleteRole`	Write			Delete a project-level role.
	`odps:UpdateRole`	Write			Update a project-level role.
	`odps:UpdateUsersToAdmin`	Permissions management			Set a project administrator (the Admin role).
	`odps:UpdateUsersToSuperAdmin`	Permissions management			Set a project super administrator (the Super_Administrator role).
	`odps:UpdateUsersToRole`	Permissions management			Manage members of a project-level role.
	`odps:ListUsers`	List	`acs:odps:{#regionId}:{#accountID}:user/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):user/*`	Get the list of RAM users.
	`odps:GetRoleAcl`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	Get ACL authorization information for a project-level role.
	`odps:GetRoleAclOnObject`	Read			Get ACL authorization for a role on an object.
	`odps:GetRolePolicy`	Read			Get the policy authorization content for a role.
	`odps:ListResources`	List			Get the list of resources.
	`odps:ListRoles`	List			Get the list of project-level roles.
	`odps:CreatePackage`	Write	`acs:odps:{#regionId}:{#accountId}:package/{#packageName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):package/pkg_1`	Create a package.
	`odps:DeletePackage`	Write			Delete a package.
	`odps:GetPackage`	Read			Get a package.
	`odps:ListPackages`	List			Get packages in batches.
	`odps:UpdatePackage`	Write			Update a package.
	`odps:ListUserPermissionsAsStringByProject`	List	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	List user permissions in STRING format.
	`odps:ListUserPermissionsByProject`	List			List user permissions in JSON format.
	`odps:ListUsersInfoByProject`	List			List all users in a project, including their roles and security information.
	`odps:ListProjectUsers`	List			List all users in a project.
	`odps:CreateSchema`	Write	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	Create a schema.
	`odps:ListSchemas`	List			View the list of schemas.
	`odps:DeleteSchema`	Write			Delete a schema.
	`odps:ListFunctions`	List			View the list of functions.
	`odps:GetTrustedProjects`	Read			View the list of trusted projects.
	`odps:GetAclAuthInfo`	Read			Get ACL authorization information.
	`odps:CheckRamRole`	Read	`acs:odps:{#regionId}:{#accountId}:ramrole/{#roleName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):ramrole/AliyunMaxComputeEncryptionDefaultRole`	Check whether a service-linked role (SLR) is authorized for the data encryption feature.
	`odps:GetAsyncJobResult`	Read	`acs:odps:{#regionId}:{#accountId}:asyncjob/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):asyncjob/*`	Get the result of an asynchronous API call. Required when some APIs return results asynchronously to avoid timeout issues. An example use case is retrieving a user list based on a project-level role.
	`odps:ListTables`	List	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	View the list of tables.
	`odps:ListUsersByRole`	List	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	View role members.

Quota management

Category	Action	Access level	ARN	ARN example	Description
Quota management	`odps:UpdateQuota`	Write	`acs:odps:{#regionId}:{#accountId}:quotas/{#NickName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1(Level-1 quota name)`	Modify a level-1 or level-2 quota.
	`odps:UpdateQuotaPlan`	Write			Modify a quota plan.
	`odps:UpdateSubQuotas`	Write			Create a level-2 custom quota.
	`odps:UpdateQuotaSchedule`	Write			Modify a time plan.
	`odps:CreateQuotaPlan`	Write			Create a quota plan.
	`odps:DeleteQuotaPlan`	Write			Delete a quota plan.
	`odps:CreateQuotaSchedule`	Write			Create a time plan.
	`odps:ListQuotaRoutingRules`	List	`acs:odps:{#regionId}:{#accountId}:quotas/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/*`	View the list of level-2 quota rules.
	`odps:CreateQuotaRoutingRule`	Write			Add a level-2 quota rule.
	`odps:GetQuotaRoutingRule`	Read	`acs:odps:{#regionId}:{#accountId}:quotas/{#quotaPath}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1#quota_1_1(Level-1 quota name#Level-2 quota name. You can use a nickname or a name.)`	View a level-2 quota rule.
	`odps:RemoveQuotaRoutingRule`	Write			Remove a level-2 quota rule.
	`odps:UpdateQuotaRoutingRule`	Write			Modify a level-2 quota rule.
	`odps:CreateQuota`	Write	`acs:odps:{#regionId}:{#accountId}:quota/{#NickName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1(Level-1 quota name)`	Create a quota.
	`odps:DeleteQuota`	Write			Delete a quota.
	`odps:GetQuota`	Read			Get a quota.
	`odps:ListQuotas`	List			Query the list of quotas.
	`odps:ListQuotasPlans`	List			Query the list of quota plans.
	`odps:GetQuotaPlan`	Read			Get a quota plan.
	`odps:GetQuotaSchedule`	Read			Get a time-based quota plan.

