DataWorks provides workspaces in basic mode and standard mode for you to develop data based on different security control requirements. This topic describes the differences between the two types of workspaces and the types of accounts or roles that can be used to access each type of workspace.
Workspaces in basic mode
A DataWorks workspace in basic mode can be associated with only one project, instance, or database of each compute engine type. A workspace in basic mode does not isolate the development environment from the production environment. In such a workspace, you can perform only basic data development but cannot control the data development process and table permissions.
- Benefits: This mode is easy to use. After you commit a node, the scheduling system immediately runs the node on a regular basis to produce data. In this case, you do not need to deploy the node.
- Risks: Developers can modify or commit a node to the scheduling system without the need to obtain approval. This makes the production environment unstable. In addition, if this workspace is associated with a MaxCompute project, developers have the read and write permissions on all the tables of the MaxCompute project by default. Developers can create, delete, or modify tables. This puts data at risk.

Workspaces in standard mode
- You can modify code only in the development environment.
- After you commit a node, the scheduling system runs the node in the development environment only for smoke testing. The scheduling system does not automatically run this node in the development environment in the future. If you want the scheduling system to automatically run this node in the future, you must deploy it to the production environment. You can deploy a node only after you obtain approval from a workspace administrator or O&M expert.

Types of accounts or roles used to access workspaces in basic mode and standard mode
Workspace mode | Compute engine type | Environment | Access account or role |
---|---|---|---|
Standard mode | MaxCompute | Development environment | By default, only the current logon user can perform operations. |
Standard mode | MaxCompute | Production environment | The following types of accounts or roles can be specified to perform operations: |
Standard mode | E-MapReduce (EMR) | Development environment | |
Standard mode | E-MapReduce (EMR) | Production environment | |
Standard mode | Hologres | Development environment | By default, only the current logon user can perform operations. |
Standard mode | Hologres | Production environment | The following types of accounts can be specified to perform operations: |
Basic mode | MaxCompute | Development environment, which is also the production environment | By default, only the current logon user can perform operations. The following types of accounts or roles can be specified to perform operations: |
Basic mode | EMR | Development environment, which is also the production environment | |
Basic mode | Hologres | Development environment, which is also the production environment | By default, only the current logon user can perform operations. The following types of accounts can be specified to perform operations: |
After you associate an AnalyticDB for MySQL or AnalyticDB for PostgreSQL compute engine instance with a DataWorks workspace in the development environment or the production environment, only the specified database account can perform operations in the specific environment. The permissions of this account in the DataWorks workspace are the same as those in the AnalyticDB for MySQL or AnalyticDB for PostgreSQL database.
Permissions for workspaces in basic mode and standard mode
DataWorks allows you to manage the permissions to use GUI elements in the console and the permissions to call API operations by using role-based access control (RBAC). In addition, the RBAC roles in DataWorks are automatically mapped to the RBAC roles in MaxCompute. For more information, see Manage workspace-level roles and members. The features, benefits, and disadvantages vary with workspaces in different modes. The following table compares the permissions of workspaces in basic mode and standard mode.
Item | Basic mode | Standard mode |
---|---|---|
Permission overview | In a DataWorks workspace in basic mode, the developer role of the DataWorks workspace is mapped to the Role_Project_Dev role of the associated MaxCompute project. Therefore, the developers of the DataWorks workspace can read all data in the MaxCompute project. | In a DataWorks workspace in standard mode, the developer role of the DataWorks workspace is mapped to the Role_Project_Dev role of the associated MaxCompute project in the development environment. Therefore: |
Benefits | Simple and easy to use. You only need to assign the developer role to development engineers to complete all data warehouse development. | Secure and standardized. |
Disadvantages | The risks of instability and low data security arise in the production environment. | The data development and production process is more complex. In most cases, the process requires the involvement of more than one developer. |
Accounts or roles used to access MaxCompute projects associated with workspaces in basic mode and standard mode
Item | Workspace mode | DataStudio | Operation Center |
---|---|---|---|
The accounts or roles that can be used to perform operations | Standard mode | The current logon user | The accounts or roles that are specified to perform operations for the scheduling engine |
The accounts or roles that can be used to perform operations | Basic mode | The accounts or roles that are specified to perform operations for the scheduling engine. Note: In a workspace in basic mode, if an Alibaba Cloud account is specified to perform operations for the scheduling engine, the Alibaba Cloud account is used to run nodes, regardless of whether it is the current logon user that performs operations. | The accounts or roles that are specified to perform operations for the scheduling engine |
Resource table | Standard mode | projectname_dev.tablename/function/resource | projectname.tablename/function/resource |
Resource table | Basic mode | projectname.tablename/function/resource | projectname.tablename/function/resource |
Access to resources | Standard mode | Scenario 1: select col1 from tablename; select col1 from projectname.tablename. Note: By default, RAM users that are not specified to perform operations for the scheduling engine do not have permissions to access the data in the production environment. If you want to use a RAM user, you must apply for permissions to access tables in the production environment in Security Center. | select col1 from tablename |
Access to resources | Basic mode | select col1 from tablename. Note: In a workspace in basic mode, if an Alibaba Cloud account is specified to perform operations for the scheduling engine, the Alibaba Cloud account is used to access resources, regardless of whether it is the current logon user that performs operations. | select col1 from tablename |
Permissions to access resources | Standard mode | The permissions granted to personal accounts | The permissions granted to the accounts or roles that are specified to perform operations for the scheduling engine |
Permissions to access resources | Basic mode | The permissions granted to the accounts or roles that are specified to perform operations for the scheduling engine. Note: An Alibaba Cloud account has full permissions on its resources. For security concerns, we recommend that you do not specify an Alibaba Cloud account to perform operations for the scheduling engine in a workspace in basic mode. | The permissions granted to the accounts or roles that are specified to perform operations for the scheduling engine |
Naming formats of tables in MaxCompute projects associated with workspaces in basic mode and standard mode
In a workspace in basic mode, the development environment is not isolated from the production environment. This indicates that the MaxCompute project that is associated with the workspace is used for both the development and production environments. In a workspace in standard mode, the development environment is isolated from the production environment. In this case, the naming formats of tables in the MaxCompute projects that are associated with the workspace differ in the two environments. If you want to access tables for the production environment from the development environment, you must identify tables for the production environment to prevent inappropriate operations. The following table describes the naming formats of tables for the two environments.
Environment | Naming format | Example |
---|---|---|
Development environment | Project name_dev.Table name | If you want to create a table named user_info in the projectA project, the table name is shown as projectA_dev.user_info. |
Production environment | Project name.Table name | If you want to create a table named user_info in the projectA project, the table name is shown as projectA.user_info. |
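
The naming formats above make production references detectable in node code before it is committed. The following Python example is added here and is not DataWorks code: it scans SQL for tables qualified with the production project name and reports whether each one is read or is the target of a write. The project name projectA comes from the table above; the sample SQL, the function names, and the set of write statements recognized are assumptions made for this example.

```python
import re

# Leading clause of statements that change data or schema; group 1 is the target.
WRITE_TARGET = re.compile(
    r"^(?:insert\s+(?:into|overwrite)(?:\s+table)?|truncate\s+table|alter\s+table"
    r"|drop\s+table(?:\s+if\s+exists)?|create\s+table(?:\s+if\s+not\s+exists)?)"
    r"\s+([\w.]+)", re.IGNORECASE)
QUALIFIED = re.compile(r"\b([A-Za-z_]\w*)\.([A-Za-z_]\w*)\b")

# Constructed node code; projectA is the example project name used on this page.
SAMPLE = """
select col1 from user_info;
select col1 from projectA.user_info;
insert overwrite table projectA_dev.user_summary
  select col1 from projectA.user_info;
drop table if exists projectA.user_info;
"""


def environment(qualifier, project):
    """Classify a project qualifier using the standard-mode naming format."""
    q, p = qualifier.lower(), project.lower()
    if q == p + "_dev":
        return "development"
    return "production" if q == p else "other"


def audit(sql, project):
    """Return (access, table, statement) for each production table referenced."""
    findings = []
    sql = re.sub(r"--[^\n]*", "", sql)  # drop line comments
    for stmt in (s.strip() for s in sql.split(";")):
        match = WRITE_TARGET.match(stmt)
        target = match.group(1).lower() if match else None
        seen = set()
        for qualifier, table in QUALIFIED.findall(stmt):
            name = f"{qualifier}.{table}"
            if environment(qualifier, project) != "production" or name.lower() in seen:
                continue
            seen.add(name.lower())
            # Only the statement's target is written; other references are reads.
            access = "write" if name.lower() == target else "read"
            findings.append((access, name, stmt))
    return findings


if __name__ == "__main__":
    for access, table, stmt in audit(SAMPLE, "projectA"):
        print(f"{access:5} {table}: {' '.join(stmt.split())}")
```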