Permission relationships between MaxCompute and DataWorks - Security Management| Alibaba Cloud Documentation Center

If you use the security model of MaxCompute to control permissions, project members can perform authorized operations on interfaces of DataWorks. However, if you use DataWorks to assign roles to users, project members may have limited permissions on MaxCompute resources. This topic describes permission relationships between MaxCompute and DataWorks.

Project permission relationships

If you log on to the DataWorks console from the official MaxCompute or DataWorks website, you can create a workspace (project) in one of the following modes:

Simple mode: In this mode, a DataWorks workspace is associated with a MaxCompute project. A number of roles are created in the MaxCompute project. For more information about the role permissions, see Role management.
Standard mode: In this mode, a DataWorks workspace is associated with a MaxCompute development project and a MaxCompute production project. A number of roles are created in each MaxCompute project. For more information about the role permissions, see Role management.

Account authentication

In a DataWorks project, an Alibaba Cloud account must be the project owner. In a MaxCompute project, an Alibaba Cloud account can be the project owner or a common user. If you add members by using the member management function of DataWorks, you can add only the RAM users under your Alibaba Cloud account. In MaxCompute, you can add other Alibaba Cloud accounts by running the add user xxx; command. Account authentication

Member roles and permissions

DataWorks project members must have permissions on MaxCompute resources during extract, transform, and load (ETL) operations. Therefore, DataWorks projects are also associated with roles for MaxCompute projects. DataWorks projects have fixed member roles, and the roles that correspond to these member roles are also created for the associated MaxCompute projects. In addition to the project owner, the Super_Administrator and Admin roles are also authorized to manage a MaxCompute project. The following table describes the MaxCompute and DataWorks roles and their permissions.


MaxCompute role	MaxCompute permission	DataWorks role	DataWorks permission
Project Owner	This role has all permissions on a project created in MaxCompute.	N/A	N/A
Super_Administrator	This role has permissions on all types of resources in a project and management permissions on the project.	N/A	N/A
Admin	When you create a project, the system automatically creates an Admin role for this project and grants the following permissions to the role: access all objects in the project, manage users or roles, and authorize users or roles. Unlike a project owner, an Admin role is not authorized to perform the following operations: assign the role permissions to users, set security policies for projects, modify the authentication model for projects, and modify the role permissions. The project owner can assign an Admin role to a user and authorize this user for security management.	N/A	N/A
Role_Project_Admin	This role has all permissions on projects, tables, functions, resources, instances, jobs, and packages of a workspace.	Project administrator	The administrator of a project. This role has permissions to manage the basic properties, data sources, computing engine configurations, and project members in the project. It can also assign administrator, developer, OAM, deployment, and visitor roles to other project members.
Role_Project_Dev	This role has all permissions on projects, functions, resources, instances, jobs, packages, and tables of a workspace.	Developer	This role has the permissions to create or delete tables, create workflows, script files, resources, user-defined functions (UDFs), and publish packages. However, this role does not have permissions to publish jobs.
Role_Project_Pe	This role has all permissions on projects, functions, resources, instances, and jobs of a workspace. It also has READ permissions on packages and both READ and DESCRIBE permissions on tables of a workspace.	OAM role	This role has the publish and online OAM permissions that are granted by the project administrator. However, this role does not have the permissions to develop data.
Role_Project_Deploy	By default, this role does not have any permissions.	Deployment role	This role has the same permissions as the OAM role, except for the online OAM permissions.
Role_Project_Guest	By default, this role does not have any permissions.	Visitor	This role can view data, but cannot edit workflows or code.
Role_Project_Security	By default, this role does not have any permissions.	Security administrator	This role is only used to configure sensitivity rules and audit data risks in Data Security Guard.

Note This table shows that the relationships between DataWorks roles and MaxCompute permissions are fixed. After a user is assigned a DataWorks role, obtains the permissions of the MaxCompute role that is associated with this DataWorks role, and then acquires other MaxCompute permissions by using the CLI, the permissions of the user in MaxCompute become inconsistent with those in DataWorks.

Users and permissions

The following figure shows the relationships between users and permissions. Relationship diagram

In standard mode, a DataWorks workspace is associated with a MaxCompute development project and a MaxCompute production project. Members of a DataWorks workspace can be granted the roles assigned to this MaxCompute development project. However, they cannot be granted the roles assigned to this MaxCompute production project.

To run a MaxCompute job, you need to publish this job in the production project, and then submit this job to MaxCompute as the project owner. Standard mode