Specific resource management operations of MaxCompute can be performed only in the MaxCompute console. You can perform some of the resource management operations only after the required policies are attached to the RAM user or RAM role that you use. This topic describes the related permissions and policies.
Permissions
If a RAM user is allowed ("Effect": "Allow") to perform the ListProjects and GetProject operations, the RAM user can view the list and information of all MaxCompute projects (including the projects to which the RAM user is not added) in the specified region within the Alibaba Cloud account.
If a RAM user is explicitly forbidden ("Effect": "Deny") to perform the ListProjects and GetProject operations, the RAM user cannot view the information of any MaxCompute project (including the projects to which the RAM user is added) in the specified region within the Alibaba Cloud account.
If no policy is attached to a RAM user to determine whether the RAM user is allowed to perform the ListProjects and GetProject operations, the RAM user can view the list and information of the existing MaxCompute projects in the specified region within the Alibaba Cloud account.
You can assign the tenant-level roles of MaxCompute to users to grant the users the permissions to manage network connections and tenant-level users and roles. If
"Effect": "Allow"is configured in a RAM policy that is attached to a user, the user passes the authentication for the allowed operations. If no RAM policy is attached to the user, the permissions of the tenant-level role that is assigned to the user take effect. If"Effect": "Deny"is configured in a RAM policy that is attached to the user, the user fails the authentication for the denied operations.
Overview
Category | Action | ARN | ARN example | Description |
Overview page - number of jobs | odps:GetJobCount | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/* | View the number of jobs in the specified status. |
SQL analysis
Category | Action | ARN | ARN example | Description |
SQL analysis | odps:GetTableInfo | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Get table information. |
odps:GetFunctionInfo | Get function information. | |||
odps:ListTablePartitions | Get table partitions information. | |||
odps:PreviewTable | Preview table data. |
Project management
Category | Action | ARN | ARN example | Description |
Project management | odps:ListProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | View all projects in the specified region within the Alibaba Cloud account. |
odps:CreateProject | Create a project. | |||
odps:GetProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Obtain information about a project. | |
odps:DeleteProject | Delete a project. | |||
odps:UpdateProjectStatus | Freeze or restore a project. | |||
odps:UpdateProjectDefaultQuota | Change the default quota of a project. | |||
odps:ListOutboundInternetAddress | View the configuration of the external network. | |||
odps:UpdateOutboundInternetAddress | Update the configuration of the external network. | |||
odps:CreateRole | Create a project-level role. | |||
odps:DeleteRole | Delete a project-level role. | |||
odps:UpdateRole | Update a project-level role. | |||
odps:UpdateUsersToAdmin | Assign the Admin role to a RAM user to set the RAM user as the administrator for a project. | |||
odps:UpdateUsersToSuperAdmin | Assign the Super_Administrator role to a RAM user to set the RAM user as the super administrator for a project. | |||
odps:UpdateUsersToRole | Update users with project-level roles. | |||
odps:ListUsers | acs:odps:{#regionId}:{#accountID}:user/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):user/* | Obtain the list of sub-users. | |
odps:GetRoleAcl | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Obtain the ACL-based permissions that are granted to a project-level role. | |
odps:GetRoleAclOnObject | Obtain ACL-based permissions on an object that are granted to a project-level role. | |||
odps:GetRolePolicy | Obtain the policy that is attached to a project-level role. | |||
odps:ListResources | Obtain resources. | |||
odps:ListRoles | Obtain project-level roles. | |||
odps:CreatePackage | acs:odps:{#regionId}:{#accountId}:package/{#packageName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):package/pkg_1 | Create a package. | |
odps:DeletePackage | Delete a package. | |||
odps:GetPackage | Obtain information about a package. | |||
odps:ListPackages | Obtain information about multiple packages. | |||
odps:UpdatePackage | Update a package. | |||
odps:ListUserPermissionsAsStringByProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | List the permissions of users in strings by project. | |
odps:ListUserPermissionsByProject | List the permissions of users in the JSON format by project. | |||
odps:ListUsersInfoByProject | List all users and the role and security information of the users in a project. | |||
odps:ListProjectUsers | List all users in a project. | |||
odps:CreateSchema | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Create a schema. | |
odps:ListSchemas | View schemas. | |||
odps:DeleteSchema | Delete a schema. | |||
odps:ListFunctions | View the function list. | |||
odps:GetTrustedProjects | View the list of trusted projects. | |||
odps:GetAclAuthInfo | Get ACL-based permissions. | |||
odps:CheckRamRole | acs:odps:{#regionId}:{#accountId}:ramrole/{#roleName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):ramrole/AliyunMaxComputeEncryptionDefaultRole | Check whether the SLR is authorized in the storage encryption feature. | |
odps:GetAsyncJobResult | acs:odps:{#regionId}:{#accountId}:asyncjob/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):asyncjob/* | Obtain the result returned by an asynchronous API call. Note To resolve the timeout issue of API calls, some APIs and scenarios use asynchronous requests. After initiating a call, you must get the result asynchronously through this interface, which requires the user to have this permission. A related scenarios: retrieving a user list according to project-level roles. | |
odps:ListTables | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | View the table list. | |
odps:ListUsersByRole | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | View users to which a role is assigned. |
Quota management
Category | Action | ARN | ARN example | Description |
Quota management | odps:UpdateQuota | acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Modify a level-1 quota or a level-2 quota. |
odps:UpdateQuotaPlan | Modify a quota plan. | |||
odps:UpdateSubQuotas | Create a level-2 custom quota. | |||
odps:UpdateQuotaSchedule | Modify a time plan. | |||
odps:CreateQuotaPlan | Create a quota plan. | |||
odps:DeleteQuotaPlan | Delete a quota plan. | |||
odps:CreateQuotaSchedule | Create a time plan. | |||
odps:ListQuotaRoutingRules | acs:odps:{#regionId}:{#accountId}:quotas/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/* | View level-2 quota rules. | |
odps:CreateQuotaRoutingRule | Add a level-2 quota rule. | |||
odps:GetQuotaRoutingRule | acs:odps:{#regionId}:{#accountId}:quotas/{#quotaPath} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1#quota_1_1(Name of a level-1 quota#Name of a level-2 quota, both a name and a nickname supported) | View a level-2 quota rule. | |
odps:RemoveQuotaRoutingRule | Remove a level-2 quota rule. | |||
odps:UpdateQuotaRoutingRule | Modify a level-2 quota rule. | |||
odps:CreateQuota | acs:odps:{#regionId}:{#accountId}:quota/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Create a quota. | |
odps:DeleteQuota | Delete a quota. | |||
odps:GetQuota | Obtain information about a quota. | |||
odps:ListQuotas | List quotas. | |||
odps:ListQuotasPlans | List quota plans. | |||
odps:GetQuotaPlan | Obtain information about a quota plan. | |||
odps:GetQuotaSchedule | Obtain information about a time-specific quota plan. |
Notebook management
Category | Action | ARN | ARN example | Description |
Notebook management | odps:CreateNotebookTemplate | acs:odps:{#regionId}:{#accountId}:notebooktemplate/{#notebookTemplatesId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebooktemplate/notebookid | Create a Notebook instance template. |
odps:ListNotebookTemplates | List Notebook instance templates. | |||
odps:GetNotebookTemplate | Obtain details about a Notebook instance template. | |||
odps:UpdateNotebookTemplate | Update a Notebook instance template. | |||
odps:DeleteNotebookTemplate | Delete a Notebook instance template. | |||
odps:CreateNotebookStorage | acs:odps:{#regionId}:{#accountId}:notebookstorage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookstorage/* | Create a data storage to attach to a Notebook instance. | |
odps:ListNotebookStorage | View the data storage that is attached to a Notebook instance. | |||
odps:CreateNotebookInstance | acs:odps:{#regionId}:{#accountId}:notebookinstance/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookinstance/* | Create a Notebook instance. | |
odps:ListNotebookInstances | List Notebook instances. | |||
