This topic describes how to grant and revoke API permissions and service unit permissions.
Permission revocation
You cannot revoke a super administrator's permissions.
Access permissions
On the Dataphin homepage, from the top navigation bar, choose Management Center > Permission Management.
In the left-side navigation pane, choose Permission Management > Data Service Permissions.
Grant and revoke permissions
API permissions
Grant API permissions
On the API Permissions tab, click Batch Grant in the upper-right corner, or click Grant in the Actions column of the desired API.
On the API Authorization page, configure the following parameters.
Parameter
Description
API permission object
Service project
Select one or more service projects for which to grant API permissions.
Account type
Select the account type to which you want to grant API permissions. You can select application or personal account. By default, application is selected.
Application: You can grant permissions only to applications when the API operation type is Create, Update, or Delete.
Be cautious when a personal account uses an API in Basic mode in the development environment to access data from the production environment. If the API is in the development environment and in Dev-Prod mode, it accesses data from the development data environment.
API
Select APIs based on the service project and API group. You can perform a fuzzy search by API name, batch search and add them, or click the icon to filter precisely by API group.
Batch Search and Add: Click Batch Search and Add. In the Batch Search dialog box, enter the names of the APIs to add. You can perform an exact search by using the "service project.API name" format. Separate multiple API names with a semicolon (;), a comma (,), or a line break. You can add up to 50 APIs.
Note: When applying for API permissions for a personal account, select a service project that the current user has joined to ensure the permissions can be granted.
API runtime environment
This parameter is required when the account type is application. Select the API's runtime environment. You can select both development environment and production environment.
Note: The API runs based on the selected runtime environment. When the API runtime environment is set to the development environment, the API runs based on the configuration submitted to that environment. When it is set to the production environment, the API runs based on the configuration published to that environment.
Application
This parameter is required when the account type is application. Select applications from an application group. You can only select applications that the current user has joined. You can perform a fuzzy search by application name, batch search and add them, or click the icon to filter precisely by application group.
Batch Search and Add: Click Batch Search and Add. In the Batch Search dialog box, enter the names of the applications to add. You can perform an exact search by using the "application group.application name" format. Separate multiple application names with a semicolon (;), a comma (,), or a line break. You can add up to 50 applications.
Authorization scope
The optional fields that require authorization are selected based on the API runtime environment: the production environment or the development environment. If the API is associated with row-level permissions, the system displays the status "Row-level permissions are in effect". You can click the View Row-level Permissions button. In the View Row-level Permissions panel, you can switch between environments to view the corresponding row-level permission information.
Note: Proceed with caution when the API is in the development environment in Basic mode and it accesses data in the production data environment.
If the API runtime environment is the production environment, you can select the response parameters from the current online version of the API. If it is the development environment, you can select the response parameters from the latest version in the development environment.
When an application with proxy permission calls an API, the system returns data based on the row-level permissions of the proxied user. If the application does not have proxy permission, the system returns data based on the application's own row-level permissions.
When the API operation type is Create, Update, or Delete, the API accesses data based on its runtime environment, and no field selection is required.
Permission configuration
Permission type
By default, usage permission is selected and cannot be changed. If the account type is application, you can also select proxy permission.
Usage permission: You can only apply for usage permission when the API operation type is Create, Update, or Delete.
Proxy permission: This permission takes effect when an API has row-level permissions enabled and operates in proxy mode. Proxy mode is enabled by configuring row-level permission parameters in the public parameters section of the API call page, which you can access by navigating to data service > Application Management > Authorized API Services. You must apply for proxy permission to call an API that is associated with row-level permissions.
Validity period
Select 30 Days, 90 Days, 180 Days, or Permanent. Alternatively, select Custom to specify an expiration date.
Authorization reason
Enter an authorization reason to help approvers understand the request. The reason cannot exceed 128 characters.
Click OK to complete the API permission grant.
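Added example (not part of Dataphin and not code from this documentation): the grant rules above written as a pre-submission check in Python, useful for reviewing bulk grant requests before they are entered. The request dictionary and its field names, the sample project and API names, and the rule that the first "." separates the service project from the API name are assumptions made for illustration.

```python
import re

MAX_ITEMS = 50     # page: up to 50 APIs per batch search
MAX_REASON = 128   # page: reason cannot exceed 128 characters
WRITE_OPS = {"Create", "Update", "Delete"}

def parse_batch(text):
    """Split batch-search input on ';', ',' or line breaks into (project, api) pairs."""
    names = [n.strip() for n in re.split(r"[;,\r\n]+", text) if n.strip()]
    if len(names) > MAX_ITEMS:
        raise ValueError(f"{len(names)} names given, limit is {MAX_ITEMS}")
    pairs = []
    for name in names:
        # Assumption: the first '.' separates service project from API name.
        project, sep, api = name.partition(".")
        if not (sep and project.strip() and api.strip()):
            raise ValueError(f"expected 'service project.API name', got {name!r}")
        pairs.append((project.strip(), api.strip()))
    return pairs

def validate_grant(req):
    """Return the rule violations for a grant request (hypothetical dict schema)."""
    errors = []
    is_app = req["account_type"] == "application"
    perms = set(req["permission_types"])
    if "usage" not in perms:
        errors.append("usage permission is always selected")
    if "proxy" in perms and not is_app:
        errors.append("proxy permission is available only to applications")
    if req["operation_type"] in WRITE_OPS:
        if not is_app:
            errors.append("Create/Update/Delete APIs can be granted only to applications")
        if "proxy" in perms:
            errors.append("only usage permission applies to Create/Update/Delete APIs")
    if is_app and not req.get("runtime_environments"):
        errors.append("API runtime environment is required for applications")
    if is_app and not req.get("applications"):
        errors.append("at least one application is required")
    if len(req.get("reason", "")) > MAX_REASON:
        errors.append("authorization reason exceeds 128 characters")
    return errors

# Constructed sample input; all project, API and account values are made up.
SAMPLE_BATCH = "sales.get_orders; sales.get_customers,\nhr.update_salary"
SAMPLE_REQUEST = {"account_type": "personal", "operation_type": "Update",
                  "permission_types": ["usage", "proxy"], "reason": "quarterly report"}

if __name__ == "__main__":
    print(parse_batch(SAMPLE_BATCH))
    print(validate_grant(SAMPLE_REQUEST))
```

The sample request is rejected on three counts because it asks for proxy permission on an Update API for a personal account.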
Revoke API permissions
On the API Permissions tab, click Batch Revoke in the upper-right corner, or click Revoke in the Actions column for the target API.
On the API Permission Revocation page, configure the following parameters.
Parameter
Description
API permission object
Service project
Select one or more service projects from which to revoke permissions.
Account type
Select the account type from which to revoke permissions. You can select application or personal account.
API
Select the APIs whose permissions you want to revoke. You can perform a fuzzy search by API name, batch search and add them, or click the icon to filter precisely by API group.
Batch Search and Add: Click Batch Search and Add. In the Batch Search dialog box, enter the names of the APIs to add. You can perform an exact search by using the "service project.API name" format. Separate multiple API names with a semicolon (;), a comma (,), or a line break. You can add up to 50 APIs.
Authorized account
This parameter is required when the account type is personal account. Select the personal accounts from which to revoke permissions.
API runtime environment
This parameter is required when the account type is application. Select the runtime environments from which to revoke permissions. You can select production environment or development environment.
Application
This parameter is required when the account type is application. Select the applications from which to revoke permissions. You can perform a fuzzy search by application name, batch search and add them, or click the icon to filter precisely by application group.
Batch Search and Add: Click Batch Search and Add. In the Batch Search dialog box, enter the names of the applications to add. You can perform an exact search by using the "application group.application name" format. Separate multiple application names with a semicolon (;), a comma (,), or a line break. You can add up to 50 applications.
Permission configuration
Permission type
Select the permission type to revoke.
If the account type is application, you can revoke usage and proxy permissions. When you revoke usage permission, the associated proxy permission is also revoked automatically. This cannot be changed.
If the account type is personal account, you can only revoke usage permission.
Revocation reason
Enter a reason for the revocation. This helps approvers understand the revocation. The reason cannot exceed 128 characters.
Click Submit to complete the API permission revocation.
Service unit
Grant service unit permissions
On the Service Unit Permissions page, click Grant in the Actions column of the desired service unit.
In the Service Unit Authorization dialog box, configure the following parameters.
Parameter
Description
Account type
Only personal account is supported.
Authorized account
Select the account(s) to authorize.
Validity period
Select a validity period.
Permission type
You can select usage permission and development permission.
Authorization reason
Enter an authorization reason. The reason cannot exceed 128 characters.
Click Submit to complete the service unit permission grant.
Revoke service unit permissions
On the Service Unit Permissions page, click Revoke in the Actions column for the target service unit.
In the Service Unit Permission Revocation dialog box, configure the following parameters.
Parameter
Description
Account type
Only personal account is supported.
Authorized account
Select the account(s) from which to revoke permissions.
Revocation reason
Enter a revocation reason. The reason cannot exceed 128 characters.
Click Submit to complete the service unit permission revocation.