This topic describes how permissions are granted when MaxCompute interoperates with DataWorks, and the limitations of relying on the permission model of only one of the two services. When you use the MaxCompute security model to control permissions, project members can perform the operations they are authorized for through any DataWorks interface. When you instead use DataWorks to assign roles to users, the permissions that project members receive on MaxCompute resources are narrower.
- Projects in simple mode: In simple mode, a DataWorks workspace is associated with a MaxCompute project. A number of roles are created in the MaxCompute project. For details about the role permissions, see Member roles and permissions in this topic.
- Projects in standard mode: In standard mode, a DataWorks workspace is associated with a MaxCompute development project and a MaxCompute production project. A number of roles are created in each MaxCompute project. For details about the role permissions, see Member roles and permissions in this topic.
`add user xxx;` command on the command line interface (CLI).
Member roles and permissions
| MaxCompute role | MaxCompute permission | DataWorks role | DataWorks permission |
| --- | --- | --- | --- |
| project owner | This role has permissions to operate on all MaxCompute projects. | None | None |
| role_project_admin | This role has all permissions on projects, tables, functions, resources, instances, jobs, and packages. | Administrator | This role is the administrator of a workspace. It can manage the basic properties, data sources, compute engine configurations, and project members in the workspace. It can also assign the administrator, development, O&M, deploy, and visitor roles to project members. |
| role_project_dev | This role has permissions to operate on projects, functions, resources, instances, jobs, packages, and tables. | Development | A user with this role can create workflows, script files, resources, and user-defined functions (UDFs), create or delete tables, and create packages. However, this role does not have the permission to publish. |
| role_project_pe | This role has permissions to operate on projects, functions, resources, instances, and jobs. It also has read permissions for packages, and read and describe permissions for tables. | O&M | A user with this role has publish and online O&M permissions, which are granted by the project administrator. This role does not have the permission to develop data. |
| role_project_deploy | This role does not have any permissions by default. | Deploy | This role is similar to the O&M role, except that a user with the deploy role does not have the online O&M permission. |
| role_project_guest | This role does not have any permissions by default. | Visitor | A user with this role can only view data, but cannot edit workflows or code. |
| role_project_security | This role does not have any permissions by default. | Security Administrator | This role is only used to configure sensitivity rules and audit data risks in Data Security Guard. |

When you create a project, the system creates an admin role for it and grants the following permissions to the role: accessing all objects in the project, managing users or roles, and granting permissions to users or roles.

Unlike a project owner, an admin role cannot grant admin role permissions to users, set security policies for workspaces, or change the authentication models of workspaces. The permissions of an admin role cannot be changed.

The project owner role can assign an admin role to a user so that the user is authorized to perform security management.
Users and permissions
An AccessKey ID can belong to one of two account types: a Personal Account or a Compute Engine Designated Account. The following figure shows the interoperation between users and permissions.
In standard mode, a DataWorks workspace is associated with a MaxCompute development project and a MaxCompute production project. Members of other DataWorks workspaces can be granted the roles of the MaxCompute development project, but not the roles of the MaxCompute production project. To execute a MaxCompute task, you publish it to the production project, and it is then submitted to MaxCompute as the production project owner.
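Because the two services can disagree about what a member is allowed to do (for example, a role granted directly on the MaxCompute CLI is not visible in the DataWorks role assignment), it is worth periodically checking in MaxCompute itself what the roles in the table above actually grant, and that members of other workspaces hold roles only in the development project, as the previous paragraph requires. The following audit sequence is an added example for this page, not part of the original documentation; it uses the MaxCompute client commands `whoami`, `use`, `list roles`, `list users`, `describe role`, `show grants for` and `revoke`. The project names `myproject_dev` and `myproject` and the account `ALIYUN$analyst@example.com` are placeholders.

```sql
-- Added audit example for the DataWorks/MaxCompute role model; not from the original page.
-- Placeholders: myproject_dev (development project), myproject (production project),
-- ALIYUN$analyst@example.com (a member of another DataWorks workspace).

-- 1. Confirm which identity the session runs as before reading or changing any ACL.
whoami;

-- 2. Development project: enumerate the roles DataWorks created and what each one really grants.
use myproject_dev;
list roles;
describe role role_project_dev;      -- lists the role's object-level permissions and its members
describe role role_project_guest;    -- expected to show no permissions by default

-- 3. Check one member's effective grants, including roles received through DataWorks role assignment.
show grants for ALIYUN$analyst@example.com;

-- 4. Production project: a member of another workspace should hold no role here, because
--    DataWorks only allows such members to be granted roles in the development project.
use myproject;
list users;                          -- the account should not appear in this list

-- 5. If an out-of-band grant is found in production (a role added directly on the CLI, which
--    bypasses the DataWorks role model), revoke it so that both services agree again.
revoke role_project_dev from ALIYUN$analyst@example.com;
```

Run the sequence as the project owner or a holder of the admin role, since `describe role` and `show grants for` on other users require permission-management rights. Step 5 is only needed when step 4 shows a member who should not be there; the normal outcome of the audit is that the production project's user list contains only the accounts DataWorks manages.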