odps:GetNotebookInstance | acs:odps:{#regionId}:{#accountId}:notebookinstance/{#notebookInstanceId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):notebookinstance/* | Obtain details about a Notebook instance. | |
odps:StartNotebookInstance | Start a Notebook instance. | |||
odps:StopNotebookInstance | Stop a Notebook instance. | |||
odps:UpdateNotebookInstance | Update a Notebook instance. | |||
odps:DeleteNotebookInstance | Delete a Notebook instance. |
Resource observation
Category | Action | ARN | ARN example | Description |
Resource observation | odps:GetMetric | acs:odps:{#regionId}:{#accountId}:metric/{#category} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):metric/storage | Obtain monitoring curves for objects such as open storage, external table caching, job observation, and storage trends. |
Resource observation (computing resources) | odps:GetQuotaUsage | acs:odps:{#regionId}:{#accountId}:quotas/{#nickname} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Obtain the usage details of computing resources or data transmission resources. |
Resource observation (storage resources) | odps:GetStorageSizeSummary | acs:odps:{#regionId}:{#accountId}:storage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/* | Obtain the aggregate data on the sizes of storage resources that are used on the current day. |
odps:GetStorageAmountSummary | Obtain the aggregate data on storage resource distribution on the current day. | |||
odps:GetStorageSummaryCompared | Obtain changes on the usage of storage resources. | |||
odps:ListStorageProjectsInfo | Obtain storage details about a project. | |||
odps:SumDailyBillsByItem | acs:odps:{#regionId}:{#accountId}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | Obtain storage fees that are calculated based on the catalog price. | |
odps:SumStorageMetricsByDate | acs:odps:{#regionId}:{#accountId}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | Obtain storage usage for every day. | |
odps:ListStorageTablesInfo | acs:odps:{#regionId}:{#accountId}:storage/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj_1 | List the storage details about tables. | |
odps:ListStoragePartitionsInfo | List the storage details of partitions. | |||
Resource observation (data transmission services) | odps:GetTableAccessInfoTopK | acs:odps:{#regionId}:{#accountId}:quotas/{#nickname} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Obtain the top K tables that are most frequently accessed by data transmission resources. |
odps:GetTableIpAccessInfoTopK | Obtain the top K source IP addresses that are most frequently used to access data transmission resources. | |||
odps:GetTableAccessInfo | Obtain popularity information of tables that are most frequently accessed by data transmission resources. | |||
odps:ListTableSlotDetail | Obtain data transmission details of data transmission resources. | |||
odps:GetTunnelThroughputSummary | Obtain the total amount of data that is transmitted by using data transmission resources. | |||
Resource observation (job performance) | odps:ListTopJobInfo | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj_1 | List the jobs that consume the largest amount of resources and time. |
Job O&M
Category | Action | ARN | ARN example | Description |
Job O&M | odps:ListJobInfos | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/* | List information about all jobs. |
odps:ListJobSnapshotInfos | List snapshots of all jobs. | |||
odps:KillJobs | Terminate jobs. | |||
odps:GetJobResourceUsage | Obtain the aggregate resource information about a job. | |||
odps:GetRunningJobs | Obtain the jobs that are running. | |||
odps:GetJobSummaryByPreCompute | Obtain the aggregate data of job status. | |||
odps:GetJobLogView | acs:odps:{#regionId}:{#accountId}:job/{#instanceId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/20240828****ju4h | Obtain the LogView URL of a job. | |
odps:GetJobAnalyzeQuotaUsage | Obtain the usage information of computing resources of a job. | |||
odps:GetJobAnalyzeQuotaDistribution | acs:odps:{#regionId}:{#accountId}:job/{#quotaNickname} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/quota_1 | Obtain the distribution of computing resources used by a job. | |
Job insight - similar job analysis | odps:GetJobInfo | acs:odps:{#regionId}:{#accountId}:job/{#instanceId} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/20241103******** | Obtain information about a job based on the instance ID. |
odps:ListSimilarJobInfos | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/* | List similar jobs. | |
Job observation | odps:ListJobMetric | acs:odps:{#regionId}:{#accountId}:job/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):job/* | View job-related metrics. |
