Security settings protect data from unauthorized access, damage, or disclosure. Use fine-grained controls over data security and access to safeguard your data.
Prerequisites
You must purchase the Intelligent R&D Edition or Basic R&D Edition to use the Security Settings feature.
Permissions
Super administrators, system administrators, and custom global roles with the Security Settings-Manage permission can configure security settings.
Strict Permission Mode
Background information
The Dataphin Management Hub supports project-level security mode configuration. Without this setting, the following security issues may occur:
Users can perform cross-project DDL operations without the knowledge of project administrators.
Note: For details about DDL statements, see DDL statements.
Within the same project, users can directly modify production (Prod) environment data from the development (Dev) environment, risking data leakage or unintended changes.
The following table uses the developer role as an example to show how enabling or disabling security modes affects project permissions.
| Operation | Default (no security modes enabled) | Cross-Project Security Mode (enabled) | Production Data Security Mode (enabled) |
| --- | --- | --- | --- |
| All table operations in the current project’s Dev environment | Supported | - | - |
| All table operations in the current project’s Prod environment | Supported | - | Not supported |
| Cross-project queries | Supported | - | - |
| Cross-project DDL | Supported | Not supported | - |
Important: Enabling security modes increases data protection but may reduce system performance. Set these modes based on your business needs.
Note: A hyphen (-) in the table indicates that the operation is not governed by Cross-Project Security Mode or Production Data Security Mode.
Default configuration for strict permission mode
In the top menu bar on the Dataphin homepage, choose Management Hub > Specification Settings.
In the navigation pane on the left, choose Data Access > Security Settings to open the Security Settings page.
On the Security Settings page, click the Strict Permission Mode tab. In the Default Configuration area, enable or disable Cross-Project Security Mode and Production Data Security Mode.
| Strict Permission Mode | Description |
| --- | --- |
| Cross-Project Security Mode | Disabled: Allows cross-project DDL tasks if you have permission to operate on the target object. Enabled: Blocks cross-project execution and submission of DDL tasks (such as creating, dropping, or altering tables). |
| Production Data Security Mode | Disabled: Allows modifying Prod environment data from the Dev environment. Enabled: Prevents modifications to Prod environment data (including table creation, deletion, and updates) from the Dev environment. Note: After enabling this mode, you must use the publishing process to modify Prod environment data. For more information, see Publishing Center. |
Project-level configuration for strict permission mode
Projects without individual configuration follow the default configuration.
Each project can be configured for security mode only once.
On the Strict Permission Mode tab, click the Add Security Mode Configuration button.
In the Add Security Mode Configuration dialog box, select the projects to which you want to apply strict permission mode.
| Parameter | Description |
| --- | --- |
| Project | Select one or more projects to configure security mode for. |
| Cross-Project Security Mode | Enabled: Blocks DDL operations (create, drop, alter) on the selected project from any other project. Disabled: Allows accounts with proper permissions to perform cross-project DDL operations. |
| Production Data Security Mode | Enabled: Blocks DDL operations (create, drop, alter) on the Prod environment of the selected project from any other project. Disabled: Allows authorized accounts to perform DDL operations on data in the project’s production environment. Note: After enabling this mode, you must use the publishing process to modify Prod environment data. For more information, see Publishing Center. |
Click OK to complete the project-level strict permission mode configuration.
Project configuration list
View each project’s name and the status of Cross-Project Security Mode and Production Data Security Mode in the project configuration list.
(Optional) Search for a specific project by name.
Perform the following actions on a target project.
| Action | Description |
| --- | --- |
| View security mode details | Click the icon next to Cross-Project Security Mode or Production Data Security Mode, then click View Diagram to learn how these modes control access. |
| Edit | Add or remove projects, or change the status of Cross-Project Security Mode and Production Data Security Mode. |
| Delete | Deleting a project’s security mode configuration cannot be undone. Proceed with caution. |
SPARK Batch tasks (Spark Jar, PySpark)
Limits
When using Spark on MaxCompute tasks, authenticate access to logical tables for read, write, and other permissions.
Different compute engines support different versions of Spark on MaxCompute tasks. Spark on MaxCompute tasks in the MaxCompute engine use Spark V2.4.5. The version for Spark on MaxCompute tasks in the Hadoop engine is TBD.
You can enable authentication mode for Spark on MaxCompute tasks under the MaxCompute engine. You cannot enable authentication mode for Spark on MaxCompute tasks under the Hadoop engine, except for Inceptor.
This task type is supported when the compute engine is MaxCompute, EMR 3.x, EMR 5.x, CDH 5.x, CDH 6.x, FusionInsight 8.x, Cloudera Data Platform 7.x, Asiainfo DP 5.3, or Amazon EMR.
Procedure
In the top menu bar on the Dataphin homepage, choose Management Hub > Specification Settings.
In the navigation pane on the left, choose Data Access > Security Settings to open the Security Settings page.
On the Security Settings page, click the SPARK Batch tasks (Spark Jar, PySpark) tab to enable or disable SPARK Batch tasks (Spark Jar, PySpark) and authentication mode.
| SPARK Batch tasks (Spark Jar, PySpark) | Description |
| --- | --- |
| SPARK Batch tasks (Spark Jar, PySpark) | Disabled: You can still edit, delete, execute, submit, and publish existing SPARK Batch tasks (Spark Jar, PySpark). Enabled: You can create new SPARK Batch tasks (Spark Jar, PySpark). |
| Authentication mode | Disabled: Requires the OpenAPI feature module to be enabled first. Enabled: After enabling authentication, SPARK Batch tasks (Spark Jar, PySpark) undergo permission verification for data access. Tasks without proper permissions will fail. Note: When enabled, you can access logical tables using logical projects and business units. |
Click OK to complete the configuration.
Function authentication configuration
By default, offline functions in all projects can be called using the format project_name.function_name. For projects with function authentication enabled, you must request permission to use their functions.
Background information
Functions created in a project can be called across projects, posing a significant data security risk. Control cross-project function calls to improve data security.
In the top menu bar on the Dataphin homepage, choose Management Hub > Specification Settings.
In the navigation pane on the left, choose Data Access > Security Settings to open the Security Settings page.
On the Security Settings page, click the Function Authentication Settings tab, then click the Add Project button.
In the Add Project dialog box, configure the parameters.
Project: Add the project that owns the functions.
Important: If production tasks call functions from the selected project, this action may cause those tasks to fail. Proceed with caution.
Click OK to complete the addition.
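Before adding a project, it helps to know which tasks call its functions from another project, since those are the tasks the warning above concerns. The following is an added example, not Dataphin tooling or code from this documentation: it scans task SQL for calls in the project_name.function_name format. The function names, the task dictionary, and the SQL text are constructed for illustration, and it assumes you can obtain each task's SQL and owning project.

```python
import re

# project_name.function_name( : the call format the page describes.
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\s*\(")
# String literals and comments, matched in one pass so "--" inside a string is safe.
NOISE_RE = re.compile(r"'(?:[^'\\]|\\.)*'|--[^\n]*|/\*.*?\*/", re.S)
# After these keywords, "name.name (" is a table reference, not a function call.
TABLE_CONTEXT = {"into", "table", "from", "join", "update"}

def strip_noise(sql):
    """Blank out string literals and drop comments so they cannot match."""
    return NOISE_RE.sub(lambda m: "''" if m.group().startswith("'") else " ", sql)

def cross_project_calls(sql, own_project, protected):
    """Return {(project, function)} for calls into protected projects."""
    # Assumption: calls to functions in the task's own project are unaffected.
    clean = strip_noise(sql)
    hits = set()
    for m in CALL_RE.finditer(clean):
        project, func = m.group(1).lower(), m.group(2).lower()
        before = clean[:m.start()].split()
        if before and before[-1].lower() in TABLE_CONTEXT:
            continue  # e.g. INSERT INTO proj.tbl (col, ...)
        if project in protected and project != own_project.lower():
            hits.add((project, func))
    return hits

def affected_tasks(tasks, protected):
    """Map task name -> sorted calls that would start requiring permission."""
    protected = {p.lower() for p in protected}
    report = {}
    for name, (project, sql) in tasks.items():
        calls = cross_project_calls(sql, project, protected)
        if calls:
            report[name] = sorted(calls)
    return report

# Constructed sample: task name -> (owning project, SQL text).
TASKS = {
    "daily_orders": ("sales", "INSERT INTO sales.orders_clean (id, amt)\n"
                              "SELECT id, risk.mask_amount(amt) FROM sales.orders;"),
    "risk_report": ("risk", "SELECT risk.mask_amount(amt) FROM risk.txn;"),
    "audit_note": ("ops", "-- uses risk.score(x)\nSELECT 'risk.score(1)' AS s;"),
}

if __name__ == "__main__":
    print(affected_tasks(TASKS, ["risk"]))
```

Tasks listed in the result need function permissions requested before the project is added; an empty result means no scanned task calls into that project from outside it.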
Project settings list
View the name, environment, and description of added projects.
Search by project name keyword.
Perform the following action on a target project.
Delete: Click the Delete icon in the Actions column for the target project. After deletion, cross-project calls to functions in this project will no longer undergo authentication.
Permission settings
Control whether project administrators and business unit architects can create new data sources to strengthen centralized permission management.
In the top menu bar on the Dataphin homepage, choose Management Hub > Specification Settings.
In the navigation pane on the left, choose Data Access > Security Settings to open the Security Settings page.
On the Security Settings page, click the Permission Settings tab. Choose whether to allow project administrators or business unit architects to create new data sources.
Allow project administrators/business unit architects to create data sources: Select Yes to let project administrators and business unit architects in Basic and Prod modes create data sources. Select No to block this capability; this setting also affects the permission prompts shown during data source creation.
Click OK to complete the configuration.