Data service permission management - Dataphin - Alibaba Cloud Documentation Center

This topic explains how to grant and revoke permissions for applications, APIs, and service units.

Permission revocation description

The super administrator's permissions cannot be revoked.

Data service permission entry

From the Dataphin home page's top menu bar, select Management Hub > Permission Management.
In the navigation pane on the left, choose Permission Management > Data Service Permission.

Grant and revoke permissions

Note

In Dataphin V5.3 and later, applications no longer belong to service projects and can call APIs from any project. Therefore, this document is for reference only for users of earlier versions.

Application permissions

Application permission grant

On the application permissions page, click the Actions column of the target application and select Grant.

In the Application Grant dialog box, set the parameters.

Parameter	Description
Account Type	Only User Account is supported.
Permission Account	Select the permission account.
Validity Period	Select the validity period.
Permission Type	Only Usage Permission is supported.
Reason For Grant	Enter the reason for the grant. The maximum length is 128 characters.

Click Submit to finalize granting the application permission.

Application permission revocation

On the application permissions page, click the Actions column of the target application and select Revoke.
In the Application Grant Revocation dialog box, set the parameters.
Parameter
Description
Account Type
Only User Account is supported.
Permission Account
Select the permission account.
Reason For Revocation
Enter the reason for revocation. Not exceeding 128 characters.
Click Submit to finalize revoking the application permission.

API permissions

API permission grant

On the API permissions page, click the Actions column of the target API and select Grant.

On the API Grant page, set the parameters.

Parameter		Description
API Grant Information	Account Type	Only application authorization is supported.
	API Runtime Environment	Select the runtime environment of the API. Development Environment and Production Environment are supported. Multiple selections are allowed. Note The API runs according to the selected runtime environment. When the API runtime environment is set to the development environment, the API runs based on the configuration submitted to the development environment. When the API runtime environment is set to the production environment, the API runs based on the configuration published to the production environment.
	Application	Select the applications to which you want to grant permissions. You can select multiple applications.
Permission Field List		Optional fields will be selected based on the API runtime environment, either the production environment or the development environment. If the API is associated with row-level permissions, the system will identify it as Row-level Permission Active. You can click the View Row-level Permission button to view the row-level permission information for the corresponding environment in the View Row-level Permission panel. Note When the API selects the development environment and is in Basic mode, the data environment accessed is the production data environment. Please operate with caution. When the API runtime environment is the production environment, you can select the return parameters of the current API online version. When the API runtime environment is the development environment, you can select the return parameters of the latest version of the API in the development environment. When an application requests proxy mode permission to call an API, the system will return data based on the row-level permissions of the proxied user. If the application does not have proxy mode permissions, data will be returned based on the application's row-level permissions. If the API operation type is Create, Update, or Delete, data is accessed based on the API runtime environment, and you do not need to select fields.
Permission Configuration	Permission Type	The system defaults to Usage Permission and does not support modification. When the account type is set to application, Proxy Permission can be selected. Usage Permission: If the API operation type is Create, Update, or Delete, you can only request usage permission. Proxy Permission: This permission takes effect if an API has row-level permissions enabled and proxy mode is activated. To activate proxy mode, configure the row-level permission parameter values in the common parameter list on the call page of DataService Studio > Application Management > Authorized API Services. To call an API that is associated with row-level permissions, you must request proxy permissions.
	Validity Period	You can select 30 Days, 90 Days, 180 Days, or Long-term. You can also select Custom and specify an end date.
	Reason For Grant	Enter the reason for the grant for the approver to view the approval reason, not exceeding 128 characters.

Click OK to finalize granting the API permission.

API permission revocation

On the API permissions page, click the Actions column of the target API and select Revoke.

In the API Permission Revocation dialog box, set the parameters.

Parameter	Description
Account Type	Support revoking Application or User Account permissions.
Permission Account	Configuration is required when the account type is a personal account. Select the personal account whose permissions need to be revoked.
Runtime Environment	Configuration is required when the permission account is an application. Support selecting Production Environment or Development Environment.
Permission Type	Select the permission type to be revoked. When the account type is an application, both usage permission and proxy permission can be revoked. When usage permission is selected for revocation, proxy permission will also be revoked and cannot be modified. When the account type is a personal account, usage permission can be revoked.
Application	This parameter is required if you set Account Type to Application. Select the application whose permissions you want to revoke from the application group.
Reason For Revocation	Enter the reason for revocation. Not exceeding 128 characters.

Click Submit to finalize revoking the API permission.

Service unit

Service unit permission grant

On the service unit permissions page, click the Actions column of the target service unit and select Grant.

In the Service Unit Grant dialog box, set the parameters.

Parameter	Description
Account Type	Only User Account is supported.
Permission Account	Select the permission account.
Validity Period	Select the validity period.
Permission Type	Support selecting Usage Permission and Development Permission.
Reason For Grant	Enter the reason for the grant. Not exceeding 128 characters.

Click Submit to finalize granting the service unit permission.

Service unit permission revocation

On the service unit permissions page, click the Actions column of the target service unit and select Revoke.
In the Service Unit Permission Revocation dialog box, set the parameters.
Parameter
Description
Account Type
Only User Account is supported.
Permission Account
Select the permission account.
Reason For Revocation
Enter the reason for revocation. Not exceeding 128 characters.
Click Submit to finalize revoking the service unit permission.