Migration services (MMA)
Category | Action | ARN | ARN example | Description |
Migration services | odps:ListMmsDataSources | acs:odps:{#regionId}:{#accountId}:mmsdatasource/{#datasourceId} | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsdatasource/2000029 | List data sources. |
odps:GetMmsDataSource | Obtain details about a data source. | |||
odps:CreateMmsDataSource | Create a data source. | |||
odps:UpdateMmsDataSource | Update a data source. | |||
odps:DeleteMmsDataSource | Delete a data source. | |||
odps:CreateMmsFetchMetadataJob | Create a task used to update metadata. | |||
odps:ListMmsJobs | List migration plans. | |||
odps:GetMmsJob | Obtain information about a migration plan. | |||
odps:CreateMmsJob | Create a migration plan. | |||
odps:DeleteMmsJob | Delete a migration plan. | |||
odps:StartMmsJob | Start a migration plan. | |||
odps:StopMmsJob | Stop a migration plan. | |||
odps:RetryMmsJob | Retry a migration plan. | |||
odps:ListMmsTasks | List migration tasks. | |||
odps:GetMmsTask | Obtain information about a migration task. | |||
odps:ListMmsTaskLogs | List logs for migration tasks. | |||
odps:GetMmsAsyncTask | Obtain information about an asynchronous task. | |||
odps:UpdateMmsAsyncTask | Update the status of an asynchronous task. | |||
odps:DeleteMmsAsyncTask | Delete an asynchronous task. | |||
odps:ListMmsDbs | List databases in a data source. | |||
odps:GetMmsDb | Obtain information about a specific database in a data source. | |||
odps:ListMmsTables | List tables in a data source. | |||
odps:GetMmsTable | Obtain information about a specific table in a data source. | |||
odps:ListMmsPartitions | List partitions in a data source. | |||
odps:GetMmsPartition | Obtain information about a specific partition in a data source. | |||
odps:ListMmsAgents | acs:odps:{#regionId}:{#accountId}:mmsagent | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsagent | List agents that are run within an Alibaba Cloud account. | |
odps:CreateMmsAuthFile | acs:odps:{#regionId}:{#accountId}:mmsauthfile | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):mmsauthfile | Create an authentication file. | |
odps:GetMmsProgress | acs:odps:{#regionId}:{#accountId}:* | acs:odps:cn-shanghai:12345(ID of the Alibaba Cloud account):* | View the progress of a migration task. | |
odps:GetMmsSpeed |
Cost management
Category | Action | ARN | ARN example | Description |
Cost analysis | odps:SumBills | acs:odps:{#regionId}:{#accountId}:bills/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):bills/* | View the cost analysis. |
odps:SumBillsByDate | ||||
odps:SumDailyBillsByItem | ||||
odps:SumComputeMetricsByRecord | acs:odps:{#regionId}:{#accountId}:computeMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):computeMetrics/* | View the computing usage analysis. | |
odps:SumComputeMetricsByUsage | ||||
odps:ListComputeMetricsByInstance | ||||
odps:ListComputeMetricsBySignature | ||||
odps:SumStorageMetricsByDate | acs:odps:{#regionId}:{#accountId}:storageMetrics/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storageMetrics/* | View the storage usage analysis. | |
odps:SumStorageMetricsByType | ||||
odps:ListInstances | acs:odps:*:{#accountId}:instance/* | acs:odps:*:12345(ID of the Alibaba Cloud account):instance/* | List instances. |
Disaster recovery
Category | Action | ARN | ARN example | Description |
Disaster recovery | odps:CreateDisasterRecovery | acs:odps:{#regionId}:{#accountId}:disasterrecoveries/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):disasterrecoveries/* | Create zone-disaster recovery. |
odps:DeleteCrossRegionReplication | acs:odps:{#regionId}:{#accountId}:crossregionreplication/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):crossregionreplication/* | Delete cross-region disaster recovery. | |
odps:DeleteDisasterRecovery | acs:odps:{#regionId}:{#accountId}:disasterrecoveries/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):disasterrecoveries/* | Delete zone-disaster recovery. | |
odps:GetCrossRegionReplication | acs:odps:{#regionId}:{#accountId}:crossregionreplication/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):crossregionreplication/* | Get project-level observation information about cross-region disaster recovery. | |
odps:GetDisasterRecovery | acs:odps:{#regionId}:{#accountId}:disasterrecoveries/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):Product/* | Get project-level observation information about zone-disaster recovery. | |
