This topic describes how to use the Security Center service as users who assume different roles.

Prerequisites

Note the following items before you use the Security Center service:
  • Field-level authorization and LabelSecurity

    You can request permissions on fields only in a MaxCompute project with LabelSecurity enabled. If LabelSecurity is disabled for a MaxCompute project, you can request permissions only on tables in this MaxCompute project and cannot specify the validity period of permissions. For more information about LabelSecurity, see Label-based access control.

  • Validity period

    If you want to make sure that field permissions are valid only within the specified validity period, set the security level of each field to a level higher than the security level of your account.

    After permissions on a table are granted to you, you automatically obtain permissions on the fields whose security level is not specified or not higher than the security level of your account. The permissions on these fields are permanently valid and cannot be separately revoked.

  • Permissions displayed in Security Center

    Security Center displays only the permissions that are granted by using access control lists (ACLs), not the permissions that are granted by using other methods such as roles. For example, a workspace developer has the permission to access all tables in the workspace, but Security Center does not display these permissions. If you can access a table but Security Center does not display the permissions on the table, contact the system administrator to check whether the permissions are granted by using other methods such as roles.
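The validity-period rule above is easy to misread, so here is an added Python model of it (not DataWorks or MaxCompute code). It assumes a constructed account at LabelSecurity level 1, three sample fields, and ISO date strings for the validity period, and it shows which fields a table grant covers permanently, which need a time-bounded field grant, and which field permissions cannot be revoked separately.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed model of the rule on this page: with LabelSecurity enabled, a table
# grant automatically and permanently covers fields whose level is unspecified or
# not above the account's level; only higher-level fields need a separate,
# time-bounded field grant. This is an illustration, not the DataWorks API.

@dataclass
class Field:
    name: str
    level: Optional[int]          # LabelSecurity level; None = not specified

@dataclass
class Grant:
    table_access: bool = False    # table-level permission granted via ACL
    field_expiry: Dict[str, str] = field(default_factory=dict)  # field -> "YYYY-MM-DD"

def auto_granted(fields: List[Field], account_level: int) -> Set[str]:
    """Fields the table grant covers permanently (no separate revoke possible)."""
    return {f.name for f in fields if f.level is None or f.level <= account_level}

def field_access(fields: List[Field], account_level: int, grant: Grant, today: str) -> Set[str]:
    """Fields the account can access on `today` (ISO dates compare lexically)."""
    allowed: Set[str] = set()
    if grant.table_access:
        allowed |= auto_granted(fields, account_level)
    for f in fields:
        exp = grant.field_expiry.get(f.name)
        if exp is not None and today <= exp:  # still within the validity period
            allowed.add(f.name)
    return allowed

def revoke_field(fields: List[Field], account_level: int, grant: Grant, name: str) -> bool:
    """Field-level revoke. Returns False when the field is covered by the table
    grant, because such permissions cannot be revoked separately."""
    if grant.table_access and name in auto_granted(fields, account_level):
        return False
    return grant.field_expiry.pop(name, None) is not None

# Constructed sample: account level 1; only 'phone' sits above that level.
SAMPLE_FIELDS = [Field("id", None), Field("name", 1), Field("phone", 3)]

def demo():
    g = Grant(table_access=True, field_expiry={"phone": "2024-06-30"})
    before = field_access(SAMPLE_FIELDS, 1, g, "2024-06-01")   # phone still valid
    after = field_access(SAMPLE_FIELDS, 1, g, "2024-07-01")    # phone grant expired
    name_revoked = revoke_field(SAMPLE_FIELDS, 1, g, "name")   # covered by table grant
    phone_revoked = revoke_field(SAMPLE_FIELDS, 1, g, "phone") # separate field grant
    return sorted(before), sorted(after), name_revoked, phone_revoked
```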

Background information

If you use different accounts that assume different roles, you can perform different operations.
  • RAM users that assume the common user role
    • On the My Permissions page, you can view permissions, request permissions, and revoke table and field permissions.
    • On the My Requests tab of the Approval Center page, you can view the requests that you submitted and their approval status.
  • RAM users that assume the table owner role
    • On the My Permissions page, you can view permissions, and request and revoke permissions on a table or specific fields of the table that is not owned by you.
    • On the My Requests tab of the Approval Center page, you can view the requests that you submitted and their approval status.
    • On the Pending My Approval tab of the Approval Center page, you can view and handle the requests that are pending your approval.
    • On the Handled by Me tab of the Approval Center page, you can view the requests that you have handled.
  • RAM users that assume the workspace administrator role
    • On the Authorizations page, you can view the workspace members who have permissions on tables and revoke permissions.
    • On the My Requests tab of the Approval Center page, you can view the requests that you submitted and their approval status.
    • On the Pending My Approval tab of the Approval Center page, you can view and handle the requests that are pending your approval.
    • On the Handled by Me tab of the Approval Center page, you can view the requests that you have handled.
  • Alibaba Cloud accounts
    • On the Authorizations page, you can view the workspace members who have permissions on tables and revoke permissions.
    • On the My Requests tab of the Approval Center page, you can view the requests that you submitted and their approval status.
    • On the Pending My Approval tab of the Approval Center page, you can view and handle the requests that are pending your approval.
    • On the Handled by Me tab of the Approval Center page, you can view the requests that you have handled.

In this example, the common user, table owner, and workspace administrator roles are used.

In this example, the following operations are performed:
  • Log on as RAM user A that assumes the common user role to view the permissions of RAM user A.
  • Log on as RAM user A to request permissions on Table A and Table B on which RAM user A does not have permissions.
  • Log on as RAM user B that is the owner of Table A to handle a request for permissions on Table A.
  • Log on with an Alibaba Cloud account that assumes the workspace administrator role to handle a request for permissions on Table B.
  • Log on as RAM user A to revoke permissions on specific fields in Table A.
  • Log on as RAM user A to revoke permissions on Table A.
  • Log on with the Alibaba Cloud account to revoke permissions on Table B that are granted to RAM user A.

Go to the Security Center page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select the region where your workspace resides. On the Workspaces page, find your workspace and click DataStudio in the Actions column.
  4. On the DataStudio page, click the DataWorks icon in the upper-left corner and choose All Products > Security Center.

Manage permissions as a common user

  • To view the permissions in a workspace, perform the following steps:
    1. Log on to the DataWorks console as RAM user A. Go to the Security Center page. By default, the My Permissions page appears.
    2. On the My Permissions page, select a workspace and an environment to view the tables of the workspace in the environment and the tables on which you have permissions.
  • To request permissions on Table A and Table B, perform the following steps:
    1. Log on to the DataWorks console as RAM user A. Go to the Security Center page. By default, the My Permissions page appears.
    2. On the My Permissions page, select the fields in Table A and Table B on which you want to request permissions and click Request Permission.
    3. On the Table Permission Request page, set the parameters as required.
    4. Click Submit.
  • To view the approval status of a request, perform the following steps:
    1. Log on to the DataWorks console as RAM user A. Go to the Security Center page.
    2. In the left-side navigation pane, click Approval Center.
    3. On the My Requests tab, view the status of a request in the Status column.

      If your request is in the Approved state, you are granted the requested table permissions.

  • To revoke permissions on specific fields in Table A, perform the following steps:
    1. Log on to the DataWorks console as RAM user A. Go to the Security Center page. By default, the My Permissions page appears.
    2. On the Table tab, find Table A and choose More > Revoke Field Permission in the Actions column.
    3. In the Revoke Field Permission dialog box, select the fields on which you want to revoke permissions.
    4. Click OK.
  • To revoke permissions on Table A, perform the following steps:
    1. Log on to the DataWorks console as RAM user A. Go to the Security Center page. By default, the My Permissions page appears.
    2. On the Table tab, find Table A and choose More > Revoke Permission in the Actions column.
    3. In the Revoke Permission dialog box, select the permissions that you want to revoke.
    4. Click OK.

Manage permissions as a table owner

As the owner of Table A, RAM user B can handle a request for permissions on Table A.

A table owner is also a common user. In addition to the operations that can be performed by a common user, the owner of a table can also handle the requests for permissions on the table.

  1. Log on to the DataWorks console as RAM user B. Go to the Security Center page.
  2. In the left-side navigation pane, click Approval Center.
  3. On the Approval Center page, click the Pending My Approval tab.
  4. On the Pending My Approval tab, find the request that is submitted by RAM user A and click Handle in the Actions column. On the Request Details page, view the progress and objects on which permissions are requested.
  5. Enter your comments and click Approve or Reject as required.

Manage permissions as a workspace administrator

  • To handle a request for permissions on Table B, perform the following steps:
    1. Log on to the DataWorks console by using the Alibaba Cloud account. Go to the Security Center page.
    2. In the left-side navigation pane, click Approval Center.
    3. On the Approval Center page, click the Pending My Approval tab.
    4. On the Pending My Approval tab, find the request that is submitted by RAM user A and click Handle in the Actions column. On the Request Details page, view the progress and objects on which permissions are requested.
    5. Enter your comments and click Approve or Reject as required.
  • To revoke permissions on Table B that are granted to RAM user A, perform the following steps:
    1. Log on to the DataWorks console by using the Alibaba Cloud account. Go to the Security Center page.
    2. In the left-side navigation pane, click Authorizations.
    3. On the Table tab, find Table B and click the Show icon before the table name to show the accounts that have permissions on the table.
    4. Find RAM user A and click Revoke Permission in the Actions column.
    5. In the Revoke Permission dialog box, select the permissions that you want to revoke.
    6. Click OK.