Manage data access permissions for MaxCompute

更新时间:
复制 MD 格式

DataWorks provides data access control to manage permissions for accessing data in the MaxCompute engine. This includes workflows for requesting, approving, and auditing permissions. You can track your requests on the My Applications page and manage approvals on the My Approval Tasks page. This topic describes how to manage data access permissions for MaxCompute.

Background

To access tables, resources, and functions from a MaxCompute data source in the production environment of a DataWorks workspace in standard mode, you must request the corresponding permissions. This helps secure and control your data in the production environment.

This topic applies to scenarios where you need to access tables, resources, or functions from a MaxCompute data source in a production environment.

Note
  • In a workspace that runs in standard mode, DataWorks adds members to the project role of MaxCompute by default for the development environment. This grants members read permissions on all data. For more information, see Resource access and permissions for the MaxCompute engine in different workspace modes.

  • In a workspace that runs in standard mode, DataWorks does not add members to the project role of MaxCompute by default for the production environment.

  • Permissions requested for MaxCompute tables, resources, or functions take effect only after an approver approves the request.

Prerequisites

Data access control workflow

Use case

Scenario

A user in a development environment needs to access a table, resource, or function in the production environment of the same workspace.

By default, a RAM user cannot access production tables from the data development interface without an access identity for the production compute engine. To gain access, the user must request permissions on the data access control page. After the request is approved, the user can perform operations on the tables in the data development interface.

A user in a development or production environment needs to access a table, resource, or function in the development or production environment of another workspace.

By default, a RAM user who is not a member of a workspace cannot access development or production tables across projects in the data development interface. To gain cross-project access, the user must request permissions on the data access control page. After the request is approved, the user can perform operations on the tables in the data development interface.

Permission request workflow

The data access control feature allows you to perform Permission Application, Permission Application Processing, and Permission Audit operations. You can also view Permission Application Records and Permission Application Processing Record. If a RAM user does not have the required table permissions during development, the user can request the corresponding permissions on the Permission Application page. After an approver (workspace administrator or table owner) approves the request on the Permission Application Processing page, the permissions are granted.

Note

The Security Center of DataWorks provides a default permission request approval workflow. You can also customize the approval workflow in the Approval Center. When you request column-level permissions on MaxCompute tables, DataWorks identifies the type of approval workflow based on the requested columns.

image
Note

Permission requests for resources and functions do not support custom approval workflows or permission audit management.

  • Permission requester: You can request permissions on MaxCompute tables on the data access control page. After the request is approved, you can view the approval result and confirm that the permissions have taken effect on the My Applications page.

  • Permission approver: After receiving a request, the approver can view the request details on the My Approval Tasks page and decide whether to approve or reject the request. For processed requests, the approver can view the approval results for tables, resources, and functions under the current Alibaba Cloud account on the My Approval Tasks page.

  • Permission Audit: The Alibaba Cloud account owner or workspace administrator can go to the Permission Audit page to manage and audit table permissions granted to workspace members. You can revoke permissions from specific members of the workspace.

Permission request

To request permissions on the data access control page, you must configure the Application Content and Application information sections.

  1. Log on to the DataWorks console, switch to the target region, and then click Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane of Security Center, go to Data Platform Security > Data Access Control.

  3. On the Data Access Control page, click the permission request tab to request permissions on MaxCompute tables, resources, or functions.

    Table permission request

    When you request table permissions, after adding the target tables, you can request Table-level permissions or Selected Columns permissions as needed.

    Configuration item

    Description

    Application Content

    Data Source Type

    Select the MaxCompute type.

    Application Type

    Table

    Workspace

    Select the workspace where the target Table resides.

    MaxCompute Project

    The MaxCompute project associated with the workspace where the Table resides.

    Schema

    The schema where the table resides.

    Tables to Be Added

    Request table-level permissions

    You can request table-level Select, Update, Download, Describe, Alter, and Drop permissions.

    Request column-level permissions

    You can request column-level Select, Update, and Download permissions.

    Note
    • If labelsecurity is not enabled for the MaxCompute project, and you successfully request table-level Select and Update permissions, newly added columns in the table automatically inherit the Select and Update permissions.

    • If labelsecurity is enabled for the MaxCompute project, request column-level permissions instead. After table-level permissions are granted, newly added columns do not automatically inherit the table-level permissions.

    Resource permission request

    Configuration item

    Description

    Application Content

    Data Source Type

    Select the MaxCompute type.

    Application Type

    Resource

    Workspace

    Select the workspace where the target resource resides.

    Project

    The MaxCompute project associated with the workspace where the resource resides.

    Resource Name

    The resource for which you want to request permissions.

    Function permission request

    Configuration item

    Description

    Application Content

    Data Source Type

    Select the MaxCompute type.

    Application Type

    Function

    Workspace

    Select the workspace where the target function resides.

    Project

    The MaxCompute project associated with the workspace where the function resides.

    Function Name

    The name of the function for which you want to request permissions.