odps:ListAvailableReplicationRegions | acs:odps:{#regionId}:{#accountId}:crossregionreplication/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):crossregionreplication/* | Get available backup areas for cross-region disaster recovery. | |
odps:ListCrossRegionReplications | acs:odps:{#regionId}:{#accountId}:crossregionreplication/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):crossregionreplication/* | Get project-level observation information about cross-region disaster recovery in batches. | |
odps:ListDisasterRecoveries | acs:odps:{#regionId}:{#accountId}:disasterrecoveries/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):disasterrecoveries/* | Get project-level observation information about zone-disaster recovery in batches. | |
odps:SwitchCrossRegionReplication | acs:odps:{#regionId}:{#accountId}:crossregionreplication/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):crossregionreplication/* | Initiate a cross-region disaster recovery switch. | |
odps:CreateCrossRegionReplication | acs:odps:{#regionId}:{#accountId}:crossregionreplication/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):crossregionreplication/* | Create cross-region disaster recovery. |
Tenant management
Category | Action | ARN | ARN example | Description |
Tenant management - tenant properties | odps:GetTenantSetting | acs:odps:{#accountId}:tenant/settings/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/settings/* | Obtain the configurations of a tenant. |
odps:UpdateTenantSetting | acs:odps:{#accountId}:tenant/settings/{#key} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/settings/namespaceSchema | Update the configurations of a tenant. | |
Tenant management - network connections (NetworkLink) | odps:ListNetworkLinks | acs:odps:{#regionId}:{#accountId}:networklink/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/* | View all network connections within a tenant. |
odps:CreateNetworkLink | Create a network connection. | |||
odps:GetNetworkLink | acs:odps:{#regionId}:{#accountId}:networklink/{#networkLinkName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):networkLinks/networklink_1(name of the network connection) | Obtain information about a network connection. | |
odps:RemoveNetworkLink | Delete a network connection. | |||
Tenant management - image management | odps:ListImage | acs:odps:{#regionId}:{#accountId}:image/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/* | List custom images. |
odps:AddImage | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/* | Create a custom image. | ||
odps:GetImage | acs:odps:{#regionId}:{#accountId}:image/{#name} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/image1 | Obtain information about a custom image. | |
odps:RemoveImage | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):image/{name} | Delete a custom image. | ||
Tenant management - external data sources | odps:ListTenantObjectBindings | acs:odps:{#regionId}:{#accountId}:tenant/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenant/* | List projects with which tenant resources are associated. |
odps:UpdateTenantObjectBindings | Update the project with which a specific tenant resource is associated. | |||
odps:UpdateForeignServer | acs:odps:{#regionId}:{#accountId}:foreignservers/{#foreignServerName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):foreignservers/foreign_1 | Update an external data source. | |
odps:DeleteForeignServer | Delete an external data source | |||
odps:GetForeignServer | Obtain information about an external data source | |||
odps:ListForeignServers | acs:odps:{#regionId}:{#accountId}:foreignservers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):foreignservers/* | List external data sources | |
odps:CreateForeignServer | Create an external data source. | |||
Tenant-level user and role management | odps:ListTenantUsers | acs:odps:{#accountId}:tenantUsers/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantUsers/* | List tenant-level users. |
odps:AddTenantUsers | Add tenant-level users. | |||
odps:RemoveTenantUsers | Delete tenant-level users. | |||
odps:UpdateTenantRolesToUser | Change the tenant-level role of a user. | |||
odps:ListAllTenantRoles | acs:odps{#accountId}}:tenantRoles/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/* | List tenant-level roles. | |
odps:CreateTenantRole | Create a tenant-level role. | |||
odps:UpdateTenantRolePolicy | acs:odps:{#accountId}:tenantRoles/{#roleName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):tenantRoles/tenantrole_1(Name of the tenant-level role) | Update the policy that is attached to a tenant-level role. | |
