This topic describes the responsibilities and permissions of a workspace administrator. By default, the Alibaba Cloud account that creates a workspace is the owner and administrator of the workspace and has full permissions on the workspace.

The owner can also specify a RAM user as a workspace administrator.

Create a workspace

By default, you are the owner and administrator of the workspace that you create with your Alibaba Cloud account. You can also specify a RAM user as a workspace administrator. For more information about how to create a workspace, see Create a workspace.
Note: A workspace administrator is responsible for keeping the workspace running stably in the production environment, granting workspace members only the minimum permissions that they need, and controlling operation permissions on tables in the workspace.

Add workspace members

A workspace administrator can add RAM users as members of the workspace and assign roles to the members as required. For more information about the permissions of each role, see Permission list.
Note: We recommend that you do not assign the Development and Operation & Maintenance (O&M) roles to the same member.

Manage permissions

To ensure stability and security of the production environment, DataWorks does not allow RAM users to perform operations on tables in the production environment by default. For example, RAM users cannot modify or delete tables in the production environment. In addition, workspace members must be authorized to commit nodes.

When you create a workspace, you must first specify whether to use your Alibaba Cloud account or a RAM user to run nodes in the workspace. An invalid setting will damage the permission system of DataWorks.
  • Alibaba Cloud account: The AccessKey ID and AccessKey secret of your Alibaba Cloud account are required to execute SQL statements. The SQL statements can be executed on tables in all workspaces in the specified region. Exercise caution when you select this option.
  • RAM user: The AccessKey ID and AccessKey secret of a RAM user are required to execute SQL statements. The permissions of RAM users are strictly controlled. Only authorized RAM users can perform operations on tables in the production environment.
Other permissions:
  • Data Integration: Only the administrator and owner of a workspace can perform operations such as adding connections and synchronizing tables in the workspace.
  • MaxCompute Management: A workspace administrator can bind a resource group to the workspace. Then, O&M experts can view the system status, allocate resources, and monitor nodes in MaxCompute Management.
  • Operation Center: Only workspace administrators and O&M experts can perform operations in Operation Center.
Note: To ensure data security, we recommend that you assign each RAM user only the fewest roles that it requires.
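The recommendations in this topic can be checked against a member list. The following audit is an added example, not DataWorks code: the export format, the field names (run_as, members, roles), the role label strings, and the max_roles threshold are assumptions made for illustration.

```python
# Added audit sketch. Role labels follow the terms used in this topic; the
# data layout and field names are constructed assumptions, not a DataWorks API.
DEV = "Development"
OM = "O&M"
ADMIN = "Workspace Administrator"

# Constructed sample: one workspace with its run-as identity and members.
WORKSPACE = {
    "name": "sales_prod",
    "run_as": "alibaba_cloud_account",  # the alternative is "ram_user"
    "members": [
        {"member": "ram:alice", "roles": [DEV]},
        {"member": "ram:bob", "roles": [DEV, OM]},
        {"member": "ram:carol", "roles": [ADMIN, DEV, OM]},
        {"member": "ram:dave", "roles": [OM]},
    ],
}


def audit_workspace(ws, max_roles=2):
    """Return (severity, subject, message) findings for one workspace."""
    findings = []
    # Running nodes with the Alibaba Cloud account lets SQL statements reach
    # tables in all workspaces in the region, so surface it for review.
    if ws["run_as"] == "alibaba_cloud_account":
        findings.append(("high", ws["name"],
                         "nodes run with the Alibaba Cloud account AccessKey pair"))
    for entry in ws["members"]:
        roles = set(entry["roles"])
        # Separation of duties: Development and O&M on the same member.
        if {DEV, OM} <= roles:
            findings.append(("medium", entry["member"],
                             "holds both Development and O&M roles"))
        # Least roles: max_roles is an assumed local policy threshold.
        if len(roles) > max_roles:
            findings.append(("low", entry["member"],
                             f"holds {len(roles)} roles (limit {max_roles})"))
    return findings


if __name__ == "__main__":
    for severity, subject, message in audit_workspace(WORKSPACE):
        print(f"[{severity}] {subject}: {message}")
```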