DataWorks provides roles with different permissions so that you can implement finer-grained permission management. You can add the required users to your workspace and assign the required roles to the users. You can also create custom roles and grant permissions to the roles based on your business requirements.

Background information

Multiple users can be added to the same DataWorks workspace. If the users have excessive permissions on the workspace, the data security of the workspace may be affected by inappropriate use of those permissions. If the users have insufficient permissions, they may be unable to use the features they need. To resolve this issue, DataWorks provides identities such as members and roles. You can assign different roles to users based on how they need to use the workspace.

If the default roles that are provided by DataWorks cannot meet your requirements, you can create custom roles and grant the required permissions to the roles.

DataWorks provides the following identities:
  • Member: the Alibaba Cloud accounts or RAM users that are added to a DataWorks workspace.
  • Cloud account: Alibaba Cloud accounts or RAM users.
  • Role: the carriers that have permissions in a workspace and can be assumed by the members of the workspace. DataWorks provides the following roles:
    • Workspace administrator: the administrators that have all the permissions on the features in a workspace. For example, the workspace administrator role can be used to assign the required role to a RAM user and remove a member that is not the workspace owner from a workspace.
    • Deployment engineer: the engineers that have the permissions to deploy nodes.
    • Developer: the developers that have the permissions to develop and commit nodes.
    • Model designer: the designers that have the permissions to use the data modeling feature.
    • Visitor: the visitors that have the read-only permissions on a DataWorks workspace.
    • Workspace owner: the owner that has the highest level of permissions on a workspace.
    • O&M engineer: the engineers that have the permissions to allocate resources and deploy nodes.
    • Security administrator: the administrators that have the permissions to use Data Security Guard.
    For more information about the permissions of different roles, see Permission list.

Limits

  • Only the workspaces of DataWorks Enterprise Edition support custom roles. For more information, see Differences among DataWorks editions. If your workspace is not of the Enterprise Edition, you can upgrade the workspace to this edition. For more information, see DataWorks advanced editions.
  • Only workspace administrators and the owner of a workspace can add users, change the roles of users, remove users, and create custom roles.
  • You can use only an Alibaba Cloud account or the RAM user whose role is an administrator or a super administrator of a MaxCompute project to map a custom DataWorks role to a role of the MaxCompute project.

Logic of role assignment

A DataWorks workspace in standard mode can be associated with two projects of each compute engine type. One of the two projects serves as the development environment, and the other serves as the production environment. In addition, preset DataWorks roles are mapped to the roles of associated compute engines to facilitate data development.

The following example describes the permission change of a MaxCompute project when a RAM user is added to the workspace that is associated with the MaxCompute project. For more information about the mappings between preset DataWorks roles and the roles of an associated MaxCompute project, see Permission relationships between MaxCompute and DataWorks.

Note If a RAM user is not specified to perform operations for the scheduling engine, the RAM user does not have permissions to access or manage tables in the production environment after the RAM user is added to a workspace. To allow the RAM user to access and manage tables in the production environment, you must apply for the required permissions in Security Center. For more information, see Apply for table permissions.

Scenario 1: Assign a preset DataWorks role to a RAM user

The administrators of a workspace can add a RAM user to the workspace and assign the workspace administrator role to the RAM user.

  • Logic of role assignment in DataWorks: If you assign the developer role to a RAM user that is added to a workspace, the RAM user can develop and commit code in the workspace but cannot deploy code to the production environment. Only the workspace owner and users whose role is a workspace administrator or O&M engineer can deploy code to the production environment.
  • Logic of role assignment in MaxCompute: If you assign the developer role to a RAM user that is added to a workspace, the Role_Project_Dev role of the MaxCompute project that is associated with the workspace is assigned to the RAM user. The Role_Project_Dev role has permissions on the MaxCompute project and tables in the project.

Scenario 2: Assign a custom DataWorks role to a RAM user

The administrator of a workspace can add a RAM user to the workspace and assign a custom DataWorks role to the RAM user.

  • Logic of role assignment in DataWorks: If you assign a custom DataWorks role to a RAM user that is added to a workspace, the RAM user is granted only the permissions of the custom role on DataWorks modules.
  • Logic of role assignment in MaxCompute:
    • If the custom DataWorks role is not mapped to a role of the associated MaxCompute project, the RAM user is granted the permissions of the custom role on DataWorks modules but cannot run commands to perform operations such as data query in the MaxCompute project.
    • If the custom DataWorks role is mapped to a role of the associated MaxCompute project, the RAM user is granted the permissions of the custom role on DataWorks modules and the permissions of the mapped MaxCompute role.
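The two scenarios above, modelled as a small Python example that is added here and is not DataWorks code. What comes from the page: the Developer role maps to Role_Project_Dev, only the workspace owner, workspace administrators and O&M engineers can deploy to production, a custom role named test, the Admin role of a MaxCompute project, and the three module permission levels (Unauthorized, Read-only, Read and Write) that the custom-role steps later on this page use. Everything else (module names such as DataStudio and Operation Center, the module levels assigned to the Visitor and O&M engineer roles, and the review function) is assumed for illustration. The example goes slightly beyond the text by resolving a user who holds several roles at once, which the Add Member step allows.

```python
"""Resolve a RAM user's effective DataWorks and MaxCompute permissions.

Added example, not DataWorks code. Module names and the module levels of
the Visitor and O&M engineer roles are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """The three permission levels a role can hold on a DataWorks module."""
    UNAUTHORIZED = 0
    READ_ONLY = 1
    READ_WRITE = 2


@dataclass(frozen=True)
class Role:
    name: str
    modules: Dict[str, Level]                  # module name -> Level
    deploy_to_production: bool = False         # owner, workspace admin, O&M engineer only
    maxcompute_role: Optional[str] = None      # mapped role of the associated MaxCompute project


# Preset roles. Developer -> Role_Project_Dev and the production deployment
# rule are stated on the page; module names and levels are assumed.
PRESET_ROLES = {
    "Developer": Role("Developer", {"DataStudio": Level.READ_WRITE},
                      maxcompute_role="Role_Project_Dev"),
    "O&M engineer": Role("O&M engineer", {"Operation Center": Level.READ_WRITE},
                         deploy_to_production=True),
    "Visitor": Role("Visitor", {"DataStudio": Level.READ_ONLY,
                                "Operation Center": Level.READ_ONLY}),
}


def effective_modules(roles: List[Role]) -> Dict[str, Level]:
    """Union of module permissions: a user holding several roles gets the
    highest level any of them grants on each module."""
    result: Dict[str, Level] = {}
    for role in roles:
        for module, level in role.modules.items():
            result[module] = max(result.get(module, Level.UNAUTHORIZED), level)
    return result


def maxcompute_roles(roles: List[Role]) -> List[str]:
    """MaxCompute roles the user assumes. A custom role with no mapping adds
    nothing, so the user cannot run commands such as queries in the project."""
    return sorted({r.maxcompute_role for r in roles if r.maxcompute_role})


def can_deploy_to_production(roles: List[Role]) -> bool:
    return any(r.deploy_to_production for r in roles)


def resolve(roles: List[Role]) -> dict:
    """Summarise what a RAM user with the given roles can do."""
    mc_roles = maxcompute_roles(roles)
    return {
        "modules": effective_modules(roles),
        "maxcompute_roles": mc_roles,
        "can_query_maxcompute": bool(mc_roles),
        "can_deploy_to_production": can_deploy_to_production(roles),
    }


def review_members(members: Dict[str, List[Role]]) -> List[str]:
    """Least-privilege review over {ram_user: [Role, ...]}: flag users who can
    reach production and users who hold more than one role."""
    findings = []
    for user, roles in members.items():
        if can_deploy_to_production(roles):
            via = ", ".join(r.name for r in roles if r.deploy_to_production)
            findings.append(f"{user}: can deploy to production via {via}")
        if len(roles) > 1:
            findings.append(f"{user}: holds {len(roles)} roles; confirm all are still needed")
    return findings


if __name__ == "__main__":
    # Scenario 1: preset Developer role -> Role_Project_Dev in MaxCompute.
    print(resolve([PRESET_ROLES["Developer"]]))
    # Scenario 2: custom role "test", first unmapped, then mapped to the Admin role.
    unmapped = Role("test", {"DataStudio": Level.READ_WRITE, "Data Map": Level.READ_ONLY})
    mapped = Role("test", unmapped.modules, maxcompute_role="Admin")
    print(resolve([unmapped]))
    print(resolve([mapped]))
    # Constructed member list (sample data) for a least-privilege review.
    for line in review_members({"alice": [PRESET_ROLES["Developer"], PRESET_ROLES["O&M engineer"]]}):
        print(line)
```

The point to take from `resolve` is that DataWorks module permissions and MaxCompute permissions are two separate grants: a custom role can be Read and Write on every module and still leave the user unable to query the project until it is mapped, and a mapping to a broad MaxCompute role such as Admin widens the user's reach in the project regardless of how narrow the module permissions are.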

Go to the Manage Members tab

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. Go to the Workspace Management page of a workspace.
    You can use one of the following methods to go to the Workspace Management page:
    • On the Workspaces page, find the workspace that you want to configure and click Workspace Settings in the Actions column. In the Workspace Settings panel, click More. The Workspace Management page appears.
    • On the Workspaces page, find the workspace that you want to configure and click Data Analytics in the Actions column. On the DataStudio page, click the Workspace Management icon in the upper-right corner. The Workspace Management page appears.
  4. In the left-side navigation pane, click User Management. The Manage Members tab appears.

Manage members

On the Manage Members tab, you can perform the following operations:
  • View member information.
    You can view the cloud accounts of members and the roles that are assigned to the members in the current workspace. You can also search for a specific member by member name, cloud account, or role category. Then, you can view the member information and the number of members to which the role has been assigned. This allows you to manage members and the roles assigned to them in a centralized manner.
  • Add a user.
    1. Click Add Member in the upper-right corner of the Manage Members tab to add a user to the current workspace.
    2. In the Add Member dialog box, select one or more RAM users from the Available Accounts list.
    3. Click the > icon to move the selected RAM users to the Added Accounts list.
    4. Select one or more roles that you want to assign to the selected RAM users.
    5. Click Confirm.
  • Remove a member.
    On the Manage Members tab, find the member that you want to remove from the workspace and click Remove in the Actions column. If you want to remove multiple members from the workspace, select them and click Batch removal to remove them at a time.

Manage roles

On the Roles tab, you can perform the following operations:
  • Create a custom role.
    1. Click Create Custom Role in the upper-right corner of the Roles tab.
    2. In the Create Custom Role dialog box, enter a name for your custom role, such as test.
    3. Grant permissions on the required DataWorks modules to the role.
      • Unauthorized: indicates that the role has no permissions on the related module.
      • Read-only: indicates that the role can only view the data in the related module.
      • Read and Write: indicates that the role can modify the data in the related module.
    4. Map a custom role to a role of a compute engine.
      You can map a custom role to a role of a compute engine. For example, you can map the custom role test to the Admin role of a MaxCompute project. In this case, the Admin role is assumed by the custom role when the custom role accesses the MaxCompute project. For more information about the permission mappings between MaxCompute and DataWorks, see Permission relationships between MaxCompute and DataWorks.
      Note You can use only an Alibaba Cloud account or the RAM user whose role is an administrator or a super administrator of a MaxCompute project to map a custom DataWorks role to a role of the MaxCompute project.
    5. Click Configure.
  • View or edit roles.
    You can view the preset roles and custom roles that have been configured for the workspace on the Roles tab. You can also edit or delete custom roles. For more information about the permissions of preset roles, see Permission list.

View the permissions of users

You can execute the following statements in a MaxCompute SQL node to query the permissions of different users:
show grants;                -- Query the access permissions of your own member account.
show grants for <username>; -- Query the access permissions of the specified member. Only workspace administrators are allowed to execute this statement.

For more information, see Check permissions.