User planning and management

To collaborate in a MaxCompute project, users other than the project owner must be added to the project and granted permissions to work with its tables, resources, functions, or jobs. This topic explains user management in MaxCompute.

Background

After a MaxCompute project is created, only the project owner or users with a MaxCompute built-in role can access it. To allow other users to collaborate, the project owner must add them to the project.

MaxCompute supports the following user types and operations.

Category: account-level
User type: RAM users and RAM roles
Performed by: An Alibaba Cloud account or a user assigned the account-level Super_Administrator role.
Operation entry: MaxCompute console - User Management (for assigning account-level roles)

  • Add a user (account-level): Adds a user and assigns an account-level role.

  • Modify a user (account-level): Modifies a user's account-level role.

  • Remove a user (account-level): Removes a user with an account-level role.

Category: project-level
Performed by: A project owner or a user assigned a MaxCompute built-in role.

  User type: Alibaba Cloud account

  • Add an Alibaba Cloud account (project-level): Adds another Alibaba Cloud account to a MaxCompute project.

  • Remove an Alibaba Cloud account (project-level): Removes an Alibaba Cloud account from the MaxCompute project.

  User type: RAM user

  • Add a RAM user (project-level): Adds a RAM user to the project from its owning Alibaba Cloud account.

  • Remove a RAM user (project-level): Removes a RAM user from the MaxCompute project.

  User type: RAM role

  • Add a RAM role (project-level): Adds a RAM role that is created in the Resource Access Management (RAM) console to the MaxCompute project.

  • Remove a RAM role (project-level): Removes a RAM role from the MaxCompute project.

  View the user list (project-level): Views users in the MaxCompute project.

Usage limits

In the MaxCompute console, adding users is supported only in the following regions: China (Hangzhou), China (Shanghai), China (Beijing), China (Zhangjiakou), and China (Shenzhen).

Add an account-level user

Follow these steps to add a user in the MaxCompute console:

  1. Log in to the MaxCompute console and select a region in the upper-left corner.

  2. In the left-side navigation pane, choose Tenant Management > User management.

  3. On the User management page, click Add Member.

  4. In the Add Member dialog box, select the RAM users or RAM roles from the Account Name to Be Added list, and then in the Set Roles in Batches section, select one or more account-level roles.

  5. Review your settings and click OK.

Modify a user (account-level)

Note

You can only modify a user's account-level role, not their username.

Follow these steps to modify a user in the MaxCompute console:

  1. Log on to the MaxCompute console and select a region in the upper-left corner.

  2. In the left-side navigation pane, choose Tenant Management > User Management.

  3. On the User Management page, select a new role for the target user from the Role drop-down list.

Delete a user (account-level)

To delete a user in the MaxCompute console:

  1. Log on to the MaxCompute console and select a region in the upper-left corner.

  2. In the left-side navigation pane, choose Tenant Management > User Management.

  3. On the User Management page, find the user that you want to remove, and in the Actions column, click Remove.

  4. In the Delete Member dialog box, click OK.

Add an Alibaba Cloud account user (project-level)

To authorize another Alibaba Cloud account, the project owner must first add that account to the project.

  • Syntax

    add user ALIYUN$<account_name>;
  • Parameters

    • account_name (Required: Yes): The name of the Alibaba Cloud account. Example: odps_test_user@aliyun.com.

  • Example

    This example adds the Alibaba Cloud account odps_test_user@aliyun.com to the project test_project_a.

    add user ALIYUN$odps_test_user@aliyun.com;

Remove an Alibaba Cloud account (project-level)

If a user no longer needs to access a MaxCompute project, remove them from the project. Once removed, the user loses all permissions to access resources within that project.

  • Syntax

    remove user ALIYUN$<account_name>;
  • Usage notes

    • Before you remove a user with assigned roles, you must first revoke all their roles. For more information about how to view the roles assigned to a user, see View permission information. For more information about how to revoke roles, see Revoke roles from a user.

    • When a user is removed, their permissions are retained. If the user is added back to the project later, their previous permissions are automatically restored. To permanently clear a user's permissions, see Clear residual permissions of a removed user.

  • Parameters

    • account_name (Required: Yes): The name of the Alibaba Cloud account. For example, odps_test_user@aliyun.com.

      Run the list users; command in the MaxCompute client to get the account information.

  • Examples

    • Example 1: Remove the Alibaba Cloud account odps_test_user@aliyun.com from the test_project_a project. This example assumes that no roles are assigned to the account.

      remove user ALIYUN$odps_test_user@aliyun.com;
    • Example 2: Remove the Alibaba Cloud account odps_test_user@aliyun.com from the test_project_a project. This example assumes the account has the Worker role.

      -- Revoke the role from the user.
      revoke Worker from ALIYUN$odps_test_user@aliyun.com;
      -- Remove the user.
      remove user ALIYUN$odps_test_user@aliyun.com;

Add a RAM user (project-level)

To grant authorization to a RAM user, the project owner must first add the user to the project.

  • Syntax

    add user RAM$[<account_name>:]<display_name>;
  • Limitations

    • You can add only RAM users from your Alibaba Cloud account to a project. To add a RAM user from another Alibaba Cloud account, you must first add the Alibaba Cloud account that owns the RAM user to your project. Then, the owner of that account can sign in to the MaxCompute project and add the RAM user.

    • Before you add a RAM user to a MaxCompute project, verify that the project supports the RAM account system by running the list accountproviders; command. If RAM is not in the command output, run the add accountprovider ram; command to enable the RAM account system for the project.

    • When a user is removed, their permissions are retained. If the user is added back to the project later, their previous permissions are automatically restored. To permanently clear a user's permissions, see Clear residual permissions of a removed user.

  • Usage notes

    MaxCompute uses the RAM account system for identity but ignores the RAM permission system. Therefore, when an Alibaba Cloud account adds its RAM users to a MaxCompute project, MaxCompute does not apply the permissions that are defined for those users in RAM.

  • Parameters

    • account_name (Required: No): The name of the Alibaba Cloud account to which the RAM user belongs. For example, odps_test_user@aliyun.com.

    • display_name (Required: Yes): The display name of the RAM user.

      To obtain the display name, sign in to the RAM console. In the left-side navigation pane, choose Identities > Users. You can find the display name on the Users page.

  • Example

    This example adds the RAM user RAM$odps_test_user@aliyun.com:ram_test to the test_project_a project.

    add user RAM$ram_test;
    -- This statement is equivalent to the following statement:
    add user RAM$odps_test_user@aliyun.com:ram_test;

Remove a RAM user (project-level)

When a RAM user is no longer part of a MaxCompute project, remove the user from the project. Once removed, the user loses all permissions to access any resource within that project.

  • Syntax

    remove user RAM$[<account_name>:]<display_name>;
  • Usage notes

    • You must revoke any assigned roles before removing a RAM user. Otherwise, residual user information remains in the project. The user then appears as p4_xxxxxxxxxxxxxxxxxxxx and cannot be removed. However, this does not affect normal project operations. For more information about how to view the roles assigned to a user, see View permission information. For more information about how to revoke a role, see Revoke a role from a user.

    • When a user is removed, their permissions are retained. If the user is added back to the project later, their previous permissions are automatically restored. To permanently clear a user's permissions, see Clear residual permissions of a removed user.

  • Parameters

    • account_name (Required: No): The name of the Alibaba Cloud account to which the RAM user belongs. For example, odps_test_user@aliyun.com.

    • display_name (Required: Yes): The display name of the RAM user.

      To obtain the display name, sign in to the RAM console. In the left-side navigation pane, choose Identities > Users. You can find the display name on the Users page.

  • Examples

    • Example 1: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test from the test_project_a project. This example assumes the RAM user has no assigned roles.

      remove user RAM$ram_test;
      -- This is equivalent to the following statement.
      remove user RAM$odps_test_user@aliyun.com:ram_test;
    • Example 2: Remove the RAM user RAM$odps_test_user@aliyun.com:ram_test from the test_project_a project. This example assumes the RAM user has the Worker role.

      -- Revoke the role from the user.
      revoke Worker from RAM$odps_test_user@aliyun.com:ram_test;
      -- Remove the user.
      remove user RAM$ram_test;
      -- This is equivalent to the following statement.
      remove user RAM$odps_test_user@aliyun.com:ram_test;
      -- If RAM users are no longer needed, remove the RAM account provider.
      remove accountprovider ram;

Add a RAM role (project-level)

You can create a RAM role and modify its policy in the RAM console, and then add it to a MaxCompute project. RAM users in the project can then assume this role to perform operations.

Unlike the roles described in Role planning, which are specific to a MaxCompute project, a RAM role is a platform-level identity managed in Resource Access Management (RAM). For more information about using RAM roles, see Assume a RAM role.

  • Command format

    add user `RAM$<account_name>:role/<RAM role name>`;
  • Usage notes

    The backticks (`) in the command are required.

  • Parameters

    • account_name (Required: Yes): The Alibaba Cloud account to which the RAM role belongs. Example: odps_test_user@aliyun.com.

    • RAM role name (Required: Yes): The name of the RAM role.

      Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. The RAM role name is displayed on the Roles page.

  • Example

    Add the RAM role ram_role to the test_project_a project:

    add user `RAM$odps_test_user@aliyun.com:role/ram_role`;
  • Related operations

    If you plan to use this role for operations in DataWorks, you must also update its policy to grant permission to access the DataWorks service. This allows DataWorks to submit periodically scheduled jobs to MaxCompute. For instructions on configuring a RAM role trust policy, see (Advanced) RAM role trust policy.

Remove a RAM role (project-level)

Removes a RAM role from a MaxCompute project.

  • Syntax

    remove user `RAM$<account_name>:role/<RAM_role_name>`;
  • Usage notes

    The backticks (`) in the command are required.

  • Parameters

    • account_name (Required: Yes): The Alibaba Cloud account to which the RAM role belongs. Example: odps_test_user@aliyun.com.

    • RAM role name (Required: Yes): The name of the RAM role.

      Log on to the RAM console. In the left-side navigation pane, choose Identities > Roles. The RAM role name is displayed on the Roles page.

  • Example

    This example removes the RAM role ram_role from the test_project_a project.

    remove user `RAM$odps_test_user@aliyun.com:role/ram_role`;

User list (project-level)

Lists the users in a MaxCompute project.

  • Syntax

    list users;
  • Example

    This command lists the users in a MaxCompute project.

    list users;

    The command returns the following output.

    ALIYUN$odps_test_user@aliyun.com
    RAM$odps_test_user@aliyun.com:ram_test
    RAM$odps_test_user@aliyun.com:role/ram_role
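
An access-review sketch built on the list users; output above, added here as an example and not part of the MaxCompute documentation or tooling. It classifies each principal, flags residual p4_ entries and principals missing from an approved roster, and emits the revoke-then-remove order the removal sections require. The function names, the roster, the former_contractor entry and the role list passed in are assumptions.

```python
import re

# Principal forms shown on this page; p4_... is the residue left when a RAM
# user is removed before its roles are revoked.
PRINCIPAL = re.compile(
    r"^(?:ALIYUN\$(?P<acct>\S+)"
    r"|RAM\$(?P<racct>[^:\s]+):role/(?P<role>\S+)"
    r"|RAM\$(?:(?P<uacct>[^:\s]+):)?(?P<user>[^:\s/]+)"
    r"|(?P<residual>p4_\w+))$"
)

def classify(principal):
    """Return (kind, owning_account, name) for one line of `list users;`."""
    m = PRINCIPAL.match(principal.strip())
    if not m:
        return ("unknown", None, principal.strip())
    if m["acct"]:
        return ("account", m["acct"], m["acct"])
    if m["role"]:
        return ("ram_role", m["racct"], m["role"])
    if m["user"]:
        return ("ram_user", m["uacct"], m["user"])
    return ("residual", None, m["residual"])

def audit(list_users_output, approved):
    """Flag principals that are residual, unparseable, or not on the roster."""
    findings = []
    for line in filter(None, map(str.strip, list_users_output.splitlines())):
        kind = classify(line)[0]
        if kind in ("residual", "unknown"):
            findings.append((line, kind))
        elif line not in approved:  # exact match on the full principal string
            findings.append((line, "not approved"))
    return findings

def offboarding_plan(principal, roles):
    """Revoke every role first, then remove the user, as the page requires."""
    kind = classify(principal)[0]
    if kind not in ("account", "ram_user", "ram_role"):
        raise ValueError(f"cannot offboard {principal!r}")
    # Backticks are required for RAM roles in add/remove user; using them in
    # revoke as well is an assumption of this example.
    target = f"`{principal}`" if kind == "ram_role" else principal
    return [f"revoke {r} from {target};" for r in roles] + [f"remove user {target};"]

# Constructed sample: the page's example output plus two constructed entries.
SAMPLE = """ALIYUN$odps_test_user@aliyun.com
RAM$odps_test_user@aliyun.com:ram_test
RAM$odps_test_user@aliyun.com:role/ram_role
RAM$odps_test_user@aliyun.com:former_contractor
p4_xxxxxxxxxxxxxxxxxxxx"""
APPROVED = set(SAMPLE.splitlines()[:3])  # hypothetical approved roster
```

The roles passed to offboarding_plan must come from a separate permission lookup, because list users; does not show role assignments.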

Next steps

After completing user planning, you can grant permissions: Manage user permissions using commands.