Custom RAM policies


In DataWorks, you can create and attach custom RAM policies to RAM users for fine-grained permission management. A RAM user with a custom policy has only the permissions defined in that policy. This topic describes how to control permissions for DataWorks and its console, and provides examples of common custom policies.

Prerequisites

Usage notes

This topic provides examples of custom policies. After you create a custom RAM policy, you must attach it to a RAM user to grant the specified permissions. For more information about how to grant permissions to a RAM user, see Manage RAM user permissions.

Product-level permission policies

Policy 1: Deny a RAM user all operations

An administrator can attach this policy to a RAM user to deny access to all DataWorks features. The user cannot use the DataWorks console, use service modules, or call any OpenAPI.

Sample policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "dataworks:*",
            "Resource": "*"
        }
    ]
}

Policy 2: Deny a RAM user OpenAPI calls

An administrator can attach this policy to a RAM user to prevent them from calling any DataWorks OpenAPI.

Sample policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "dataworks:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "dataworks:Scope": "OpenAPI"
        }
      }
    }
  ]
}

Policy 3: Deny access to service pages

An administrator can attach this policy to a RAM user to deny access to all DataWorks service pages.

Note

The user can still call the APIs for these services if they have the required permissions.

Sample policy:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "dataworks:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dataworks:Scope": "Page"
                }
            }
        }
    ]
}

Console entity permission policies

DataWorks provides the following custom policies for fine-grained permission management over specific operations in the DataWorks console.

Note

Notes on the Resource element:

  • When you create a custom policy, replace placeholders that start with a dollar sign ($) with their actual values. For example, replace $regionid with a specific region ID and $accountid with the UID of your Alibaba Cloud account.

  • The asterisk (*) is a wildcard. You can replace it with a specific value to refine the permission scope. For example, changing workspace/* to workspace/workspaceid limits the policy to the specified workspace.

Entity 1: Workspace

Action | Resource | Description
CreateWorkspace | acs:dataworks:$regionid:$accountid:workspace/* | Creates a workspace.
ModifyWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Modifies a workspace.
DeleteWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Deletes a workspace.
DisableWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Disables a workspace.
EnableWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Enables a workspace.

Example: Grant permission to modify a workspace

Sample policy:

{
    "Statement": [
        {
            "Action": "dataworks:ModifyWorkspace",
            "Effect": "Allow",
            "Resource": "acs:dataworks:$regionid:$accountid:workspace/$workspaceName"
        }
    ],
    "Version": "1"
}

Entity 2: Resource group

Action | Resource | Description
ListResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/* | Displays the Exclusive Resource Groups tab. Without this permission, the tab does not appear in the console.
ShowResourceGroupDetail | acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName | Displays the details of a specified resource group by name.
CreateResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/* | Creates an exclusive resource group.
ModifyResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName | Modifies an exclusive resource group.

Notes on ListResourceGroup and ShowResourceGroupDetail:

The ListResourceGroup and ShowResourceGroupDetail permissions are typically used together to control access to the Exclusive Resource Groups tab.

  • With only the ListResourceGroup permission: The user can see the Exclusive Resource Groups tab, but the page is blank.

  • With both ListResourceGroup and ShowResourceGroupDetail permissions: The user can see the Exclusive Resource Groups tab and view details of resource groups allowed by the ShowResourceGroupDetail action.

Note

  • The ShowResourceGroupDetail permission is effective only if the ListResourceGroup permission is also granted. A user with only the ShowResourceGroupDetail permission cannot view the details of any exclusive resource group.

  • The AliyunDataWorksReadOnlyAccess system policy already includes the ListResourceGroup and ShowResourceGroupDetail permissions.

Notes on CreateResourceGroup:

This permission allows a user to create a resource group in the DataWorks console based on an existing order, not to purchase new exclusive resources. Purchasing, scaling up, scaling down, renewing, or changing the specifications of a resource group requires the AliyunDataWorksFullAccess and AliyunBSSOrderAccess permissions.

  • Example 1: Grant view and manage permissions

    Sample policy:

    {
      "Statement": [
        {
          "Action": "dataworks:ListResourceGroup",
          "Effect": "Allow",
          "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
        },
        {
          "Action": "dataworks:ShowResourceGroupDetail",
          "Effect": "Allow",
          "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/resourceGroupName2"
        },
        {
          "Action": "dataworks:ModifyResourceGroup",
          "Effect": "Allow",
          "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/resourceGroupName2"
        }
      ],
      "Version": "1"
    }

  • Example 2: Grant view, create, and modify permissions

    Note

    This permission allows creating a resource group from an existing order, not purchasing new resources.

    Sample policy:

    {
      "Statement": [
        {
          "Action": "dataworks:ListResourceGroup",
          "Effect": "Allow",
          "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
        },
        {
          "Action": "dataworks:ShowResourceGroupDetail",
          "Effect": "Allow",
          "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
        },
        {
          "Action": "dataworks:CreateResourceGroup",
          "Effect": "Allow",
          "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
        },
        {
          "Action": "dataworks:ModifyResourceGroup",
          "Effect": "Allow",
          "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName1"
        },
        {
          "Action": "dataworks:ModifyResourceGroup",
          "Effect": "Allow",
          "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName2"
        }
      ],
      "Version": "1"
    }

Entity 3: Alerts

Action | Resource | Description
ListContacts | acs:dataworks:$regionid:$accountid:contacts_ram_user/* | Lists alert contacts.
ModifyContacts | acs:dataworks:$regionid:$accountid:contacts_ram_user/* | Modifies alert contact information.
ListAlarmResource | acs:dataworks:$regionid:$accountid:alarm_resource/* | Lists alert resources.
SetUpperLimits | acs:dataworks:$regionid:$accountid:alarm_resource/* | Sets upper limits for alerts.

Example: Grant permissions to manage alerts

Sample policy:

{
  "Statement": [
    {
      "Action": "dataworks:ListAlarmResource",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "dataworks:SetUpperLimits",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:alarm_resource/*"
    },
    {
      "Action": "dataworks:ListContacts",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:contacts_ram_user/*"
    },
    {
      "Action": "dataworks:ModifyContacts",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:contacts_ram_user/*"
    }
  ],
  "Version": "1"
}
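The product-level policies above rely on an explicit Deny with a dataworks:Scope condition, and the console entity policies rely on Resource strings whose $placeholders must be replaced and whose * widens the match. The following Python is an added illustration, not DataWorks documentation or the RAM service's own code: it is a simplified model of RAM's documented evaluation order (explicit Deny beats Allow; no matching Allow is an implicit Deny), applied to Policy 2 and to two statements from Entity 2, Example 2. The account ID 123456 and the request contexts in the comments are constructed values.

```python
import fnmatch
import re

# Assumption: a simplified model of RAM's documented evaluation order (explicit
# Deny beats Allow; no matching Allow is an implicit Deny), not the RAM engine.

# Policy 2 from this page: deny every DataWorks OpenAPI call.
DENY_OPENAPI = {"Version": "1", "Statement": [
    {"Effect": "Deny", "Action": "dataworks:*", "Resource": "*",
     "Condition": {"StringEquals": {"dataworks:Scope": "OpenAPI"}}}]}

# Entity 2, Example 2 statements; $accountid replaced by constructed ID 123456.
MODIFY_RG = {"Version": "1", "Statement": [
    {"Action": "dataworks:ListResourceGroup", "Effect": "Allow",
     "Resource": "acs:dataworks:*:123456:exclusive_resource_group/*"},
    {"Action": "dataworks:ModifyResourceGroup", "Effect": "Allow",
     "Resource": "acs:dataworks:cn-shanghai:123456:exclusive_resource_group/resourceGroupName1"}]}

PLACEHOLDER = re.compile(r"\$[A-Za-z]+")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def unresolved_placeholders(policy):
    """$placeholders left in Resource elements; the page says to replace them first."""
    found = set()
    for stmt in policy["Statement"]:
        for res in _as_list(stmt["Resource"]):
            found.update(PLACEHOLDER.findall(res))
    return sorted(found)

def _statement_matches(stmt, action, resource, ctx):
    # '*' in Action or Resource is a wildcard; fnmatchcase treats it the same way.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # StringEquals condition: every key in it must equal one of the listed values.
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) not in _as_list(want):
            return False
    return True

def evaluate(policies, action, resource, ctx):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'Deny'."""
    effects = [s["Effect"] for p in policies for s in p["Statement"]
               if _statement_matches(s, action, resource, ctx)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
```

With both policies attached, ModifyResourceGroup on resourceGroupName1 is allowed from a console page (Scope "Page") but denied as an OpenAPI call, and resourceGroupName2 is implicitly denied because no statement names it.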