This topic describes how to add workspace members and assign roles to them. This topic also describes the permissions of each role.
For more information about the permissions of Alibaba Cloud accounts and RAM users in MaxCompute and DataWorks, see Users and roles.
For more information about the permission relationships between MaxCompute and DataWorks, see Permission relationships between MaxCompute and DataWorks.
You can log on to the DTplus console by using an Alibaba Cloud account or as a RAM user.
- An Alibaba Cloud account owns Alibaba Cloud resources. Resource usage is measured and billed to the Alibaba Cloud account. You can use the Alibaba Cloud account to create RAM users for your enterprise. You can also use the Alibaba Cloud account to manage and grant permissions to RAM users.
- RAM users are created and managed by the Alibaba Cloud account in the RAM system. RAM users do not own resources, so the resource usage of a RAM user is not measured and billed to the RAM user. The Alibaba Cloud account controls all RAM users in a unified manner, including the payment for resources used by RAM users.
- Go to the Workspace Management page of the workspace to which you want to add members.
  - Log on to the DataWorks console.
  - In the left-side navigation pane, click Workspaces.
  - On the Workspaces page, find the workspace to which you want to add members and click Workspace Settings in the Actions column.
  - In the Workspace Settings pane, click More. The Workspace Management page appears.

  You can also click Data Analytics in the Actions column of the workspace on the Workspaces page. On the DataStudio page, click the icon in the upper-right corner to go to the Workspace Management page.
- In the left-side navigation pane, click User Management.
- On the User Management page, click Add Member in the upper-right corner.
- In the Add Member dialog box, click Refresh. All the created RAM users under your Alibaba Cloud account appear in the Account to be added section.
  Note: If you need to create more RAM users, click RAM Console in the Add Member dialog box to go to the RAM console and create RAM users as required. For more information about how to create a RAM user and allocate the RAM user to a person, see Prepare an Alibaba Cloud account.
- Select RAM users in the Account to be added section and click the > icon to move them to the Added account section.
- Select the roles to be assigned to the RAM users and click Confirm.
  Notice: You must move RAM users from the Account to be added section to the Added account section before you assign roles to them.
- Go to the User Management page and view or modify the roles of each added member. You can click Remove in the Operation column of a member to delete the member.
You can assign the following roles to workspace members: Owner, Space Administrator, Development, Operation & Maintenance (O & M), Deployment, Visitors, and Security Administrator. The creator of a workspace is assigned the Space Administrator role by default.
| Role | Description |
| --- | --- |
| Owner | The member with this role has full permissions on the workspace. |
| Space Administrator | This role has all permissions of the Development and Operation & Maintenance (O & M) roles. A member with this role can also manage the workspace. For example, the member can add and delete workspace members and create custom resource groups. |
| Development | A member with this role can design and maintain nodes on the DataStudio page in the workspace. |
| Operation & Maintenance (O & M) | A member with this role can manage the running of all nodes in the workspace in Operation Center. |
| Deployment | In a workspace in standard mode, a member with this role can review the code of each node and determine whether to commit the nodes to Operation Center. |
| Visitors | A member with this role can only view workflows and code on the DataStudio page in the workspace. |
| Security Administrator | A member with this role can perform operations only in Data Security Guard. For more information, see Data Security Guard. |

Note: After you add a RAM user as a workspace member, the RAM user can log on to the DataWorks console and access the workspace. The RAM user must update the AccessKey pair in the DTplus console after the logon. For more information, see Use a RAM user.

The following table compares the permissions of roles in MaxCompute projects and DataWorks workspaces.

| MaxCompute role | MaxCompute permission | DataWorks role | DataWorks permission |
| --- | --- | --- | --- |
| Project Owner | This role has all permissions on a project created in MaxCompute. | N/A | N/A |
| Super_Administrator | This role has permissions on all types of resources in a project and management permissions on the project. | N/A | N/A |
| Admin | When you create a project, the system automatically creates an Admin role for this project and grants the following permissions to the role: access all objects in the project, manage users or roles, and authorize users or roles. Unlike a project owner, an Admin role is not authorized to perform the following operations: assign the role permissions to users, set security policies for projects, modify the authentication model for projects, and modify the role permissions. The project owner can assign an Admin role to a user and authorize this user for security management. | N/A | N/A |
| Role_Project_Admin | This role has all permissions on projects, tables, functions, resources, instances, jobs, and packages of a workspace. | Project administrator | The administrator of a project. This role has permissions to manage the basic properties, data sources, computing engine configurations, and project members in the project. It can also assign administrator, developer, OAM, deployment, and visitor roles to other project members. |
| Role_Project_Dev | This role has all permissions on projects, functions, resources, instances, jobs, packages, and tables of a workspace. | Developer | This role has the permissions to create or delete tables, create workflows, script files, resources, user-defined functions (UDFs), and publish packages. However, this role does not have permissions to publish jobs. |
| Role_Project_Pe | This role has all permissions on projects, functions, resources, instances, and jobs of a workspace. It also has READ permissions on packages and both READ and DESCRIBE permissions on tables of a workspace. | OAM role | This role has the publish and online OAM permissions that are granted by the project administrator. However, this role does not have the permissions to develop data. |
| Role_Project_Deploy | By default, this role does not have any permissions. | Deployment role | This role has the same permissions as the OAM role, except for the online OAM permissions. |
| Role_Project_Guest | By default, this role does not have any permissions. | Visitor | This role can view data, but cannot edit workflows or code. |
| Role_Project_Security | By default, this role does not have any permissions. | Security administrator | This role is only used to configure sensitivity rules and audit data risks in Data Security Guard. |
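
The role descriptions above can drive a periodic access review of workspace members. The following Python code is an added example, not part of the original documentation or of any Alibaba Cloud tool. The member list is constructed, and the review rules (no member both develops and approves deployment, the Security Administrator does not also develop, a cap on Owner and Space Administrator holders) are assumed policy, not DataWorks requirements.

```python
# Role names are taken from the page; the review rules below are assumed policy.
OM = "Operation & Maintenance (O & M)"
ROLES = {"Owner", "Space Administrator", "Development", OM,
         "Deployment", "Visitors", "Security Administrator"}
# Per the page, Space Administrator has all permissions of Development and O & M.
IMPLIED = {"Space Administrator": {"Development", OM}}
PRIVILEGED = {"Owner", "Space Administrator"}


def effective_roles(assigned):
    """Expand assigned roles with the roles they include; reject unknown names."""
    unknown = set(assigned) - ROLES
    if unknown:
        raise ValueError(f"unknown workspace role(s): {sorted(unknown)}")
    effective = set(assigned)
    for role in assigned:
        effective |= IMPLIED.get(role, set())
    return effective


def review(members, max_privileged=2):
    """Return sorted (member, finding) pairs for a {member: [roles]} mapping."""
    findings = []
    privileged = []
    for member, assigned in members.items():
        roles = effective_roles(assigned)
        # Assumed rule: whoever writes node code should not also approve its deployment.
        if {"Development", "Deployment"} <= roles:
            findings.append((member, "develops and approves deployment"))
        # Assumed rule: the Data Security Guard auditor should not hold Development.
        if {"Security Administrator", "Development"} <= roles:
            findings.append((member, "security administrator also develops"))
        if roles & PRIVILEGED:
            privileged.append(member)
    if len(privileged) > max_privileged:
        findings.append(("*", f"{len(privileged)} privileged members exceed cap of {max_privileged}"))
    return sorted(findings)


# Constructed sample: RAM user names and assignments are invented for illustration.
SAMPLE_MEMBERS = {
    "ram_alice": ["Space Administrator"],
    "ram_bob": ["Development", "Deployment"],
    "ram_carol": ["Space Administrator", "Deployment"],
    "ram_dave": ["Visitors"],
    "ram_erin": ["Security Administrator", "Development"],
}

if __name__ == "__main__":
    for member, finding in review(SAMPLE_MEMBERS, max_privileged=1):
        print(f"{member}: {finding}")
```

`ram_carol` is flagged even though Development was never assigned directly, because Space Administrator carries the Development permissions.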