Control data access for MaxCompute


The data access control feature in DataWorks allows you to manage permissions to access data in the MaxCompute compute engine, including requesting, approving, and auditing permissions. You can view your permission requests on the My Applications page and process approvals on the My Approval Tasks page. This topic describes how to manage data access control for MaxCompute.

Background

To access tables, resources, and functions from a MaxCompute data source in the production environment of a DataWorks workspace in standard mode, you must request the corresponding permissions. This ensures the security and control of your assets in the production environment.

This topic applies to scenarios where you need to access tables, resources, or functions from a MaxCompute data source in the production environment.

Note
  • In the development environment of a workspace running in standard mode, DataWorks adds members to the MaxCompute project role by default. This grants members read permissions on all data. For more information, see Resource access and permissions for the MaxCompute engine in different workspace modes.

  • In a workspace that runs in standard mode, DataWorks does not add members to the project role of MaxCompute by default in the production environment.

  • After a user requests permissions for MaxCompute tables, resources, or functions, the permissions take effect only after an approver approves the permission request.

Prerequisites

Data access control workflow

Scenarios

Scenario: A user in a development environment needs to access a table, resource, or function in the production environment of the same workspace.

Description: By default, if a DataWorks RAM user is not configured with an access identity for the compute engine of the production environment, the RAM user cannot directly operate on production tables in the workspace from Data Studio. To obtain permissions on production tables, the RAM user must submit a request in Security Center. After the request is approved, the RAM user can operate on the tables from Data Studio.

Scenario: A user in a development environment or production environment needs to access tables, resources, or functions in the development environment or production environment of a different workspace.

Description: By default, a RAM user who is not a member of a workspace cannot access development or production tables across projects from Data Studio. To perform cross-project operations on development or production tables, the RAM user must submit a request in Security Center. After the request is approved, the RAM user can operate on the tables from Data Studio.

Permission request workflow

The data access control feature provides the Permission Application, Permission Application Processing, and Permission Audit pages. You can also view the Permission Application Records and Permission Application Processing Records. If a RAM user lacks the required table permissions during development, the user can go to the Permission Application page to request them. After an approver, such as a workspace administrator or the table owner, approves the request on the Permission Application Processing page, the permissions take effect.

Note

DataWorks Security Center provides a default workflow for permission requests and approvals. You can also customize approval workflows in Approval Center. When you request permissions on MaxCompute table columns, DataWorks uses the requested columns to determine which approval workflow to use.

Note

Custom approval and permission audit management are not supported for resource and function permission requests.

  • Permission requester: You can request permissions for MaxCompute tables on the Security Center page. After the request is approved, you can view the approval result and confirm that the permissions have taken effect on the My Applications page.

  • Permission approver: After receiving a request, go to the My Approval Tasks page to view its details and decide whether to approve or reject it. On the My Approval Tasks page, you can view approval results for processed requests affecting your account's tables, resources, and functions.

  • Permission Audit: An Alibaba Cloud account or a workspace administrator can manage members' table permissions on the Permission Audit page. You can also revoke permissions from specific members.

Request permissions

To request permissions on the Data Access Control page, you must configure information in the Application Content and Application information sections.

  1. Log on to the DataWorks console. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane of Security Center, choose Data Platform Security > Data Access Control.

  3. On the Data Access Control page, click the Request Permissions tab to request permissions on MaxCompute tables, resources, or functions.

    Table permissions

    When you request table permissions, first add the target table, then request either Table-level permissions or permissions on Selected Columns, as needed.

    Application Content

    • Data Source Type: Select MaxCompute.

    • Application Type: Table.

    • Workspace: Select the workspace that contains the table for which you want to request permissions.

    • MaxCompute Project: The MaxCompute project that is bound to the workspace that contains the table.

    • Schema: The schema where the table is located.

    • Tables to Be Added: Add the target tables, then choose one of the following:

      • Request table-level permissions: You can request the following table-level permissions: Select, Update, Download, Describe, Alter, Drop.

      • Request column-level permissions: You can request the following column-level permissions: Select, Update, Download.

    Note
    • If labelsecurity is not enabled in a MaxCompute project and you are granted table-level Select and Update permissions, new columns added to the table automatically inherit those Select and Update permissions.

    • If labelsecurity is enabled for a MaxCompute project, request column-level permissions, because new columns do not automatically inherit table-level permissions.

    Resource permissions

    Application Content

    • Data Source Type: Select MaxCompute.

    • Application Type: Resource.

    • Workspace: Select the workspace that contains the target resource.

    • Project: The MaxCompute project that is bound to the workspace that contains the resource.

    • Resource Name: The resource for which you want to request permissions.

    Function permissions

    Application Content

    • Data Source Type: Select MaxCompute.

    • Application Type: Function.

    • Workspace: Select the workspace where the target function is located.

    • Project: The MaxCompute project that is bound to the workspace where the function is located.

    • Function Name: The name of the function for which you want to request permissions.

  4. Configure Application information.

    Application information

    • User: Select the account that requires permissions on the target resource.

      • Current login account: requests permissions for the currently logged-on Alibaba Cloud account.

      • Account Used for Scheduling: requests permissions on the target table for the RAM user that is configured as the scheduling access identity.

      • Apply on Behalf of Others: allows the current Alibaba Cloud account to request permissions on the target table on behalf of another Alibaba Cloud account. If you select this option, you must specify the Username parameter.

    • Application duration: You can customize the validity period of the permissions. The permissions are automatically revoked after the specified period expires.

      Note

      Before you use this feature, make sure that Policy-based authorization is enabled for the MaxCompute project where the table is located. For more information, see Details of data permission control for MaxCompute. For more information about MaxCompute policies, see Policy-based access control.

    • Reason for Application: Briefly describe the reason for the permission request to help the approver understand it.

  5. Click Apply for Permissions to submit the request.

    On the Permission Application Records tab, you can view the approval details and approval history of the current request.

Approve permissions

After a permission requester submits a permission request, a permission approver can process the request on the My Approval Tasks page.

  1. In the left-side navigation pane, choose Requests and Approvals > My Approval Tasks, and then click the Data Access Control tab. In the Pending list, you can filter requests by criteria such as Application account number, Application Time, Workspace, Project name, and Object name to find the requests that are pending your approval.

    Note

    If a single request involves multiple tables with different owners, the system automatically splits it into multiple requests based on the table owner.

  2. Click Operation in the Approval column of the target request. In the Approval details dialog box, you can view details such as the Application Details and Approval record. You can perform the following operations in the dialog box:

    • Based on the request details, enter your Approval Comments and click Agree or Reject.

    • Modify the Application Content and Expiration Time of the request.

    Note
    • Pending steps: displays all approvers who have approval permissions.

    • Processed steps: displays only the approver who processed the request.

    Alternatively, on the My Approval Tasks page, you can select multiple requests and click Batch Agree or Batch Reject. Enter your Approval Comments and process them at once.

Permission request records

In the left-side navigation pane, choose Requests and Approvals > My Applications, and then click the Data Access Control tab. You can filter the records by criteria such as Approval status, Application Time, and Workspace to view all request records associated with your Alibaba Cloud account.

You can also click Operation in the View details column of a request to view its details. If a request's Approval status is Approving, you can approve it.

Permission approval records

In the left-side navigation pane, choose Requests and Approvals > My Approval Tasks, and then click the Data Access Control tab. Set the task status to All. You can then filter the records by criteria such as Application account number, Approval Results, and Workspace to view the approval records of your Alibaba Cloud account.

You can also click Operation in the View details column of a request to view its details.

Permission Audit

After a permission approval is complete, go to the Permission Audit tab and use the filters to find and audit a target resource. You can view the Authorization Information of the resource and, in the Actions column, click Reclaim permission or View permissions.
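The following script is an added example, not code from DataWorks or this page. It models the three rules the workflow above relies on, so that an auditor can reason about them offline: a request spanning tables with different owners is split into one approval task per owner, a grant is in force only where that owner agreed, and every grant lapses once the Application duration has expired. Table names, owners, and the request record are constructed sample data; the owner mapping is an assumption, not a DataWorks API.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample mapping (assumption): which account owns each production table.
TABLE_OWNERS = {
    "prod_ods.orders": "owner_a",
    "prod_ods.customers": "owner_a",
    "prod_dwd.payments": "owner_b",
}


@dataclass
class Request:
    requester: str
    tables: list
    privileges: tuple
    submitted: str            # ISO date the request was submitted
    valid_days: int           # Application duration chosen by the requester
    approvals: dict = field(default_factory=dict)  # owner -> "Agree" / "Reject"


def split_by_owner(req):
    """One request touching tables with different owners becomes one
    approval task per owner (the splitting rule noted under Approve permissions)."""
    groups = defaultdict(list)
    for table in req.tables:
        groups[TABLE_OWNERS[table]].append(table)
    return dict(groups)


def expiry(req):
    return datetime.fromisoformat(req.submitted) + timedelta(days=req.valid_days)


def effective_grants(req, now_iso):
    """(table, privilege) pairs in force at now_iso: the owning approver agreed
    and the validity period has not yet expired."""
    if datetime.fromisoformat(now_iso) >= expiry(req):
        return []
    grants = []
    for owner, tables in split_by_owner(req).items():
        if req.approvals.get(owner) == "Agree":
            grants.extend((t, p) for t in tables for p in req.privileges)
    return grants


def audit_expired(requests, now_iso):
    """Requests with at least one approved grant whose validity period has passed;
    these should show as reclaimed on the Permission Audit tab."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in requests
            if "Agree" in r.approvals.values() and now >= expiry(r)]
```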