
DataWorks: Manage permissions on MaxCompute

Last Updated:Feb 27, 2024

The data access control feature of DataWorks lets you manage permissions on the MaxCompute compute engine that is associated with your workspace. You can use it to request permissions on MaxCompute tables, process permission requests, audit granted permissions, and view permission request records and request processing records. This topic describes how to manage permissions on MaxCompute.

Prerequisites

Background information

After you assign a built-in or custom workspace-level role to a RAM user in your workspace and associate a MaxCompute project with the workspace in the development environment, the RAM user is automatically granted the permissions of the MaxCompute project role that is mapped to its workspace role. The RAM user is not automatically granted any permissions on the MaxCompute project that is associated with the production environment of the workspace; those permissions must be requested and approved. You manage permissions on MaxCompute in the Security Center module of DataWorks.

Scenarios

Scenario 1: You want to use a RAM user in the development environment of a workspace to access tables in the production environment of the same workspace.

If the RAM user that you use to access DataWorks is not specified as the access identity of the compute engine instance in the production environment, you cannot, by default, use the RAM user to perform operations on production tables on the DataStudio page. To do so, request the required permissions for the RAM user in Security Center. After the request is approved, the RAM user can perform operations on the production tables from the DataStudio page.

Scenario 2: You want to use a RAM user in the development or production environment of Workspace A to access tables in the development or production environment of Workspace B from the DataStudio page of Workspace A.

By default, a RAM user in Workspace A cannot access tables in either environment of Workspace B from the DataStudio page of Workspace A. To do so, request the required permissions for the RAM user in Security Center. After the request is approved, the RAM user can perform operations on the Workspace B tables from the DataStudio page of Workspace A.

Process of managing permissions on MaxCompute

On the Data Access Control page, you can request permissions, process permission requests, audit permissions, and view permission request records and request processing records. If you cannot use a RAM user to access specific tables during data development, you can request permissions for the RAM user on the Permission Application tab. After an approver, such as a workspace administrator or a table owner, approves the request on the Permission Application Processing tab, you can use the RAM user to access the specific tables.

Note

DataWorks Security Center provides a default request processing procedure. You can also specify a custom request processing procedure in Approval Center. When you request permissions on a field in a MaxCompute table, DataWorks determines the request processing procedure that needs to be used based on the field.


Limits

You can request table-level permissions or column-level permissions for a MaxCompute project.

Precautions

To request permissions on fields in a table of a MaxCompute project that is associated with a workspace in the development environment and on fields in a table of a MaxCompute project that is associated with the workspace in the production environment in Security Center, you must enable column-level access control in the MaxCompute console. For more information, see Label-based access control.
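The column-level control described above rests on MaxCompute's own label-based access control, while the table-level permissions on this page are ordinary MaxCompute ACL grants. The following script is an added example, not part of the original page, showing what the engine side of such a request looks like when a project owner runs it directly in the MaxCompute client; it does not claim that these are the exact statements DataWorks issues behind the Security Center workflow. The project name dw_prod_project, the table user_profile, the columns mobile and address, and the requester RAM$main_account:analyst are placeholders (assumptions).

```sql
-- Added example: MaxCompute-side view of a column-level permission request.
-- Run in the MaxCompute client as the project owner.
-- Placeholders (assumptions): project dw_prod_project, table user_profile,
-- columns mobile and address, requester RAM$main_account:analyst.

USE dw_prod_project;

-- 1. Column-level requests in Security Center require label-based access
--    control (the column-level access control switch in the MaxCompute
--    console). This is the equivalent project-level setting.
SET LabelSecurity=true;

-- 2. Classify sensitive columns. Unlabeled columns stay at label 0;
--    higher numbers mean more sensitive.
SET LABEL 2 TO TABLE user_profile(mobile, address);

-- 3. Table-level permissions (DESCRIBE, DROP, ALTER on this page) are plain
--    ACL grants. Describe exposes the schema, not the data.
GRANT Describe ON TABLE user_profile TO USER RAM$main_account:analyst;

-- 4. Column-level permissions: Select on the table is still required, but
--    under LabelSecurity it only reaches columns at or below the user's own
--    label, so the label grant is what actually opens the sensitive column.
--    WITH EXP gives a validity period in days; the grant lapses on its own.
GRANT Select ON TABLE user_profile TO USER RAM$main_account:analyst;
GRANT LABEL 2 ON TABLE user_profile(mobile) TO USER RAM$main_account:analyst WITH EXP 30;
-- The address column stays unreadable for this user: no label grant covers it.

-- 5. Auditor checks: the engine-side counterpart of the Permission Audit tab.
SHOW GRANTS FOR RAM$main_account:analyst;
SHOW LABEL GRANTS ON TABLE user_profile;

-- 6. Revocation, the counterpart of revoking permissions from a member.
REVOKE LABEL ON TABLE user_profile(mobile) FROM USER RAM$main_account:analyst;
REVOKE Select, Describe ON TABLE user_profile FROM USER RAM$main_account:analyst;
```

The two SHOW statements are the check an auditor wants after an approval: they list what the requester can actually reach in the project, independent of what the Security Center pages display, so a grant that was approved but never applied, or one that outlived its intended validity period, shows up here.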

Feature description

Requester

Requests permissions on MaxCompute tables on the Permission Application tab, and views the permission request records of the current Alibaba Cloud account on the Permission Application Records tab.

Approver

Views and processes pending requests on the Permission Application Processing tab as a workspace administrator or a table owner, and views the request processing records of the current Alibaba Cloud account on the Permission Application Processing Record tab.

Auditor

Manages the permissions of workspace members on tables from the Permission Audit tab, using an Alibaba Cloud account or as a workspace administrator, and can revoke permissions from a specific member.

Go to the Data access control page

Log on to the DataWorks console. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

Request permissions

  1. Go to the Permission Application tab.

  2. Select tables on which you want to request permissions.

    1. In the Application Content section, set Engine Type to MaxCompute, and select a workspace and a project.

    2. Select the tables on which you want to request permissions in the Tables to Be Added section.

      After you select tables, the information about the tables is displayed on the right side. You can click the expand icon on the left side of a table name to view all fields in the table. You can request permissions on specific fields or on all fields. By default, permissions on all fields are requested.

      Note
      • To request permissions on fields in a table of a MaxCompute project that is associated with a workspace in the development environment and on fields in a table of a MaxCompute project that is associated with the workspace in the production environment in Security Center, you must enable column-level access control in the MaxCompute console. For more information, see Label-based access control.

      • You can request the following column-level permissions: SELECT, UPDATE, and DOWNLOAD. You can request the following table-level permissions: DESCRIBE, DROP, and ALTER. Column-level permissions can be requested for specific fields only.

  3. In the Application Information section, configure the parameters.

    User

    The account or user for which you request permissions on MaxCompute tables.

    • Current login account: request permissions on the tables for the account that is used to access the current workspace.

    • Account Used for Scheduling: request permissions on the tables for the RAM user that is specified as a scheduling access identity.

    • Apply on Behalf of Others: request permissions on the tables for an account that is not used to access the current workspace. If you select this option, you must also configure the Username parameter.

    Workspace

    The workspace in which you want to use the tables. Required only if you set User to Account Used for Scheduling.

    Application Duration

    The validity period of the requested permissions on the tables. The permissions are automatically revoked after the validity period expires.

    Note

    You can configure this parameter only after you enable policy-based authorization for the MaxCompute project that contains the tables on which you request the permissions. For more information about how to enable policy-based authorization, see Manage permissions on data in a MaxCompute compute engine instance. For more information about the policy-based access control of MaxCompute, see Policy-based access control.

    Reason for application

    The reason why you want to request the permissions.

  4. Click Apply for permission to submit the request.

    You can view the processing details and record of the current request on the Permission Application Records tab.

Process requests

  1. View the information about pending requests.

    Go to the Permission Application Processing tab. You can use the following parameters to find the pending requests within the current Alibaba Cloud account: Application account number, Application time, Workspace, Project name, and Object name.

    Note

    If permissions on multiple tables that belong to different owners are requested, the system splits the request into multiple requests based on the table owners.

  2. View the details about a permission request.

    Find the permission request and click Approval in the Operation column. You can view the details and processing record of the permission request in the Approval details dialog box.

  3. Process permission requests.

    To process a single permission request, enter your comments and click Agree or Rejection based on your business requirements.

    To process multiple requests at the same time, select all requests that you want to process on the Permission Application Processing tab, click Batch Consent or Batch rejection, and then enter your comments.

View historical permission requests and their processing records

  • View permission request records. You can specify filter conditions such as Approval status, Application time, and Workspace to view the permission request records of the current Alibaba Cloud account.

    To view the details about a permission request, click View details in the Operation column of the request. You can continue to process requests whose approval state is In approval.

  • View request processing records. You can specify filter conditions such as Application account number, Approval Results, and Workspace to view the request processing records of the current Alibaba Cloud account.

    To view the details about a permission request, click View details in the Operation column of the request.