Notebook management

Category	Action	Access level	ARN	ARN example	Description
Notebook management	`odps:CreateNotebookTemplate`	Write	`acs:odps:{#regionId}:{#accountId}:notebooktemplate/{#notebookTemplatesId}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):notebooktemplate/notebookid`	Create a Notebook instance template.
	`odps:ListNotebookTemplates`	List			View the list of Notebook instance templates.
	`odps:GetNotebookTemplate`	Read			View the details of a Notebook instance template.
	`odps:UpdateNotebookTemplate`	Write			Update a Notebook instance template.
	`odps:DeleteNotebookTemplate`	Write			Delete a Notebook instance template.
	`odps:CreateNotebookStorage`	Write	`acs:odps:{#regionId}:{#accountId}:notebookstorage/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):notebookstorage/*`	Create and attach storage for a Notebook instance.
	`odps:ListNotebookStorage`	List			View the storage attached to a Notebook instance.
	`odps:CreateNotebookInstance`	Write	`acs:odps:{#regionId}:{#accountId}:notebookinstance/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):notebookinstance/*`	Create a Notebook instance.
	`odps:ListNotebookInstances`	List			View the list of Notebook instances.
	`odps:GetNotebookInstance`	Read	`acs:odps:{#regionId}:{#accountId}:notebookinstance/{#notebookInstanceId}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):notebookinstance/*`	View the details of a Notebook instance.
	`odps:StartNotebookInstance`	Write			Start a Notebook instance.
	`odps:StopNotebookInstance`	Write			Stop a Notebook instance.
	`odps:UpdateNotebookInstance`	Write			Update a Notebook instance.
	`odps:DeleteNotebookInstance`	Write			Delete a Notebook instance.

Resource observation

Category	Action	Access level	ARN	ARN example	Description
Resource observation	`odps:GetMetric`	Read	`acs:odps:{#regionId}:{#accountId}:metric/{#category}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):metric/storage`	View monitoring curves, including open storage, external table cache, job observation, and storage trends.
Resource observation (computing resources)	`odps:GetQuotaUsage`	Read	`acs:odps:{#regionId}:{#accountId}:quotas/{#nickname}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1(Level-1 quota name)`	View the usage details of computing resources or data transmission resources.
	`odps:QueryQuotaMetric`	Read	`acs:odps:{#regionId}:{#accountId}:quota/{#metric}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quota/cpu`	View the resource usage of computing resources.
Resource observation (storage resources)	`odps:GetStorageSizeSummary`	Read	`acs:odps:{#regionId}:{#accountId}:storage/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/*`	Get the summary data of storage usage for the current day.
	`odps:GetStorageAmountSummary`	Read			Get the summary data of storage distribution for the current day.
	`odps:GetStorageSummaryCompared`	Read			Get storage usage change data.
	`odps:ListStorageProjectsInfo`	List			Get project storage details.
	`odps:SumDailyBillsByItem`	Read	`acs:odps:{#regionId}:{#accountId}:bills/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):bills/*`	Get storage costs (list price).
	`odps:SumStorageMetricsByDate`	Read	`acs:odps:{#regionId}:{#accountId}:storageMetrics/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storageMetrics/*`	Get daily storage usage.
	`odps:ListStorageTablesInfo`	List	`acs:odps:{#regionId}:{#accountId}:storage/{#projectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/prj_1`	Get table storage details.
	`odps:ListStoragePartitionsInfo`	List			Get partition storage details.
Resource observation (Data Transmission Service)	`odps:GetTableAccessInfoTopK`	Read	`acs:odps:{#regionId}:{#accountId}:quotas/{#nickname}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1(Level-1 quota name)`	View the top-K tables by access frequency for data transmission resources.
	`odps:GetTableIpAccessInfoTopK`	Read			View the top-K source IP addresses by access frequency for data transmission resources.
	`odps:GetTableAccessInfo`	Read			View the access frequency information of tables for data transmission resources.
	`odps:ListTableSlotDetail`	List			View the data transmission details of data transmission resources.
	`odps:GetTunnelThroughputSummary`	Read			View the data transmission volume summary of data transmission resources.
	`odps:QueryTunnelMetric`	Read	`acs:odps:{#regionId}:{#accountId}:tunnel/{#metric}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tunnel/slot`	View the resource usage of Data Transmission Service.
	`odps:QueryTunnelMetricDetail`	Read		`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quota/request`	View the top-N details of resource usage for Data Transmission Service.
Resource observation (job performance)	`odps:ListTopJobInfo`	List	`acs:odps:{#regionId}:{#accountId}:job/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/prj_1`	Get the top jobs by resource consumption and duration.

