Answers to frequently asked questions about managing operation permissions in DataWorks.
How do I grant users permissions on service modules?
Assign a role to each RAM user based on the level of access they need:
| Role type | What it controls |
|---|---|
| Built-in role | Permissions on service modules based on predefined permission sets. See Permissions of built-in workspace-level roles. |
| Custom workspace-level role | Read/write permissions on specific service modules for finer-grained control. See Manage permissions on workspace-level services. |
How do I grant users operation permissions on compute engines?
Operation permissions depend on the compute engine type and its configuration. After you assign a workspace-level role, the permissions that take effect differ by engine.
MaxCompute
Built-in roles map directly to MaxCompute project roles in the development environment, so a built-in role automatically inherits all permissions of its mapped MaxCompute role there. In the production environment, no such mapping exists — built-in roles cannot directly manage production MaxCompute resources.
| Environment | How nodes run | Table naming format |
|---|---|---|
| DataStudio (development) | As the Alibaba Cloud account or RAM user submitting the code | Dev tables: projectname_dev.tablename; prod tables: projectname.tablename |
| Operation Center (production) | As the account selected when associating the MaxCompute data source | Prod tables: projectname.tablename |
By default, a RAM user has no access to production environment data unless they were selected when the MaxCompute data source was associated with the workspace. To grant access, apply for the required permissions through Data Map. For details, see the Request permissions section of "Manage permissions on MaxCompute."
For example, a user with the administrator or development role has permissions on most service modules and all the permissions on a workspace in the development environment, but no permissions in the production environment by default.
E-MapReduce (EMR)
Permissions on DataWorks service modules follow the built-in role's defined permissions. Permissions on EMR data sources use the account selected when the data source was associated with the workspace.
The account used to run nodes depends on the workspace mode:
| Mode | Environment | Account used |
|---|---|---|
| Shortcut mode | DataStudio (development) | Hadoop user |
| Shortcut mode | Operation Center (production) | Hadoop user |
| Security mode | DataStudio (development) | Account selected for the development environment when configuring the compute engine |
| Security mode | Operation Center (production) | Account selected for the production environment when configuring the compute engine |
In security mode, configure Lightweight Directory Access Protocol (LDAP) permission mappings for workspace members. When an Alibaba Cloud account or RAM user commits code in DataWorks, the same-named user in EMR runs the node. For details on the permission mapping between DataWorks members and EMR users, see Register an EMR cluster to DataWorks.
To manage per-user data permissions in an EMR compute engine, use EMR Ranger. This ensures that Alibaba Cloud accounts, node owners, or RAM users have different data permissions when running EMR nodes in DataWorks.
Other compute engines
For data sources other than MaxCompute and EMR, whether a node running in DataStudio can access data source resources depends entirely on the account selected when the data source was associated with the workspace.
How do I restrict DataWorks console access to my enterprise's internal network?
Log on to the RAM console and create a security policy that allows access only from the public IP addresses mapped to your enterprise's private IP addresses. For step-by-step instructions, see Manage security settings of RAM users.