Dataphin: User roles and permissions

Last Updated: Jun 23, 2026

Dataphin provides a comprehensive permission system to help you build a secure permission framework and protect your data. This topic describes users, roles, and permissions in Dataphin.

Related concepts

| Concept | Description |
| --- | --- |
| Permission | Permissions to access and operate Dataphin resources. This includes feature permissions and permissions to view and operate data. |
| User | A member added to the Dataphin member list. |
| Role | A collection of permissions. Roles can be granted directly to users for easy use and management. |
| Resource | An object in Dataphin. Resources include feature resources and data resources. |
| Personal account | A concept within a project. It usually refers to a user account that has been added to a project. |
| Tenant account | When you create a development environment project, a production environment project, or a Basic project, the system automatically creates a tenant account that corresponds to the project. The tenant account is used to operate one-time tasks, auto triggered tasks, real-time tasks, one-time instances, recurring instances, data backfill instances, or real-time instances in the production environment. |

Permission system

The Dataphin permission system organizes permissions into scopes based on operation objects: global, domain, project, and owner permissions.

| Permission type | Permissions |
| --- | --- |
| Global permission | Permissions to operate certain global features in Dataphin, such as computing settings and adding members. The specific permissions depend on the role. For more information about the roles included in global permissions (global roles), see Users and roles. For more information about how to obtain the corresponding roles, see Add Dataphin members. |
| Domain permission | Permissions to configure domain information, including updating basic information, updating business information, and managing units. The specific permissions depend on the role. For more information about the roles included in domain permissions (domain roles), see Users and roles. For more information about how to obtain the corresponding roles, see Create a data domain. |
| Project permission | Permissions to manage resources and members within a project, such as creating code nodes and creating integration nodes. The specific permissions depend on the role. For more information about the roles included in project permissions (project roles), see Users and roles. For more information about how to obtain the corresponding roles, see Add project members. |
| Owner permissions | The owner of a resource has all operation permissions on that resource. |

When you are assigned a role, you inherit the permissions of that role. To request permissions for a specific resource, see Request and approval.

Users and roles

User

Role description in Dataphin

Permission description

Super administrator account

The root Alibaba Cloud account. By default, this account is the super administrator in Dataphin and has all global role permissions.

You can remove some global roles as needed. For more information, see Add Dataphin members.

Typically, enterprise managers use an Alibaba Cloud account. Because it has a broad permission scope, this account is not recommended for employees in roles such as developer, O&M, or analyst.

Standard account

A RAM user is a sub-account under an Alibaba Cloud account. You can sync RAM users to Dataphin, add them as project members, and grant them different roles for fine-grained permission management.

You can grant the following roles to RAM users:

  • Global roles:

    • Super administrator

    • System administrator

    • Data source administrator

    • Security administrator

    • Quality administrator

  • Domain roles:

    • Domain architect

    • Business owner

    • Data owner

  • Project roles:

    • Project administrator

    • Moderator

    • Developer

    • O&M

    • Analyst

    • Visitor

For more information about the permissions for each role, see Users and roles.

Logon information

If you use the Alibaba Cloud account system, log on to the Dataphin console with a RAM user. If you use your own enterprise account system, log on to the Dataphin console with an SSO account. If you do not have an account system, you can also log on to the Dataphin console with a built-in Dataphin account.

Role permission overview

| Permission type | Role type | Permission overview |
| --- | --- | --- |
| Global role | Super administrator | The root Alibaba Cloud account. By default, it becomes the super administrator in Dataphin and has the permissions of all global roles. |
| Global role | System administrator | Has all the permissions of a super administrator and acts as a proxy for the super administrator. |
| Global role | Data source administrator | Has permissions to create data sources and edit all data sources. |
| Global role | Security administrator | Has the highest permissions on the Asset Security module, including permissions to create and modify security policies and to perform security audits. Note: Due to the sensitivity of data security, super administrators and system administrators cannot modify security policies. |
| Global role | Quality administrator | Has permissions to create quality rules for resources such as data tables and data sources, and to view generated data quality reports. |
| Domain role | Domain architect | Has permissions to configure business domain information, including updating basic information and business information. |
| Domain role | Business owner | Currently has no substantive operation permissions. This role is responsible for the stability of business data usage in the business domain. |
| Domain role | Data owner | Currently has no substantive operation permissions. This role is responsible for the data production quality in the domain. |
| Project role | Project administrator | Has permissions to manage projects and the resources and members within them, including creating compute engines and data sources. Does not have permission to create business domains. |
| Project role | Developer | Has data development permissions within the project. This includes creating pipeline nodes, standard modeling, and creating code nodes. |
| Project role | O&M | Has data administration and management permissions within the project. This includes node O&M, instance O&M, and monitoring and alerts. |
| Project role | Analyst | Has operation permissions for ad hoc queries in the project. |
| Project role | Visitor | Can view tasks in the project. |

For more information about role permissions, see Built-in roles and permissions list.

Project permissions

In addition to the general role permissions, user operation permissions differ among Dev, Prod, and Basic projects.

Environment

Details

Dev

  • Authentication account

    The development environment authenticates the permissions of a personal account. It checks whether the personal account that submits a node (for example, Zhang) has the operation permission (for example, query) on the current resource (for example, a data table).

  • Reason for authentication

    • When an object in the development environment is submitted to the release center, Dataphin checks whether the personal account that submits the object has the operation permissions on the object to be submitted.

      • If the authentication is successful, the object is added to the list of objects to be published to the production environment.

      • If the authentication fails, Dataphin prompts you to request the operation permissions for the object. For more information about how to request permissions, see Request Permissions.

    • When a node is executed in the development environment, Dataphin authenticates the resources involved in the node. When a data processing node or an ad hoc query is executed, Dataphin checks the permissions of the personal account that submitted the node on the data to be operated on.

      • If the authentication is successful, the code can be executed, and the auto triggered task in the development environment is scheduled.

      • If the authentication fails, Dataphin prompts you to request the operation permissions for the resource. For more information about how to request permissions, see Request Permissions.

Prod

  • Authentication account

    The production environment authenticates the tenant account of the production environment project. It checks whether the tenant account of the production environment project (for example, demo_online) has the operation permission (for example, query) on the current resource (for example, a data table).

  • Reason for authentication

    • When an object is published from the release center to the production environment, Dataphin checks whether the tenant account of the production environment has permissions on the data to be operated on.

      • If the authentication is successful, the object is published to the production project and takes effect.

      • If the authentication fails, the publish operation fails. Dataphin then prompts you to request permissions for the tenant account of the production project. For more information about how to request permissions, see Request Permissions.

    • When a node is executed in the production environment, Dataphin authenticates the resources involved in the node.

Basic

  • Authentication account

    The production environment authenticates the tenant account of the Basic project. It checks whether the tenant account of the Basic project has the operation permission (for example, query) on the current resource (for example, a data table).

  • Reason for authentication

    When a node is executed in the production environment, Dataphin authenticates the resources involved in the node.
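The Dev and Prod rows above check different accounts, so a node that runs for its developer can still be refused at publish time. The following is an added illustration, not Dataphin code or a Dataphin API: a small model of the two gates that reports which account is missing which grant. The project name `demo_dev`, the table names, and the grant set are constructed; `demo_online` and `zhang` follow the examples in the text.

```python
from dataclasses import dataclass

# Constructed sample grants: (account, resource, operation). Not real Dataphin data.
GRANTS = {
    ("zhang", "dwd_orders", "query"),
    ("zhang", "dim_customer", "query"),
    ("demo_online", "dwd_orders", "query"),
}

@dataclass(frozen=True)
class Project:
    name: str
    env: str             # "dev", "prod" or "basic"
    tenant_account: str  # created automatically together with the project

def auth_principal(project, personal_account):
    """Account whose grants are checked: personal in Dev, tenant in Prod/Basic."""
    return personal_account if project.env == "dev" else project.tenant_account

def missing_grants(project, personal_account, needs, grants=GRANTS):
    """Return the (account, resource, operation) tuples the checked account lacks."""
    who = auth_principal(project, personal_account)
    return [(who, res, op) for res, op in needs if (who, res, op) not in grants]

def release_check(dev, prod, submitter, needs, grants=GRANTS):
    """Model the two gates: submit from Dev, then publish to Prod."""
    submit_gaps = missing_grants(dev, submitter, needs, grants)
    if submit_gaps:
        return "submit_denied", submit_gaps    # personal account must request access
    publish_gaps = missing_grants(prod, submitter, needs, grants)
    if publish_gaps:
        return "publish_denied", publish_gaps  # tenant account must request access
    return "published", []

# Hypothetical project pair; the node queries two tables.
DEV = Project("demo_dev", "dev", "demo_dev")
PROD = Project("demo_online", "prod", "demo_online")
NODE_NEEDS = [("dwd_orders", "query"), ("dim_customer", "query")]

if __name__ == "__main__":
    print(release_check(DEV, PROD, "zhang", NODE_NEEDS))
```

Running the same gap report before a release shows which requests have to be filed for the production tenant account, instead of granting that account broad access in advance.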

Request and approval

| Operator | Permission flow | Description |
| --- | --- | --- |
| Dataphin member | Request permission | To request operation permissions for a resource, such as the query permission for a data table, see Request Permissions. |
| Dataphin member | Return permission | If you no longer need a permission, you can return it to maintain least-privilege access. For more information, see Request Permissions. |
| Project administrator | Permission approval | When a user requests a permission, the administrator can view and process the request ticket by approving, rejecting, reassigning, or co-signing it. For more information, see Process pending tasks. |
| Project administrator | Grant permission | To grant multiple permissions to a user or grant permissions to many users at once, use the grant permission feature. For more information, see Permission Management. |
| Project administrator | Revoke permission | To revoke permissions from multiple users at once, use the revoke permission feature. For more information, see Permission Management. |
| Dataphin | Revocation on expiration | When the permissions of a user's personal account expire, Dataphin automatically revokes them. For more information, see Request Permissions. |