DataWorks provides roles that have different permissions for you to implement finer-grained permission management. You can add the required users to your workspace and assign the required roles to the members. You can also create custom roles and grant permissions to the roles based on your business requirements.

Background information

Multiple users can be added to the same DataWorks workspace. In this case, if the users have excessive permissions on the workspace, the data security of the workspace may be affected by inappropriate permission use. However, if the users have insufficient permissions on the workspace, they may be unable to use the required features. To resolve this issue, DataWorks workspaces provide identities such as members and roles. You can assign different roles to users based on the requirements of users for the workspace.

If the default roles provided by DataWorks cannot meet your requirements, you can create custom roles and grant the required permissions to the roles.

DataWorks workspaces provide the following identities:
  • Member: the Alibaba Cloud accounts or RAM users added to a DataWorks workspace.
  • Cloud account: Alibaba Cloud accounts or RAM users.
  • Role: the carriers that have permissions in a workspace and can be assumed by the members of the workspace. DataWorks workspaces provide the following roles:
    • Workspace Manager: the workspace administrator that has all the permissions on the features in a workspace. For example, the workspace administrator role can be used to assign the required role to a RAM user and remove a member that is not the workspace owner from a workspace.
    • Deploy: the deployment engineer that has the permissions to deploy nodes.
    • Development: the developer that has the permissions to develop and commit nodes.
    • Model Developer: the model designer that has the permissions to use the data modeling feature.
    • Visitor: the visitor that has the read-only permissions on a DataWorks workspace.
    • Project Owner: the workspace owner that has the highest level of permissions on a workspace.
    • O&M: the operations and maintenance (O&M) engineer that has the permissions to allocate resources and deploy nodes.
    • Safety Manager: the safety manager that has the permissions to use Data Security Guard.
    For more information about the permissions of different roles, see Permission list.

Limits

  • Only workspaces of the DataWorks Enterprise Edition support custom roles. For more information, see Differences among DataWorks editions. If your workspace is not of the Enterprise Edition, you can upgrade the workspace to this edition. For more information, see DataWorks advanced editions.
  • Only the workspace administrator role can be used to delete members and create custom roles.
  • Only the Alibaba Cloud accounts and the RAM users that are assigned the Admin or Super_Administrator role of a MaxCompute project can be used to configure the permission mappings between a custom DataWorks role and the MaxCompute compute engine.

Go to the User Management page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. Go to the Workspace Management page of a workspace.
    You can use one of the following methods to go to the Workspace Management page:
    • On the Workspaces page, find the workspace that you want to configure and click Workspace Settings in the Actions column. In the Workspace Settings panel, click More. The Workspace Management page appears.
    • On the Workspaces page, find the workspace that you want to configure and click Data Analytics in the Actions column. On the DataStudio page, click the Workspace Management icon in the upper-right corner. The Workspace Management page appears.
  4. In the left-side navigation pane, click User Management. The Member management tab appears.

Manage workspace members

On the Member management tab, you can perform the following operations:
  • View member information.
    You can view the cloud accounts of members and roles that are assigned to the members in the current workspace. You can also specify the member name, cloud account, or role category to search for a specific member. Then, you can view the member information and the number of members to which the role has been assigned. This allows you to manage members and roles assigned to the members in a centralized manner.
  • Add a user.
    1. Click Add Member in the upper-right corner of the Member management tab to add a user to the current workspace.
    2. In the Add Member dialog box, select one or more RAM users from the Account to be added list.
      • Workspace Manager: the workspace administrator that has all the permissions on the features in a workspace. For example, the workspace administrator role can be used to assign the required role to a RAM user and remove a member that is not the workspace owner from a workspace.
      • Deploy: the deployment engineer that has the permissions to deploy nodes.
      • Development: the developer that has the permissions to develop and commit nodes.
      • Model Developer: the model designer that has the permissions to use the data modeling feature.
      • Visitor: the visitor that has the read-only permissions on a DataWorks workspace.
      • Project Owner: the workspace owner that has the highest level of permissions on a workspace.
      • O&M: the operations and maintenance (O&M) engineer that has the permissions to allocate resources and deploy nodes.
      • Safety Manager: the safety manager that has the permissions to use Data Security Guard.
    3. Click the > icon to move the selected RAM users to the Added account list.
    4. Select one or more roles that you want to assign to the members.
    5. Click Confirm.
  • Remove a member.
    On the Member management tab, find a member that you want to remove from the workspace and click Remove in the Operation column to remove this member from the workspace. If you want to remove multiple members from the workspace, you can select them and click Batch removal to remove them at the same time.
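
The role assignments shown on the Member management tab can be reviewed against a least-privilege policy. The following Python sketch is an added example, not part of DataWorks or its documentation: the member list is constructed sample data, and the review rules (separating Development from Deploy and O&M, flagging roles held next to an administrator role, and flagging custom roles for manual review) are assumptions about a typical policy.

```python
from collections import Counter

# Role names as listed on this page.
ADMIN_ROLES = {"Project Owner", "Workspace Manager"}
# Assumed review policy (not a DataWorks rule): one account should not both
# develop nodes and deploy them.
AUTHOR_ROLES = {"Development"}
RELEASE_ROLES = {"Deploy", "O&M"}
KNOWN_ROLES = ADMIN_ROLES | AUTHOR_ROLES | RELEASE_ROLES | {
    "Model Developer", "Visitor", "Safety Manager"}

# Constructed sample: member -> roles, as transcribed by hand from the
# Member management tab. Account and custom role names are made up.
MEMBERS = {
    "owner@example": ["Project Owner"],
    "ram_alice": ["Workspace Manager", "Development"],
    "ram_bob": ["Development", "Deploy"],
    "ram_carol": ["Visitor"],
    "ram_dave": ["O&M"],
    "ram_erin": ["etl_custom"],
}

def review(members, max_admins=2):
    """Return (members-per-role counts, sorted list of (account, finding))."""
    counts = Counter(r for roles in members.values() for r in set(roles))
    findings = []
    for account, roles in members.items():
        held = set(roles)
        if held & AUTHOR_ROLES and held & RELEASE_ROLES:
            findings.append((account, "can both develop and deploy nodes"))
        if held & ADMIN_ROLES and len(held) > 1:
            findings.append((account, "extra roles next to an administrator role"))
        for role in sorted(held - KNOWN_ROLES):
            findings.append((account, f"custom role '{role}': review its module permissions"))
    admins = sorted(a for a, r in members.items() if set(r) & ADMIN_ROLES)
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} administrator accounts: {', '.join(admins)}"))
    return counts, sorted(findings)

if __name__ == "__main__":
    counts, findings = review(MEMBERS)
    for role, n in sorted(counts.items()):
        print(f"{n:2d}  {role}")
    for account, finding in findings:
        print(f"[!] {account}: {finding}")
```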

Manage roles

On the Role management tab, you can perform the following operations:
  • Create a custom role.
    1. Click Add custom role to create a custom role.
    2. In the Add custom role dialog box, enter a name for your custom role, such as test.
    3. Grant permissions on the required modules of DataWorks to the role.
      • No permission: indicates that the role has no permissions on the related module.
      • Read only: indicates that the role can only view the data in the related module.
      • Read and write: indicates that the role can modify the data in the related module.
    4. Configure permission mappings between the role and a compute engine.
      You can configure permission mappings between the custom role and a compute engine. For example, you can grant the custom role test the permissions to use the Admin role of a MaxCompute project to access the MaxCompute project. For more information about the permission mappings between MaxCompute and DataWorks, see Permission relationships between MaxCompute and DataWorks.
      Note

      Only the Alibaba Cloud accounts and the RAM users that are assigned the Admin or Super_Administrator role of a MaxCompute project can be used to configure the permission mappings between a custom DataWorks role and the MaxCompute compute engine.

    5. Click Start configuration.
  • View or edit roles.
    You can view the default roles and custom roles that have been configured for the workspace on the Role management tab. You can also edit or delete custom roles. For more information about the permissions of custom roles, see Permission list.

View the permissions of users

You can execute the following statements in a MaxCompute_SQL node to query the permissions of different users:
show grants; -- Query your access permissions.
show grants for <username>; -- Query the access permissions of a specified user. Only the workspace administrator has permissions to execute this statement.

For more information, see Check permissions.