This topic describes how to add workspace members and assign roles to them. This topic also describes the permissions of each role.

Prerequisites

If you need to use DataWorks together with other users, create Resource Access Management (RAM) users, create a workspace, and then follow the instructions in this topic to add members to your workspace. For more information about how to create RAM users and workspaces, see Prepare a RAM user and Create a workspace.

Background information

Note: If you plan to perform all operations in your workspace by using only the Alibaba Cloud account, you can skip this topic and directly create tables and import data. For more information, see Create tables and import data.

You can log on to the DataWorks console by using your Alibaba Cloud account or as a RAM user.

Alibaba Cloud adopts the following billing rules for RAM users:
  • An Alibaba Cloud account owns Alibaba Cloud resources. Resource usage is measured and billed to the Alibaba Cloud account. You can use the Alibaba Cloud account to create RAM users for your enterprise. You can also use the Alibaba Cloud account to manage and grant permissions to RAM users.
  • RAM users are created and managed by the Alibaba Cloud account in the RAM console. RAM users do not own resources, and therefore the resource usage of a RAM user is not measured or billed to the RAM user. The Alibaba Cloud account centrally manages all RAM users and pays for the resources used by RAM users.

Procedure

  1. Go to the Workspace Management page of the workspace to which you want to add members.
    1. Log on to the DataWorks console.
    2. In the left-side navigation pane, click Workspaces.
    3. On the Workspaces page, find the workspace to which you want to add members, move the pointer over the more icon in the Actions column, and then select Workspace Settings.
    4. In the Workspace Settings panel, click More. The Workspace Management page appears.
      You can also click DataStudio in the Actions column of the workspace to which you want to add members. On the DataStudio page, click the Workspace Manage icon in the upper-right corner to go to the Workspace Management page.
  2. In the left-side navigation pane, click User Management.
  3. On the User Management page, click Add Member in the upper-right corner.
  4. In the Add Member dialog box, click Refresh. All the RAM users created by your Alibaba Cloud account appear in the Available Accounts section.
    Note: If you need to create more RAM users, click RAMConsole in the Add Member dialog box to go to the RAM console and create RAM users as required. For more information about how to create a RAM user and allocate the RAM user to a person, see Prepare a RAM user.
  5. Select RAM users in the Available Accounts section and click the > icon to move them to the Added Accounts section.
  6. Select the roles that you want to assign to the RAM users and click Confirm.
    Notice: You must move RAM users from the Available Accounts section to the Added Accounts section before you assign roles to them.
  7. Go to the User Management page and view or modify the roles of each added member. You can click Remove in the Actions column of a member to remove the member.
    You can assign the following roles to a workspace member: Project Owner, Workspace Manager, Data Analyst, Development, O&M, Deploy, Visitor, and Safety Manager. By default, the creator of a workspace is assigned the Workspace Manager role.
    | Role | Description |
    | --- | --- |
    | Project Owner | This role has full permissions on a workspace. |
    | Workspace Manager | This role has all permissions of the Development and O&M roles. This role can also perform operations such as adding a user to a workspace as a member, removing a member from a workspace, and creating a custom resource group. |
    | Data Analyst | By default, this role has permissions only on DataAnalysis. |
    | Development | This role has permissions to perform design and maintenance operations on the DataStudio page of a workspace. |
    | O&M | This role has permissions to manage the execution of and perform the required operations on all nodes in a workspace in Operation Center. |
    | Deploy | This role has permissions to review the code of a node and determine whether to commit the node to Operation Center in a workspace in standard mode. |
    | Visitor | This role has read-only permissions on workflows and code on the DataStudio page of a workspace. |
    | Safety Manager | This role has permissions only on Data Security Guard. For more information about Data Security Guard, see Overview. |
    The DataWorks built-in roles are mapped to roles in a MaxCompute project. By default, a role in a MaxCompute project in the development environment has specific permissions on the project. However, the role does not have permissions on a MaxCompute project in the production environment. To perform operations on data in a project in the production environment, a user who is assigned the role can apply for the required permissions in Security Center.
    | MaxCompute role | Permission on data in a MaxCompute project in the development environment | DataWorks built-in role | Permission on a DataWorks workspace |
    | --- | --- | --- | --- |
    | Project Owner | This role has all permissions on the project. | N/A | N/A |
    | Super_Administrator | This role has management permissions on the project and all permissions on all types of resources in the project. | N/A | N/A |
    | Admin | When you create a project, the system automatically creates an Admin role for this project and grants the following permissions to the role: The Admin role has the permissions to access all objects in the project, manage users or roles, and grant permissions to users or roles. Unlike the Project Owner role, the Admin role does not have permissions to perform the following operations: assign the Admin role to users, configure security policies for the project, modify the authentication model for the project, and modify the permissions of the Admin role. The Project Owner role can assign the Admin role to a user and authorize the user to manage security configurations. | N/A | N/A |
    | Role_Project_Data_Analyst | By default, this role does not have permissions to perform operations on data in a MaxCompute project in the development or production environment. If the role wants to perform operations on data in a project in the development or production environment, the role can apply for the required permissions in Security Center. | Data Analyst | This role has permissions only on DataAnalysis by default. |
    | Role_Project_Admin | This role has all permissions on tables, functions, resources, instances, jobs, and packages of a project. | Workspace Manager | The administrator of the workspace. This role has permissions to manage the basic properties, data sources, compute engine configurations, and members of the workspace and assign the Workspace Manager, Development, O&M, Deploy, or Visitor role to workspace members. |
    | Role_Project_Dev | This role has all permissions on tables, functions, resources, instances, jobs, and packages of a project. | Development | This role has permissions to create workflows, script files, resources, user-defined functions (UDFs), tables, and deployment tasks, and delete tables, but no permissions to perform deployment operations. |
    | Role_Project_Pe | This role has all permissions on functions, resources, instances, and jobs of a project. It also has read permissions on packages and both read and describe permissions on tables of the project. | O&M | This role has deployment and online O&M permissions that are granted by the Workspace Manager role but no permissions to develop data. |
    | Role_Project_Deploy | No permissions by default. | Deploy | This role has the same permissions as the O&M role, except for online O&M permissions. |
    | Role_Project_Guest | No permissions by default. | Visitor | This role has permissions to view data but no permissions to edit workflows or code. |
    | Role_Project_Security | No permissions by default. | Safety Manager | This role has permissions to configure sensitivity rules and audit data risks in Data Security Guard. |
    For more information, see Overview of users, roles, and permissions.
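
The role tables above can be turned into a periodic access review of the User Management list. The following Python sketch is an added example, not DataWorks code: the member names are constructed, the function names are hypothetical, and the two review rules (who can manage members, who can both develop and deploy) are assumptions derived from the role descriptions in this topic.

```python
# Added example: review workspace role assignments against the tables above.
# Member names are constructed; the review rules are assumptions.

# DataWorks built-in role -> MaxCompute role in the development project.
DATAWORKS_TO_MAXCOMPUTE = {
    "Workspace Manager": "Role_Project_Admin",
    "Data Analyst": "Role_Project_Data_Analyst",
    "Development": "Role_Project_Dev",
    "O&M": "Role_Project_Pe",
    "Deploy": "Role_Project_Deploy",
    "Visitor": "Role_Project_Guest",
    "Safety Manager": "Role_Project_Security",
}
ALL_ROLES = set(DATAWORKS_TO_MAXCOMPUTE) | {"Project Owner"}
# Workspace Manager has all permissions of the Development and O&M roles.
IMPLIES = {"Workspace Manager": {"Development", "O&M"}}
MEMBER_ADMIN = {"Project Owner", "Workspace Manager"}
RELEASE = {"Deploy", "O&M"}  # roles described as having deployment permissions


def effective_roles(assigned):
    """Expand assigned roles with the roles whose permissions they include."""
    if "Project Owner" in assigned:      # full permissions on the workspace
        return set(ALL_ROLES)
    eff = set(assigned)
    for role in assigned:
        eff |= IMPLIES.get(role, set())
    return eff


def review_member(roles):
    """Return review findings for one member's assigned roles."""
    assigned = set(roles)
    findings = []
    unknown = assigned - ALL_ROLES
    if unknown:
        findings.append("unknown role: " + ", ".join(sorted(unknown)))
    eff = effective_roles(assigned & ALL_ROLES)
    if assigned & MEMBER_ADMIN:
        findings.append("can manage workspace members")
    if "Development" in eff and eff & RELEASE:
        findings.append("can both develop and deploy code")
    return findings


def maxcompute_dev_roles(roles):
    """MaxCompute roles a member receives in the development project."""
    return sorted(DATAWORKS_TO_MAXCOMPUTE[r] for r in roles
                  if r in DATAWORKS_TO_MAXCOMPUTE)


if __name__ == "__main__":
    members = {"ram-alice": ["Development"], "ram-bob": ["Development", "Deploy"],
               "ram-carol": ["Workspace Manager"], "ram-erin": ["Developer"]}
    for name, roles in members.items():
        print(name, maxcompute_dev_roles(roles), review_member(roles))
```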