The permission management system of DataWorks consists of two parts: permissions controlled by Resource Access Management (RAM), which form the external permission management system, and permissions controlled by DataWorks itself, which form the internal permission management system. This topic describes the permission management system in detail.
External permission management system
External permissions of DataWorks are the permissions that are required to perform operations in the DataWorks console. For example, you can be granted the permissions to create a workspace, disable a workspace, delete a workspace, create an exclusive resource group, configure a network for an exclusive resource group, and configure contacts. You can log on to the DataWorks console to view the operations that are supported by DataWorks.
The permissions that are required to perform operations in the DataWorks console are defined and managed by RAM policies. By default, your Alibaba Cloud account has permissions to perform all operations in the DataWorks console. A RAM user or RAM role that belongs to your Alibaba Cloud account can perform all operations in the DataWorks console only after the AliyunDataWorksFullAccess policy is attached to that RAM user or RAM role. For more information, see Grant permissions to a RAM user.
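Because AliyunDataWorksFullAccess grants every console operation, it is worth reviewing which principals hold it. The following is an added example, not code from the DataWorks documentation: it checks a constructed response shaped like the output of the RAM ListEntitiesForPolicy API against an allowlist. The principal names, dates, and the allowlist are assumptions made for illustration.

```python
import json

POLICY = "AliyunDataWorksFullAccess"  # policy name from the page

# Constructed sample shaped like a RAM ListEntitiesForPolicy response;
# every name and date below is invented for illustration.
SAMPLE_RESPONSE = json.loads("""
{
  "Users":  {"User":  [{"UserName": "dw-admin",   "AttachDate": "2023-01-10T08:00:00Z"},
                       {"UserName": "etl-intern", "AttachDate": "2024-06-02T09:30:00Z"}]},
  "Roles":  {"Role":  [{"RoleName": "ci-deployer", "AttachDate": "2024-03-15T12:00:00Z"}]},
  "Groups": {"Group": [{"GroupName": "data-platform", "AttachDate": "2022-11-01T00:00:00Z"}]}
}
""")

# Hypothetical allowlist of principals approved to hold the policy.
APPROVED = {("user", "dw-admin"), ("group", "data-platform")}

# (response key, list key, name field, principal kind)
_SECTIONS = [
    ("Users", "User", "UserName", "user"),
    ("Roles", "Role", "RoleName", "role"),
    ("Groups", "Group", "GroupName", "group"),
]


def holders(response):
    """Return sorted (kind, name, attach_date) for every attached principal."""
    found = []
    for outer, inner, name_field, kind in _SECTIONS:
        # Tolerate a missing or null section in the parsed response.
        for entry in (response.get(outer) or {}).get(inner) or []:
            found.append((kind, entry[name_field], entry.get("AttachDate", "")))
    return sorted(found)


def unapproved(response, approved):
    """Principals that hold the policy but are not on the allowlist."""
    return [h for h in holders(response) if (h[0], h[1]) not in approved]


if __name__ == "__main__":
    print(f"Principals holding {POLICY}:")
    for kind, name, date in holders(SAMPLE_RESPONSE):
        flag = "ok" if (kind, name) in APPROVED else "REVIEW"
        print(f"{flag:6} {kind:5} {name:15} attached {date}")
```

A policy attached to a RAM user group applies to every member of that group, so an approved group entry still calls for a review of the group's membership.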
Internal permission management system
- Users: consist of RAM users and RAM roles.
- Roles: consist of workspace-level roles and global (region-level) roles.
- Permissions: consist of the permissions on workspace-level service modules and the permissions on global (region-level) service modules.
- Only the tenant administrator role has the permissions on all the service modules.
- By default, all the RAM users that belong to the current Alibaba Cloud account are assigned the tenant member role.
If the tenant administrator creates a custom global role and explicitly specifies the global service modules on which this role does not have permissions, such as the Data Map module, the custom role has a higher permission priority than the tenant member role.