Job O&M

Category	Action	Access level	ARN	ARN example	Description
Job O&M	`odps:ListJobInfos`	List	`acs:odps:{#regionId}:{#accountId}:job/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/*`	View the list of job information.
	`odps:ListJobSnapshotInfos`	List			View the list of job snapshots.
	`odps:KillJobs`	Write			Stop jobs.
	`odps:GetJobResourceUsage`	Read			View the summary of job resource information.
	`odps:GetRunningJobs`	List			View the list of running jobs.
	`odps:GetJobSummaryByPreCompute`	Read			View the summary of job statuses.
	`odps:GetJobLogView`	Read	`acs:odps:{#regionId}:{#accountId}:job/{#instanceId}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/20240828****ju4h`	Get the Logview of a job.
	`odps:GetJobAnalyzeQuotaUsage`	Read	`acs:odps:{#regionId}:{#accountId}:job/{#instanceId}`		View the computing resource usage of a job.
	`odps:GetJobAnalyzeQuotaDistribution`	Read	`acs:odps:{#regionId}:{#accountId}:job/{#quotaNickname}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/quota_1`	View the computing resource usage distribution of a job.
Job Insights — similar job analysis	`odps:GetJobInfo`	Read	`acs:odps:{#regionId}:{#accountId}:job/{#instanceId}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/20241103********`	Get information about a single job by its instance ID.
Job Insights — similar job analysis	`odps:ListSimilarJobInfos`	List	`acs:odps:{#regionId}:{#accountId}:job/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/*`	View the list of similar jobs.
Job observation	`odps:ListJobMetric`	List	`acs:odps:{#regionId}:{#accountId}:job/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):job/*`	View job-related metrics.
View complete Logview logs	`odps:GetTaskType`	Read	`acs:odps:{#regionId}:{#accountId}:jobInsight/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):jobInsight/*`	View complete Logview logs
	`odps:GetMatrixByParserTypeAndId`	Read
	`odps:GetErrorMsg`	Read
	`odps:GetSubStatusHistory`	Read
	`odps:GetOperationHistory`	Read
	`odps:SaveLogview`	Write
	`odps:GetFuxiSensor`	Read
	`odps:MessageInfo`	Read
	`odps:GetLogviewNotification`	Read
Console feature gray check	`odps:GetGray`	Read	`acs:odps:{#regionId}:{#accountId}:gray/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):gray/*`	Check the gray release status of console features.

