Permission control for global services


DataWorks provides fine-grained permission control over global-level services using tenant-level roles. You can assign built-in roles or create custom roles to manage user access. This topic describes how to manage member permissions for global-level services.

Background

In DataWorks, a service is a global-level service if its page does not display a workspace name in the top navigation bar. Data Map is a typical example. Permissions for these services are therefore granted per tenant (Alibaba Cloud account), not per workspace.

  • For these services, DataWorks provides tenant-level roles that you assign to RAM users according to their job functions.

    DataWorks provides a set of built-in roles with predefined permissions. For example, a built-in tenant-level role can grant view and management permissions for categories in Data Map.

  • If the built-in roles do not meet your requirements, you can create a custom tenant-level role to define specific access or management permissions for a global-level service.

    For more information, see Available roles and permissions.

Permission control for global-level services in DataWorks is based on the role-based access control (RBAC) model. After you assign a DataWorks tenant-level role to a user, the user gains the role's permissions to access the corresponding DataWorks services. For more information, see Overview of the DataWorks permission model.

Limitations

  • Only DataWorks Enterprise Edition supports creating custom tenant-level roles. For more information, see Features by edition. To use custom roles, upgrade your DataWorks workspace to Enterprise Edition. For more information, see Edition selection and billing.

  • Only the Alibaba Cloud account, a Tenant Administrator, or a RAM user with the AliyunDataWorksFullAccess or AdministratorAccess policy attached can manage roles for tenant members. AdministratorAccess grants full access to every Alibaba Cloud service under the account, so prefer AliyunDataWorksFullAccess for a RAM user whose only job is to administer DataWorks.

Available roles and permissions

By default, every RAM user under the Alibaba Cloud account is a member of the DataWorks tenant. Tenant members can access most global-level services but cannot perform management operations. Use built-in or custom tenant-level roles to grant members management permissions for a tenant-level service, or to restrict their read and write access to specific global-level services.

Built-in tenant roles

The following table describes the built-in tenant-level roles provided by DataWorks and the permissions of each role.

Role / Description

Tenant Owner

Has the highest level of permissions in DataWorks. This role is assigned to the Alibaba Cloud account by default and cannot be changed.

  • The super administrator for DataWorks, with the ability to manage role assignments for tenant members.

  • Can view, read, write, and manage all global-level services in DataWorks.

Tenant Administrator

  • Has the highest permissions on tenant-level services and can assign roles to tenant members.

  • Can view, read, write, and manage all global-level services in DataWorks.

Note

This role does not include management and operational permissions on the DataWorks management console. For more information about console-related permissions, see Manage product and console access by using RAM policies.

Tenant Member

All RAM users and roles under the current Alibaba Cloud account are Tenant Members by default.

  • Can view, read from, and write to tenant-level services.

  • Cannot perform service management operations by default.

Security Administrator

  • All permissions in Security Center (view, read, write, and manage).

  • Permissions to manage custom approval policies in Approval Center.

  • All permissions in Data Security Guard (view, read, write, and manage).

Compliance Administrator

  • Permissions for cross-border data risk detection in Security Center.

  • Permissions to approve requests for cross-border data self-assessment.

Open Platform Administrator

Read and write permissions on the developer backend.

Data Governance Administrator

Read and write permissions for the Data Governance Center. Role holders can view governance assessment reports, governance issues, and check events from a global perspective, and perform corresponding corrective actions.

Note

Some operations in the Data Governance Center require roles and permissions from the corresponding services. For more information, see Overview of Data Governance Center.

Custom tenant-level role

Defines custom permissions for a specific tenant-level service.

Custom tenant roles

You can create a custom tenant-level role to control access to specific global-level services. The following table lists the global-level services that support permission control through custom roles.

Service / Permissions

Data Security Guard

  • No Permissions: Denies access to Data Security Guard.

  • Available: Grants either read-only permissions or full operational permissions on Data Security Guard.

Data Map

  • No Permissions: Denies access to Data Map.

  • Available: Grants regular usage permissions.

Note

To control metadata access, such as hiding project metadata or specific tables in Data Map, or preventing non-workspace members from accessing tables within a project, see Appendix: Overview of permission control in Data Map.

Data Governance Center

  • No Permissions: Denies access to Data Governance Center.

  • Available: Grants regular usage or data governance management permissions.

Data Analysis

  • No Permissions: Denies access to Data Analysis.

  • Available: Grants regular usage permissions.

Approval Center

  • No Permissions: Denies access to Approval Center.

  • Available: Grants regular usage permissions or permissions to manage approval processes.

Security Center

  • No Permissions: Denies access to Security Center.

  • Available: Grants regular usage permissions.

Manage tenant member roles

All RAM users under your Alibaba Cloud account are DataWorks tenant members by default and can access global-level services without any explicit role assignment. Assign roles to grant a RAM user management permissions or, by using a custom role that sets a service to No Permissions, to restrict which global-level services the user can access.

Step 1: Go to Tenant Members and Roles

  1. Go to the Management Center.

  2. In the left navigation bar of the Management Center, click Tenant Members and Roles.

Step 2 (Optional): Create a custom role

You cannot modify the permissions of built-in roles. If the built-in roles do not meet your needs, you can go to the Tenant role tab to create a custom role and specify its permissions for global-level services.

  1. On the Tenant role tab, click Create Custom Role.

  2. Specify a name for the custom role and set its permission level (No Permissions or Available) for each global-level service.

  3. Click Create.

    Note

    A success message appears. You can now assign this role to members.

Step 3: Assign roles

  1. Go to the Tenant Member tab.

  2. Find the desired member and, in the Role column, add or remove roles to grant or revoke permissions.