This topic describes how to set a Resource Access Management (RAM) user as the super administrator for a MaxCompute project. It also provides suggestions for managing members and permissions.
Background information
For data security, an Alibaba Cloud account is typically managed by specific personnel. Most users who use MaxCompute have only RAM user accounts. However, because the project owner must be an Alibaba Cloud account, many permission management operations in MaxCompute can be performed only by the project owner. These operations include setting project-level flags and configuring cross-project resource sharing using packages. Therefore, a RAM user with super administrator permissions is required.
MaxCompute provides a built-in management role named Super_Administrator. This role has all permissions for all types of resources in a project and project management permissions. For more information about the permissions, see Role planning.
A project owner can grant the Super_Administrator role to a RAM user. After this role is granted, the RAM user can perform various management operations on the project on behalf of the project owner. These operations include setting common project-level flags and managing all resource permissions.
Procedure
Assign the Super_Administrator role to a RAM user that has permissions to create projects. This way, the RAM user can manage both DataWorks workspaces and the corresponding MaxCompute projects.
For more information about how to grant a RAM user the permissions to create projects, see Grant DataWorks management permissions to a RAM user.
Clarify the responsibilities of the RAM user. To better ensure data security, associate each RAM user with a single developer and avoid sharing accounts.
In a project, you can assign the Super_Administrator role to only one RAM user. You can grant the Admin role to other users who require basic management permissions.
After you select a RAM user, have that RAM user create a project. The project owner is still the Alibaba Cloud account. The Alibaba Cloud account can grant the Super_Administrator role to the RAM user in one of the following ways:
Grant permissions on the MaxCompute client (odpscmd)
Assume that the Alibaba Cloud account [email protected] is the owner of the project project_a and Allen is a RAM user under [email protected].
Use the Alibaba Cloud account to run the following commands to grant the permissions.
-- Switch to the project_a project.
USE project_a;
-- Add the RAM user Allen to project_a.
ADD USER [email protected]:Allen;
-- Grant the Super_Administrator role to Allen.
GRANT super_administrator TO [email protected]:Allen;
-- Grant the Admin role to Allen.
GRANT admin TO [email protected]:Allen;
As the authorized RAM user, run the following command to view your permissions. If the return value contains the Super_Administrator role, the authorization is successful.
SHOW GRANTS;
Grant permissions in DataWorks
Log on to DataWorks, go to the Management Center, and switch to the target workspace.
(Optional) Add the RAM user as a project member. If the RAM user is already a project member, skip this step.
In the navigation pane on the left of the Workspace Configuration page, click Workspace Members And Roles, and go to the Workspace Members tab.
In the upper-right corner, click Add Members.
On the Add Members page, select the organization members that you want to add from the Accounts To Add list. The selected members are displayed in the Added Accounts list.
Note: In the Add Members dialog box, click Refresh to sync the RAM users of the current Alibaba Cloud account to the Accounts To Add list.
Select the roles and click Confirm to add the members.
Grant the Super_Administrator role to the RAM user.
Go to the Workspace Members tab of the Workspace Members And Roles page. In the Role column of the target member, select Workspace Administrator to complete the authorization.
As the authorized RAM user, run the following command to view your permissions. If the return value contains the Super_Administrator role, the authorization is successful.
SHOW GRANTS;
Grant permissions in the MaxCompute console
Log on to the MaxCompute console and select a region in the upper-left corner.
In the navigation pane on the left, choose Workspace > Project Management.
In the Actions column of the target project, click Manage. Then, click the Role Permissions tab.
On the Role Permissions tab, click Manage Members next to the Super_Administrator role.
In the Manage Members dialog box, add the RAM user and click OK to complete the authorization.
As the authorized RAM user, you can run the following command to view your permissions. If the return value contains the Super_Administrator role, the authorization is successful.
SHOW GRANTS;
Usage notes
Member management
MaxCompute supports Alibaba Cloud accounts and RAM users. For better data security, add only RAM users that belong to the project owner as project members.
The Alibaba Cloud account controls its RAM users. In scenarios such as employee transfers or resignations, the Alibaba Cloud account can delete (log off) or update the corresponding RAM user to keep data secure.
Note: If you use DataWorks to manage project members, you can add only RAM users that belong to the project owner as project members.
Only an Alibaba Cloud account can create RAM users. Even a super administrator with the Super_Administrator role must wait for the Alibaba Cloud account to create a RAM user before adding the user to the project.
Add only users who need to perform data development in the current project as project members. Data development means running jobs in the project. For users who only need to access this project's data from another project, use packages to share resources across projects. This avoids adding too many users to the project, which would make member management more complex.
If an employee is transferred or resigns, first remove the employee's RAM user from the project. Then, notify the project owner to delete (log off) the RAM user. If the employee who is transferred or resigns holds the Super_Administrator role, the Alibaba Cloud account itself must remove the RAM user from the project and then delete (log off) the RAM user.
Permission management
Manage permissions by role. This means associating permissions with roles and associating roles with users.
Apply the principle of least privilege to prevent security risks caused by excessive permissions.
When you share data across projects, use packages. This way, resource providers only need to manage packages and can avoid the costs of managing additional members.
Note: A RAM user with the Super_Administrator role already has the permissions to query and perform operations on all resources in a project. You do not need to grant additional permissions to this user.
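The following odpscmd session is an added example, not part of the original documentation, showing the three practices above together: a role that carries the permissions, users bound to the role instead of to objects, and a package for cross-project sharing. The project names (project_a, project_b), role name (analyst_ro), table names, and the RAM user identities (written with a placeholder owner account in the RAM$ form) are assumptions.

```sql
-- Added example: role-based, least-privilege grants plus package sharing.
-- Run as the project owner or the Super_Administrator of project_a.
-- All names below are assumptions; RAM$owner@example.com is a placeholder.
USE project_a;

-- 1. Associate permissions with a role, not with individual users.
CREATE ROLE analyst_ro;

-- Least privilege: read-only on the two tables analysts actually use,
-- rather than the Admin role or project-wide Select.
GRANT Describe, Select ON TABLE sales_orders    TO ROLE analyst_ro;
GRANT Describe, Select ON TABLE sales_customers TO ROLE analyst_ro;

-- 2. Associate users with the role. Adding or removing a user is now one
-- statement, and the user's effective permissions are visible via the role.
ADD USER RAM$owner@example.com:Carol;
GRANT analyst_ro TO RAM$owner@example.com:Carol;

-- 3. Share data with project_b through a package instead of adding
-- project_b's users as members of project_a.
CREATE PACKAGE sales_pkg;
ADD TABLE sales_orders TO PACKAGE sales_pkg WITH PRIVILEGES Describe, Select;
ALLOW PROJECT project_b TO INSTALL PACKAGE sales_pkg;

-- Verify what was granted before handing the account over.
SHOW GRANTS FOR RAM$owner@example.com:Carol;
DESCRIBE PACKAGE sales_pkg;

-- On the consuming side (run by an administrator of project_b): install the
-- package once, then grant it to a role or user there. project_a's owner
-- never has to manage project_b's members.
USE project_b;
INSTALL PACKAGE project_a.sales_pkg;
GRANT Read ON PACKAGE project_a.sales_pkg TO ROLE analyst_ro;
-- Members of project_b's analyst_ro can now query project_a.sales_orders.
```

Revoking access follows the same structure: `REVOKE analyst_ro FROM <user>` removes a user's access in one step, and `REMOVE TABLE ... FROM PACKAGE` withdraws a table from every installing project at once, which is why the resource provider only has to manage the package.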
Permission audit
You can audit permissions using the views provided by the global meta service of MaxCompute. For more information, see Metadata view list.
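As an added example that is not part of the original documentation, the query below lists which users hold the administrative roles in a project, using the USER_ROLES view of the global meta service. The project name is an assumption, and the column names (user_name, role_catalog, role_name) are assumed here; confirm them against the Metadata view list for your region before relying on the query. The odpscmd DESCRIBE ROLE check at the end is an independent cross-check against the project's own authorization data.

```sql
-- Added example: who holds Super_Administrator or Admin in project_a?
-- project_a and the column names are assumptions; verify against the
-- Metadata view list.
SELECT user_name,
       role_name
FROM   SYSTEM_CATALOG.INFORMATION_SCHEMA.USER_ROLES
WHERE  role_catalog = 'project_a'
  AND  LOWER(role_name) IN ('super_administrator', 'admin')
ORDER BY role_name, user_name;

-- Widen the net: every role assignment in the project, so that roles that
-- accumulated privileges over time also get reviewed.
SELECT role_name,
       COUNT(*) AS members
FROM   SYSTEM_CATALOG.INFORMATION_SCHEMA.USER_ROLES
WHERE  role_catalog = 'project_a'
GROUP BY role_name
ORDER BY members DESC;

-- Cross-check in odpscmd against the project's own authorization state.
USE project_a;
DESCRIBE ROLE super_administrator;
```

The first query is the one to schedule: the expected result is a single Super_Administrator user per project (see the membership suggestions above), so any additional row is a finding to follow up on.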
Cost management
For more information about cost management, see View billing details. For a RAM user to query billing data, the Alibaba Cloud account must grant the RAM user the required permissions in the User Center. For more information about how to grant permissions, see Grant permissions to a RAM role. The following permissions are required:
AliyunBSSFullAccess: permissions to manage the User Center.
AliyunBSSReadOnlyAccess: read-only permissions for the User Center.
AliyunBSSOrderAccess: permissions to view, pay for, and cancel orders in the User Center.
Note: The permissions for the User Center are not associated with the Super_Administrator role of the MaxCompute project. You must grant these permissions to the user separately.
Resource usage management
If you use subscription computing resources of MaxCompute, you can use the MaxCompute console to view computing resource usage and manage all computing resources. For more information, see Resource observation and Quota management for computing resources.
If you use pay-as-you-go computing resources of MaxCompute, you can use the related views provided by the global meta service of MaxCompute to view computing resource usage. For example, you can use the TASKS_HISTORY view to audit jobs by viewing their detailed execution information, such as the execution time, job content, and resource consumption. For more information, see TASKS_HISTORY.
Note: The views provided by the global meta service retain data for only the last 15 days. To store data for a longer period, regularly read and save the data.
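The statements below are an added example, not part of the original documentation, showing both halves of the note above: a per-user consumption query over TASKS_HISTORY and a daily archive that copies the day's rows into a table you own, so the data outlives the 15-day retention. The project name, the archive table, the date value, and the TASKS_HISTORY column names and types used here (task_catalog, inst_id, owner_name, task_type, status, start_time, end_time, cost_cpu, cost_mem, operation_text, ds) are assumptions; confirm the columns against the TASKS_HISTORY reference for your region.

```sql
-- Added example: usage audit and archival of TASKS_HISTORY.
-- Column names, types, project_a and the date are assumptions.

-- 1. Who consumed what on one day. ds is the partition key: always filter
-- on it, otherwise the query scans every retained day.
SELECT owner_name,
       task_type,
       COUNT(*)      AS jobs,
       SUM(cost_cpu) AS total_cpu,
       SUM(cost_mem) AS total_mem
FROM   SYSTEM_CATALOG.INFORMATION_SCHEMA.TASKS_HISTORY
WHERE  ds = '20240101'             -- constructed date
  AND  task_catalog = 'project_a'
GROUP BY owner_name, task_type
ORDER BY total_cpu DESC;

-- 2. Archive table owned by the project, partitioned by the same ds so each
-- daily run writes exactly one partition and reruns are idempotent.
CREATE TABLE IF NOT EXISTS audit_tasks_history_archive (
  inst_id        STRING,
  owner_name     STRING,
  task_type      STRING,
  status         STRING,
  start_time     DATETIME,
  end_time       DATETIME,
  cost_cpu       DOUBLE,
  cost_mem       DOUBLE,
  operation_text STRING
) PARTITIONED BY (ds STRING);

-- 3. Daily copy. Schedule this with the date substituted for each run; the
-- OVERWRITE makes a repeated run for the same day safe.
INSERT OVERWRITE TABLE audit_tasks_history_archive PARTITION (ds = '20240101')
SELECT inst_id, owner_name, task_type, status, start_time, end_time,
       cost_cpu, cost_mem, operation_text
FROM   SYSTEM_CATALOG.INFORMATION_SCHEMA.TASKS_HISTORY
WHERE  ds = '20240101'             -- constructed date
  AND  task_catalog = 'project_a';
```

Run step 3 as a scheduled node (for example a daily DataWorks node with the business date substituted into ds) well inside the 15-day window, so that a failed run can be retried before the source partition is gone. Keeping operation_text in the archive is what makes the copy useful for a later audit: it records what each job actually did, not just how much it cost.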