Troubleshooting MaxCompute and DataWorks Permission Problems

Alibaba Cloud MaxCompute and DataWorks are two independent products, and their permission systems have similarities as well as differences. Before troubleshooting permission problems, you must first understand the respective permission systems of these two products.

MaxCompute and DataWorks Permission Systems



Viewing Roles on MaxCompute

| Role name | Corresponding product and permission |
| --- | --- |
| admin | Default MaxCompute admin role |
| role_project_admin | DataWorks project administrator |
| role_project_deploy | DataWorks deployer role |
| role_project_dev | DataWorks developer role |
| role_project_guest | DataWorks guest role |
| role_project_pe | DataWorks O&M role |
| role_project_scheduler | DataWorks scheduler account |
| role_project_security | DataWorks security administrator |

The admin role is the default admin role of MaxCompute. This role can access all objects in the project and can manage and authorize users or roles. Unlike the project owner, the admin role cannot assign the admin permissions to any user, specify the security configurations of the project, or change the authentication model of the project. The permissions of the admin role cannot be modified. By default, unless this has been changed, the only account assigned the admin role is the project owner.

odps@ clouder_bi>describe role admin;
Authorization Type: Admin

The MaxCompute project owner can assign the admin role to other sub-accounts, allowing them to perform permission model management for MaxCompute.

You can run “describe role” to view the permissions and user list of a role that starts with “role_”. Using role_project_dev as an example:

odps@ clouder_bi>describe role role_project_dev;

Authorization Type: Policy
A projects/clouder_bi: *
A projects/clouder_bi/instances/*: *
A projects/clouder_bi/jobs/*: *
A projects/clouder_bi/offlinemodels/*: *
A projects/clouder_bi/packages/*: *
A projects/clouder_bi/registration/functions/*: *
A projects/clouder_bi/resources/*: *
A projects/clouder_bi/tables/*: *
A projects/clouder_bi/volumes/*: *
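
When reviewing a role for least privilege, the output above can be checked mechanically. The following is an added example, not part of the original article or of MaxCompute tooling: it parses `describe role` output in the format shown and lists entries that grant every action. It assumes a leading "A" marks an allow entry; the last two sample lines are constructed.

```python
import re

# Constructed sample: the header and first four grants are from the
# `describe role role_project_dev;` output above; the last two lines are
# made up to show a narrow grant and a non-allow entry.
SAMPLE = """\
Authorization Type: Policy
A projects/clouder_bi: *
A projects/clouder_bi/instances/*: *
A projects/clouder_bi/jobs/*: *
A projects/clouder_bi/tables/*: *
A projects/clouder_bi/tables/sales_summary: Describe, Select
D projects/clouder_bi/tables/salary: *
"""

# <effect flags> <resource>: <comma-separated actions>
GRANT_LINE = re.compile(r"^([A-Z]+)\s+(\S+):\s+(.+)$")

def parse_role(text):
    """Return (authorization_type, [(effect, resource, actions), ...])."""
    auth_type, grants = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Authorization Type:"):
            auth_type = line.split(":", 1)[1].strip()
            continue
        m = GRANT_LINE.match(line)
        if m:  # prompt lines and blank lines do not match and are skipped
            actions = tuple(a.strip() for a in m.group(3).split(","))
            grants.append((m.group(1), m.group(2), actions))
    return auth_type, grants

def audit(text):
    """List (resource, reason) for entries that allow every action."""
    auth_type, grants = parse_role(text)
    findings = []
    if auth_type == "Admin":
        findings.append(("<project>", "Admin role: access to all objects"))
    for effect, resource, actions in grants:
        # Assumption: a leading "A" marks an allow entry; others are skipped.
        if not effect.startswith("A") or "*" not in actions:
            continue
        scope = "every object of this type" if resource.endswith("/*") else "the object itself"
        findings.append((resource, "all actions on " + scope))
    return findings

if __name__ == "__main__":
    for resource, reason in audit(SAMPLE):
        print(f"{resource}: {reason}")
```
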

Troubleshooting Permission-related Problems

Viewing the permissions granted to the current user or a specified user

show grants; -- View permissions of the current user.
show grants for <username>; -- View access permissions of a specified user. Only the project owner and admin are authorized to perform this operation.
show grants for RAM$Primary account:Sub-account;

Viewing the authorization list of a specified object

show acl for <objectName> [on type <objectType>]; -- View the list of authorized users and roles of a specified object
Supported object types: project, table, job, volume, instance, resource, function, package, topology, matrix, xflow, offline model, and stream job

Checking whether the ACL is effective

show SecurityConfiguration; -- View the security configuration of the project

In addition to the command line, you can check whether the ACL switch is enabled on the DataWorks > Project Management > MaxCompute Config page.

Querying the policy configuration of the current project

get policy; -- Obtain the project-level policy configuration
get policy on role <rolename>; -- Obtain the policy configuration of the specified role


