DataWorks provides visual tools to manage permissions for Data Lake Formation (DLF) and DLF-Legacy, including features for permission application, approval, and auditing. This helps you manage your data lake permissions from a single location. You can track your applications on the Permission Application Records page and handle approvals on the My Approval Tasks page. This topic describes how to control data access in DLF.
Prerequisites
- You have configured DLF as the metadata storage service for your compute engine. For example, if you use an EMR compute engine, you must set DLF as its metadata storage service and enable the DLF-Auth component to use DLF-Legacy's permission features. For more information, see DLF-Auth.
- You are familiar with DLF data permissions. For more information, see Overview of data permissions.
Background information
The first time you use DataWorks to manage permissions for Data Lake Formation (DLF), you are prompted to authorize access. This process automatically creates a service-linked role named AliyunServiceRoleForDataWorksAccessDLF. For more information about the policy of the AliyunServiceRoleForDataWorksAccessDLF role, see Service-linked role for DataWorks to access DLF.
The data access control feature in DataWorks supports the following two DLF engine types:
- Data Lake Formation (DLF): DLF 3.0, which provides fine-grained permission management and supports permissions at the metabase, table, and field levels.
- DLF-Legacy: An earlier version of DLF that retains the original permission management method.
DLF data access control workflow

| Role | Description |
| --- | --- |
| Requester | A requester can apply for table permissions on the Permission Application page. After submitting a request, the requester can view their application records on the Permission Application Records page. |
| Approver | An approver uses the My Approval Tasks page to review pending permission requests and view their approval history. Note: A RAM user must have the Admin (Data Lake Administrator) or super_administrator (Super Administrator) role to approve permission requests. For more information about DLF role management, see Role management. |
| Auditor | An auditor, who can be an Alibaba Cloud account or a workspace administrator, can go to the Permission Audit page to view the table permissions of workspace members. Auditors can also revoke permissions from members in the workspace. |
Accessing data access control
Log on to the DataWorks console. In the target region, click in the left-side navigation pane. On the page that appears, click Go to Security Center.
Permission application
- In the Security Center, choose Data Platform Security > Data access control > Permission Application to open the Permission Application tab. In the Application Content section, select an Engine Type. The DLF-related engine types are:
  - Data Lake Formation (DLF): DLF 3.0.
  - DLF-Legacy: An earlier version of DLF.
  Note: The following steps use Data Lake Formation (DLF) as an example. The procedure for DLF-Legacy is similar, but the specific permissions may differ.
- Set the Granularity of authorization and Catalog, and then select the objects for which you want to apply for permissions. The authorization granularity options are:
  - Metabase-Level Permissions: Select the required metabases from the list, and then select the required permissions in the Metabase permissions column. Permissions include Describe, Alter, Drop, CreateTable, CreateFunction, and List.
  - Table-Level Permissions: In the Tables to Be Added section, select the target tables, and then select the required permissions in the corresponding columns. Permissions include Select, Update, Alter, Drop, and more.
  - Field-Level Permissions: In the Tables to Be Added section, select the target tables. Click the expand icon next to a table name to view all its fields, and then select the required field permissions in the Select column.
  Note: Only internal Paimon tables in DLF support field-level permission management.
- Configure the Application information:
  - User: Select the user or role that requires permissions.
    - Current login account: Applies for permissions for the currently logged-in account.
    - Apply on Behalf of Others: Applies for permissions for another Alibaba Cloud account. If you select this option, you must specify the Username.
    - DLF role: Applies for permissions for a DLF role. You can select multiple DLF roles from the drop-down list. This option is available only when the engine type is Data Lake Formation (DLF).
  - Application duration: Select the validity period for the permissions.
    - If the engine type is Data Lake Formation (DLF), only Permanent is supported.
    - If the engine type is DLF-Legacy, you can specify a custom duration. The permissions are automatically revoked upon expiration.
  - Reason for Application: Enter the reason for the application.
- Click Apply for Permissions to submit the request. You can view the request details and track its approval status on the Permission Application Records tab.
Permission approval
Only users with the Admin or super_administrator role can approve permission requests.
- View pending requests. In the left-side navigation pane, choose Application and Approval > My Approval Tasks, and then click the Data Access Control tab. Set Engine Type to Data Lake Formation (DLF) or DLF-Legacy and use the filter conditions to find requests awaiting your approval.
  Note: If a single application includes permission requests for multiple tables, the system automatically splits it into multiple applications based on the table owners.
- View request details. Find the target request and click Approval in the Operation column. In the Approval details dialog box, you can view the Application Details and Approval record.
- Approve or reject the request. Based on the request details and your requirements, enter your Approval Comments and then click Agree or Reject. Alternatively, on the My Approval Tasks page, you can select multiple requests and click Batch Agree or Batch Reject, and then enter your Approval Comments to process the selected requests in bulk.
View permission approval records
On the Permission Application Processing Record page, you can filter by Application account number, Approval Results, Workspace, and other conditions to view the approval records of the current Alibaba Cloud account.
You can also click View details in the Operation column of the target request to view detailed information.