This topic describes the permissions of each of the preset workspace-level and global roles.

Workspace-level roles

DataWorks provides the following preset workspace-level roles: workspace owner, workspace administrator, developer, O&M engineer, deployment engineer, visitor, security administrator, and model designer. You cannot assign the workspace owner role to other workspace members. For more information about the permissions of the preset roles, see Permission list.

Global roles

DataWorks provides the following preset global roles: tenant administrator, tenant member, tenant security administrator, data directory administrator, metadata collection administrator, and data governance administrator. The following table describes the permissions of the roles.
Role Permission Authorized by Description
Tenant administrator The permissions on all the service modules of DataWorks, excluding the permissions that are required for performing operations in the DataWorks console Alibaba Cloud account, RAM users to which the AliyunDataWorksFullAccess policy is attached, and RAM users that are assigned the tenant administrator role by the RAM user who has been assigned the tenant administrator role This role has full permissions in DataWorks, and can perform operations on all the service modules in DataWorks.
Tenant member The same permissions as the development engineer role:
  • Read-only permissions on Data Security Guard
  • Common use permissions on Security Center, excluding all the audit permissions
  • Common use permissions on Data Map, excluding the permissions of the data directory administrator and metadata collection administrator roles
  • Common use permissions on Data Analysis
  • Common use permissions on Approval Center, excluding the approval policy management permission
No authorization is required. By default, all the RAM users that belong to the current Alibaba Cloud account are assigned the tenant member role. By default, all the RAM users and RAM roles that belong to the current Alibaba Cloud account have the permissions of the tenant member role.
Tenant security administrator All the permissions on Security Center, Approval Center, and Data Security Guard The tenant administrator can assign the security administrator role to a RAM user. This role is used to manage the security configurations in a workspace.
Data governance administrator All the permissions on Data Governance The tenant administrator can assign the data governance administrator role to a user. This role is used to manage the features in Data Governance.
Data directory administrator The permissions to manage data directories of Data Map The tenant administrator can assign the data directory administrator role to a user. This role is used to manage data directories of Data Map.
Metadata collection administrator The permissions on metadata collection in Data Map The tenant administrator can assign the metadata collection administrator role to a user. This role is used to manage metadata collection in Data Map.