This topic describes how to add and manage members and roles in a DataWorks workspace. This topic also describes the differences in permissions of different roles.
Plan a role
- For workspace-level roles in DataWorks, you can grant workspace-level permissions to RAM users based on service scenarios. DataWorks provides preset roles. You can also configure custom roles. After you add a RAM user to a DataWorks workspace, you can assign a preset role or a custom role in this workspace to the RAM user. For more information, see Manage members and roles.
- DataWorks provides two types of global roles: preset roles and custom roles. The administrator can configure a custom global role that has the permissions on
specific global service modules.
If the tenant administrator creates a custom global role, and explicitly specifies the global service modules on which this role does not have permissions, such as the Data Map module, this custom role has a higher permission priority than a tenant member.
Assign a workspace-level role to a user
After you add a RAM user or a RAM role to a specific workspace in DataWorks, the RAM user or RAM role is automatically assigned a workspace-level role.
Only the users that are assigned the workspace administrator role are allowed to assign other users the workspace-level roles. For more information, see Add workspace members.
AliyunDataWorksFullAccesspolicy is attached have the permissions of the workspace administrator role.
Assign a global role to a user
You can use the global role management feature to assign a global role to a RAM user or a RAM role.
- Only the tenant administrator role and the Alibaba Cloud account to which the AliyunDataWorksFullAccess policy is attached are allowed to assign a global role to other users.
- The tenant administrator can assign the tenant administrator role to a user.