This topic describes how to add workspace members and grant roles to them. In addition, this topic describes the permissions of each role.
For more information about the permissions of Alibaba Cloud accounts and Resource Access Management (RAM) users in MaxCompute and DataWorks, see Users and Roles.
For more information about the permission relationships between MaxCompute and DataWorks, see Permission relationship between MaxCompute and DataWorks.
If you want to use DTplus together with others, create RAM users, create a workspace, and then follow instructions in this topic to add members to your workspace. For more information about how to create RAM users and workspaces, see Prepare a RAM user and Create Workspace.
You can log on to the DTplus console by using an Alibaba Cloud account or as a RAM user.
Billing rule for RAM users
An Alibaba Cloud account owns Alibaba Cloud resources. Resource usage is measured and billed to the Alibaba Cloud account. You can use the Alibaba Cloud account to create RAM users for your enterprise. You can also use the Alibaba Cloud account to manage and grant permissions to RAM users.
RAM users are created and managed by the Alibaba Cloud account in the RAM system. RAM users do not own resources, so the resource usage of a RAM user is not measured and billed to the RAM user. The Alibaba Cloud account centrally controls all RAM users, including the payment for resources used by RAM users.
- Log on to the DataWorks console. In the left-side navigation pane, click Workspaces.
- On the Workspaces page, find the target workspace and click Workspace Settings in the Actions column.
- In the Workspace Settings dialog box that appears, click More. The Settings page appears.
You can also click Data Analytics in the Actions column. On the DataStudio page that appears, click the Workspace Manage icon in the upper-right corner to go to the Settings page.
- Click User Management in the left-side navigation pane. On the Members page that appears, click Add Member in the upper-right corner.
- In the Add Member dialog box that appears, click Refresh to synchronize the RAM users under the current Alibaba Cloud account to the Available
Note: If you want to create more RAM users, click RAM console in the Add Member dialog box to go to the RAM console and create RAM users as required. For more information about how to create a RAM user and allocate the RAM user to a person, see Prepare an Alibaba Cloud account.
- Select RAM users in the Available Accounts section and click > to move them to the Added Accounts section. Select the roles to be granted to the RAM users and click OK. The members are added.
Note: You must move RAM users from the Available Accounts section to the Added Accounts section before granting roles to them.
- Optional. Go to the Members page and view or modify roles of each added member, or click Delete in the Actions column of a member to delete the member.
You can grant the following roles to workspace members: Owner, Space Administrator, Developer, Administration Expert, Deployment Expert, Visitor, and Security Expert. The creator of a workspace is granted the Space Administrator role by default.
| Role | Description |
| --- | --- |
| Owner | The owner of a workspace has full permissions on the workspace. |
| Space Administrator | A workspace administrator has all permissions of the Developer and Administration Expert roles. In addition, a workspace administrator can manage the workspace. For example, a workspace administrator can add and delete workspace members, and create custom resource groups. |
| Developer | A developer designs and maintains nodes on the DataStudio page. |
| Administration Expert | An administration expert manages the running of all nodes in a workspace in Operation Center. |
| Deployment Expert | In a workspace in standard mode, a deployment expert reviews the code of each node and determines whether to commit the nodes to Operation Center. |
| Visitor | A visitor can only view workflows and code on the DataStudio page. |
| Security Expert | A security expert can only perform operations in Data Security Guard. For more information, see Data Security Guard. |

Note: After you add a RAM user as a workspace member, the RAM user can log on to the DataWorks console and access your workspace. The RAM user must update the AccessKey in the DTplus console after the logon. For more information, see Use a RAM user.

The following table compares the permissions of roles in MaxCompute projects and DataWorks workspaces.

| MaxCompute role | MaxCompute permission | DataWorks role | DataWorks permission |
| --- | --- | --- | --- |
| Project owner | This role has all permissions on a MaxCompute project. | None | None |
| Super_Administrator | This role has permissions on all types of resources in a project and management permissions. | None | None |
| Admin | When you create a project, the system creates an Admin role for it and grants the following permissions to the role: access to all objects in the project, management of users or roles, and authorization of user or role permissions. Unlike a project owner, an Admin role cannot grant the permissions of the Admin role to users, set security policies for workspaces, or change the authentication models of workspaces. The permissions of an Admin role cannot be changed. The project owner can assign an Admin role to a user so that the user is authorized for security management. | None | None |
| Role_Project_Admin | This role has all permissions on projects, tables, functions, resources, instances, jobs, and packages of a workspace. | Project administrator | The administrator of a project. It can manage the basic properties, data sources, computing engine configurations, and project members in the project. It can also assign administrator, developer, OAM, deployment, and visitor roles to other project members. |
| Role_Project_Dev | This role has all permissions on projects, functions, resources, instances, jobs, packages, and tables of a workspace. | Developer | This role has the permissions to create or delete tables, and create workflows, script files, resources, user-defined functions (UDFs), and publish packages. However, this role does not have the publish permissions. |
| Role_Project_Pe | This role has all permissions on projects, functions, resources, instances, and jobs of a workspace. It also has READ permissions on packages and both READ and DESCRIBE permissions on tables of a workspace. | OAM | This role has PUBLISH and ONLINE OAM permissions that are granted by the project administrator. However, this role does not have the permissions to develop data. |
| Role_Project_Deploy | By default, this role does not have any permissions. | Deployment | This role has the same permissions as the OAM role, except for the online OAM permissions. |
| Role_Project_Guest | By default, this role does not have any permissions. | Visitor | This role can only view data, but cannot edit workflows or code. |
| Role_Project_Security | By default, this role does not have any permissions. | Security administrator | This role is only used to configure sensitivity rules and audit data risks in Data Security Guard. |
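The role descriptions above can be used for a periodic access review of workspace members. The following is an added example, not part of the original documentation or of DataWorks: it expands granted roles into the roles whose permissions they include and flags members who can both develop nodes and approve their deployment. The member record format, the RAM user names, and the finding texts are assumptions made for this illustration.

```python
# Added example: review workspace role grants against the role descriptions.
# Record format and member names are constructed, not a DataWorks export.

ALL_ROLES = {
    "Owner", "Space Administrator", "Developer", "Administration Expert",
    "Deployment Expert", "Visitor", "Security Expert",
}
# From the role table: Owner has full permissions; Space Administrator has
# all permissions of the Developer and Administration Expert roles.
IMPLIES = {
    "Owner": ALL_ROLES,
    "Space Administrator": {"Space Administrator", "Developer",
                            "Administration Expert"},
}

def effective_roles(granted):
    """Expand granted roles into the roles whose permissions they include."""
    unknown = set(granted) - ALL_ROLES
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    out = set()
    for role in granted:
        out |= IMPLIES.get(role, {role})
    return out

def review(members):
    """Return {member: [findings]} for grants that deserve a second look."""
    findings = {}
    for name, granted in members.items():
        eff = effective_roles(granted)
        notes = []
        # In standard mode the Deployment Expert reviews nodes that
        # Developers write; holding both removes that independent review.
        if {"Developer", "Deployment Expert"} <= eff:
            notes.append("can develop and approve deployment")
        # Visitor is described as view-only; extra roles defeat that intent.
        if "Visitor" in granted and len(granted) > 1:
            notes.append("Visitor combined with other roles")
        if notes:
            findings[name] = notes
    return findings

# Constructed sample members (placeholder RAM user names).
SAMPLE = {
    "ram-user-a": ["Developer"],
    "ram-user-b": ["Space Administrator", "Deployment Expert"],
    "ram-user-c": ["Visitor", "Developer"],
    "ram-user-d": ["Owner"],
}
```

Calling `review(SAMPLE)` returns findings for every member except `ram-user-a`; the Owner is flagged because full permissions include both development and deployment approval.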