This topic describes how to add and manage members and roles in a DataWorks workspace. This topic also describes the differences in permissions of different roles.

Plan a role

DataWorks provides two types of roles: workspace-level roles and global (region-level) roles.
  • For workspace-level roles in DataWorks, you can grant workspace-level permissions to RAM users based on service scenarios. DataWorks provides preset roles. You can also configure custom roles. After you add a RAM user to a DataWorks workspace, you can assign a preset role or a custom role in this workspace to the RAM user. For more information, see Manage members and roles.
  • DataWorks provides two types of global roles: preset roles and custom roles. The administrator can configure a custom global role that has the permissions on specific global service modules.
    Note

    If the tenant administrator creates a custom global role, and explicitly specifies the global service modules on which this role does not have permissions, such as the Data Map module, this custom role has a higher permission priority than a tenant member.

Assign a workspace-level role to a user

After you add a RAM user or a RAM role to a specific workspace in DataWorks, the RAM user or RAM role is automatically assigned a workspace-level role.

Only the users that are assigned the workspace administrator role are allowed to assign other users the workspace-level roles. For more information, see Add workspace members.

Note The Alibaba Cloud account and the RAM users to which the AliyunDataWorksFullAccess policy is attached have the permissions of the workspace administrator role.

Assign a global role to a user

You can use the global role management feature to assign a global role to a RAM user or a RAM role.

Note
  • Only the tenant administrator role and the Alibaba Cloud account to which the AliyunDataWorksFullAccess policy is attached are allowed to assign a global role to other users.
  • The tenant administrator can assign the tenant administrator role to a user.