This topic describes how to use DataWorks to manage role permissions on a project.

Roles and their permissions

The following table describes the permissions of default MaxCompute roles and their roles in DataWorks.

MaxCompute role MaxCompute permission DataWorks role DataWorks permission
Project Owner This role has all permissions on a project created in MaxCompute. N/A N/A
Super_Administrator This role has permissions on all types of resources in a project and management permissions on the project. N/A N/A

When you create a project, the system automatically creates an Admin role for this project and grants the following permissions to the role: access all objects in the project, manage users or roles, and authorize users or roles.

Unlike a project owner, an Admin role is not authorized to perform the following operations: assign the role permissions to users, set security policies for projects, modify the authentication model for projects, and modify the role permissions.

The project owner can assign an Admin role to a user and authorize this user for security management.

Role_Project_Admin This role has all permissions on projects, tables, functions, resources, instances, jobs, and packages of a workspace. Project administrator The administrator of a project. This role has permissions to manage the basic properties, data sources, computing engine configurations, and project members in the project. It can also assign administrator, developer, OAM, deployment, and visitor roles to other project members.
Role_Project_Dev This role has all permissions on projects, functions, resources, instances, jobs, packages, and tables of a workspace. Developer This role has the permissions to create or delete tables, create workflows, script files, resources, user-defined functions (UDFs), and publish packages. However, this role does not have permissions to publish jobs.
Role_Project_Pe This role has all permissions on projects, functions, resources, instances, and jobs of a workspace. It also has READ permissions on packages and both READ and DESCRIBE permissions on tables of a workspace. OAM role This role has the publish and online OAM permissions that are granted by the project administrator. However, this role does not have the permissions to develop data.
Role_Project_Deploy By default, this role does not have any permissions. Deployment role This role has the same permissions as the OAM role, except for the online OAM permissions.
Role_Project_Guest By default, this role does not have any permissions. Visitor This role can view data, but cannot edit workflows or code.
Role_Project_Security By default, this role does not have any permissions. Security administrator This role is only used to configure sensitivity rules and audit data risks in Data Security Guard.


  1. Log on to the MaxCompute console, and select the region where your MaxCompute project is located.
  2. On the Project management tab, find your project and click Project permission management in the Actions column.

    On the page that appears, you can click Custom user roles to manage role permissions.

Custom User Roles tab

On the Custom User Roles tab, you can assign member roles for the selected MaxCompute project.Custom User Roles
Item Description
Role Name The name of the role in the MaxCompute project.
  • View Details: Click it to view the list of members who are assigned the role and the permissions of the role on tables or the MaxCompute project.
  • Members: Click it to assign the role to or delete the role from members.
  • Authorizations: Click it to set and manage the permissions of the role on tables or the MaxCompute project. For more information, see Authorize users.
  • Delete: Click it to delete the role. You can delete only the roles created under the current account.
Create Role Click Create Role in the upper-right corner. In the Create Role dialog box, set Role Name. In the Available Accounts list, select one or more member accounts to add. Click > to move the selected accounts to the Added Accounts list. Then, click OK.
Note The permissions set for custom roles are integrated with the default permissions.