DataWorks provides data access control to manage permissions for accessing data in the MaxCompute engine. This includes workflows for requesting, approving, and auditing permissions. You can track your requests on the My Applications page and manage approvals on the My Approval Tasks page. This topic describes how to manage data access permissions for MaxCompute.
Background
To access tables, resources, and functions from a MaxCompute data source in the production environment of a DataWorks workspace in standard mode, you must request the corresponding permissions. This helps secure and control your data in the production environment.
This topic applies to scenarios where you need to access tables, resources, or functions from a MaxCompute data source in a production environment.
-
In a workspace that runs in standard mode, DataWorks adds members to the project role of MaxCompute by default for the development environment. This grants members read permissions on all data. For more information, see Resource access and permissions for the MaxCompute engine in different workspace modes.
-
In a workspace that runs in standard mode, DataWorks does not add members to the project role of MaxCompute by default for the production environment.
-
Permissions requested for MaxCompute tables, resources, or functions take effect only after an approver approves the request.
Prerequisites
-
A MaxCompute compute resource is bound to your workspace.
-
You are familiar with the details of data access control for MaxCompute.
-
You understand the differences between basic mode and standard mode for DataWorks workspaces.
Data access control workflow
Use case
|
Scenario |
|
|
A user in a development environment needs to access a table, resource, or function in the production environment of the same workspace. |
By default, a RAM user cannot access production tables from the data development interface without an access identity for the production compute engine. To gain access, the user must request permissions on the data access control page. After the request is approved, the user can perform operations on the tables in the data development interface. |
|
A user in a development or production environment needs to access a table, resource, or function in the development or production environment of another workspace. |
By default, a RAM user who is not a member of a workspace cannot access development or production tables across projects in the data development interface. To gain cross-project access, the user must request permissions on the data access control page. After the request is approved, the user can perform operations on the tables in the data development interface. |
Permission request workflow
The data access control feature allows you to perform Permission Application, Permission Application Processing, and Permission Audit operations. You can also view Permission Application Records and Permission Application Processing Record. If a RAM user does not have the required table permissions during development, the user can request the corresponding permissions on the Permission Application page. After an approver (workspace administrator or table owner) approves the request on the Permission Application Processing page, the permissions are granted.
The Security Center of DataWorks provides a default permission request approval workflow. You can also customize the approval workflow in the Approval Center. When you request column-level permissions on MaxCompute tables, DataWorks identifies the type of approval workflow based on the requested columns.
Permission requests for resources and functions do not support custom approval workflows or permission audit management.
-
Permission requester: You can request permissions on MaxCompute tables on the data access control page. After the request is approved, you can view the approval result and confirm that the permissions have taken effect on the My Applications page.
-
Permission approver: After receiving a request, the approver can view the request details on the My Approval Tasks page and decide whether to approve or reject the request. For processed requests, the approver can view the approval results for tables, resources, and functions under the current Alibaba Cloud account on the My Approval Tasks page.
-
Permission Audit: The Alibaba Cloud account owner or workspace administrator can go to the Permission Audit page to manage and audit table permissions granted to workspace members. You can revoke permissions from specific members of the workspace.
Permission request
To request permissions on the data access control page, you must configure the Application Content and Application information sections.
-
Log on to the DataWorks console, switch to the target region, and then click in the left-side navigation pane. On the page that appears, click Go to Security Center.
-
In the left-side navigation pane of Security Center, go to .
-
On the Data Access Control page, click the permission request tab to request permissions on MaxCompute tables, resources, or functions.
Table permission request
When you request table permissions, after adding the target tables, you can request Table-level permissions or Selected Columns permissions as needed.
Configuration item
Description
Application Content
Data Source Type
Select the MaxCompute type.
Application Type
TableWorkspace
Select the workspace where the target
Tableresides.MaxCompute Project
The MaxCompute project associated with the workspace where the
Tableresides.Schema
The schema where the table resides.
Tables to Be Added
Request table-level permissions
You can request table-level
Select,Update,Download,Describe,Alter, andDroppermissions.Request column-level permissions
You can request column-level
Select,Update, andDownloadpermissions.Note-
If
labelsecurityis not enabled for the MaxCompute project, and you successfully request table-levelSelectandUpdatepermissions, newly added columns in the table automatically inherit theSelectandUpdatepermissions. -
If
labelsecurityis enabled for the MaxCompute project, request column-level permissions instead. After table-level permissions are granted, newly added columns do not automatically inherit the table-level permissions.
Resource permission request
Configuration item
Description
Application Content
Data Source Type
Select the MaxCompute type.
Application Type
ResourceWorkspace
Select the workspace where the target resource resides.
Project
The MaxCompute project associated with the workspace where the resource resides.
Resource Name
The resource for which you want to request permissions.
Function permission request
Configuration item
Description
Application Content
Data Source Type
Select the MaxCompute type.
Application Type
FunctionWorkspace
Select the workspace where the target function resides.
Project
The MaxCompute project associated with the workspace where the function resides.
Function Name
The name of the function for which you want to request permissions.