Migration services (MMA)

Category	Action	Access level	ARN	ARN example	Description
Migration services	`odps:ListMmsDataSources`	List	`acs:odps:{#regionId}:{#accountId}:mmsdatasource/{#datasourceId}`	`acs:odps:cn-shanghai:12345(Alibaba Cloud account ID):mmsdatasource/2000029`	View the list of data sources.
	`odps:GetMmsDataSource`	Read			Get the details of a data source.
	`odps:CreateMmsDataSource`	Write			Create a data source.
	`odps:UpdateMmsDataSource`	Write			Update a data source.
	`odps:DeleteMmsDataSource`	Write			Delete a data source.
	`odps:CreateMmsFetchMetadataJob`	Write			Create a metadata update task.
	`odps:ListMmsJobs`	List			Get the list of migration plans.
	`odps:GetMmsJob`	Read			Get a migration plan.
	`odps:CreateMmsJob`	Write			Create a migration plan.
	`odps:DeleteMmsJob`	Write			Delete a migration plan.
	`odps:StartMmsJob`	Write			Start a migration plan.
	`odps:StopMmsJob`	Write			Stop a migration plan.
	`odps:RetryMmsJob`	Write			Retry a migration plan.
	`odps:ListMmsTasks`	List			Get the list of migration tasks.
	`odps:GetMmsTask`	Read			Get a migration task.
	`odps:ListMmsTaskLogs`	List			Get the list of migration task logs.
	`odps:GetMmsAsyncTask`	Read			Get an asynchronous task.
	`odps:UpdateMmsAsyncTask`	Write			Update the status of an asynchronous task.
	`odps:DeleteMmsAsyncTask`	Write			Delete an asynchronous task.
	`odps:ListMmsDbs`	List			Get the list of databases in a data source.
	`odps:GetMmsDb`	Read			Get a database in a data source.
	`odps:ListMmsTables`	List			Get the list of tables in a data source.
	`odps:GetMmsTable`	Read			Get a table in a data source.
	`odps:ListMmsPartitions`	List			Get the list of partitions in a data source.
	`odps:GetMmsPartition`	Read			Get a partition in a data source.
	`odps:ListMmsAgents`	List	`acs:odps:{#regionId}:{#accountId}:mmsagent`	`acs:odps:cn-shanghai:12345(Alibaba Cloud account ID):mmsagent`	Get the list of agents running under the Alibaba Cloud account.
	`odps:CreateMmsAuthFile`	Write	`acs:odps:{#regionId}:{#accountId}:mmsauthfile`	`acs:odps:cn-shanghai:12345(Alibaba Cloud account ID):mmsauthfile`	Create an authentication file.
	`odps:GetMmsProgress`	Read	`acs:odps:{#regionId}:{#accountId}:*`	`acs:odps:cn-shanghai:12345(Alibaba Cloud account ID):*`	View the progress of a migration task.
	`odps:GetMmsSpeed`	Read	`acs:odps:{#regionId}:{#accountId}:*`	`acs:odps:cn-shanghai:12345(Alibaba Cloud account ID):*`	View the speed of a migration task.

Cost management

Category	Action	Access level	ARN	ARN example	Description
Cost analysis	`odps:SumBills`	Read	`acs:odps:{#regionId}:{#accountId}:bills/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):bills/*`	View cost analysis data.
	`odps:SumBillsByDate`	Read			View cost analysis data by date.
	`odps:SumDailyBillsByItem`	Read			View daily cost analysis data by item.
	`odps:SumComputeMetricsByRecord`	Read	`acs:odps:{#regionId}:{#accountId}:computeMetrics/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):computeMetrics/*`	View computing usage analysis.
	`odps:SumComputeMetricsByUsage`	Read			View computing usage analysis by usage type.
	`odps:ListComputeMetricsByInstance`	List			View computing usage analysis by instance.
	`odps:ListComputeMetricsBySignature`	List			View computing usage analysis by signature.
	`odps:SumStorageMetricsByDate`	Read	`acs:odps:{#regionId}:{#accountId}:storageMetrics/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storageMetrics/*`	View storage usage analysis by date.
	`odps:SumStorageMetricsByType`	Read			View storage usage analysis by type.
	`odps:ListInstances`	List	`acs:odps::{#accountId}:instance/`	`acs:odps::12345(Alibaba Cloud account ID):instance/`	List instances.

