Dataphin: Roles and permissions

Last Updated: Jan 21, 2025

Dataphin, a core service for data mid-end construction and digital transformation, features a comprehensive permission management system to ensure data security. This topic outlines the Dataphin permission system, including its users, roles, and permissions.

Concepts

| Concept | Description |
| --- | --- |
| Permission | The right to access or manage Dataphin resources, including the use of specific features and the ability to view or modify data. |
| User | An individual added and managed within Dataphin. |
| Role | A set of permissions that can be assigned to a user, streamlining the process of granting and managing permissions. |
| Resource | A data object managed within Dataphin, encompassing both feature-related and data resources. |
| Personal account | An account associated with a Dataphin project. |
| Production account | A system-generated account corresponding to each project created, such as development, production, or Basic projects. It enables the creation and management of various tasks and instances within the production environment. |

Permission system

Dataphin's permission system allows for the management of permissions based on the data object being accessed or operated upon. Permissions are categorized as global, business unit, project, and resource owner permissions. For details, refer to the table below.

| Permission Type | Permission Description |
| --- | --- |
| Global Permissions | Permissions related to Dataphin's global features, including the ability to configure computing resources and manage team members. The specific permissions depend on the role. For more information about the roles that have global permissions (global roles), see Users and roles. For information about how to obtain the corresponding roles, see Add Dataphin members. |
| Business Unit Permissions | Permissions required to manage business unit information, encompassing updates to basic details, business data, and unit administration. The specific permissions depend on the role. For more information about the roles that have business unit permissions (business unit roles), see Users and roles. For information about how to obtain the corresponding roles, see Create data business unit. |
| Project Permissions | Permissions for managing resources and members within a project, including the creation of code and synchronization tasks. The specific permissions depend on the role. For more information about the roles that have project permissions (project roles), see Users and roles. For information about how to obtain the corresponding roles, see Add project members. |
| Owner Permissions | Permissions associated with resources you own. |

Once a RAM user is assigned a specific role, they acquire the role's associated permissions. To apply for permissions on a particular resource, see Permission application and approval.

Users and roles

User

Role Assignment in Dataphin

Role Permissions

Super administrator account

By default, the Alibaba Cloud account acts as the super administrator within Dataphin, encompassing all global role permissions.

Depending on your business needs, you may remove certain global roles. For additional details, see Add Dataphin members.

Typically, the Alibaba Cloud account with full Dataphin permissions is used by enterprise managers. It is recommended that developers, O&M engineers, and analysts access Dataphin as RAM users rather than using the Alibaba Cloud account.

Standard account

A RAM user is a sub-account under an Alibaba Cloud account. Synchronize RAM users to Dataphin, add them as project members, and assign roles based on business needs for fine-grained permission management. RAM users can be assigned the following roles for different levels of access control:

  • Roles with global permissions include Super Administrator, System Administrator, Data Source Administrator, Security Administrator, and Asset Quality Owner.

    • Super Administrator

    • System Administrator

    • Data Source Administrator

    • Security Administrator

    • Data Quality Owner

  • Roles with business unit permissions include Business Unit Architect, Business Owner, and Data Owner.

    • Business Unit Architect

    • Business Owner

    • Data Owner

  • Roles with project permissions include Project Administrator, Business Unit Administrator, Developer, O&M, Analyst, and Visitor.

    • Project Administrator

    • Business Unit Administrator

    • Developer

    • Operations & Maintenance Personnel

    • Analyst

    • Visitor

For more information about role permissions, see Users and roles.

Account login instructions

To access the Dataphin system page, log in with a RAM account if utilizing the Alibaba Cloud account system. For those using an enterprise account system, sign in with an SSO account. Alternatively, a built-in Dataphin account is available for users without an account system.

Permissions of each role

| Permission Type | Role Type | Permission Overview |
| --- | --- | --- |
| Global Role | Super Administrator | The Alibaba Cloud account by default has super administrator privileges in Dataphin, encompassing all global role permissions. |
| Global Role | System Administrator | Possesses the same permissions as the super administrator and acts as a substitute for the super administrator. |
| Global Role | Data Source Administrator | Authorized to add and modify all data sources within Dataphin. |
| Global Role | Security Administrator | Holds comprehensive permissions for the Security module of Data Assets, including creating and modifying security policies and conducting security audits. Note: For security reasons, the super administrator and system administrators are not permitted to modify security policies. |
| Global Role | Asset Quality Owner | Granted permissions to establish quality rules for resources such as tables and data sources, and to view data quality reports. |
| Business Unit Role | Business Unit Architect | Empowered to manage settings for a business unit, including updating basic and business information. |
| Business Unit Role | Business Owner | Does not hold substantial operational permissions but is responsible for the stability of business data usage within the business unit. |
| Business Unit Role | Data Owner | Lacks substantial operational permissions but is accountable for the quality of data production in the business unit. |
| Project Role | Project Administrator | Authorized to oversee a project's resources and members, including adding computing engines and data sources. However, this role does not include permissions to create business units. |
| Project Role | Developer | Permitted to develop data within a project, such as creating pipeline tasks, standardizing data, and generating code tasks. |
| Project Role | O&M | Holds permissions related to data operations and management within a project, including task management, instance handling, and monitoring alerts. |
| Project Role | Analyst | Granted permissions to execute ad hoc query tasks within a project. |
| Project Role | Visitor | Allowed to view project tasks. |

For more information about role permissions, see Built-in roles and permissions list.

Project permissions

Beyond the general role permissions, users have distinct operational permissions in Dev, Prod, and Basic projects.

Environment

Details

Dev

  • Account for permission verification

    Dataphin checks your personal account's permissions to carry out specific operations within the development environment. For instance, when Zhang submits a task to query a table using a personal account, Dataphin verifies if the account is authorized to query that table.

  • Reason for permission verification

    • Upon submitting a data object to the Publish module in the development environment, Dataphin confirms whether your personal account has the necessary permissions for the data object in question.

      • If permissions are verified successfully, the data object is listed on the Objects to Publish page within the Publish module, awaiting deployment to the production environment.

      • Should the verification fail, a prompt will appear advising you to request the necessary permissions for the data object. For guidance on permission requests, see Permission application.

    • Dataphin also conducts permission checks on resources involved in tasks executed within the development environment. For example, when running data processing or ad hoc query tasks, it verifies if your personal account is permitted to use the associated resources.

      • Successful permission verification allows the code to run and schedules recurring tasks in development according to the scheduling policy.

      • In case of verification failure, you will be prompted to apply for the necessary resource permissions. For details on how to apply, refer to Permission application.

Prod

  • Account for Permission Verification

    In the production environment, Dataphin verifies the permissions of the system account within a project. For instance, when the system account executes query operations on a specific table, Dataphin ensures it has the necessary permissions.

  • Reason for Permission Verification

    • Upon submitting a data object in the Publish module for production, Dataphin checks if the system account possesses the requisite permissions for the data object.

      • Successful permission verification allows the data object to be published to the production environment.

      • A failed verification prevents the data object's publication and prompts a message to apply for the necessary system account permissions. For details on permission application, see Permission application.

    • Dataphin also conducts permission verification for resources involved in tasks run within the production environment.

Basic

  • Permission Verification Account

    In Basic mode, Dataphin checks the permissions of a system account within a project. For instance, when the system account executes query operations on a table, Dataphin verifies that it has the necessary permissions.

  • Purpose of Permission Verification

    Dataphin conducts permission checks on the resources used during task execution in the production environment.

Permission application and approval

| Operator | Permission Process | Description |
| --- | --- | --- |
| Dataphin Member | Permission Application | To obtain the necessary permissions for specific resource operations, such as querying a table, you can submit a permission request. For details on how to apply, refer to Permission application. |
| Dataphin Member | Permission Release | To adhere to the principle of least privilege, you can revoke permissions that are no longer necessary. For guidance on revoking permissions, see Permission application. |
| Project Administrator | Permission Approval | Upon receiving a permission application ticket, the project administrator can review and decide on the request. The administrator's options include approving, rejecting, or transferring the ticket, as well as adding another approver. For guidance on processing approval requests, see Process pending tasks. |
| Project Administrator | Grant Permissions | As a project administrator, you can assign multiple permissions to a single user or to numerous users, depending on your business needs. For details on how to grant permissions to users, refer to Permission Management. |
| Project Administrator | Revoke Permissions | As a project administrator, you can revoke permissions from multiple users to align with your business needs. For detailed instructions on permission revocation, see Permission Management. |
| Dataphin | Permission Revocation upon Expiration | Should your personal account permissions expire, Dataphin will automatically revoke them. To learn about the remaining validity period of your permissions and the revocation process, see Permission application. |
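
The account-selection rule from the Project permissions section, combined with the expiry rule above, can be modelled as follows. This is an added example, not Dataphin code or a Dataphin API: the Grant record, the function names, the account name proj_prod_account and the table names are hypothetical, and expiry is applied to every grant as a simplification.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Grant:
    account: str    # personal account or project production account
    resource: str   # e.g. a table
    action: str     # e.g. "query"
    expires: date   # last day the grant is valid

def account_checked(env, personal, production):
    """Dev verifies the personal account; Prod and Basic verify the
    project's system (production) account."""
    if env == "Dev":
        return personal
    if env in ("Prod", "Basic"):
        return production
    raise ValueError(f"unknown environment: {env}")

def missing_permissions(grants, account, needs, today):
    """Return the (resource, action) pairs the account lacks today.
    Expired grants count as revoked (applied to all accounts here)."""
    live = {(g.resource, g.action) for g in grants
            if g.account == account and g.expires >= today}
    return [n for n in needs if n not in live]

def publish(grants, personal, production, needs, today):
    """Model the two gates: submit in Dev, then publish to Prod."""
    for env, stage in (("Dev", "blocked_in_dev"), ("Prod", "blocked_at_publish")):
        account = account_checked(env, personal, production)
        gaps = missing_permissions(grants, account, needs, today)
        if gaps:
            return (stage, account, gaps)  # account that must request access
    return ("published", production, [])

# Constructed sample data: hypothetical account and table names.
TODAY = date(2025, 1, 21)
GRANTS = [
    Grant("zhang", "sales.orders", "query", date(2025, 6, 30)),
    Grant("zhang", "sales.refunds", "query", date(2025, 1, 1)),  # expired
    Grant("proj_prod_account", "sales.refunds", "query", date(2025, 12, 31)),
]

if __name__ == "__main__":
    for needs in ([("sales.orders", "query")], [("sales.refunds", "query")]):
        print(needs, "->", publish(GRANTS, "zhang", "proj_prod_account", needs, TODAY))
```

The first case passes the Dev gate but stops at publish, because a grant held by the personal account does not carry over to the production account.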