DataWorks:Responsibilities of a workspace administrator

Last Updated: Feb 04, 2024

This topic describes the responsibilities and permissions of a workspace administrator. By default, the Alibaba Cloud account that is used to create a workspace is the workspace owner and has full permissions on the workspace.

After the workspace is created, the workspace owner can specify a RAM user of the Alibaba Cloud account as a workspace administrator.

Create a workspace

Regardless of whether you create a workspace by using an Alibaba Cloud account or as a RAM user of the Alibaba Cloud account, the Alibaba Cloud account is the workspace owner. For more information about how to create a workspace, see Create a workspace.

Note
  • You can create a workspace as a RAM user only if the AliyunDataWorksFullAccess policy is attached to the RAM user. For more information, see Grant the permissions to perform operations in DataWorks to a RAM user.

  • A workspace administrator must ensure the stability of the workspace in the production environment, grant permissions to workspace members based on the principle of least privilege, and manage operation permissions on tables in the workspace.

Add workspace members

A workspace administrator can add RAM users as members of the workspace and assign roles to the members. For more information about the permissions of each role, see Permissions of built-in workspace-level roles.

Note

We recommend that you do not assign the Development and O&M roles to the same member.

Manage permissions

DataWorks roles are divided into built-in roles and workspace-level custom roles, and each role has a different set of permissions. You assign a role to a RAM user when you add the RAM user to a workspace as a member; the RAM user then obtains the permissions that are configured for that role. For more information, see Manage permissions on workspace-level services. Each role also has different operation permissions in the DataWorks console. For more information, see Permissions of built-in workspace-level roles.

If you use a MaxCompute engine, mappings are established between the built-in roles of DataWorks and the MaxCompute roles for projects in development mode. This way, after a built-in role of DataWorks is assigned to a user, the user can manage the resources of the corresponding project in development mode in MaxCompute. For more information, see Overview of users, roles, and permissions.

To ensure the stability and security of the production environment, DataWorks does not allow RAM users to perform operations on tables in the production environment. For example, RAM users cannot modify or delete tables in the production environment. In addition, workspace members must be granted the required permissions before they can commit tasks.

Permission requirements:

  • Data Integration: Only a workspace owner or a workspace administrator can perform operations such as adding data sources to a workspace and migrating tables to the cloud.

  • MaxCompute Management: A workspace administrator can associate a resource group with a workspace. This way, O&M engineers can view the system status, allocate resources in resource groups, and monitor tasks in MaxCompute Management.

  • Operation Center: Only a member that is assigned the O&M role or a workspace administrator can perform advanced operations in Operation Center.

  • DataStudio: Only a member that is assigned the Development role or a workspace administrator can perform development operations in DataStudio.
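The following script is an added example, not code from the DataWorks documentation or from the product. It audits a list of workspace member-to-role assignments against the two rules stated above: the note that a single member should not hold both the Development and O&M roles, and the per-service list of which roles may perform privileged operations. The role labels, the operation names and the member list are constructed for illustration; the real console uses its own identifiers.

```python
"""Separation-of-duties audit for DataWorks workspace role assignments.

Added example; not code from the DataWorks documentation or the product.
Role labels, operation names and the member list below are constructed.
"""
from collections import defaultdict

# Built-in role labels as the page names them (the administrator label is assumed).
DEVELOPMENT = "Development"
OM = "O&M"
ADMIN = "Workspace Administrator"

# Roles allowed to perform each privileged operation, per the permission
# requirements list. The workspace owner is modelled as an administrator here.
OPERATION_ALLOWED_ROLES = {
    "add_data_source": {ADMIN},              # Data Integration
    "associate_resource_group": {ADMIN},     # MaxCompute Management
    "operation_center_advanced": {ADMIN, OM},  # Operation Center
    "datastudio_development": {ADMIN, DEVELOPMENT},  # DataStudio
}

# Constructed sample membership: (RAM user, assigned role).
MEMBERS = [
    ("dev-alice", DEVELOPMENT),
    ("ops-bob", OM),
    ("carol", DEVELOPMENT),
    ("carol", OM),               # violates the separation-of-duties note
    ("admin-dan", ADMIN),
]


def roles_by_user(members):
    """Group (user, role) pairs into {user: set(roles)}."""
    grouped = defaultdict(set)
    for user, role in members:
        grouped[user].add(role)
    return grouped


def audit_separation_of_duties(members):
    """Return sorted list of users holding both Development and O&M."""
    return sorted(
        user
        for user, roles in roles_by_user(members).items()
        if DEVELOPMENT in roles and OM in roles
    )


def can_perform(members, user, operation):
    """True if any role assigned to `user` permits `operation`.

    Unknown operations are rejected loudly rather than silently allowed.
    """
    if operation not in OPERATION_ALLOWED_ROLES:
        raise ValueError(f"unknown operation: {operation}")
    held = roles_by_user(members).get(user, set())
    return bool(held & OPERATION_ALLOWED_ROLES[operation])


def audit_report(members):
    """Summarise findings as a dict for reporting or assertion."""
    return {
        "sod_violations": audit_separation_of_duties(members),
        "users_with_admin": sorted(
            u for u, r in roles_by_user(members).items() if ADMIN in r
        ),
    }


if __name__ == "__main__":
    report = audit_report(MEMBERS)
    for user in report["sod_violations"]:
        print(f"WARNING: {user} holds both Development and O&M roles")
    print("administrators:", ", ".join(report["users_with_admin"]))
    print("ops-bob may use advanced Operation Center ops:",
          can_perform(MEMBERS, "ops-bob", "operation_center_advanced"))
    print("dev-alice may use advanced Operation Center ops:",
          can_perform(MEMBERS, "dev-alice", "operation_center_advanced"))
```

Run this against an export of your workspace's member list to spot members whose accumulated roles exceed what the least-privilege note calls for; the `OPERATION_ALLOWED_ROLES` table is the single place to update when a role's permissions change.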

When you create a workspace, you must first specify whether tasks in the workspace run under your Alibaba Cloud account or under a RAM user. An incorrect setting breaks the permission model of DataWorks.

  • Alibaba Cloud account: The AccessKey ID and AccessKey secret of your Alibaba Cloud account are required to execute SQL statements. The SQL statements can be executed on tables in all workspaces in the specified region. Proceed with caution when you select this option.

  • RAM user: The AccessKey ID and AccessKey secret of a RAM user are required to execute SQL statements. The permissions of RAM users are strictly controlled. Only authorized RAM users can perform operations on tables in the production environment.

Note

To ensure data security, we recommend that you assign roles with the least permissions to RAM users.