This topic uses two basic business projects as examples to describe how to create and manage projects.

Create a basic ETL project

Scenario

The customer has the following requirements: collaborative development, clear division of responsibilities, standard development, debugging, and publishing processes, and strict access control on production data.

Requirement analysis
  • DataWorks supports collaborative development.
  • DataWorks provides a series of basic roles, such as Workspace Manager, Development, O&M, Deploy, and Visitor. These roles can be assigned to members of projects to meet the requirements of the division of responsibilities.
  • DataWorks allows you to create a workspace in standard mode. In this mode, the workspace has both a development environment and a production environment. This enables standard development, debugging, and publishing processes, and strict access control on production data.
Procedure
  1. Create a project.

    For more information about how to create a project, see Create a MaxCompute project.

  2. Add members to the project.
    Add RAM users as project members and select roles for the members based on your business requirements in the DataWorks console. Then, the MaxCompute roles that match the selected member roles are automatically assigned to the RAM users in the development environment. The following member roles are available in the DataWorks console:
    • Workspace Manager: has all permissions of the Development and O&M roles. In addition, Workspace Manager can add and remove project members, and grant other roles project-level permissions, such as the permissions to create custom resource groups. This role matches the Role_Project_Admin role of MaxCompute in the development environment.
    • Development: designs and maintains workflows in Data Analytics. This role matches the Role_Project_Dev role of MaxCompute in the development environment.
    • O&M: manages the running of all tasks in a workspace in Operation Center. This role matches the Role_Project_Pe role of MaxCompute in the development environment.
    • Deploy: reviews task code and determines whether to submit the code to O&M users. This role is used only if the project is created in standard mode. This role matches the Role_Project_Deploy role of MaxCompute in the development environment.
    • Visitor: has only the permissions to view workflows and code in Data Analytics. This role matches the Role_Project_Guest role of MaxCompute in the development environment.
    • Safety Manager: has only the permissions to perform operations on the Data Security Guard module. This role matches the Role_Project_Security role of MaxCompute in the development environment.
  3. Develop and debug a task.

    Log on to the DataWorks console as the member that is assigned the Development role, and navigate to Data Analytics for the created MaxCompute project. Then, develop and debug a task. During this process, if you need to view tables generated in the production environment, you must apply for the required permissions.

  4. Publish the task to the production environment.

    Package the task as the member that is assigned the Development role. Send a review notification to the member that is assigned the O&M role. Then, review the code and execute the package to publish the task to the production environment as the member that is assigned the O&M role. Tasks cannot be published to the production environment if they are not reviewed by code reviewers.

  5. Test the task.

    After the task is published, we recommend that you perform a test on the task in Operation Center as the member that is assigned the Development role. This way, you can check whether the task runs as expected. If the task succeeds, you must check the log to determine whether the running process is normal and check whether a normal result table is generated. By default, you do not have the permissions to query tables generated in the production environment. You must apply for the required permissions.

Note
  • Data Analytics of DataWorks supports collaborative development. All project members can view the task code, and all members who have edit permissions can edit the task code. As a result, sensitive code cannot be securely protected. To resolve this issue, you can create separate projects and grant fixed members the permissions to develop tasks and data that require high confidentiality.
  • In the production environment, only the member that is assigned the Project Owner role can access MaxCompute. This member is the owner of all tables, functions, and resources. As a result, other members may find that they are not the owner of the tables that they create, or that they do not have the permissions to view the tables that they create.
  • The same account is used as the project owner in both the development and production environments. After a task is published to the production environment, the following operations must be forbidden: reading the tables generated in the production environment from the development environment, writing to those tables from the development environment, and obtaining production data in the development environment.

Create a project in basic mode and allow members to access only the tables that they create

Scenario

The business scope is limited and does not need to be extended. Project members require only a few roles. Project members do not develop code. They only query and download business data. For example, the operations role may need to obtain some data for analysis.

Requirement analysis
  • For a project that does not involve code development, the data used for analysis can be obtained only from other projects where the data is developed. Resources of different Alibaba Cloud accounts are isolated. Therefore, you must make sure that the owner of the current project uses the same account as the owner of the project where the data is developed.
  • Each member requires the permissions to query and download data. Therefore, you must set Access Identity for this project to Node Owner.
  • After Access Identity is set to Node Owner, each member is granted the permissions of a default MaxCompute role. To meet the requirement that each member can perform operations only on the tables that they create, you must adjust the default permissions based on your business requirements.
Procedure
  1. Create a project.

    For more information about how to create a project, see Create a MaxCompute project.

  2. Create and authorize a custom MaxCompute role.
    Run the following commands on the MaxCompute client as an Alibaba Cloud account:
    -- Create a custom role.
    create role custom_dev;
    -- Authorize the custom role.
    grant List, CreateInstance, CreateTable, CreateFunction, CreateResource on project prj_name to role custom_dev;
  3. Set ObjectCreatorHasAccessPermission for the project. This way, members can access the tables they create.
    Run the following command on the MaxCompute client as an Alibaba Cloud account:
    set ObjectCreatorHasAccessPermission=true;
    -- The default value of this parameter is true. You can run the following command to view the setting of this parameter:
    show SecurityConfiguration;
  4. Add members to the project.
    Add RAM users as project members in the DataWorks console. When you add a member, you must select a role for the member. For example, if you select the Development role, the member is automatically assigned the Role_Project_Dev role in the MaxCompute project after the member is added. You can run the show grants for ram$Alibaba Cloud account:RAM user; command on the MaxCompute client as the Alibaba Cloud account to view information about the added member.
  5. Modify the MaxCompute permissions of the added members.
    Run the following command on the MaxCompute client as the Alibaba Cloud account to modify the permissions of members:
    -- Revoke the default role from a member.
    revoke role_project_dev from ram$Alibaba Cloud account:RAM user;
    -- Assign the custom role created in Step 2 to the member.
    grant custom_dev to ram$Alibaba Cloud account:RAM user;
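    The following script collects Steps 2 through 5 into one sequence that can be run on the MaxCompute client as the Alibaba Cloud account that owns the project, and adds verification commands at the end. It is an added example, not a script from the original documentation or from Alibaba Cloud. The project name prj_name and the user name ram$<account>:<ram_user> are placeholders that you must replace; the member must already have been added in the DataWorks console before Steps 4 and 5 are run.

```sql
-- Added example (not from the original documentation): complete sequence for a
-- basic-mode project whose members may access only the tables they create.
-- Run on the MaxCompute client as the Alibaba Cloud account that owns the project.
-- Placeholders (assumptions, replace before use):
--   prj_name                   -> the MaxCompute project name
--   ram$<account>:<ram_user>   -> the MaxCompute user name of the RAM user
--                                 that was added as a project member

use prj_name;

-- Step 2: create a custom role that can run jobs and create objects in the
-- project but carries no project-wide permission to read other members' tables.
create role custom_dev;
grant List, CreateInstance, CreateTable, CreateFunction, CreateResource
    on project prj_name to role custom_dev;

-- Step 3: let object creators access the objects they create (default is true),
-- then display the project security configuration to confirm the setting.
set ObjectCreatorHasAccessPermission=true;
show SecurityConfiguration;

-- Step 4: after the member is added in the DataWorks console, list the roles
-- that DataWorks assigned automatically (for the Development role, Role_Project_Dev).
show grants for ram$<account>:<ram_user>;

-- Step 5: replace the default DataWorks role with the custom role.
revoke role_project_dev from ram$<account>:<ram_user>;
grant custom_dev to ram$<account>:<ram_user>;

-- Verification: the member should now hold only custom_dev, and custom_dev
-- should carry only the project-level privileges granted above.
show grants for ram$<account>:<ram_user>;
describe role custom_dev;
```

    Because no Select or Describe permission on other tables is granted to custom_dev, a member can query a table created by another member only after the object creator or the project owner grants that permission explicitly; the verification commands at the end are the place to confirm this before the member starts working.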
Note
  • If you add the Development role to the member again, the member is reassigned the Role_Project_Dev role.
  • Task-level access control is not supported. After the preceding configurations are complete, the members cannot view the tables (objects) created by others, but they can view the tasks created by others.
  • The members must go to Workspace Management of DataWorks and apply for the permissions to query tables from other projects. Alternatively, you can package the tables of other projects in the production environment, install the package in the current project, and then grant the permissions to query this package to the members. For more information, see Management of users and permissions.