All Products
Search
Document Center

DataWorks:Manage permissions on global-level services

Last Updated:Nov 17, 2023

DataWorks allows you to grant different permissions on global-level services to members in a tenant by assigning the members different tenant-level roles. DataWorks provides built-in tenant-level roles and allows you to create custom tenant-level roles. This topic describes the tenant-level roles that can be used to manage permissions on global-level services and the basic operations that can be performed to manage permissions of tenant members on global-level services.

Background information

If no workspace name is displayed in the top navigation bar of a page of a DataWorks service, the service is a global-level service, such as Data Map.

  • DataWorks provides identities such as tenant-level members and roles. If you want to access a global-level service as a RAM user, the RAM user must be assigned the required tenant-level role.

    DataWorks provides built-in tenant-level roles. For example, DataWorks provides a built-in tenant-level role for which permissions on category management in Data Map are defined, and you can assign the role to a member to control whether the member has the related permissions.

  • If the built-in tenant-level roles cannot meet your business requirements, you can create a custom tenant-level role and assign the role to a RAM user. This way, you can control the permissions of the RAM user on a specific global-level service.

    For example, you can create a custom tenant-level role to deny access to Data Map and assign the role to a RAM user. This way, the RAM user cannot access Data Map. For more information, see Tenant-level roles that can be used to manage permissions on global-level services.

Permission management on global-level services in DataWorks is performed based on the role-based access control (RBAC) model. After you assign a tenant-level role to a RAM user, the RAM user is granted the permissions of the role on the related DataWorks service. For more information, see Overview of the DataWorks permission management system.

Limits

  • Only workspaces of DataWorks Enterprise Edition support custom tenant-level roles. For more information, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see Billing of DataWorks advanced editions.

  • You can manage tenant-level roles by using an Alibaba Cloud account, the Tenant Administrator role, or a RAM user to which the AliyunDataWorksFullAccess or AdministratorAccess policy is attached.

Tenant-level roles that can be used to manage permissions on global-level services

DataWorks provides built-in tenant-level roles that are granted fixed permissions on global-level services. You can also create custom tenant-level roles and grant the roles read and write permissions on specific global-level services.

Built-in tenant-level roles

The following table describes the built-in tenant-level roles that are provided by DataWorks and the permissions of each role.

Role

Global-level service

Permission description

Tenant Administrator

All global-level services in DataWorks

This role has the highest permissions on DataWorks, and can be used to perform operations in all global-level services in DataWorks and assign the Tenant User role to a member.

Note

This role does not have permissions to perform control and management operations in the DataWorks console. For information about the permissions to perform control and management operations, see Manage permissions on the DataWorks services and the entities in the DataWorks console by using RAM policies.

Tenant User

All global-level services in DataWorks

After a RAM user is added to a workspace, the RAM user is automatically assigned the Tenant User role and can access all global-level services.

Note

By default, all RAM users within the Alibaba Cloud account that is used to log on to the DataWorks console are members within the current DataWorks tenant.

Security Administrator

Security Center, Approval Center, and Data Security Guard

  • All permissions on Security Center.

  • Permissions to customize approval policies in Approval Center.

  • All permissions on Data Security Guard.

Compliance Manager

Security Center

Permissions to detect cross-border data transmission risks and permissions to review self-evaluation requests for cross-border data transmission.

OpenPlatform Administrator

Open Platform

Read and write permissions on the developer backend.

Custom tenant-level roles

DataWorks allows you to create custom tenant-level roles and control whether the roles have permissions on specific global-level services. The following table describes the global-level services that allow you to use custom tenant-level roles to control permissions.

Global-level service

Permission setting

Data Security Guard

  • No Permissions: Deny access to Data Security Guard.

  • Available: all read-only permissions and all management permissions.

Data Map

  • No Permissions: Deny access to Data Map.

  • Available: regular permissions.

Note

For information about how to manage access permissions on metadata, such as prohibiting the display of metadata of a project and display of a table and prohibiting a workspace member from accessing tables in a project, see Appendix: Overview of permission management in Data Map.

Data Governance Center

  • No Permissions: Deny access to Data Governance Center.

  • Available: regular permissions and data governance permissions.

DataAnalysis

  • No Permissions: Deny access to DataAnalysis.

  • Available: regular permissions.

Approval Center

  • No Permissions: Deny access to Approval Center.

  • Available: regular permissions and permissions to manage approval processes.

Security Center

  • No Permissions: Deny access to Security Center.

  • Available: regular permissions.

Manage tenant-level roles

By default, all RAM users within the Alibaba Cloud account that is used to log on to the DataWorks console are members within the current tenant and have permissions to access all global-level services. You can assign tenant-level roles to RAM users to control whether the RAM users can access specific global-level services and to grant the RAM users the management permissions on global-level services.

Step 1: Go to the Tenant Members and Roles page

  1. Go to Management Center.

  2. In the left-side navigation pane of the Management Center page, click Tenant Members and Roles.

Step 2: (Optional) Create and manage custom tenant-level roles

You cannot change the permissions of the built-in tenant-level roles. If the built-in tenant-level roles do not meet your business requirements for permission management, you can create custom tenant-level roles and control the permissions of the roles on specific global-level services on the Tenant Roles tab of the Tenant Members and Roles page.

  1. Click Create Custom Role on the Tenant Roles tab of the Tenant Members and Roles page.

  2. In the Create Custom Role dialog box, specify a name for the role and configure permission settings on global-level services for the role.

  3. Click Create.

    If the Created message appears, the custom tenant-level role is created. You can assign the role to a member in subsequent operations.

Step 3: Assign tenant-level roles to a member or manage tenant-level roles assigned to a member

  1. Click the Tenant Members tab.

  2. In the Role column of a member, assign tenant-level roles to the member or remove the assigned tenant-level roles from the member.

    Note

    After a RAM user is added to a workspace, the RAM user is automatically assigned the Tenant User role and can access all global-level services.