Disaster recovery management

Category	Action	Access level	ARN	ARN example	Description
Disaster recovery management	`odps:CreateDisasterRecovery`	Write	`acs:odps:{#regionId}:{#accountId}:disasterrecoveries/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):disasterrecoveries/*`	Create a zone-disaster recovery.
	`odps:DeleteCrossRegionReplication`	Write	`acs:odps:{#regionId}:{#accountId}:crossregionreplication/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):crossregionreplication/*`	Delete a cross-region disaster recovery.
	`odps:DeleteDisasterRecovery`	Write	`acs:odps:{#regionId}:{#accountId}:disasterrecoveries/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):disasterrecoveries/*`	Delete a zone-disaster recovery.
	`odps:GetCrossRegionReplication`	Read	`acs:odps:{#regionId}:{#accountId}:crossregionreplication/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):crossregionreplication/*`	Get project-level observation information about cross-region disaster recovery.
	`odps:GetDisasterRecovery`	Read	`acs:odps:{#regionId}:{#accountId}:disasterrecoveries/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):Product/*`	Get project-level observation information about zone-disaster recovery.
	`odps:ListAvailableReplicationRegions`	List	`acs:odps:{#regionId}:{#accountId}:crossregionreplication/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):crossregionreplication/*`	Get available backup regions for cross-region disaster recovery.
	`odps:ListCrossRegionReplications`	List	`acs:odps:{#regionId}:{#accountId}:crossregionreplication/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):crossregionreplication/*`	Get project-level observation information about cross-region disaster recovery in batches.
	`odps:ListDisasterRecoveries`	List	`acs:odps:{#regionId}:{#accountId}:disasterrecoveries/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):disasterrecoveries/*`	Get project-level observation information about zone-disaster recovery in batches.
	`odps:SwitchCrossRegionReplication`	Write	`acs:odps:{#regionId}:{#accountId}:crossregionreplication/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):crossregionreplication/*`	Initiate a cross-region disaster recovery switchover.
	`odps:CreateCrossRegionReplication`	Write	`acs:odps:{#regionId}:{#accountId}:crossregionreplication/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):crossregionreplication/*`	Create a cross-region disaster recovery.

Tenant management

Category	Action	Access level	ARN	ARN example	Description
Tenant management — tenant properties	`odps:GetTenantSetting`	Read	`acs:odps:{#accountId}:tenant/settings/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tenant/settings/*`	View tenant configurations.
	`odps:UpdateTenantSetting`	Write	`acs:odps:{#accountId}:tenant/settings/{#key}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tenant/settings/namespaceSchema`	Modify tenant configurations.
Tenant management — network connectivity (NetworkLink)	`odps:ListNetworkLinks`	List	`acs:odps:{#regionId}:{#accountId}:networklink/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):networkLinks/*`	View all network connections within a tenant.
	`odps:CreateNetworkLink`	Write			Create a network connection.
	`odps:GetNetworkLink`	Read	`acs:odps:{#regionId}:{#accountId}:networklink/{#networkLinkName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):networkLinks/networklink_1(NetworkLink name)`	Get information about a network connection.
	`odps:RemoveNetworkLink`	Write			Delete a network connection.
Tenant management — image management	`odps:ListImage`	List	`acs:odps:{#regionId}:{#accountId}:image/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):image/*`	Query the list of custom images.
	`odps:AddImage`	Write		`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):image/*`	Create a custom image.
	`odps:GetImage`	Read	`acs:odps:{#regionId}:{#accountId}:image/{#name}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):image/image1`	Query information about a custom image.
	`odps:RemoveImage`	Write		`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):image/{name}`	Delete a custom image.
Tenant management — external data sources	`odps:ListTenantObjectBindings`	List	`acs:odps:{#regionId}:{#accountId}:tenant/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tenant/*`	List projects to which tenant-side resources are bound.
	`odps:UpdateTenantObjectBindings`	Write			Update a project to which a tenant-side resource is bound.
	`odps:UpdateForeignServer`	Write	`acs:odps:{#regionId}:{#accountId}:foreignservers/{#foreignServerName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):foreignservers/foreign_1`	Update an external data source.
	`odps:DeleteForeignServer`	Write			Delete an external data source.
	`odps:GetForeignServer`	Read			Get an external data source.
	`odps:ListForeignServers`	List	`acs:odps:{#regionId}:{#accountId}:foreignservers/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):foreignservers/*`	View the list of external data sources.
	`odps:CreateForeignServer`	Write			Create an external data source.
Tenant-level user and role management	`odps:ListTenantUsers`	List	`acs:odps:{#accountId}:tenantUsers/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tenantUsers/*`	View the list of tenant-level users.
	`odps:AddTenantUsers`	Write			Add tenant-level users.
	`odps:RemoveTenantUsers`	Write			Delete tenant-level users.
	`odps:UpdateTenantRolesToUser`	Permissions management			Modify the tenant-level role of a single user.
	`odps:ListAllTenantRoles`	List	`acs:odps{#accountId}}:tenantRoles/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tenantRoles/*`	View the list of tenant-level roles.
	`odps:CreateTenantRole`	Write			Create a tenant-level role.
	`odps:UpdateTenantRolePolicy`	Permissions management	`acs:odps:{#accountId}:tenantRoles/{#roleName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):tenantRoles/tenantrole_1(Tenant-level role name)`	Update the policy authorization of a tenant-level role.
	`odps:GetTenantRolePolicy`	Read			Get the policy authorization of a single tenant-level role.
	`odps:RemoveTenantRole`	Write			Delete a tenant-level role.

