If you use the security model of MaxCompute for access control, project members can perform authorized operations on any interface in DataWorks. However, if you use DataWorks to assign roles to users, the permissions of project members on MaxCompute resources may be limited. This topic describes the permission relationship between MaxCompute and DataWorks.

Project permission relationship

If you log on to the DataWorks console from the official MaxCompute or DataWorks website, you can create a workspace (project) in either of the following modes:
  • Simple mode: In this mode, a DataWorks workspace is associated with a MaxCompute project. A number of roles are created in the MaxCompute project. For more information about the role permissions, see Role management.
  • Standard mode: In this mode, a DataWorks workspace is associated with a MaxCompute development project and a MaxCompute production project. A number of roles are created in each MaxCompute project. For more information about the role permissions, see Role management.

Account authentication

In a DataWorks project, an Alibaba Cloud account must be the owner of the project. In a MaxCompute project, an Alibaba Cloud account can be either the owner or a common user. If you add members by using the member management function of DataWorks, you can only add the RAM users under your Alibaba Cloud account. However, in MaxCompute, you can add other Alibaba Cloud accounts by running the add user xxx; command.

Member roles and permissions

DataWorks project members must have permissions on MaxCompute resources during extract, transform, and load (ETL) operations. Therefore, DataWorks projects are also associated with roles in MaxCompute projects. DataWorks projects have a fixed set of workspace member roles, and the required roles are also created in the corresponding MaxCompute projects. In addition to the project owner, the Super_Administrator and Admin roles are also provided for a MaxCompute project. The following table describes the MaxCompute and DataWorks roles and their permissions.
| MaxCompute role | MaxCompute permission | DataWorks role | DataWorks permission |
| --- | --- | --- | --- |
| Project owner | This role has all permissions on a MaxCompute project. | None | None |
| Super_Administrator | This role has permissions on all types of resources in a project and management permissions. | None | None |
| Admin | When you create a project, the system creates an Admin role for it and grants the following permissions to the role: access to all objects in the project, management of users or roles, and authorization of user or role permissions. Unlike a project owner, an Admin role cannot grant the permissions of the Admin role to users, set security policies for workspaces, or change the authentication models of workspaces. The permissions of an Admin role cannot be changed. The project owner can assign an Admin role to a user so that the user is authorized for security management. | None | None |
| Role_Project_Admin | This role has all permissions on projects, tables, functions, resources, instances, jobs, and packages of a workspace. | Project administrator | The administrator of a project. This role can manage the basic properties, data sources, computing engine configurations, and project members in the project. It can also assign administrator, developer, OAM, deployment, and visitor roles to other project members. |
| Role_Project_Dev | This role has all permissions on projects, functions, resources, instances, jobs, packages, and tables of a workspace. | Developer | This role has the permissions to create or delete tables, and create workflows, script files, resources, user-defined functions (UDFs), and publish packages. However, this role does not have the publish permissions. |
| Role_Project_Pe | This role has all permissions on projects, functions, resources, instances, and jobs of a workspace. It also has READ permissions on packages and both READ and DESCRIBE permissions on tables of a workspace. | OAM | This role has PUBLISH and ONLINE OAM permissions that are granted by the project administrator. However, this role does not have the permissions to develop data. |
| Role_Project_Deploy | By default, this role does not have any permissions. | Deployment | This role has the same permissions as the OAM role, except for the online OAM permissions. |
| Role_Project_Guest | By default, this role does not have any permissions. | Visitor | This role can only view data, but cannot edit workflows or code. |
| Role_Project_Security | By default, this role does not have any permissions. | Security administrator | This role is only used to configure sensitivity rules and audit data risks in Data Security Guard. |
Note This table shows that the mapping between DataWorks roles and MaxCompute permissions is fixed. After a user is assigned a DataWorks role, obtains the permissions of the MaxCompute role associated with this DataWorks role, and then acquires other MaxCompute permissions by using the CLI, the permissions of the user in MaxCompute become inconsistent with those in DataWorks.

Users and permissions

In simple mode, a DataWorks workspace is associated with a MaxCompute project. You can specify whether other members of the DataWorks workspace have permissions on the MaxCompute project. Specifically, log on to the DataWorks console and choose Workspace Management > Compute Engines > MaxCompute visitor identity to set the permissions.

You can set MaxCompute visitor identity to Alibaba Cloud primary account or Task owner. The following figure shows the relationship between users and permissions.
In standard mode, a DataWorks workspace is associated with a MaxCompute development project and a MaxCompute production project.
Note Members of a DataWorks workspace can be granted the roles assigned to this MaxCompute development project. However, they cannot be granted the roles assigned to this MaxCompute production project.
To run a MaxCompute job, you need to publish it to the production project, and then submit it to MaxCompute as the project owner.
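The note under the role table (permissions in MaxCompute drift from the DataWorks role once extra grants are made through the CLI) and the standard-mode note (workspace members may hold roles in the development project but not in the production project) both describe conditions an administrator should audit. The following script is an added example, not part of DataWorks or MaxCompute; the role names and the fixed DataWorks-to-MaxCompute mapping come from the table on this page, while the member lists and role-membership snapshots are constructed sample data rather than real CLI output.

```python
# Fixed mapping of DataWorks roles to MaxCompute roles, taken from the table above.
DW_TO_MC = {
    "Project administrator": "Role_Project_Admin",
    "Developer": "Role_Project_Dev",
    "OAM": "Role_Project_Pe",
    "Deployment": "Role_Project_Deploy",
    "Visitor": "Role_Project_Guest",
    "Security administrator": "Role_Project_Security",
}

# Constructed snapshot: DataWorks workspace members and the DataWorks role each holds.
DW_MEMBERS = {"alice": "Developer", "bob": "OAM", "carol": "Visitor"}

# Constructed snapshots of MaxCompute role membership for a standard-mode workspace
# (one development project and one production project). Not real CLI output.
MC_DEV_ROLES = {
    "alice": {"Role_Project_Dev", "Role_Project_Admin"},  # extra role granted via CLI
    "bob": {"Role_Project_Pe"},
    "carol": {"Role_Project_Guest"},
    "dave": {"Role_Project_Dev"},                          # not a workspace member
}
MC_PROD_ROLES = {"bob": {"Role_Project_Dev"}}            # member with a production role


def find_drift(dw_members, mc_dev_roles, mc_prod_roles):
    """Return (user, finding, roles) tuples where MaxCompute role membership no
    longer matches what the DataWorks role assignment implies."""
    findings = []
    for user, dw_role in dw_members.items():
        expected = {DW_TO_MC[dw_role]}
        actual = mc_dev_roles.get(user, set())
        if actual - expected:
            findings.append((user, "extra MaxCompute roles in dev project",
                             sorted(actual - expected)))
        if expected - actual:
            findings.append((user, "missing MaxCompute role in dev project",
                             sorted(expected - actual)))
        if user in mc_prod_roles:  # members should not hold production-project roles
            findings.append((user, "workspace member holds role in production project",
                             sorted(mc_prod_roles[user])))
    for user in set(mc_dev_roles) - set(dw_members):
        findings.append((user, "MaxCompute role holder is not a DataWorks workspace member",
                         sorted(mc_dev_roles[user])))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding, roles in find_drift(DW_MEMBERS, MC_DEV_ROLES, MC_PROD_ROLES):
        print(f"{user}: {finding}: {', '.join(roles)}")
```

Replace the constructed snapshots with the output of your own membership queries (for example, the role membership listed by the MaxCompute CLI) to run the same check against a real workspace.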