Cross-tenant publishing settings - Dataphin - Alibaba Cloud Documentation Center

Cross-tenant publishing settings allow you to configure the basic settings for cross-tenant deployment packages and the verification settings for the publishing flow. This topic describes how to configure these settings.

Prerequisites

Before you start cross-tenant publishing, a super administrator or system administrator must set the cross-tenant publishing user in the environment. For more information, see Add, configure, and manage Dataphin members.
Important
Grant both developer and O&M permissions to the cross-tenant publishing user.
In the source environment, use a system administrator account to start maintenance for cross-tenant publishing and enter maintenance mode. For more information, see Maintain/upgrade Dataphin.

Limits

Automatic permission granting supports only table-level permissions, not field-level permissions. If a published node lacks permissions for certain fields, the system grants table-level permissions to the tenant account during the publishing process.
Permissions that are granted automatically are not revoked if the publishing process for the node fails. To revoke these permissions, go to Management Center > Permission Management > Permission Management and manually revoke them.
When you publish label views and object tags across tenants, no permission verification prompt is displayed. This allows publishing to succeed even if the required permissions are missing. However, after publishing, instances of these views and tags will fail to run. You must manually request permissions for the required dependent objects.
When you publish label views and object tags across tenants, the permissions of the user performing the operation are not verified. Only the permissions of the cross-tenant publisher are required.

Permission description

Super administrators and system administrators can configure cross-tenant deployment package settings.

Notes

Cross-tenant publishing settings differ between the source and target environments. The source environment settings focus on the basic configuration of the deployment package, while the target environment settings focus on the verification settings for publishing.

In the source environment, you can set the retention period, publishing credentials, and external storage for deployment package files. These settings can be modified in the target environment. The publishing credentials must be the same in the source and target environments to export the deployment package files.
The configuration of feature permission verification, database permission verification, and flow settings in the target environment determines how the deployment package is verified.

Important

To improve publishing efficiency, you can ignore feature permission verification, personal permission verification, and automatic permission granting for the tenant account. To ensure security, be cautious when you grant the cross-tenant publishing user role.

Procedure

Log on to Dataphin as the cross-tenant publishing user.
On the Dataphin home page, in the top menu bar, choose Management Center > Migration.

On the Cross-tenant Publishing Settings page, configure the basic settings, feature permission verification, database permission verification, and flow settings for the deployment package.

Parameter	Description
Basic settings
Deployment Package Retention Period	To manage storage and computing costs, Dataphin lets you set a retention period for cross-tenant deployment packages. The default retention period is 180 days. After the retention period ends, the system automatically purges the deployment packages to release resources and improve resource utilization.
Cross-tenant Publishing Credentials	Cross-tenant publishing credentials are the security tokens for cross-tenant publishing. You can import deployment packages only when the credentials in the source and target environments are the same. After you generate the tenant publishing credentials, copy the credentials from the source environment to the target environment to ensure they are the same.
Allow Download Of Deployment Packages	Yes: Default. After you export a deployment package, you can download it to your local computer through a browser. No: After you export a deployment package, you cannot download it to your local computer through a browser. Note Disallowing downloads reduces the risk of file leaks.
External storage settings for deployment packages
OSS Storage	By default, OSS Storage is disabled. If you enable it, configure the external Object Storage Service (OSS) storage information for the deployment packages. Use OSS as an intermediary for deployment packages between the source and target environments to prevent path inconsistencies between download and upload. When you export a deployment package, it can be automatically exported to OSS. In the target environment, configure the same OSS storage address to import the deployment package from OSS.
Display Name	The default value is OSS. You can enter up to 128 characters. All character types are supported, including spaces and special characters.
Endpoint	The endpoint of the region where the OSS bucket is located. OSS endpoints are region-specific. You must specify different domain names to access different regions. For more information, see Endpoints.
Bucket	The information about the bucket in the region where OSS is located. A bucket is a container that stores objects. You can obtain the bucket information on the Bucket List page.
CNAME (Optional)	The custom domain name for OSS.
AccessKey ID, AccessKey Secret	The AccessKey ID and AccessKey secret of the OSS account. For more information about how to obtain them, see Create an AccessKey.
Path (Optional)	The storage path for the deployment packages in OSS. Note If you leave this empty, the root directory of the bucket is used. If the directory does not exist, it is automatically created when you import a file.
Feature permission verification
Publishing Verification	Verifies the operator's permissions, such as add, edit, and delete permissions, during cross-tenant publishing. You can select Verify Operator Permissions or Ignore Permission Verification. Verify Operator Permissions: During the import of a deployment object, the operator's permissions in the current environment are verified. If the permissions are insufficient, the publishing is blocked. Note The operator must have both cross-tenant publishing user permissions and the permissions required for publishing and operations within the tenant. Ignore Permission Verification: During the import of a deployment object, the operator's permissions are ignored. Note The operator needs only the cross-tenant publishing user permissions.
Database permission verification - Development
Dev-Prod Development Project	Verifies the personal permissions when a Dev-Prod development project is submitted for cross-tenant publishing. You can select Ignore Personal Permissions Upon Submission or Verify Personal Permissions. Ignore Personal Permissions Upon Submission: When a Dev-Prod node is submitted, the system does not verify whether the operator has permissions on the data tables of the development project in the current environment. Verify Personal Permissions: When a Dev-Prod node is submitted, the system verifies whether the operator has permissions on the data tables of the development project in the current environment.
Production Project Permissions	Verifies the publishing permissions for a production project during cross-tenant publishing. You can select Verify Tenant Account Permissions or Grant Permissions Automatically. Verify Tenant Account Permissions: When a production node is published, the system verifies whether the tenant account has permissions on the production project in the current environment. Grant Permissions Automatically: When a production node is published, if the tenant account does not have the required permissions on the production project, the system automatically grants the permissions to the tenant account.
Flow settings - Architecture
Business Object Publishing Approval	For the publishing approval of business objects during cross-tenant publishing, you can select Ignore Approval And Publish Directly.
Flow settings - Development
Publish Approval	For the publishing approval of compute nodes, integration nodes, and table-related nodes during cross-tenant publishing, you can select Ignore Approval And Publish Directly.
Code Review	For the review of script nodes during cross-tenant publishing, you can select Ignore Approval And Publish Directly.
Flow settings - Standard Important You must enable the Data Standard feature.
New Data Standard Set Approval	When a new data standard set is published to the current environment, if approval is enabled in the data standard set configuration, the system uses the standard review system template for approval. You can click the blue text View Approval Template Details to view the details. If the information of the data standard set changes, the approval is subject to the approval template settings of the current environment.
Data Standard Publishing Approval	The approval policy for submitting a data standard for publishing or unpublishing in the current environment during cross-tenant publishing. You can select Ignore Approval or Follow Data Standard Set Configuration. Ignore Approval: When you publish or unpublish in the current environment, the approval is ignored and the submission is processed directly. Follow Data Standard Set Configuration: When you submit for publishing or unpublishing in the current environment, the system uses the approval settings of the data standard set to which the data standard belongs in the current environment.

Click Save to complete the cross-tenant publishing settings.
Note
To reset the configuration page, click Cancel.