Intelligent optimization

Intelligent materialized views — recommendation and management

Category	Action	Access level	ARN	ARN example	Description
Materialized view	`odps:ListGlobalConfig`	List	`acs:odps:{#regionId}:{#accountId}:globalconfig/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):globalconfig/*`	View global configuration switches. Currently, only materialized views are supported.
	`odps:GetGlobalConfig`	Read	`acs:odps:{#regionId}:{#accountId}:globalconfig/{#configName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):globalconfig/mvrecommendation`	Get a global configuration switch. Currently, only materialized views are supported.
	`odps:CloseGlobalConfig`	Write			Close a global configuration switch. Currently, only materialized views are supported.
	`odps:UpdateGlobalConfig`	Write			Modify a global configuration switch. Currently, only materialized views are supported.
	`odps:ListMvRecommendationSupportProjects`	List	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	View the list of projects for which materialized view recommendation is enabled.
	`odps:CheckMvRecommendationSupportProjects`	Read			Check the list of projects for which materialized view recommendation is enabled.
	`odps:ListMvRecommendations`	List			View the list of recommended materialized views.
	`odps:GetMvRecommendation`	Read			View information about a recommended materialized view.
	`odps:AddMvRecommendationSupportProject`	Write	`acs:odps:{#regionId}:{#accountId}:projects/{#projectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	Add a project for which materialized view recommendation is enabled.
	`odps:RemoveMvRecommendationSupportProject`	Write			Remove a project from materialized view recommendation.
	`odps:CreateMaterializedView`	Write			Create a materialized view.
	`odps:GetMaterializedViewStatus`	Read			View the creation status of a materialized view.
	`odps:ListMaterializedViews`	List			View all created materialized views.
	`odps:GetMaterializedView`	Read			View information about a materialized view.
	`odps:UpdateMaterializedView`	Write			Update a materialized view.
	`odps:DeleteMaterializedView`	Write			Delete a materialized view.
	`odps:ListProjectMvRecommendations`	List			View the list of recommended materialized views for a project.
	`odps:GetProjectMvRecommendation`	Read			View information about a recommended materialized view for a project.
	`odps:ListMvRecommendationsByProject`	List			View the list of recommended materialized views for a project.
	`odps:GetMvRecommendationByProject`	Read			View information about a recommended materialized view for a project.
	`odps:ListMvRecommendationJobInfo`	List			View job information related to a recommended materialized view.
	`odps:ListMaterializedViewJobInfo`	List			View job information related to a materialized view.
	`odps:GetMaterializedViewsUtility`	Read	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	Get benefit information of materialized views.
	`odps:GetMaterializedViewsUtilityByProject`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#projectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj`	Get benefit information of materialized views for a specific project.
	`odps:GetMvRecommendationsUtility`	Read	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	Get benefit information of recommended materialized views.
	`odps:GetMvRecommendationsUtilityByProject`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#projectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj`	Get benefit information of recommended materialized views for a specific project.