  4. Configure Application information.

    Configuration item

    Description

    Application information

    User

    Select the account for which you want to request permissions on the target resource.

    • Current login account: Request the target table permissions for the Alibaba Cloud account that is currently logged on to the DataWorks workspace.

    • Account Used for Scheduling: Request the target table permissions for the RAM user that is configured as the scheduling access identity.

    • Apply on Behalf of Others: Request the target table permissions for another Alibaba Cloud account using the account that is currently logged on to the DataWorks workspace. If you select this option, you must configure the Username parameter.

    Application duration

    You can specify a custom validity period for the permissions. The permissions are automatically revoked after they expire.

    Note

    Before you use this feature, make sure that Policy-based authorization is enabled for the MaxCompute project where the table resides. For more information, see Details of data access control for MaxCompute. For more information about MaxCompute Policy, see MaxCompute Policy overview.

    Reason for Application

    Briefly describe the reason for requesting permissions so that the approver can understand your needs.

  5. Click Apply for Permissions to submit the request.

    You can view the approval details and approval records for the current request on the Permission Application Records tab.

Permission approval

After the permission requester submits a permission request, the permission approver can process the request on the My Approval Tasks page.

  1. In the left-side navigation pane, choose Application & Approval > My Approval Tasks, and then click the Data Access Control tab. In the Pending Approval list, you can filter by Application account number, Application Time, Workspace, Project name, Object name, and other conditions to view pending requests under the current Alibaba Cloud account.

    Note

    If a single request contains permission requests for multiple tables, the request is automatically split into multiple requests based on the table owners.

  2. Click Approval in the Operation column of the target request. In the Approval details dialog, you can view the Application Details, Approval record, and other details. You can perform the following operations in the dialog:

    • Based on the request details and your requirements, decide whether to approve the request. Enter Approval Comments, and then click Agree or Reject to process the request.

    • Modify the Application Content and Expiration Time of the request.

    Note
    • Pending steps: Displays all approvers who have the approval permissions.

    • Processed steps: Displays only the approver who processed the request.

    In addition to approving individual requests in the approval details dialog, you can also select all requests on the My Approval Tasks page and click Batch Agree or Batch Reject. Enter Approval Comments to process the target requests in a batch.

View permission request records

In the left-side navigation pane, choose Application & Approval > My Applications, and then click the Data Access Control tab. You can filter by Approval status, Application Time, Workspace, and other conditions to view the request records under the current Alibaba Cloud account.

You can also click View details in the Operation column of the target request to view the detailed information. For requests with the Approval status of Approving, you can proceed with subsequent approval operations.

View permission approval records

Important

The Permission Approval Records tab on the Data Access Control page has been deprecated. The list has been migrated to the Application & Approval > My Approval Tasks page. The original tab no longer displays the approval record list and only shows a migration notice. Follow the steps below to view permission approval records.

In the left-side navigation pane, choose Application & Approval > My Approval Tasks, and then click the Data Access Control tab. Set the task status to All. You can filter by Application account number, Approval Results, Workspace, and other conditions to view the approval records under the current Alibaba Cloud account.

You can also click View details in the Operation column of the target request to view the detailed information.

Permission Audit

After completing the permission approval, you can go to the Permission Audit tab, use the filter conditions to find and audit the target resources, view the Authorization Information, and click Reclaim permission or View permissions in the Operation column.

Note

The Permission Audit tab currently supports only the MaxCompute engine. Other engines such as Hologres, DLF, Hive, Lindorm, and StarRocks are not supported for permission audit on this tab.

Filter settings

The permission audit list loads data only after you complete the following filter settings:

  • Application type: Currently fixed to Table.

  • Data source type: Currently fixed to MaxCompute.

  • Workspace: Select the target workspace.

  • Project: Select the target MaxCompute project.

  • Schema: Displayed only when the selected project has the three-layer model enabled. Multiple selections are supported.

Note

A fixed notice is displayed at the top of the page: Permission audit does not support filtering deleted workspaces, deleted projects, or deleted objects. Deleted objects are filtered out from the audit list.

List description

After you complete the filter settings, the list displays all auditable table resources that match the current conditions. Click the expand icon at the beginning of a row to view the authorization details for the table. The expanded section contains the following columns:

Column

Description

Account

The account that has permissions on the table.

Authorization method

The source of the permission (obtained through a permission request / granted proactively / other).

Permissions

The granted permissions (Select / Update / Download / Describe / Alter / Drop, etc.).

Expiration time

The expiration time of the permission. Permanent permissions are displayed as permanent.

Reclaim and view column-level permissions

The Operation column in the expanded row provides the following two buttons:

  • Reclaim permission: Select the permissions to reclaim and confirm. The corresponding table-level permissions are immediately revoked from the account.

  • View permissions: A details dialog appears, listing all column-level permissions that the account has on the table. You can select multiple columns in the dialog and click Reclaim Column Permissions to revoke them.

Note

If the current account does not have the permission audit capability enabled, the expanded row area displays a "No Permission" placeholder page. Contact your tenant administrator to enable the permission audit capability for the account.