DataWorks provides workspaces in basic mode and standard mode for you to develop data based on different security control requirements. This topic describes the differences between the two types of workspaces and the types of accounts or roles that can be used to access each type of workspace.

Workspaces in basic mode

A DataWorks workspace in basic mode can be associated with only one project, instance, or database of each compute engine type. A workspace in basic mode does not isolate the development environment from the production environment. In such a workspace, you can perform only basic data development but cannot control the data development process and table permissions.

A workspace in basic mode has the following benefits and risks:
  • Benefits: This mode is easy to use. After you commit a node, the scheduling system immediately runs the node on a regular basis to produce data. In this case, you do not need to deploy the node.
  • Risks: Developers can modify or commit a node to the scheduling system without the need to obtain approval. This makes the production environment unstable. In addition, if this workspace is associated with a MaxCompute project, developers have the read and write permissions on all the tables of the MaxCompute project by default. Developers can create, delete, or modify tables. This puts data at risk.

The following figure shows the data production process of a DataWorks workspace in basic mode. This workspace is associated with one MaxCompute compute engine instance.

[Figure: Basic mode]

Workspaces in standard mode

A DataWorks workspace in standard mode can be associated with two projects, instances, or databases of each compute engine type. A workspace in standard mode differs from a workspace in basic mode in the following aspects:
  • You can modify code only in the development environment.
  • After you commit a node, the scheduling system runs the node in the development environment only for smoke testing. The scheduling system does not automatically run this node in the development environment in the future. If you want the scheduling system to automatically run this node in the future, you must deploy it to the production environment.

    You can deploy a node only after you obtain approval from a workspace administrator or O&M expert.

The following figure shows the data production process of a DataWorks workspace in standard mode. This workspace is associated with two MaxCompute compute engine instances.

[Figure: Standard mode]

Types of accounts or roles used to access workspaces in basic mode and standard mode

You can specify the accounts or roles for workspaces in the Compute Engine Information section of the Workspace Management page. For more information, see Configure a workspace.

The following list gives the access account or role for each workspace mode, compute engine type, and environment.

  • Standard mode, MaxCompute
    • Development environment: By default, only the current logon user can perform operations.
    • Production environment: The following types of accounts or roles can be specified to perform operations:
      • Alibaba Cloud account
      • RAM user
      • RAM role
  • Standard mode, E-MapReduce (EMR)
    • Development environment:
      • Shortcut mode: Only the Hadoop users of the associated EMR cluster can perform operations.
      • Security mode: Only the current logon user can perform operations.
    • Production environment:
      • Shortcut mode: Only the Hadoop users of the associated EMR cluster can perform operations.
      • Security mode: The following types of accounts or roles can be specified to perform operations:
        • Node owner
        • Alibaba Cloud account
        • RAM user
  • Standard mode, Hologres
    • Development environment: By default, only the current logon user can perform operations.
    • Production environment: The following types of accounts can be specified to perform operations:
      • Alibaba Cloud account
      • RAM user
  • Basic mode, MaxCompute
    • Development environment, which is also the production environment: By default, only the current logon user can perform operations. The following types of accounts or roles can be specified to perform operations:
      • Alibaba Cloud account
      • RAM role
      • Node owner
  • Basic mode, EMR
    • Development environment, which is also the production environment:
      • Shortcut mode: Only the Hadoop users of the associated EMR cluster can perform operations.
      • Security mode: The following types of accounts or roles can be specified to perform operations:
        • Node owner
        • Alibaba Cloud account
        • RAM user
  • Basic mode, Hologres
    • Development environment, which is also the production environment: By default, only the current logon user can perform operations. The following types of accounts can be specified to perform operations:
      • Alibaba Cloud account
      • RAM user

After you associate an AnalyticDB for MySQL or AnalyticDB for PostgreSQL compute engine instance with a DataWorks workspace in the development environment or the production environment, only the specified database account can perform operations in the specific environment. The permissions of this account in the DataWorks workspace are the same as those in the AnalyticDB for MySQL or AnalyticDB for PostgreSQL database.

Permissions for workspaces in basic mode and standard mode

DataWorks allows you to manage the permissions to use GUI elements in the console and the permissions to call API operations by using role-based access control (RBAC). In addition, the RBAC roles in DataWorks are automatically mapped to the RBAC roles in MaxCompute. For more information, see Manage members and roles and Member roles and permissions. The features, benefits, and risks vary with workspaces in different modes. The following table compares the permissions of workspaces in basic mode and standard mode.

  • Permission overview
    • Basic mode: In a DataWorks workspace in basic mode, the developer role of the DataWorks workspace is mapped to the Role_Project_Dev role of the associated MaxCompute project. Therefore, the developers of the DataWorks workspace can read all data in the MaxCompute project.
    • Standard mode: In a DataWorks workspace in standard mode, the developer role of the DataWorks workspace is mapped to the Role_Project_Dev role of the associated MaxCompute project in the development environment. Therefore:
      • The developers of the DataWorks workspace can read all data in the MaxCompute project in the development environment.
      • The developer role of the DataWorks workspace is not mapped to a role of the associated MaxCompute project in the production environment. By default, the developers of the DataWorks workspace cannot access the data in the MaxCompute project in the production environment.
  • Benefits
    • Basic mode: Simple and easy to use. You need only to assign the developer role to development engineers to complete all data warehouse development.
    • Standard mode: Secure and standardized.
      • A secure and standardized process is provided for you to deploy and manage nodes, including features such as code review and code check by using the diff command. This ensures the stability of the production environment and prevents unexpected outcomes such as dirty data spreading and node errors caused by illogical code.
      • Data activities are effectively managed, and data security is ensured.
  • Risks
    • Basic mode: The risks of instability and low data security arise in the production environment.
      • Developers can modify or commit a node to the scheduling system without the need to obtain approval. This makes the production environment unstable.
      • If a workspace is associated with a MaxCompute project, developers have the read and write permissions on all tables of the MaxCompute project by default. Developers can create, delete, or modify tables. This puts data at risk.
    • Standard mode: The data development and production process is more complex. In most cases, the process requires the involvement of more than one developer.

Accounts or roles used to access MaxCompute projects associated with workspaces in basic mode and standard mode

The following list is organized by item and workspace mode. For standard mode, the values for DataStudio and Operation Center are listed separately.

  • The accounts or roles that can be used to perform operations
    • Standard mode
      • DataStudio: The current logon user
      • Operation Center: The accounts or roles that are specified to perform operations for the scheduling engine
    • Basic mode: The accounts or roles that are specified to perform operations for the scheduling engine
      Note: In a workspace in basic mode, if an Alibaba Cloud account is specified to perform operations for the scheduling engine, the Alibaba Cloud account is used to run nodes, regardless of whether it is the current logon user that performs operations.
  • Resource table
    • Standard mode
      • DataStudio: projectname_dev.tablename/function/resource
      • Operation Center: projectname.tablename/function/resource
    • Basic mode: projectname.tablename
      Note: A workspace in basic mode has only the production environment. Development and production environments cannot be isolated.
  • Access to resources
    • Standard mode
      • DataStudio:
        • Scenario 1: select col1 from tablename
          • Use your personal account to access the projectname_dev.tablename table in the development environment.
        • Scenario 2: select col1 from projectname.tablename
          • Use your personal account to access the projectname.tablename table in the production environment.
        Note: By default, RAM users that are not specified to perform operations for the scheduling engine do not have permissions to access the data in the production environment. If you want to use a RAM user, you must apply for permissions to access tables in the production environment in Security Center.
      • Operation Center: select col1 from tablename
        • Use an account or role specified to perform operations for the scheduling engine to access the projectname.tablename table in the production environment.
    • Basic mode: select col1 from tablename
      • Use an account or role specified to perform operations for the scheduling engine to access the projectname.tablename table in the production environment.
      Note: In a workspace in basic mode, if an Alibaba Cloud account is specified to perform operations for the scheduling engine, the Alibaba Cloud account is used to access resources, regardless of whether it is the current logon user that performs operations.
  • Permissions to access resources
    • Standard mode
      • DataStudio: The permissions granted to personal accounts
      • Operation Center: The permissions granted to the accounts or roles that are specified to perform operations for the scheduling engine
    • Basic mode: The permissions granted to the accounts or roles that are specified to perform operations for the scheduling engine
      Note: An Alibaba Cloud account has full permissions on its resources. For security concerns, we recommend that you do not specify an Alibaba Cloud account to perform operations for the scheduling engine in a workspace in basic mode.

Naming formats of tables in MaxCompute projects associated with workspaces in basic mode and standard mode

In a workspace in basic mode, the development environment is not isolated from the production environment. This indicates that the MaxCompute project that is associated with the workspace is used for both the development and production environments. In a workspace in standard mode, the development environment is isolated from the production environment. In this case, the naming formats of tables in the MaxCompute projects that are associated with the workspace differ in the two environments. If you want to access tables for the production environment from the development environment, you must identify tables for the production environment to prevent inappropriate operations. The following table describes the naming formats of tables for the two environments.

  • Development environment
    • Naming format: Project name_dev.Table name
    • Example: If you want to create a table named user_info in the projectA project, the table name is shown as projectA_dev.user_info.
  • Production environment
    • Naming format: Project name.Table name
    • Example: If you want to create a table named user_info in the projectA project, the table name is shown as projectA.user_info.
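
The access rules for MaxCompute resources and the naming formats above can be checked mechanically. The following is an added example, not DataWorks code: the hypothetical functions resolve() and audit() model which table and identity a table reference reaches, then flag development code in a standard-mode workspace that touches production tables. The sample SQL is constructed for illustration, and project names are compared case-sensitively as a simplifying assumption.

```python
import re

# Constructed model of the rules in the tables above. The names resolve(),
# audit(), SCHED and PERSONAL are this example's own, not a DataWorks API.
SCHED = "account or role specified for the scheduling engine"
PERSONAL = "personal account (current logon user)"

def resolve(mode, surface, ref, project):
    """Return (qualified table, environment, identity) for a table reference."""
    if mode == "standard" and surface == "DataStudio":
        default_project, identity = project + "_dev", PERSONAL
    else:  # basic mode, or Operation Center in standard mode
        default_project, identity = project, SCHED
    proj, _, table = ref.rpartition(".")
    proj = proj or default_project  # unqualified names use the default project
    if proj == project:
        env = "production"
    elif mode == "standard" and proj == project + "_dev":
        env = "development"
    else:
        env = "other project"
    return f"{proj}.{table}", env, identity

# Simplified pattern: finds the table name after common SQL keywords only.
REF = re.compile(
    r"\b(delete\s+from|from|join|into(?:\s+table)?|table|update)\s+"
    r"(?:if\s+(?:not\s+)?exists\s+)?([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)", re.I)

def audit(sql, project):
    """List (kind, table) for development code that reaches production tables."""
    findings = []
    for keyword, ref in REF.findall(sql):
        table, env, _ = resolve("standard", "DataStudio", ref, project)
        if env == "production":
            kind = "read" if keyword.lower() in ("from", "join") else "write"
            findings.append((kind, table))
    return findings

# Constructed sample of code written in DataStudio for project projectA.
SAMPLE_SQL = """
select col1 from user_info;
select col1 from projectA.user_info;
insert overwrite table projectA_dev.tmp select * from projectA.user_info;
drop table if exists projectA.user_info;
"""

if __name__ == "__main__":
    for kind, table in audit(SAMPLE_SQL, "projectA"):
        print(f"{kind:5} {table}")
```

Findings marked write are the ones to review first, because a production reference in development code runs under the personal account and succeeds only if that account has been granted production permissions.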