-
-
Configure Application information.
Configuration item
Description
Application information
User
Select the account for which you want to request permissions on the target resource.
-
Current login account: Request the target table permissions for the Alibaba Cloud account that is currently logged on to the DataWorks workspace.
-
Account Used for Scheduling: Request the target table permissions for the RAM user that is configured as the scheduling access identity.
-
Apply on Behalf of Others: Request the target table permissions for another Alibaba Cloud account using the account that is currently logged on to the DataWorks workspace. If you select this option, you must configure the Username parameter.
Application duration
You can specify a custom validity period for the permissions. The permissions are automatically revoked after they expire.
NoteBefore you use this feature, make sure that Policy-based authorization is enabled for the MaxCompute project where the table resides. For more information, see Details of data access control for MaxCompute. For more information about MaxCompute Policy, see MaxCompute Policy overview.
Reason for Application
Briefly describe the reason for requesting permissions so that the approver can understand your needs.
-
-
Click Apply for Permissions to submit the request.
You can view the approval details and approval records for the current request on the Permission Application Records tab.
Permission approval
After the permission requester submits a permission request, the permission approver can process the request on the My Approval Tasks page.
-
In the left-side navigation pane, choose Application & Approval > My Approval Tasks, and then click the Data Access Control tab. In the Pending Approval list, you can filter by Application account number, Application Time, Workspace, Project name, Object name, and other conditions to view pending requests under the current Alibaba Cloud account.
NoteIf a single request contains permission requests for multiple tables, the request is automatically split into multiple requests based on the table owners.
-
Click Approval in the Operation column of the target request. In the Approval details dialog, you can view the Application Details, Approval record, and other details. You can perform the following operations in the dialog:
-
Based on the request details and your requirements, decide whether to approve the request. Enter Approval Comments, and then click Agree or Reject to process the request.
-
Modify the Application Content and Expiration Time of the request.
Note-
Pending steps: Displays all approvers who have the approval permissions.
-
Processed steps: Displays only the approver who processed the request.
In addition to approving individual requests in the approval details dialog, you can also select all requests on the My Approval Tasks page and click Batch Agree or Batch Reject. Enter Approval Comments to process the target requests in a batch.
-
View permission request records
In the left-side navigation pane, choose Application & Approval > My Applications, and then click the Data Access Control tab. You can filter by Approval status, Application Time, Workspace, and other conditions to view the request records under the current Alibaba Cloud account.
You can also click View details in the Operation column of the target request to view the detailed information. For requests with the Approval status of Approving, you can proceed with subsequent approval operations.
View permission approval records
The Permission Approval Records tab on the Data Access Control page has been deprecated. The list has been migrated to the Application & Approval > My Approval Tasks page. The original tab no longer displays the approval record list and only shows a migration notice. Follow the steps below to view permission approval records.
In the left-side navigation pane, choose Application & Approval > My Approval Tasks, and then click the Data Access Control tab. Set the task status to All. You can filter by Application account number, Approval Results, Workspace, and other conditions to view the approval records under the current Alibaba Cloud account.
You can also click View details in the Operation column of the target request to view the detailed information.
Permission Audit
After completing the permission approval, you can go to the Permission Audit tab, use the filter conditions to find and audit the target resources, view the Authorization Information, and click Reclaim permission or View permissions in the Operation column.
The Permission Audit tab currently supports only the MaxCompute engine. Other engines such as Hologres, DLF, Hive, Lindorm, and StarRocks are not supported for permission audit on this tab.
Filter settings
The permission audit list loads data only after you complete the following filter settings:
Application type: Currently fixed to Table.
Data source type: Currently fixed to MaxCompute.
Workspace: Select the target workspace.
Project: Select the target MaxCompute project.
Schema: Displayed only when the selected project has the three-layer model enabled. Multiple selections are supported.
A fixed notice is displayed at the top of the page: Permission audit does not support filtering deleted workspaces, deleted projects, or deleted objects. Deleted objects are filtered out from the audit list.
List description
After you complete the filter settings, the list displays all auditable table resources that match the current conditions. Click the expand icon at the beginning of a row to view the authorization details for the table. The expanded section contains the following columns:
Column |
Description |
Account |
The account that has permissions on the table. |
Authorization method |
The source of the permission (obtained through a permission request / granted proactively / other). |
Permissions |
The granted permissions (Select / Update / Download / Describe / Alter / Drop, etc.). |
Expiration time |
The expiration time of the permission. Permanent permissions are displayed as permanent. |
Reclaim and view column-level permissions
The Operation column in the expanded row provides the following two buttons:
-
Reclaim permission: Select the permissions to reclaim and confirm. The corresponding table-level permissions are immediately revoked from the account.
-
View permissions: A details dialog appears, listing all column-level permissions that the account has on the table. You can select multiple columns in the dialog and click Reclaim Column Permissions to revoke them.
If the current account does not have the permission audit capability enabled, the expanded row area displays a "No Permission" placeholder page. Contact your tenant administrator to enable the permission audit capability for the account.