Operation permissions

更新时间:
复制 MD 格式

Answers to frequently asked questions about managing operation permissions in DataWorks.

How do I grant users permissions on service modules?

Assign a role to each RAM user based on the level of access they need:

Role type What it controls
Built-in role Permissions on service modules based on predefined permission sets. See Permissions of built-in workspace-level roles.
Custom workspace-level role Read/write permissions on specific service modules for finer-grained control. See Manage permissions on workspace-level services.

How do I grant users operation permissions on compute engines?

Operation permissions depend on the compute engine type and its configuration. After you assign a workspace-level role, the permissions that take effect differ by engine.

MaxCompute

Built-in roles map directly to MaxCompute project roles in the development environment, so a built-in role automatically inherits all permissions of its mapped MaxCompute role there. In the production environment, no such mapping exists — built-in roles cannot directly manage production MaxCompute resources.

Environment How nodes run Table naming format
DataStudio (development) As the Alibaba Cloud account or RAM user submitting the code Dev tables: projectname_dev.tablename; prod tables: projectname.tablename
Operation Center (production) As the account selected when associating the MaxCompute data source Prod tables: projectname.tablename
By default, a RAM user has no access to production environment data unless they were selected when the MaxCompute data source was associated with the workspace. To grant access, apply for the required permissions through Data Map. For details, see the Request permissions section of "Manage permissions on MaxCompute."

For example, a user with the administrator or development role has permissions on most service modules and all the permissions on a workspace in the development environment, but no permissions in the production environment by default.

E-MapReduce (EMR)

Permissions on DataWorks service modules follow the built-in role's defined permissions. Permissions on EMR data sources use the account selected when the data source was associated with the workspace.

The account used to run nodes depends on the workspace mode:

Mode Environment Account used
Shortcut mode DataStudio (development) Hadoop user
Shortcut mode Operation Center (production) Hadoop user
Security mode DataStudio (development) Account selected for the development environment when configuring the compute engine
Security mode Operation Center (production) Account selected for the production environment when configuring the compute engine

In security mode, configure Lightweight Directory Access Protocol (LDAP) permission mappings for workspace members. When an Alibaba Cloud account or RAM user commits code in DataWorks, the same-named user in EMR runs the node. For details on the permission mapping between DataWorks members and EMR users, see Register an EMR cluster to DataWorks.

To manage per-user data permissions in an EMR compute engine, use EMR Ranger. This ensures that Alibaba Cloud accounts, node owners, or RAM users have different data permissions when running EMR nodes in DataWorks.

Other compute engines

For data sources other than MaxCompute and EMR, whether a node running in DataStudio can access data source resources depends entirely on the account selected when the data source was associated with the workspace.

How do I restrict DataWorks console access to my enterprise's internal network?

Log on to the RAM console and create a security policy that allows access only from the public IP addresses mapped to your enterprise's private IP addresses. For step-by-step instructions, see Manage security settings of RAM users.