Data query and analysis control


DataWorks lets workspace roles or members access data sources by using specified identities. You can also manage permissions for operations on query results, such as displaying, copying, downloading, and sharing, to ensure data security.

Background

When users of Data Analysis in DataWorks run tasks using a specified identity, such as the username and password, a specified RAM user, or a RAM role that is configured as the default access identity of a data source, they must have permissions in Security Center to access the data source. If users access a data source by using their logon identity, no authorization from Security Center is required.

The data query and analysis control feature lets you manage permissions to query data sources and operations on query results, such as displaying, copying, downloading, and sharing.

  • Data source query permission management

    This feature allows you to manage permissions to query a data source.

    You can grant permissions to other users or roles by using the Manage data source query permissions feature. When granting permissions, note the following:

    • After you grant a member or role permission to query a data source, they will use the RAM user or RAM role specified as the access identity for that data source. To ensure data security, especially for production data, we recommend that you plan permissions with caution before you grant them.

    • In a standard mode workspace, you must manage data source query permissions separately for the development and production environments.

  • Permission management for operations on query results

    Data Analysis in DataWorks lets you perform operations such as displaying, copying, downloading, and sharing query results. You must configure control policies to secure these operations.

    Default permissions

    Query result control

    All users have permissions to display, copy, download, and share query results.

    Use the Manage operations on Data Analysis query results feature to configure permission management policies:

    • Control whether users can copy, download, or share result data.

    • Limit the number of rows that can be displayed, copied, or downloaded.

Limitations

  • Data source query permission management

    The following table describes the limitations of data source query permission management.

    | Restriction category | Description |
    | --- | --- |
    | Applicable module | Permission management applies only to the Data Analysis module. |
    | Supported data source types | You can manage permissions only for the data source types supported by Data Analysis. Note: For more information about the data source types that Data Analysis supports, see Data sources supported for SQL queries. |
    | Role restrictions | |

  • Permission management for operations on query results

    The following table describes the limitations of managing permissions for operations on data source query results.

    | Restriction category | Description |
    | --- | --- |
    | Applicable module | Permission management applies only to the Data Analysis module. |
    | Operation restrictions | You can manage permissions only for display, copy, download, and share operations. |
    | Region and role restrictions | The query result control policy applies to all workspaces within the tenant in the current region. Only users with the Tenant Administrator or Tenant Security Administrator role can edit the control policy. |

Go to data query and analysis control

  1. Go to Security Center.

    Log on to the DataWorks console. In the target region, click Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, click Security policy > Data query and analysis control.

    On the Data Query and Analysis Control page, you can perform the following operations:

Manage data source query permissions

Note

If you have not created a data source, go to the Data Source Management page to create one first.

To grant a member or role permission to query a data source in the Data Analysis module of a specified workspace, find the data source in the list, click Authorize in the Actions column, and then configure the parameters in the Authorize dialog box.

| Parameter | Description |
| --- | --- |
| Workspace | You can select only workspaces in which the current account has the Workspace Administrator role. After you select a workspace, all data sources within that workspace are displayed, and you can grant permissions on them. Note: To assign the Workspace Administrator role to a user, see Manage workspace-level module permissions. |
| Authorized object | The target data source that you want to query. For more information about supported data source types, see Supported data source types. |
| Authorized space role | Select the workspace roles that can query the target data source. |
| Member of authorized space | Select the workspace members who can query the target data source. Note: You can select only members of the chosen workspace. To add a user as a workspace member, see Manage workspace-level module permissions. |
| Query module | Specifies the module where this authorization takes effect. Currently, you can grant a member or role only the permissions to query a specified data source in the Data Analysis module. |

Manage query result operations

You can configure query result control policies for the Data Analysis module to ensure data security and reliability. On the Data query and analysis control > Query result control tab, click Edit to customize the control policies for operations on Data Analysis query results, such as displaying, copying, downloading, and sharing.

  • Control whether users can copy, download, or share result data.

  • Limit the number of rows that can be displayed, copied, or downloaded.

Note
  • For a single tenant, you must configure query result control policies separately for each region.

  • Number of rows to display: A maximum of 10,000 rows can be displayed. The default is 10,000.

  • Number of rows to copy: A maximum of 10,000 rows can be copied. The default is 100.

  • Number of rows to download: The maximum number of rows that you can download varies by DataWorks edition. For more information, see Appendix: Maximum number of rows that can be downloaded for each DataWorks edition.

After you edit the control policy, click Operation in the View column to view its basic information.

Manage individual environment operations

The Data Studio individual development environment supports features such as file downloads, extension installations, and terminal usage. A Tenant Administrator or Tenant Security Administrator can manage these operations on the Data query and analysis control > Individual Development Environment tab.

The individual development environment supports the following controls:

| Control item | Control level | Description |
| --- | --- | --- |
| Download File | Per operation | If this feature is enabled, users can download files from the personal directory > individual development environment instance mount directory. If this feature is disabled, the download button is unavailable and users cannot download files. If this feature is enabled and a download approval rule is configured in risk identification rules, each download requires approval. Users can download the file from Upload and Download only after the request is approved. |
| Extension - Install | User-level | If this feature is enabled, users can search for, view details of, and install extensions. If this feature is disabled, the install button is unavailable and users cannot install extensions. If approval is required, a user needs to go through the approval process only once. Subsequent operations do not require another approval. |
| Terminal | User-level | If this feature is enabled, users can use the terminal in the individual development environment. If this feature is disabled, the terminal button is unavailable and users cannot use the terminal. If approval is required, a user needs to go through the approval process only once. Subsequent operations do not require another approval. |

Note

Only users with the Tenant Administrator or Tenant Security Administrator role can configure control policies for the individual development environment.

Appendix: View data source access identity

  1. Log on to the DataWorks console. In the target region, click More > Management Center in the left-side navigation pane. Select a workspace from the drop-down list and click Go to Management Center.

  2. The steps to view the access identity vary by data source type.

    • If the data source is an EMR or CDH/CDP cluster: In the left-side navigation pane, click Cluster Management and view the Default Access Identity of the corresponding cluster.

    • For other data sources: In the left-side navigation pane, click Data source > Data Sources. Find the target data source, click Edit in the Actions column, and view the Default Access Identity or Username.

Appendix: Download row limits by edition

Important

This is the maximum number of rows that DataWorks supports for download, not your actual download limit. The actual limit depends on both the DataWorks edition and internal limits of the data source.

  • Currently, only data from MaxCompute and EMR engines can be downloaded to local files.

  • For example, if you are using DataWorks Standard Edition (limit: 200,000 rows), but 180,000 rows reach the data size limit of 1 GB, you can download only 1 GB of data. For more information, see SQL Query (legacy).

| DataWorks edition | Maximum download rows | Maximum download size |
| --- | --- | --- |
| Basic Edition | 0 | N/A |
| Standard Edition | 200,000 | 1 GB. Important: If the data size exceeds 1 GB, the system automatically truncates the data. |
| Professional Edition | 2,000,000 | |
| Enterprise Edition | 5,000,000 | |

When you downgrade your DataWorks edition, the maximum number of rows that you can download changes as follows:

  • If the download limit of your previous edition is higher than the limit of the new edition, the limit is reduced to the maximum allowed by the new edition.

  • If the download limit of your previous edition is not higher than the limit of the new edition, the limit remains unchanged.