odps:GetTenantRolePolicy | Obtain the policy that is attached to a tenant-level role. | |||
odps:RemoveTenantRole | Delete a tenant-level role. |
Intelligent optimization
Intelligent materialized views - recommendation and management
Category | Action | ARN | ARN example | Description |
Materialized views | odps:ListGlobalConfig | acs:odps:{#regionId}:{#accountId}:globalconfig/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):globalconfig/* | List global configurations. Only materialized views are supported. |
odps:GetGlobalConfig | acs:odps:{#regionId}:{#accountId}:globalconfig/{#configName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):globalconfig/mvrecommendation | Get a single global configuration. Only materialized views are supported. | |
odps:CloseGlobalConfig | Close a single global configuration. Only materialized views are supported. | |||
odps:UpdateGlobalConfig | Update a single global configuration. Only materialized views are supported. | |||
odps:ListMvRecommendationSupportProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | List projects for which materialized view recommendation is enabled. | |
odps:CheckMvRecommendationSupportProjects | Check projects for which materialized view recommendation is enabled. | |||
odps:ListMvRecommendations | List recommended materialized views. | |||
odps:GetMvRecommendation | Get information about a recommended materialized view. | |||
odps:AddMvRecommendationSupportProject | acs:odps:{#regionId}:{#accountId}:projects/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Add a project for which materialized view recommendation is enabled. | |
odps:RemoveMvRecommendationSupportProject | Remove a project for which materialized view recommendation is enabled. | |||
odps:CreateMaterializedView | Create a materialized view. | |||
odps:GetMaterializedViewStatus | Get the creation status of a materialized view. | |||
odps:ListMaterializedViews | List all materialized views that are created. | |||
odps:GetMaterializedView | Get information about a materialized view. | |||
odps:UpdateMaterializedView | Update information about a materialized view. | |||
odps:DeleteMaterializedView | Delete a materialized view. | |||
odps:ListProjectMvRecommendations | List recommended materialized views by project. | |||
odps:GetProjectMvRecommendation | Get information about recommended materialized views by project. | |||
odps:ListMvRecommendationsByProject | List recommended materialized views by project. | |||
odps:GetMvRecommendationByProject | Get information about recommended materialized views by project. | |||
odps:ListMvRecommendationJobInfo | List job information involved in recommended materialized views. | |||
odps:ListMaterializedViewJobInfo | List job information involved in materialized views. | |||
odps:GetMaterializedViewsUtility | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Get information about the benefits of materialized views. | |
odps:GetMaterializedViewsUtilityByProject | acs:odps:{#regionId}:{#accountId}:projects/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj | Get information about the benefits of materialized views for a specific project. | |
odps:GetMvRecommendationsUtility | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Get information about the benefits of recommended materialized views. | |
odps:GetMvRecommendationsUtilityByProject | acs:odps:{#regionId}:{#accountId}:projects/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj | Get information about the benefits of recommended materialized views for a specific project. |
Intelligent materialized views - automatic materialized views
Category | Action | ARN | ARN example | Description |
Intelligent optimization - intelligent materialized views - automatic materialized views | odps:GetAutoMvUtility | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Get the benefits of automatic materialized views. |
odps:GetAutoMvUtilityByProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Get the benefits of automatic materialized views for a specific project. | |
odps:ListAutoMv | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | List automatic materialized views. | |
odps:ListAutoMvByProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | List automatic materialized views for a specific project. | |
odps:GetAutoMvUtilityTrend | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Get the trend chart of benefits of automatic materialized views. | |
odps:GetAutoMvUtilityTrendByProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Get the trend chart of benefits of automatic materialized views for a specific project. | |