Intelligent materialized views — automatic materialized views

Category	Action	Access level	ARN	ARN example	Description
Intelligent optimization - intelligent materialized views - automatic materialized views	`odps:GetAutoMvUtility`	Read	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	View the benefits of automatic materialized views.
	`odps:GetAutoMvUtilityByProject`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	View the benefits of automatic materialized views for a specific project.
	`odps:ListAutoMv`	List	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	View the list of automatic materialized views.
	`odps:ListAutoMvByProject`	List	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	View the list of automatic materialized views for a specific project.
	`odps:GetAutoMvUtilityTrend`	Read	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	View the benefit trend chart of automatic materialized views.
	`odps:GetAutoMvUtilityTrendByProject`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	View the benefit trend chart of automatic materialized views for a specific project.
	`odps:GetAutoMvDetail`	Read	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	View the details of automatic materialized views for a specific project.
	`odps:ListAutoMvProjects`	List	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/*`	View the configuration information of automatic materialized views for all projects.
	`odps:UpdateAutoMvProject`	Write	`acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prj_1`	Update the configuration of automatic materialized views for a project.

Computing resource configuration optimization

Category	Action	Access level	ARN	ARN example	Description
Cost optimization — upgrade/downgrade recommendations for subscription computing resources	`odps:CreateQuotaHistoryRequestAnalysis`	Write	`acs:odps:{#regionId}:{#accountId}:quotas/{#NickName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1(Level-1 quota name)`	Initiate a request to analyze quota group usage for cost optimization (subscription).
	`odps:GetQuotaHistoryRequestAnalysis`	Read			Get the result of quota group usage analysis for cost optimization (subscription).
	`odps:CreateQuotaScheduleEffectAnalysis`	Write			Initiate a request to evaluate the current situation for cost optimization (subscription).
	`odps:GetQuotaScheduleEffectAnalysis`	Read			Get the result of the current situation evaluation for cost optimization (subscription).
	`odps:CreateQuotaScheduleSuggestion`	Write			Initiate a request for recommended configurations for cost optimization (subscription).
	`odps:GetQuotaScheduleSuggestion`	Read			Get the result of recommended configurations for cost optimization (subscription).
Cost optimization — upgrading/downgrading a pay-as-you-go project to a subscription quota	`odps:ListQuotaRecentlyActiveProjects`	List	`acs:odps:{#regionId}:{#accountId}:quotas/{#NickName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):quotas/quota_1(Level-1 quota name)`	Get the list of projects for cost optimization (pay-as-you-go).
	`odps:CreateQuotaHistoryRequestAnalysisWithProjects`	Write	`acs:odps:{#regionId}:{#accountId}:projects/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):projects/prjname`	Initiate a request to analyze project and quota group usage for cost optimization (pay-as-you-go).
	`odps:GetQuotaHistoryRequestAnalysisWithProjects`	Read			Get the result of project and quota group usage analysis for cost optimization (pay-as-you-go).
	`odps:CreateQuotaScheduleEffectAnalysisWithProjects`	Write			Initiate a request to evaluate the current situation for cost optimization (pay-as-you-go).
	`odps:GetQuotaScheduleEffectAnalysisWithProjects`	Read			Get the result of the current situation evaluation for cost optimization (pay-as-you-go).
	`odps:CreateQuotaScheduleSuggestionWithProjects`	Write			Initiate a request for recommended configurations for cost optimization (pay-as-you-go).
	`odps:GetQuotaScheduleSuggestionWithProjects`	Read			Get the result of recommended configurations for cost optimization (pay-as-you-go).

Tiered storage configuration optimization

Category	Action	Access level	ARN	ARN example	Description
Cost optimization — storage cost optimization	`odps:GetStorageSuggestion`	Read	`acs:odps:{#regionId}:{#accountId}:storage/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/*`	Get storage cost optimization suggestions.
	`odps:GetStorageSuggestionByProject`	Read	`acs:odps:{#regionId}:{#accountId}:storage/{#projectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/prj`	Get storage cost optimization suggestions for a specific project.
	`odps:GetStorageSuggestionSummary`	Read	`acs:odps:{#regionId}:{#accountId}:storage/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/*`	Get a storage cost optimization summary.
	`odps:GetStorageSuggestionSummaryByProject`	Read	`acs:odps:{#regionId}:{#accountId}:storage/{#projectName}`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/prj`	Get a storage cost optimization summary for a specific project.
	`odps:GetStorageSummaryCompared`	Read	`acs:odps:{#regionId}:{#accountId}:storage/*`	`acs:odps:cn-hangzhou:12345(Alibaba Cloud account ID):storage/*`	Get storage usage comparison data.

