All Products
Search
Document Center

DataWorks:ApplyResourceAccessPermission

Last Updated:Jun 24, 2026

Submits an application for access permissions on a specific resource.

Operation description

Request Description

  • Reason: The reason for the application. This parameter is required.

  • ApplyContents: Contains multiple resource permission application contents, each including the resource description (Resource), grantee description (Grantee), permission types (AccessTypes), and permission expiration time (ExpirationTime). The maximum limit per request is 400 entries.

  • Resource: The resource description. You need to specify the ResourceSchema.name and version that the resource parsing depends on, as well as the resource metadata MetaData.

  • Grantee: The grantee description. You need to specify the grantee type (PrincipalType) and the principal ID (PrincipalId).

  • AccessTypes: The list of permission types. Multiple permission combinations are supported.

  • ExpirationTime: The permission expiration time, provided as a milliseconds timestamp.

  • AuthMethod: An optional parameter that specifies the authorization method. The system uses the built-in default authorization method if not specified.

  • ClientToken: The client token used to prevent duplicate requests. This parameter is optional.

Ensure all required fields are filled in correctly and comply with the corresponding constraints. For example, DefVersion and MetaData in Resource should match the selected DefSchema.

Try it now

Try this API in OpenAPI Explorer, no manual signing needed. Successful calls auto-generate SDK code matching your parameters. Download it with built-in credential security for local usage.

Test

RAM authorization

No authorization for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter

Type

Required

Description

Example

Reason

string

Yes

The reason for the application.

业务发展需要

ApplyContents

array<object>

Yes

The list of resource permission application contents.

array<object>

No

Resource

object

No

The resource description.

DefSchema

string

Yes

The resource type.

Note: The resource types supported for application are constrained by ResourceSchema.name.

Appendix: ResourceSchema documentation for international site

Valid values:

  • MaxCompute :

    MaxCompute

  • LINDORM :

    LINDORM

  • EMR_ON_ECS_HIVE :

    EMR_ON_ECS_HIVE

  • DLF_V1 :

    DLF_V1

  • HOLOGRES :

    HOLOGRES

  • SEVERLESS_STARROCKS :

    SEVERLESS_STARROCKS

  • DATAWORKS_ENTITY :

    DATAWORKS_ENTITY

  • DLF_NEXT :

    DLF_NEXT

MaxCompute

DefVersion

string

No

The resource parsing version, which is constrained by ResourceSchema.version.

ResourceSchema documentation for international site

v1.0.0

MetaData

object

No

The resource metadata declaration.

Note: The metadata is constrained by ResourceSchema.resources. A valid resource declaration must include full-path metadata declarations from level 0 to validLeaf.

Appendix: ResourceSchema documentation for international site

any

No

Declares a specific resource in Map<String,Object> format. The declaration must comply with the resource constraints for the specific resource type in ResourceSchema.

Note:

  1. When applying for column-level permissions in MaxCompute, you must also declare columnSensibleLevel for label-based authorization to take effect.

  2. For MaxCompute permission applications with Schema enabled, pass the threeTierModel parameter and set it to true.

{ "workspace": "449656", "project": "sync_destination", "table": "order_table", "threeTierModel": false }

Grantee

object

Yes

The grantee description.

Note: The supported grantee types are constrained by ResourceSchema.authPrincipal.

Appendix: ResourceSchema documentation for international site

PrincipalType

string

Yes

The grantee type. Valid values:

  • RamRole

  • RamUser

  • DlfRole

Valid values:

  • DlfRole :

    DlfRole

  • RamUser :

    RamUser

  • RamRole :

    RamRole

RamRole

PrincipalId

string

Yes

The grantee ID. The ID has different semantics depending on the grantee type:

  • RamUser: Dataworks UserId

  • RamRole: Dataworks UserId prefixed with "ROLE_"

  • DlfRole: DlfNext role name

ROLE_32237475848545

AccessTypes

array

Yes

The list of permissions to apply for.

Note: Different resource levels support different permission types. They are uniformly constrained by ResourceSchema.isValidLeaf, accessTypeRestrictions, and authMethodAccessTypes.

Appendix: ResourceSchema documentation for international site

string

No

The resource permission.

select

ExpirationTime

integer

No

The permission expiration time, in milliseconds timestamp.

1785835708000

AuthMethod

string

No

The authorization method. Currently, only SEVERLESS_STARROCKS supports specifying the authorization method: ranger or starrocksManager.

Note: Different resources support different authorization methods, which are uniformly constrained by ResourceSchema.authMethods.

Appendix: ResourceSchema documentation for international site

Valid values:

  • starrocksManager :

    Starrocks Manager

  • ranger :

    Ranger

ranger

ClientToken

string

No

The idempotency parameter. Used to prevent duplicate operations caused by multiple calls.

ABFUOEUOTRTRJKE

Response elements

Element

Type

Description

Example

object

The response result.

RequestId

string

The request ID. Used for locating logs and troubleshooting issues.

0bc5df3a17***903790e8e8a

Data

array

The list of application IDs.

string

The application/approval process ID.

332066440109224007

Examples

Success response

JSON format

{
  "RequestId": "0bc5df3a17***903790e8e8a",
  "Data": [
    "332066440109224007"
  ]
}

Error codes

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.