odps:GetAutoMvDetail | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Get details of automatic materialized views for a specific project. | |
odps:ListAutoMvProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/* | Get configuration information of automatic materialized views for all projects. | |
odps:UpdateAutoMvProject | acs:odps:{#regionId}:{#accountId}:projects/{#ProjectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prj_1 | Update configuration information of automatic materialized views for a project. |
Computing resource configuration optimization
Category | Action | ARN | ARN example | Description |
Cost optimization - optimization plans for reconfiguring subscription computing resources | odps:CreateQuotaHistoryRequestAnalysis | acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | Initiate a request to analyze the usage of the quota group configured for a subscription project. |
odps:GetQuotaHistoryRequestAnalysis | Get the results of analysis on the usage of the quota group configured for a subscription project. | |||
odps:CreateQuotaScheduleEffectAnalysis | Initiate a request to evaluate the situations of cost optimization conducted on a subscription project. | |||
odps:GetQuotaScheduleEffectAnalysis | Get the results of evaluation on the situations of cost optimization conducted on a subscription project. | |||
odps:CreateQuotaScheduleSuggestion | Initiate a request to get recommended configurations for cost optimization conducted on a subscription project. | |||
odps:GetQuotaScheduleSuggestion | Get the recommended configurations for cost optimization conducted on a subscription project. | |||
Cost optimization - configuration of a subscription quota for a pay-as-you-go project | odps:ListQuotaRecentlyActiveProjects | acs:odps:{#regionId}:{#accountId}:quotas/{#NickName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):quotas/quota_1(Name of a level-1 quota) | List pay-as-you-go projects for which cost optimization is performed. |
odps:CreateQuotaHistoryRequestAnalysisWithProjects | acs:odps:{#regionId}:{#accountId}:projects/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):projects/prjname | Initiate a request to analyze the usage of the quota group configured for a pay-as-you-go project. | |
odps:GetQuotaHistoryRequestAnalysisWithProjects | Get the results of analysis on the usage of the quota group configured for a pay-as-you-go project. | |||
odps:CreateQuotaScheduleEffectAnalysisWithProjects | Initiate a request to evaluate the situations of cost optimization conducted on a pay-as-you-go project. | |||
odps:GetQuotaScheduleEffectAnalysisWithProjects | Get the results of evaluation on the situations of cost optimization conducted on a pay-as-you-go project. | |||
odps:CreateQuotaScheduleSuggestionWithProjects | Initiate a request to get recommended configurations for cost optimization conducted on a pay-as-you-go project. | |||
odps:GetQuotaScheduleSuggestionWithProjects | Get the recommended configurations for cost optimization conducted on a pay-as-you-go project. |
Tiered storage configuration optimization
Category | Action | ARN | ARN example | Description |
Cost optimization - storage cost optimization | odps:GetStorageSuggestion | acs:odps:{#regionId}:{#accountId}:storage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/* | Get storage cost optimization suggestions. |
odps:GetStorageSuggestionByProject | acs:odps:{#regionId}:{#accountId}:storage/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj | Get storage cost optimization suggestions for a specific project. | |
odps:GetStorageSuggestionSummary | acs:odps:{#regionId}:{#accountId}:storage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/* | Summary of storage cost optimization. | |
odps:GetStorageSuggestionSummaryByProject | acs:odps:{#regionId}:{#accountId}:storage/{#projectName} | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/prj | Summary of storage cost optimization for a specific project. | |
odps:GetStorageSummaryCompared | acs:odps:{#regionId}:{#accountId}:storage/* | acs:odps:cn-hangzhou:12345(ID of the Alibaba Cloud account):storage/* | Comparison of storage observation. |
Description of the Condition element
The Condition element is used to specify the conditions that are required for a policy to take effect. The Condition element consists of one or more conditions. Each condition consists of condition operators, condition keys, and condition values. For more information about the Condition element, see Condition.
