Manage permissions on workspace-level services

DataWorks lets you grant workspace members different permissions on workspace-level services by assigning them roles. Two kinds of roles can be assigned: built-in workspace-level roles, which carry fixed permissions on specific workspace-level services, and custom workspace-level roles, which let you control whether a member has no access, read-only access, or read and write access to each workspace-level service. This topic describes both kinds of roles and the basic operations for managing the permissions of workspace members on workspace-level services.

Background information

DataWorks does not limit the number of members. You can add team members by authorizing RAM users. After you authorize RAM users in a workspace, they can access DataWorks to collaborate on development.

  1. A DataWorks workspace is a basic unit in which different roles can be used for collaborative data development. All data development operations are performed in a specific workspace. If you want to allow a RAM user to collaboratively perform data development operations, you must add the RAM user to a workspace as a member and assign roles to the member based on your business requirements.

     You can assign the built-in workspace-level roles provided by DataWorks to the member. For example, if you assign the Development role to the member, the member can perform data development operations in the workspace but cannot perform the deploy operation.

     Reference: Appendix: List of Default Role Permissions (Workspace Level)

  2. If the built-in workspace-level roles cannot meet your business requirements, you can create a custom workspace-level role and assign the role to a RAM user. This way, you can control the permissions of the RAM user on a specific workspace-level service. For example, you can create a custom workspace-level role and assign the role to a RAM user to deny the access permissions on DataService Studio for the RAM user.

     Reference: Workspace-level roles

  3. Permission management on workspace-level services in DataWorks is performed based on the role-based access control (RBAC) model. After you add a RAM user to a workspace as a member and assign a workspace-level role to the member, the member is granted the permissions of the role on the related workspace-level service.

     Reference: Overview of the DataWorks permission management system

Limits

  • Only workspaces of DataWorks Enterprise Edition support custom roles. For information about DataWorks editions, see DataWorks: Features by edition. If your workspace is not of DataWorks Enterprise Edition, you can upgrade the DataWorks service that you use to this edition. For information about the billing of DataWorks advanced editions, see Editions and billing.

    Note

    When upgrading your DataWorks edition, if you need to adjust the subscription period, we recommend that you first unsubscribe from the current edition and then purchase the desired new edition. If you upgrade directly from a lower edition to a higher one, you must pay the price difference for the remaining time in the current billing cycle.

  • Only the Workspace Owner and Workspace Administrator can add members, modify the roles of members, remove members, and delete custom roles.

  • Only an Alibaba Cloud account, or a RAM user that is assigned the Admin or Super_Administrator role of the MaxCompute project, can configure the mapping between a DataWorks custom workspace-level role and a role of the MaxCompute project.

  • You cannot change the permissions of the built-in roles.

Workspace-level roles

A DataWorks workspace provides identities such as members and roles. You grant roles to members based on what they need to do. DataWorks offers built-in workspace-level roles with fixed permissions. If the built-in roles do not meet your requirements, you can define custom workspace-level roles on the Workspace Roles tab.

Built-in workspace-level roles

By default, the built-in workspace-level roles provided by DataWorks have read permissions on all workspace-level services. The management and operation permissions of different built-in workspace-level roles on workspace-level services vary. The following table describes the built-in workspace-level roles and the permissions of each built-in workspace-level role on workspace-level services.

Note

The Workspace Owner is an Alibaba Cloud account; a RAM user can create a workspace only on behalf of an Alibaba Cloud account. You cannot assign the Workspace Owner role to another user. For details about the permissions of each built-in role on different DataWorks modules, see Appendix: List of built-in role permissions (workspace level).

  • Workspace Owner: Has all permissions in the workspace and is typically an Alibaba Cloud account. For example, the owner can assign roles to RAM users as needed and remove any member other than the owner from the workspace.

  • Workspace Administrator: Has permissions second only to those of the Workspace Owner. This role can add a user to the workspace as a member, remove a member from the workspace, and assign roles to members.

  • Data Analyst: Has permissions only on DataAnalysis.

  • Development: Can perform data development and maintenance operations on the DataStudio page of the workspace.

    Note
    • To perform data development operations as a RAM user, you must assign the Development or Workspace Administrator role to the RAM user.

    • To perform the deploy operation as a RAM user, you must assign the O&M or Workspace Administrator role to the RAM user.

  • O&M: Can deploy tasks to the production environment on the Create Deploy Task page and perform O&M operations on all tasks in the workspace in Operation Center.

  • Deployment: In a multi-workspace setup, reviews task code and decides whether to submit it to O&M.

  • Visitor: Has read-only permissions on workflows and code on the DataStudio page of the workspace.

  • Security Administrator: Has permissions only on Data Security Guard.

  • Model Designer: Can view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role cannot publish models.

  • Data Governance Administrator: Can view and manage the data governance content of its own workspace in Data Governance Center.

    Note
    • This role cannot view the data governance status of all workspaces in a region from the global perspective or perform global governance operations, such as enabling check items at the global level. To allow a RAM user to perform global governance operations, assign the tenant-level Data Governance Administrator role to the RAM user. For more information, see Data Governance Administrator role at the tenant level.

    • For more information about the features supported by the workspace-level Data Governance Administrator role, see Data Governance.

Custom workspace-level roles

Custom workspace-level roles let you control whether a role can use a specific workspace-level module, with one of three permission levels per module. If you use the MaxCompute compute engine, you can also use the Configure Account Mapping section to grant the role operation permissions on engine resources. For instructions, see Create a custom workspace-level role: in the Create Custom Role dialog box, enter a role name, set the module permissions in the DataWorks Permissions section, optionally map the role to a compute engine role in the Configure Account Mapping section, and click Create to save the role.

  • No permission: The role has no permission to view the corresponding module.

  • Read-only: The role can only view information in the corresponding module and cannot modify its data.

  • Read and Write: The role can modify the data in the corresponding module.

Add a RAM user to a workspace as a member and assign roles to the member

After you add a RAM user to a workspace as a member, you can assign a built-in workspace-level role to the member based on your business requirements. By default, after a RAM user is added to a workspace as a member, the member can access all workspace-level services. If you want to prohibit the member from accessing a specific workspace-level service, you can create a custom workspace-level role for which access permissions on the service are denied and assign the role to the member. This way, the member cannot access the workspace-level service.

Step 1: Go to the Workspace Members tab

  1. Go to Management Center.

  2. On the Workspace page, click Workspace Members.

Step 2: Add a RAM user to a workspace as a member and manage members in the workspace

  1. On the Workspace Members tab, click Add Member in the upper-right corner.

  2. In the Add Member dialog box, select the RAM users that you want to add and the roles to assign to them.

    • Select the RAM users to add to the workspace as members: The Available Accounts list displays all RAM users under the current Alibaba Cloud account. Click the > icon to move the RAM users that you want to add to the current workspace, making them members for collaborative development.

      Note
      If the RAM user that you want to add is not in the list, click Refresh at the top of the dialog box.

    • Assign multiple roles to a RAM user at a time: Select the roles that you want to assign to the selected RAM users and click OK. The selected roles are assigned at the same time, and the RAM users are granted the permissions of all of those roles. You can assign built-in workspace-level roles or custom workspace-level roles. Before you assign a custom workspace-level role, create it as described in the following subsection.

      Note
      • If you use the MaxCompute compute engine, it provides built-in roles that are mapped to the DataWorks built-in workspace-level roles. DataWorks uses these mappings to grant a RAM user that holds a DataWorks role the permissions of the corresponding engine role in the development environment. Production environment permissions are not granted by default.

      • For other types of compute engines, you cannot grant a member permissions on the compute engine by assigning a workspace-level role to the member.

  3. Click OK to finish adding the members.

    You can then view the accounts, roles, and other information for all members in the current DataWorks workspace on the Workspace Members tab. You can use filter conditions to locate a specific member and, in the Role column, grant or revoke a built-in or custom workspace-level role for that member. You can also click Remove in the Operation column to remove a user from the current workspace.

(Optional) Create a custom workspace-level role

The permissions of built-in workspace-level roles cannot be modified. If the built-in roles do not meet your permission control requirements, you can create custom roles on the Workspace Roles tab.

  1. On the Workspace Roles tab, click Create Custom Role.

  2. In the Create Custom Role dialog box, specify a name for the role and configure permission settings on each workspace-level service for the role.

    • No permission: The role has no permission to view the corresponding module.

    • Read-only: The role can only view information in the corresponding module and cannot modify its data.

    • Read and Write: The role can modify the data in the corresponding module.

  3. In the Configure Account Mapping section, click Add to configure mappings between the new custom DataWorks role and the permissions of other engines. This grants the role the corresponding engine permissions.

    If you want to use a MaxCompute compute engine in the workspace, you can specify a built-in role of the MaxCompute compute engine and configure a mapping between the custom workspace-level role and the role of the MaxCompute compute engine when you create the custom workspace-level role. This way, after the custom workspace-level role is assigned to a member in the workspace, the member is automatically granted the permissions of the built-in role of the MaxCompute compute engine. For information about the mappings between the roles of different types of compute engines and the roles of DataWorks, see Appendix: Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute.

  4. Click Create.

    The custom role is created, and a success message is displayed. You can then assign this role to members when you add them. You can also edit or delete custom roles on the Workspace Roles tab.
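As an added example (not DataWorks' own code or API), the following Python models the permission rules this page describes for the procedures above, adding members with built-in roles and denying a module with a custom role, so a reviewer can check a member-role list from the Workspace Members tab before applying it: built-in roles read every service and write only the services listed for them, a custom role's No permission denies a module, and the Development/O&M split means a member who can both develop and deploy has collapsed the separation the page relies on. Role and service names follow the page; the member list and account names are constructed sample data, and the rule for combining several roles (an explicit No permission wins, otherwise the highest granted level applies) is an assumption, since the page does not spell it out.

```python
"""Offline model of the DataWorks workspace-level RBAC described on this page.

Added example, not DataWorks code or API. Role and service names follow the
page. ASSUMPTION: when a member holds several roles, an explicit "No
permission" from a custom role denies the service; otherwise the highest
level granted by any of the member's roles applies.
"""

# Permission levels, ordered so max() selects the most permissive one.
NO_PERMISSION, READ_ONLY, READ_WRITE = 0, 1, 2

# Workspace-level services named on the page (a subset, enough for the demo).
SERVICES = ("DataStudio", "Operation Center", "DataService Studio",
            "Data Security Guard", "DataAnalysis", "Data Governance Center")

# Built-in roles: read on every service by default (page), write on the
# services the page says the role can manage or operate.
BUILTIN_WRITE = {
    "Workspace Administrator": set(SERVICES),
    "Development": {"DataStudio"},
    "O&M": {"Operation Center"},  # deploy to production and run O&M
    "Data Analyst": {"DataAnalysis"},
    "Security Administrator": {"Data Security Guard"},
    "Data Governance Administrator": {"Data Governance Center"},
    "Visitor": set(),  # read-only everywhere
}


def custom_role(overrides):
    """Custom role with one explicit level per service; services not in
    `overrides` default to READ_ONLY (assumption: the role exists only to
    change the modules that are listed)."""
    role = {service: READ_ONLY for service in SERVICES}
    role.update(overrides)
    return role


def effective_level(roles, custom_roles, service):
    """Effective level on `service` for a member that holds `roles`."""
    denied = False
    levels = []
    for role in roles:
        if role in BUILTIN_WRITE:
            granted = READ_WRITE if service in BUILTIN_WRITE[role] else READ_ONLY
        elif role in custom_roles:
            granted = custom_roles[role][service]
            denied = denied or granted == NO_PERMISSION
        else:
            raise KeyError(f"unknown role {role!r}")
        levels.append(granted)
    if denied:  # explicit deny wins (assumption, see module docstring)
        return NO_PERMISSION
    return max(levels, default=NO_PERMISSION)


def effective_matrix(members, custom_roles):
    """{member: {service: level}} for a member -> roles mapping."""
    return {
        member: {s: effective_level(roles, custom_roles, s) for s in SERVICES}
        for member, roles in members.items()
    }


def audit(members, custom_roles):
    """Least-privilege findings per member. The page separates Development
    (develops, cannot deploy) from O&M (deploys to production); a member who
    can write both DataStudio and Operation Center can push their own code to
    production unreviewed, so flag it. Workspace Administrators hold every
    permission and are listed too, so their number can be reviewed."""
    findings = {}
    for member, perms in effective_matrix(members, custom_roles).items():
        notes = []
        if "Workspace Administrator" in members[member]:
            notes.append("workspace administrator: full permissions")
        elif (perms["DataStudio"] == READ_WRITE
              and perms["Operation Center"] == READ_WRITE):
            notes.append("develop + deploy: separation of duties broken")
        if notes:
            findings[member] = notes
    return findings


# Constructed sample data, not a real export or real accounts.
CUSTOM_ROLES = {
    # The page's own example: a custom role that denies DataService Studio.
    "deny-dataservice": custom_role({"DataService Studio": NO_PERMISSION}),
}
MEMBERS = {
    "alice": ["Development"],
    "bob": ["Development", "O&M"],
    "carol": ["Visitor", "deny-dataservice"],
    "dave": ["Workspace Administrator"],
}

if __name__ == "__main__":
    for member, notes in audit(MEMBERS, CUSTOM_ROLES).items():
        print(f"{member}: {'; '.join(notes)}")
    print("carol on DataService Studio:",
          effective_level(MEMBERS["carol"], CUSTOM_ROLES, "DataService Studio"))
```

Run it against your own member-role list by replacing MEMBERS and CUSTOM_ROLES; the audit flags bob (Development plus O&M) and dave (Workspace Administrator), and shows that carol's deny role removes DataService Studio even though her Visitor role would otherwise read it.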