Condition element

The Condition element specifies the conditions under which a policy takes effect. A condition clause consists of a condition operator, a condition key, and a condition value. For more information, see Conditions.

MaxCompute supports the following condition operators and condition keys:

Condition operator types

Condition operator type	Supported type
Boolean	Bool

Condition keys

Condition key	Type	Description
`odps:Encryption`	Bool	Restricts whether a MaxCompute project must be encrypted during creation. Valid values: `true` (the project must be encrypted) and `false` (the project is not encrypted). For more information, see Data encryption.

Access policies

RAM supports two types of access policies: system policies managed by Alibaba Cloud and custom policies that you create.

System policies

MaxCompute provides two system policies:

AliyunMaxComputeFullAccess: Grants all permissions listed in this topic. This policy may grant excessive permissions — attach it to RAM users or RAM roles with caution.
AliyunMaxComputeReadOnlyAccess: Grants all List and Get permissions listed in this topic. Attach this policy to RAM users or RAM roles that only need read access.

Custom policies

Create custom policies in the RAM console for fine-grained permission management. For more information, see Create a custom policy.

A RAM policy consists of a Version field and one or more Statement entries. Each statement includes an Effect, one or more Action values, a Resource (Alibaba Cloud Resource Name), and an optional Condition. The Action and Resource values come from the permission tables above. The Condition value comes from the Condition element section. For more information about policy syntax, see Policy structure and syntax.

The following are example custom policies.

Policy for managing MaxCompute project objects

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "odps:ListProjects",
                "odps:GetProject",
                "odps:CreateProject",
                "odps:DeleteProject",
                "odps:UpdateProjectDefaultQuota",
                "odps:UpdateProjectStatus",
                "odps:UpdateUsersToSuperAdmin",
                "odps:ListOutboundInternetAddress",
                "odps:UpdateOutboundInternetAddress"
            ],
            "Resource": "*"
        }
    ]
}

Policy for managing MaxCompute quota objects

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "odps:UpdateQuota",
                "odps:UpdateQuotaPlan",
                "odps:UpdateSubQuotas",
                "odps:UpdateQuotaSchedule",
                "odps:CreateQuotaPlan",
                "odps:DeleteQuotaPlan",
                "odps:CreateQuotaSchedule",
                "odps:ListQuotaRoutingRules",
                "odps:CreateQuotaRoutingRule",
                "odps:GetQuotaRoutingRule",
                "odps:RemoveQuotaRoutingRule",
                "odps:UpdateQuotaRoutingRule"
            ],
            "Resource": "*"
        }
    ]
}

Policy to deny creation of unencrypted MaxCompute projects

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "odps:CreateProject",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "odps:Encryption": [
                        "false"
                    ]
                }
            }
        }
    ]
}

Policy to allow viewing MaxCompute resource observation data

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "odps:GetMetric",
                "odps:GetQuotaUsage",
                "odps:GetStorageSummaryCompared",
                "odps:GetStorageSizeSummary",
                "odps:SumDailyBillsByItem",
                "odps:SumStorageMetricsByDate",
                "odps:GetStorageAmountSummary",
                "odps:ListStorageProjectsInfo",
                "odps:ListTopJobInfo",
                "odps:ListStorageTablesInfo",
                "odps:ListStoragePartitionsInfo",
                "odps:GetTableAccessInfoTopK",
                "odps:GetTableIpAccessInfoTopK",
                "odps:GetTableAccessInfo",
                "odps:ListTableSlotDetail",
                "odps:GetTunnelThroughputSummary"
            ],
            "Resource": "*"
        }
    ]
}