DataWorks provides features to control access to Hologres data, including setting an authorized identity, requesting permissions, and approving permission requests. You can view your permission request records on the Permission Application Records page and process approval tasks on the Permission Application Processing page. This topic describes how to control access to Hologres data.
Prerequisites
- A Hologres instance is created. For more information, see Purchase a Hologres instance.
- A Hologres data source is added. For more information, see Hologres data source.
- Metadata has been collected for Hologres. For more information, see metadata collection.
- The Permission Policy for the database containing the Hologres tables must be the standard PostgreSQL authorization model. For more information, see Switch permission models.
Permission request
To request permissions on the data access control page, you must configure the Application Content and Application information sections.
- Log on to the DataWorks console, switch to the target region, and then click in the left-side navigation pane. On the page that appears, click Enter Security Center.
- In the left-side navigation pane of Security Center, go to the page.
- On the Data Access Control page, click the permission request tab to request permissions for MaxCompute tables, resources, or functions.
Table permission request
When you request table permissions, after adding the target tables, you can request Table-level permissions or Selected Columns as needed.
Application Content

| Configuration item | Description |
| --- | --- |
| Data Source Type | Select the MaxCompute type. |
| Application Type | Table |
| Workspace | Select the workspace where the target table resides. |
| MaxCompute Project | The MaxCompute project associated with the workspace where the table resides. |
| Schema | The schema where the table resides. |
| Tables to Be Added | Request table-level permissions: You can request the Select, Update, Download, Describe, Alter, and Drop permissions at the table level. Request column-level permissions: You can request the Select, Update, and Download permissions at the column level. |

Note:
- If labelsecurity is not enabled for the MaxCompute project and you successfully request the Select and Update permissions at the table level, newly added columns in the table automatically inherit the Select and Update permissions.
- If labelsecurity is enabled for the MaxCompute project, request column-level permissions instead. This is because newly added columns do not automatically inherit table-level permissions after you request table-level permissions.
Resource permission request
Application Content

| Configuration item | Description |
| --- | --- |
| Data Source Type | Select the MaxCompute type. |
| Application Type | Resource |
| Workspace | Select the workspace where the target resource resides. |
| Project | The MaxCompute project associated with the workspace where the resource resides. |
| Resource Name | The resource for which you want to request permissions. |
Function permission request
Application Content

| Configuration item | Description |
| --- | --- |
| Data Source Type | Select the MaxCompute type. |
| Application Type | Function |
| Workspace | Select the workspace where the target function resides. |
| Project | The MaxCompute project associated with the workspace where the function resides. |
| Function Name | The name of the function for which you want to request permissions. |
- Configure the Application information section.

Application information

| Configuration item | Description |
| --- | --- |
| User | Select the account for which you want to request permissions on the target resource. Current login account: Requests the target table permissions for the Alibaba Cloud account that is currently logged on to the DataWorks workspace. Account Used for Scheduling: Requests the target table permissions for the RAM user that is configured as the scheduling access identity. Apply on Behalf of Others: Requests the target table permissions for another Alibaba Cloud account on behalf of the currently logged-on account. If you select this option, you must configure the Username parameter. |
| Application duration | You can customize the validity period of the permissions. The permissions are automatically revoked after the specified period expires. Note: Before you use this feature, make sure that Policy authorization is enabled for the MaxCompute project where the table resides. For more information, see Details of MaxCompute data permission control. For more information about MaxCompute Policy, see MaxCompute Policy overview. |
| Reason for Application | Briefly describe the reason for requesting the permissions to help the approver understand the request. |

- Click Apply for Permissions to submit the request.
You can view the approval details and approval records of the current request on the Permission Application Records tab.
Step 2: Configure an authorized identity
DataWorks uses a specified user, known as the authorized identity, to access a Hologres instance.
- On the data access control page, in the Application Content section, set Data Source Type to Hologres. If an authorized identity is not configured for the current instance, the following message appears. Click Determine.

  The message title is Configure authorized identity. The message reads: "The administrator has not configured an authorized identity for the current instance. This identity is used to issue authorization commands to the Hologres instance. Contact the Alibaba Cloud account owner or a RAM user with the AdministratorAccess policy to configure it on this page first."
- Click Authorized Identity and then click Configure Authorization Identity.
- In the Hologres instance authorization identity configuration window, specify an authorized identity for each Hologres instance listed. For each instance, select an Alibaba Cloud account or a RAM user to execute authorization commands, then click OK to save the configuration.

  Note: If the authorized identity is a RAM user, ensure that the RAM user has the AliyunHologresReadOnlyAccess policy and is assigned the SuperUser role on the Hologres instance.
Request permissions
- Go to the Permission Application tab.
- Select the tables for which you want to request permissions.
  - Set Data Source Type to Hologres, and then specify the Hologres Instance and Database.
  - In the Tables to Be Added section on the left, select the data tables for which you want to request permissions.
  - In the table, select the permissions you want to request. The supported table-level permissions are Select, Insert, Update, Delete, Truncate, and ALL.
    - If you select the checkbox in the header row of a permission column, that permission is requested for all selected tables.
    - To remove a permission for a specific table, clear the corresponding checkbox for that table.
- Configure the Application information section.

  | Parameter | Description |
  | --- | --- |
  | User | Select the account that requires permissions. Current login account: Request permissions for the Alibaba Cloud account that is currently logged in to the DataWorks workspace. Apply on Behalf of Others: Request permissions for another Alibaba Cloud account. If you select this option, you must specify the Other identity parameter. |
  | Reason for Application | Enter the reason for requesting permissions on the tables. |

  Table-level permissions for Hologres are permanent. You cannot set an expiration time.
- Click Apply for Permissions to submit your request.
You can view the approval details and records for your request on the Permission Application Records page.
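
Because approved Hologres table-level permissions never expire, they need a periodic review on the database side. The queries below are an added example, not part of the DataWorks documentation: they assume the standard PostgreSQL `information_schema` views and `has_table_privilege` function are available in the Hologres database, that the requested permissions correspond to the PostgreSQL table privileges of the same names, and that `example_schema`, `example_table` and `example_role` are placeholders.

```sql
-- Added example (placeholders: example_schema, example_table, example_role).
-- Run as a superuser so that grants made by every grantor are visible.

-- 1. List who holds which table-level privileges, one row per table and grantee.
--    Owners show up as grantee = grantor and are skipped; everything left was
--    granted explicitly and stays in place until someone revokes it.
SELECT
    table_schema,
    table_name,
    grantee,
    string_agg(privilege_type, ', ' ORDER BY privilege_type) AS privileges,
    bool_or(is_grantable = 'YES')                            AS can_regrant
FROM information_schema.role_table_grants
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
  AND grantee <> grantor
GROUP BY table_schema, table_name, grantee
ORDER BY table_schema, table_name, grantee;

-- 2. Flag the broadest grants first: grantees holding write or destructive
--    privileges (Insert, Update, Delete, Truncate) rather than Select only.
SELECT DISTINCT table_schema, table_name, grantee
FROM information_schema.role_table_grants
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
  AND grantee <> grantor
  AND privilege_type IN ('INSERT', 'UPDATE', 'DELETE', 'TRUNCATE')
ORDER BY table_schema, table_name, grantee;

-- 3. Remove a privilege that is no longer justified, then confirm it is gone.
REVOKE INSERT, UPDATE, DELETE, TRUNCATE
    ON TABLE example_schema.example_table
    FROM "example_role";

SELECT has_table_privilege('example_role',
                           'example_schema.example_table',
                           'UPDATE') AS still_has_update;  -- expect false
```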
Permission approval
- View pending requests.

  In the navigation pane on the left, choose Application and Approval > Permission Application Processing, and then click the Data access control tab. Set Data Source Type to Hologres and use the filters to view the permission requests that require your approval.

  Note: If a single permission request includes tables with different owners, the system automatically splits it into multiple requests based on the table owner.
- View approval details.

  Find the target request and click Approval in the Operation column. In the Approval details dialog box, you can view information such as the Application Details and Approval record of the request.
- Approve or deny the request.

  Based on the request details and your business requirements, enter your Approval Comments and click Agree or Reject.

  Alternatively, on the Permission Application Processing page, you can select multiple requests, click Batch Agree or Batch Reject, enter your Approval Comments, and process the requests in bulk.
Permission request and approval records
- To view permission request records, in the navigation pane on the left, choose Application and Approval > Permission Application Records, and then click the Data access control tab. You can filter the records for your Alibaba Cloud account by criteria such as Approval status, Application Time, and Hologres Instance.

  You can also click View details in the Operation column for a specific request to see more information. For requests with an Approval status of Approving, you can click Withdrawal to withdraw the request.
- To view permission approval records, in the navigation pane on the left, choose Application and Approval > Permission Application Processing, and then click the Data access control tab. Set the task status to All. You can filter the approval records for your Alibaba Cloud account by criteria such as Application account number, Approval Results, and Hologres Instance.