The permission management system of DataWorks consists of two parts: permissions controlled by using RAM (external permission management system) and permissions controlled by DataWorks (internal permission management system). This topic describes the permission management system in detail.

External permission management system

External permissions of DataWorks are the permissions that are required to perform operations in the DataWorks console. For example, you can be granted the permissions to create a workspace, disable a workspace, delete a workspace, create an exclusive resource group, configure a network for an exclusive resource group, and configure contacts. You can log on to the DataWorks console to view the operations that are supported by DataWorks.

The permissions that are required for performing operations in the DataWorks console are defined and managed by RAM policies. By default, your Alibaba Cloud account has permissions to perform all operations in the DataWorks console. You can use a RAM user or a RAM role that belongs to your Alibaba Cloud account to perform all the operations in the DataWorks console only after the AliyunDataWorksFullAccess policy is attached to the RAM user or RAM role. For more information, see Grant permissions to a RAM user.

Internal permission management system

After you enter a DataWorks workspace, you can move the pointer over the icon in the top navigation bar to view all the service modules of DataWorks, as shown in the following figure. The permissions on each service module are different. For more information, see Details about roles and permissions.
(Figure: Web UI of DataWorks)
The permission management system of DataWorks is built based on the role-based access control (RBAC) model. After you assign a role to a RAM user or grant permissions to a RAM role, the RAM user or RAM role has the permissions on the related service modules. Details about the RBAC model:
  • Users: consist of RAM users and RAM roles.
  • Roles: consist of workspace-level roles and global (region-level) roles.
  • Permissions: consist of the permissions on workspace-level service modules and the permissions on global (region-level) service modules.
Workspace-level roles have the permissions to perform operations on workspace-level service modules. Global roles have the permissions to perform operations on global service modules. The permissions that you own vary based on the role that is assigned to you. The following figure shows the relationship among users, roles, and permissions.
(Figure: relationship among users, roles, and permissions)
Note
  • Only the tenant administrator role has the permissions on all the service modules.
  • By default, all the RAM users that belong to the current Alibaba Cloud account are assigned the tenant member role.
  • If the tenant administrator creates a custom global role and explicitly specifies the global service modules on which this role does not have permissions, such as the Data Map module, the custom role takes priority over the tenant member role for those modules.
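The RBAC rules above (users are RAM users or RAM roles, roles are workspace-level or global, the tenant administrator covers every module, every RAM user starts as a tenant member, and a custom global role's explicit exclusion outranks tenant member) as a small added model, not DataWorks code. The only names taken from the text are DataStudio, Data Map, tenant administrator and tenant member; the default access of a tenant member to global modules and all other role names are assumptions.

```python
# Added example: a model of the DataWorks RBAC rules described above.
# Not DataWorks code; role and module names other than those in the text are placeholders.
from dataclasses import dataclass, field
from typing import Optional

WORKSPACE_MODULES = {"DataStudio"}   # usable only inside a workspace
GLOBAL_MODULES = {"Data Map"}        # region-level, no workspace context
ALL_MODULES = WORKSPACE_MODULES | GLOBAL_MODULES


@dataclass
class Role:
    name: str
    scope: str                        # "workspace" or "global"
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()     # explicit exclusions of a custom global role


@dataclass
class User:                           # a RAM user or a RAM role
    name: str
    global_roles: list = field(default_factory=list)
    workspace_roles: dict = field(default_factory=dict)  # workspace -> [Role]


TENANT_ADMIN = Role("tenant administrator", "global", allow=frozenset(ALL_MODULES))
# Assumption: a tenant member may use global modules such as Data Map by default.
TENANT_MEMBER = Role("tenant member", "global", allow=frozenset(GLOBAL_MODULES))


def new_user(name: str) -> User:
    """Every RAM user of the account is assigned the tenant member role by default."""
    return User(name, global_roles=[TENANT_MEMBER])


def effective_modules(user: User, workspace: Optional[str] = None) -> set:
    """Service modules the user may operate on, optionally inside one workspace."""
    if any(r.name == TENANT_ADMIN.name for r in user.global_roles):
        return set(ALL_MODULES)       # only this role covers every module
    allowed, denied = set(), set()
    for role in user.global_roles:
        allowed |= role.allow & GLOBAL_MODULES
        denied |= role.deny           # a custom role's exclusion outranks tenant member
    for role in user.workspace_roles.get(workspace, []):
        allowed |= role.allow & WORKSPACE_MODULES
    return allowed - denied
```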

Distinguish between workspace-level service modules and global service modules

For a workspace-level service module, such as DataStudio, the corresponding workspace name is displayed in the top navigation bar.
(Figure: DataStudio)
For a global service module, such as Data Map, no workspace name is displayed in the top navigation bar.
(Figure: Data Map)