Dataphin: Add and manage row-level permissions

Last Updated: Jul 07, 2025

Row-level permissions allow you to control the data access scope for different users on the same table by row. This ensures that different roles can only view the data they need without creating views or splitting into sub-tables, reducing maintenance costs while effectively ensuring data security. This topic describes how to add and manage row-level permissions.

Prerequisites

You have purchased the row-level permission value-added service and the current tenant has enabled the row-level permission feature.

Limits

  • Super administrators have permissions for all data table rows and columns and are not subject to row-level permission control.

  • If row-level permissions are enabled for a data table and the table owner is not in the authorization list of row-level permissions, the table owner will not have any row-level permissions for that data table.

  • Row-level permissions are effective for tables in the compute engine, not for tables in data sources.

  • In offline development and analysis, you can view and download all row data that you have permissions for (row-level permissions only apply to table data queries, not to table structure modifications, table data modifications, or table deletions).

  • In offline integration, when the data table source is set to project, you can synchronize row data that you have permissions for.

  • In folder-data preview, you can view row data that you have permissions for.

  • When creating behavior relationships and offline views, tenant accounts can read row data that they have permissions for.

  • When calling APIs, users are not subject to row-level permission control.

Permission description

System roles (super administrators and security administrators) and custom global roles that have the Permission Management-Row-Level Permission Management permission can add and manage row-level permissions.

Add row-level permissions

  1. On the Dataphin homepage, choose Management Hub > Permission Management from the top navigation bar.

  2. Click Row-Level Permission in the left-side navigation pane. On the Row-Level Permission Management page, click the +Add Row-Level Permission button to go to the Add Row-Level Permission page.

  3. On the Add Row-Level Permission page, configure the parameters.

    Parameter: Description

    Permission Name: The name of the row-level permission, which must be globally unique and cannot exceed 64 characters.

    Description: The description of the row-level permission, which cannot exceed 128 characters.

    Control Column: Enter the fields that need to be controlled. You can combine multiple fields from one table for control. The field name and field description cannot exceed 64 characters. The field type can be text type or numeric type. Click the Add Control Field button to add up to 10 control fields.

    Control Rule: Add control rules for the permission. For configuration details, see Create a control rule.

      • When adding a new rule, the system adds an all-rows-visible rule by default. You can authorize visible users or enable or disable this rule.

      • Other rules: Support edit and delete operations.

        • Edit: Modify the configuration information of the rule.

        • Delete: After deletion, the permissions of users authorized under this rule will be revoked.

    Associated Tables: Add tables to be controlled. You can perform go-to-asset and delete operations on added tables. For configuration details, see Add associated tables.

      • Go to Asset: Navigate to the details page of the current table in the folder to view more information.

      • Delete: The deletion of a data table cannot be undone.

    View Affected Tenant Accounts: If the selected associated tables have downstream tables, enabling row-level permissions may affect the production tasks of downstream tables. It is recommended to add the all-rows-visible permission to the tenant accounts of the projects where the downstream tables are located. For details, see View affected tenant accounts.

  4. Click OK to complete the row-level permission rule configuration.

Create a control rule

Click the +Create Control Rule button. In the Add Control Rule dialog box, configure the parameters and click OK.

Parameter: Description

Rule Name: The name of the permission rule, which must be unique within the permission and cannot exceed 64 characters. This rule name is displayed when users request permissions for related data tables.

Expression: Add expressions for the controlled fields. The system fills in the first control field by default. You can select all control fields. The supported operation conditions are as follows:

  • When the operation condition is equals (=), not equals (≠), greater than (>), greater than or equals (≥), less than (<), less than or equals (≤), contains (like), or does not contain (not like), you can enter a single value.

  • When the operation condition is in or not in, you can enter multiple values separated by commas (,). You can also click Batch Edit and in the Batch Edit Enumeration Options dialog box, enter enumeration values separated by commas (,) or line feeds, not exceeding 10,000 characters.

  You can add up to 20 rules, with each rule having up to 5 levels of relationships. The filter conditions between each rule or relationship are AND or OR.

  Expression Preview: The system generates SQL statements in real time based on the permission expression configuration.

Authorized Users: Click the Add Authorized Account button to authorize users. The supported account types are Individual Account, Tenant Account, User Group, and Data Service Application. Click the save icon to save and complete the account addition.

  Note: Users who have already been authorized by the current rule cannot be authorized again. You can delete them first and then authorize them again.
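
As an added illustration (not Dataphin code and not its actual generated SQL), the sketch below renders a nested control-rule expression into a SQL predicate of the kind Expression Preview shows, while enforcing the operators and limits listed above. The tuple layout, the function names, the `%value%` rendering of contains, and the reading of the limits as 20 conditions and 5 nesting levels are assumptions.

```python
# Added example: hypothetical rule layout, not Dataphin's storage format.
SINGLE = {"=": "=", "≠": "<>", ">": ">", "≥": ">=", "<": "<", "≤": "<=",
          "like": "LIKE", "not like": "NOT LIKE"}
MULTI = {"in": "IN", "not in": "NOT IN"}
MAX_CONDITIONS, MAX_DEPTH, MAX_ENUM_CHARS = 20, 5, 10_000  # limits from the page

def lit(value):
    """Render a text or numeric value as a SQL literal (single quotes doubled)."""
    if isinstance(value, bool) or not isinstance(value, (int, float, str)):
        raise ValueError("control fields are text or numeric")
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    return repr(value)

def render(node, fields, depth=1, seen=None):
    """node is ("and"|"or", [children]) or a condition (field, op, value)."""
    seen = [0] if seen is None else seen
    if len(node) == 2:  # relationship group
        joiner, children = node
        if joiner not in ("and", "or") or not children:
            raise ValueError("group must be and/or with at least one child")
        if depth > MAX_DEPTH:
            raise ValueError("more than 5 levels of relationships")
        parts = [render(c, fields, depth + 1, seen) for c in children]
        return "(" + f" {joiner.upper()} ".join(parts) + ")"
    field, op, value = node
    seen[0] += 1
    if seen[0] > MAX_CONDITIONS:
        raise ValueError("more than 20 conditions")
    if field not in fields:  # only declared control fields may appear
        raise ValueError(f"{field!r} is not a control field")
    if op in MULTI:
        if len(",".join(map(str, value))) > MAX_ENUM_CHARS:
            raise ValueError("enumeration exceeds 10,000 characters")
        return f"{field} {MULTI[op]} ({', '.join(lit(v) for v in value)})"
    if op not in SINGLE:
        raise ValueError(f"unsupported operator {op!r}")
    if op in ("like", "not like"):
        value = f"%{value}%"  # assumption: contains is a substring match
    return f"{field} {SINGLE[op]} {lit(value)}"

# Constructed sample: two control fields and one nested rule.
CONTROL_FIELDS = {"region", "dept_id"}
RULE = ("and", [("region", "in", ["east", "north"]),
                ("or", [("dept_id", "=", 42), ("region", "like", "o'hare")])])

if __name__ == "__main__":
    print(render(RULE, CONTROL_FIELDS))
```
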

Add associated tables

Click the +Add Associated Table button. In the Add Associated Table dialog box, configure the parameters and click OK.

Note
  • You can add up to 50 data tables.

  • Tables that have already been associated cannot be associated again. If a table's field has already been associated with one control field, it cannot be associated with another control field.

  • When the associated field of a data table is empty, it cannot be saved. You can use quick filtering to modify it and then save it.

You can search for the data tables that you want to associate. The system will match binding fields with the same name and data type as the control fields for you. You can modify these fields. If you need to add data tables in batches, you can click Batch Search And Add. In the Batch Search dialog box, enter the names of the tables that you want to add. The system will quickly search for related data tables. Multiple tables can be separated by line feeds, commas, or periods. You can enter up to 100 tables. Only exact searches are supported.

Associated table list

  • You can use fuzzy search to find associated tables by data table name, filter associated tables by control field, or quickly filter associated tables with Empty Associated Fields.

  • The system displays the filtered associated table information, including the associated table name, the board/project/data source to which it belongs, the associated field, and the control field. You can also perform the following operations on the filtered tables.

    Operation: Description

    Go To Asset: Click the Go To Asset icon to navigate to Administration > Asset Checklist to view more information on the details page of the table.

    Edit: Click the Edit icon to modify the associated fields.

    Delete: Click the Delete icon to delete all associated fields under the current table.

View affected tenant accounts

Click the View Affected Tenant Accounts button. In the Affected Tenant Accounts dialog box, configure the parameters and click OK.

Area: Description

Search: You can search for currently affected tenant accounts.

Affected tenant account list: The system displays information about the tenant account of the task's project, current permissions, and granted permissions. You can also view the affected downstream tables.

  • Tenant account of the task's project: The tenant account to which the downstream tasks of the added associated tables belong.

  • Current permissions: The row-level rules that the tenant account is authorized for in the current row-level permission.

  • Granted permissions: You can select all row-level rules in the current row-level permission.

  • View affected tasks: Click the View icon in the operation column to view the currently selected associated tables and downstream tables.

Authorization: You can batch add all row-level rules in the current row-level permission for tenant accounts. The permissions configured here will overwrite the permissions configured in Granted Permissions.

Manage row-level permissions

You can view the configured row-level permission rules, related tables, and other information in the row-level permission management list.

Area: Description

Filter and search: You can search by row-level permission name or filter by related table.

Description: You can view the introduction to row-level permission principles, including the legend pattern and SQL code.

Row-level permission list: The system displays information about the row-level permission name, control rules, associated tables, operator, and operation time. You can also view, edit, and delete permissions.

  • View control rules: Click the number of control rules or the view icon to view the rule information under that permission.

  • View associated tables: Click the number of associated tables or the view icon to view the associated table information under that permission.

  • View row-level permissions: You can view the configured permission information.

  • Edit: You cannot modify the field type. Control fields that have been referenced by rules or bound to associated tables cannot be deleted.

  • Delete: After deletion, data tables that referenced this permission will no longer be controlled by row-level permissions.