The following tables describe the category of condition operators and the condition key in the Condition element of MaxCompute.
Category of condition operators
Category
Condition operator
Boolean
Bool
Condition key
Condition
Description
odps:Encryption
Specifies whether to encrypt a MaxCompute project when you create the project. Valid values:
true: The project is encrypted.
false: The project is not encrypted.
For more information about MaxCompute data encryption, see Storage encryption.
Policies
Resource Access Management (RAM) supports the following types of policies: system policies that are managed by Alibaba Cloud and custom policies that are managed by customers.
System policies
RAM provides the following system policies for MaxCompute:
AliyunMaxComputeFullAccess: This policy includes all access permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role. If you attach this policy to a RAM user or a RAM role, the RAM user or the RAM role may have excessive permissions. Proceed with caution.AliyunMaxComputeReadOnlyAccess: This policy includes all List and Get permissions on MaxCompute resources. You can directly attach this policy to a RAM user or a RAM role.
Custom policies
You can create custom policies for fine-grained permission management in the RAM console. For more information, see Create custom policies. A RAM policy consists of the Version and Statement elements. The Statement element contains the Effect, Action, Resource, and Condition fields. The Condition field is optional. The values of the Action and Resource fields are obtained from the Action and ARN values in the permission list. For more information, see Permissions. The values of the Condition field are obtained from the condition description. For more information, see Description of the Condition element. For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
The following sample code provides examples of custom policies.
Policy for managing MaxCompute projects
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:ListProjects", "odps:GetProject", "odps:CreateProject", "odps:DeleteProject", "odps:UpdateProjectDefaultQuota", "odps:UpdateProjectStatus", "odps:UpdateUsersToSuperAdmin", "odps:ListOutboundInternetAddress", "odps:UpdateOutboundInternetAddress" ], "Resource": "*" } ] }Policy for managing MaxCompute quotas
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:UpdateQuota", "odps:UpdateQuotaPlan", "odps:UpdateSubQuotas", "odps:UpdateQuotaSchedule", "odps:CreateQuotaPlan", "odps:DeleteQuotaPlan", "odps:CreateQuotaSchedule", "odps:ListQuotaRoutingRules", "odps:CreateQuotaRoutingRule", "odps:GetQuotaRoutingRule", "odps:RemoveQuotaRoutingRule", "odps:UpdateQuotaRoutingRule" ], "Resource": "*" } ] }Policy for prohibiting the creation of non-encrypted MaxCompute projects
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": "odps:CreateProject", "Resource": "*", "Condition": { "Bool": { "odps:Encryption": [ "false" ] } } } ] }Policy for viewing resource observation data in MaxCompute
{ "Version": "1", "Statement": [ { "Effect": "Allow", "Action": [ "odps:GetMetric", "odps:GetQuotaUsage", "odps:GetStorageSummaryCompared", "odps:GetStorageSizeSummary", "odps:SumDailyBillsByItem", "odps:SumStorageMetricsByDate", "odps:GetStorageAmountSummary", "odps:ListStorageProjectsInfo", "odps:ListTopJobInfo", "odps:ListStorageTablesInfo", "odps:ListStoragePartitionsInfo", "odps:GetTableAccessInfoTopK", "odps:GetTableIpAccessInfoTopK", "odps:GetTableAccessInfo", "odps:ListTableSlotDetail", "odps:GetTunnelThroughputSummary" ], "Resource": "*" } ] }