Scenario

The primary account is not managed by the big data team, yet only the primary account can be the owner of a MaxCompute project, and some operations are reserved for the owner (project-level flag settings, package configuration for cross-project resource sharing, etc.). A sub-account with super administrator privileges is therefore very much needed.

The built-in admin role of MaxCompute is used to manage the permissions of sub-accounts within a MaxCompute project.

About the super_administrator role

The super_administrator role is a built-in management role of MaxCompute. It carries the right to operate on all types of resources in a project as well as management rights; for the details of the management rights, see the management role documentation. The project owner can assign this role to a sub-account. Once a sub-account holds the role, it can stand in for the owner and perform the management operations the project needs during data development, including the common project-level flag settings and all permission management operations.

Assign the super_administrator role to a sub-account

Prerequisites and suggestions:

  • Assign the super_administrator role to a sub-account that is allowed to create projects, so that the same account can manage both the DataWorks workspace and the corresponding MaxCompute project. For how to authorize an account to create projects, see this document: https://help.aliyun.com/document_detail/74248.html
  • Within one project, assign the super_administrator role to only one sub-account. Other sub-accounts can be given the admin role if they need basic rights management.
  • Make the responsibilities of the sub-account holder explicit. One sub-account per developer is recommended; avoid shared accounts, for better data security and accountability.

Confirm which sub-account will act as super administrator (and that it is allowed to create projects). When the project is created, the owner of the project is still the primary account. The primary account can grant the super_administrator role to the sub-account in either of the following ways.

  • Authorization on the MaxCompute client. Assume that the primary account [email protected] is the owner of project project_a, and that Allen is a RAM sub-account under [email protected].
    1) Open the project: use project_a;
    2) Add the RAM sub-account Allen to project_a: add user [email protected]:Allen;
    3) Grant the super_administrator role to Allen: grant super_administrator TO [email protected]:Allen;
    4) Grant the admin role to Allen: grant admin TO [email protected]:Allen;
  • Authorization in DataWorks:
  1. Log in to DataWorks and go to the workspace configuration page.
  2. Add the sub-account as a workspace member (skip this step if it is already a member). 1) Click Member Management in the navigation bar to open the member management page. 2) Click Add Member in the upper right corner. 3) On the Add Member page, select the organization member to add from the account list. 4) Select the roles and click OK.
  3. Grant the super_administrator role to the sub-account. 1) Click MaxCompute Advanced Configuration in the left navigation bar. 2) Click Custom User Roles in the navigation bar. 3) Click Members next to the role to be granted and select the organization member to add from the account list. 4) Click OK to authorize the account.
  • Verification: on the MaxCompute client, run show grants for the sub-account (for example, show grants for [email protected]:Allen;). If the super_administrator role appears in the output, the grant succeeded.

Manage members and rights

A sub-account with the super_administrator role already holds query and operation rights on all resources in the project, so it does not need to grant anything to itself. The following are suggestions for managing the other members and their permissions.

Member management

  • MaxCompute supports Alibaba Cloud accounts and RAM sub-accounts (a sub-account can only be one that belongs to the project owner). To better ensure data security, it is recommended that the users added to a project be RAM sub-accounts of the owner's primary account, because the primary account controls them: it can deregister or update a sub-account at any time. If DataWorks is used to manage project members, only RAM sub-accounts of the owner can be added at all.
  • RAM sub-accounts can only be created by the primary account (this is how RAM works and not something MaxCompute can change), so a project member holding the super_administrator role can add other sub-accounts to the project only after the primary account has created them.
  • Add only users who need to do data development in the current project (that is, run jobs in it). For users who only need to consume its data, share resources across projects through packages instead; adding them as members only makes member management more complex.
  • If an employee changes post or leaves, first remove the corresponding sub-account from the project, then inform the owner so that the sub-account is deregistered. If the holder of a sub-account with the super_administrator role changes post or leaves, the primary account itself must remove and deregister that account.
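The complete lifecycle of a super_administrator sub-account, covering both the client-side authorization steps above and the post-change/departure advice, as one MaxCompute client (odpscmd) session. This is an added example, not commands from the original article or from the MaxCompute documentation. project_a, [email protected] and Allen are the article's placeholder names (the owner address is obfuscated in the article; in a real project a RAM principal is written as RAM$<primary account>:<sub-account>), and the session is assumed to run as the project owner, since only the owner may grant and revoke super_administrator.

```sql
-- MaxCompute client (odpscmd) session, run as the project owner (the primary account).
-- project_a, [email protected] and Allen are the article's placeholders (assumed names).

use project_a;

-- 1. Onboarding. The RAM sub-account must already exist in RAM (only the primary account
--    can create it); MaxCompute only adds it to the project and assigns roles.
add user [email protected]:Allen;
grant super_administrator TO [email protected]:Allen;
grant admin TO [email protected]:Allen;

-- 2. Verification. The grant succeeded if super_administrator is listed for Allen.
show grants for [email protected]:Allen;

-- Periodic check: the article recommends exactly one super_administrator per project,
-- so more than one member in this role is a finding worth following up.
describe role super_administrator;
describe role admin;

-- 3. Offboarding (post change or departure). Strip the management roles first, then
--    remove the project membership, then confirm nothing is left behind. Deregistering
--    the RAM user itself is done in RAM by the primary account, outside MaxCompute.
revoke super_administrator FROM [email protected]:Allen;
revoke admin FROM [email protected]:Allen;
remove user [email protected]:Allen;

-- Confirm the account is gone from the member list and from the privileged roles.
list users;
describe role super_administrator;
```

Revoking before removing keeps the role membership lists clean even if the removal fails halfway, and the two describe role calls at the end are the same check a reviewer would run against every project on a schedule.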

Rights management

  • Associate permissions with roles and roles with users, rather than granting permissions to users directly.
  • Apply the principle of least privilege, granting only what is sufficient for the task, to avoid the security risks that come with excessive permissions.
  • When data is used across projects, share it through packages, so that the resource provider only has to manage the package rather than additional project members.

Permission audit

Permissions can be audited through the views provided by MaxCompute's metadata service, Information_Schema.
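A set of audit queries over the Information_Schema views that check the three rights-management rules above (one super_administrator, permissions via roles, least privilege). This is an added example and not part of the original article or the MaxCompute documentation. The view names USER_ROLES, USERS, ROLES and TABLE_PRIVILEGES and their column names are written from memory of the Information Schema reference and should be treated as assumptions to confirm with desc before relying on the output; project_a is the article's placeholder.

```sql
-- Permission audit against MaxCompute Information_Schema views. Run inside the project
-- being audited. View/column names are assumed from the Information Schema reference;
-- confirm them first, e.g.  desc information_schema.user_roles;
-- If the views are not visible yet, the project owner installs the package once:
--   install package information_schema.systables;
use project_a;

-- 1. Who holds the two management roles? The article recommends exactly one
--    super_administrator per project, so a second row for that role is a finding.
SELECT role_name, user_name
FROM   information_schema.user_roles
WHERE  role_name IN ('super_administrator', 'admin')
ORDER  BY role_name, user_name
LIMIT  1000;   -- MaxCompute requires LIMIT together with ORDER BY

-- 2. Project members that hold no role at all: either stale accounts that were never
--    removed, or users that received direct grants. Under "permissions via roles"
--    this list should be empty.
SELECT u.user_name
FROM   information_schema.users u
LEFT JOIN information_schema.user_roles ur
       ON ur.user_name = u.user_name
WHERE  ur.role_name IS NULL
LIMIT  1000;

-- 3. Table privileges granted directly to users rather than to roles. A grantee that
--    does not appear in ROLES is a direct grant, which bypasses role-based management.
SELECT tp.table_name, tp.grantee, tp.privilege_type
FROM   information_schema.table_privileges tp
LEFT JOIN information_schema.roles r
       ON r.role_name = tp.grantee
WHERE  r.role_name IS NULL
ORDER  BY tp.grantee, tp.table_name
LIMIT  1000;

-- 4. Write-capable table privileges, the first thing a least-privilege review should
--    scrutinise. Privilege names are assumed to be stored in upper case.
SELECT grantee, table_name, privilege_type
FROM   information_schema.table_privileges
WHERE  privilege_type IN ('ALTER', 'UPDATE', 'DROP')
ORDER  BY grantee, table_name
LIMIT  1000;
```

Query 1 is the one to schedule: a sub-account that was granted super_administrator "temporarily" and never revoked is the most common drift from the one-administrator rule, and it shows up here before it shows up anywhere else.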

Resource utilization and cost management

As the person in charge of a MaxCompute project, you should pay attention not only to members and permissions but also to resource usage and cost.

  • For cost, refer to the document "View bill details". For a sub-account to see bills, the primary account must attach the relevant RAM system policies to the sub-account (or to the role it assumes) in RAM access control: AliyunBSSFullAccess (manage the Expense Center, BSS), AliyunBSSReadOnlyAccess (read-only access to the Expense Center), or AliyunBSSOrderAccess (view, pay for and cancel orders in BSS). Note that Expense Center permissions are independent of the super_administrator role in the MaxCompute project; the role grants nothing in BSS.
  • For resource usage management, if you use subscription (annual or monthly) computing resources in a MaxCompute package, you can use MaxCompute Manager to query and manage resource usage.

Read more: https://yq.aliyun.com/articles/744382?utm_content=g_1000103979