Manage member permissions


DataWorks controls permissions at two levels: product-level (via RAM Policy) and module-level. Module-level permissions cover the DataWorks console (via RAM Policy) and functional modules (via RBAC roles).

Permission control system

The permission system is structured as follows. Each entry lists the policy type, its authorization method, its scope in DataWorks, and the related references.

Policy type: RAM Policy permission system
  Authorization method: Attach a permission policy to a user (RAM user or RAM role) to grant permissions.
    • Users include RAM users and RAM roles.
    • Permission policies include system policies and custom policies.
  Scope in DataWorks:
    • Product-level: manage DataWorks, purchase resources, and activate DataWorks services, such as Standard, Professional, and Enterprise editions.
    • Module-level: DataWorks management console (manage workspaces, resource groups, and alert contacts).
  References: RAM Policy permission system

Policy type: RBAC permission model
  Authorization method: Assign a role to a user (RAM user or RAM role) to grant permissions for the associated functional modules.
    • Users include RAM users and RAM roles.
    • Roles include workspace-level roles and global-level roles in DataWorks.
  Scope in DataWorks: Access and use of workspace-level modules, and access and management of global-level modules.
  References:
    • DataWorks global-level functional modules
    • DataWorks workspace-level functional modules

Note

To configure permissions for specific scenarios, follow Best practices: Grant permissions to a RAM user.

Usage notes

Alibaba Cloud accounts and RAM users with AdministratorAccess have full permissions by default.

Manage product-level permissions

DataWorks uses RAM Policy to manage product-level permissions. Grant RAM users system or custom policies to control DataWorks access.

Policy type: RAM Policy permission system
  Allowed operations: Available system policies:
    • Manage DataWorks (AliyunDataWorksFullAccess): grants full management of DataWorks features, excluding purchases.
    • Purchase resources and activate services (AliyunBSSOrderAccess): allows purchasing and renewing resources in the console.
  Denied operations: To deny operations, attach a custom policy to a RAM user. Controllable scopes:
    • Block access to DataWorks operations.
    • Block API calls.
    • Block access to DataWorks module UIs.
  References: Manage broad product-level permissions: System policies and custom policies

Module-level: DataWorks console permissions

Console permissions are managed with RAM Policy, controlling all operations in the DataWorks management console.

Policy type: RAM Policy permission system
  Controlled object: Workspace
    Related operations: Operations on the Workspaces page, such as creating, disabling, and deleting workspaces.
  Controlled object: Exclusive resource group
    Related operations: Operations on the Resource Groups page, such as creating exclusive resource groups and configuring their networks.
  Controlled object: Alert information
    Related operations: Operations on the Alerts page, such as configuring contacts.
  References: Manage fine-grained console permissions: Custom policies

Module-level: DataWorks functional module permissions

DataWorks functional modules are scoped at global and workspace levels, with corresponding roles to manage permissions (Appendix 1: Classification of global-level and workspace-level roles). This system uses the role-based access control (RBAC) model.

Policy type: RBAC (role-based access control) model
  Controlled object: Workspace-level modules
    Permission description:
    • Allow operations on workspace-level modules: assign a workspace-level role to a user (RAM user or RAM role) to grant permissions for the associated modules.
    • Deny access to a workspace-level module: for example, prohibit a user from accessing Data Development.
    Note: DataWorks provides predefined workspace-level roles with fixed permission sets. You can also create custom workspace-level roles.
    References: Manage permissions for workspace-level modules
  Controlled object: Global-level modules
    Permission description:
    • Allow operations on global-level modules: assign a global-level role to a user (RAM user or RAM role) to grant permissions for the associated modules.
    • Deny access to a global-level module: for example, block a user from accessing Data Map or Data Security Guard.
    Note: DataWorks provides predefined global-level roles. You can also create custom roles to control read/write access per module.
    References: Control permissions for global-level modules

Appendix 1: Global-level and workspace-level roles

DataWorks provides predefined global-level and workspace-level roles. Assign these roles to users or create custom roles as needed.

Note

  • Only the Tenant Administrator global-level role has access to all functional modules.

  • All RAM users under an Alibaba Cloud account are assigned the Tenant Member role by default.

  • If a Tenant Administrator creates a custom global-level role that denies access to certain global modules, it overrides the Tenant Member role's permissions.

Example: RAM User A under an Alibaba Cloud account is a Tenant Member by default and can access Data Map. If a Tenant Administrator creates a custom role that denies Data Map access and assigns it to RAM User A, that user loses access to Data Map.
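The two deny behaviours this page describes (a custom RAM policy that blocks API calls under "Denied operations", and a custom global-level role that strips Data Map from a Tenant Member in the example above) follow the same rule: an explicit deny wins over any allow. The following added example models that two-level check in Python. It is illustrative code written for this page, not DataWorks' or RAM's own implementation; the policy documents follow the Alibaba Cloud RAM format (Version, Statement, Effect, Action, Resource), but the "dataworks:" action namespace, the action name "dataworks:DeleteProject", the module sets assigned to each predefined role, and the role name "NoDataMap" are constructed assumptions.

```python
"""Constructed model of DataWorks' two permission layers (illustration only).

Layer 1 (RAM Policy): explicit Deny beats Allow; no matching statement means Deny.
Layer 2 (RBAC roles): a module is usable only if some assigned role allows it and
no assigned role denies it, which reproduces the custom-role-overrides-Tenant-Member
behaviour described on the page.
"""
import fnmatch
import json

# --- Layer 1: RAM Policy -----------------------------------------------------

# Stand-in for the AliyunDataWorksFullAccess system policy. The "dataworks:"
# action namespace is an assumption; this is not the real policy document.
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "dataworks:*", "Resource": "*"}],
}

# Constructed custom policy that blocks a single API call (hypothetical action name).
DENY_DELETE_WORKSPACE = {
    "Version": "1",
    "Statement": [{"Effect": "Deny", "Action": "dataworks:DeleteProject", "Resource": "*"}],
}


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate_ram(policies, action, resource="*"):
    """Return 'Allow' or 'Deny' for one action across all attached policies.

    An explicit Deny short-circuits the evaluation; with no matching Allow the
    default decision is Deny.
    """
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# --- Layer 2: RBAC roles -----------------------------------------------------

GLOBAL_MODULES = {"Data Map", "Data Security Guard"}  # module names from the page

# Predefined global-level roles. The page states only that Tenant Administrator
# reaches every module and that Tenant Member can use Data Map; the exact sets
# are constructed for this example.
ROLES = {
    "Tenant Administrator": {"allow": set(GLOBAL_MODULES), "deny": set()},
    "Tenant Member": {"allow": {"Data Map"}, "deny": set()},
}


def define_custom_role(name, allow=(), deny=()):
    """Register a custom global-level role (constructed helper, not a DataWorks API)."""
    ROLES[name] = {"allow": set(allow), "deny": set(deny)}


def effective_modules(role_names):
    """Union of allowed modules across roles, minus anything any role denies."""
    allowed, denied = set(), set()
    for name in role_names:
        allowed |= ROLES[name]["allow"]
        denied |= ROLES[name]["deny"]
    return allowed - denied


def can_use_module(ram_policies, role_names, module, api_action):
    """Both layers must pass: RAM must allow the API call and RBAC must grant the module."""
    if evaluate_ram(ram_policies, api_action) != "Allow":
        return False
    return module in effective_modules(role_names)


if __name__ == "__main__":
    print(json.dumps(DENY_DELETE_WORKSPACE, indent=2))  # document a RAM admin would attach
    user_a = [FULL_ACCESS_POLICY]
    print(evaluate_ram(user_a, "dataworks:DeleteProject"))                          # Allow
    print(evaluate_ram(user_a + [DENY_DELETE_WORKSPACE], "dataworks:DeleteProject"))  # Deny
    print(effective_modules(["Tenant Member"]))                                      # {'Data Map'}
    define_custom_role("NoDataMap", deny={"Data Map"})
    print(effective_modules(["Tenant Member", "NoDataMap"]))                         # set()
```

The order in which policies or roles are attached does not matter: a Deny statement anywhere in the RAM set, or a denied module in any assigned role, removes the permission. That is why the page recommends custom Deny policies and custom deny roles as the way to carve exceptions out of broad grants such as AliyunDataWorksFullAccess or the default Tenant Member role.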

Appendix 2: Differentiating workspace-level and global-level modules

A module with a workspace selection drop-down at the top is workspace-level. Examples: Data Integration and DataStudio.

A module without a workspace selection drop-down is global-level. Examples: Data Security Guard and Data Map.