The data access control feature provides a visual interface that allows you to request permissions, process requests, view request processing progress, follow up request processing, and audit and manage permissions.

Scenarios

In a workspace in standard mode, DataWorks manages the access permissions of a RAM user on MaxCompute tables to keep data in the production environment secure. For more information, see Users, roles, and permissions and Basic mode and standard mode.

  • Scenario 1: You want to use a RAM user in the development environment of a workspace to access tables in the production environment of the same workspace.

    By default, a RAM user that is not specified as the access identity of a compute engine instance in the production environment cannot perform operations on tables in the production environment on the DataStudio page. To allow this, request the required permissions for the RAM user in Security Center. After the request is approved, the RAM user can perform operations on tables in the production environment on the DataStudio page.

  • Scenario 2: You want to use a RAM user in the development or production environment of Workspace A to access tables in the development or production environment of Workspace B on the DataStudio page of Workspace A.

    By default, a RAM user in Workspace A cannot access tables in the development or production environment of Workspace B on the DataStudio page of Workspace A. To allow this, request the required permissions for the RAM user in Security Center. After the request is approved, the RAM user can perform operations on those tables on the DataStudio page of Workspace A.

Data access control procedure

On the Data access control page, you can request permissions, process requests, audit permissions, and view permission request records and request processing records. If you cannot use a RAM user to access specific tables during data development, you can request permissions for the RAM user on the Permission application tab. After the related personnel approve the request on the Permission approval tab, you can use the RAM user to perform operations on the tables.
  • As a requester: You can request permissions on MaxCompute tables on the Permission application tab of the Data access control page. For more information, see Request permissions. You can view the permission request records of the current Alibaba Cloud account on the Permission application record tab.
  • As an approver: You can go to the Permission approval tab and view the requests that you need to process as a workspace administrator or table owner. You can also view the request processing records of the current Alibaba Cloud account on the Permission approval record tab.

In addition, you can go to the Permission audit tab by using an Alibaba Cloud account or as a workspace administrator and manage the permissions of your workspace members on tables. You can also revoke permissions from a specific member. For more information, see Audit permissions.

Note DataWorks Security Center provides you with a default request processing procedure. You can also customize a request processing procedure in Approval Center. When you request permissions on a field in a MaxCompute table, DataWorks determines the request processing procedure to be used based on the field.
  • If the field on which you request permissions is within the data range that is defined in a custom request processing procedure, the permission request is processed based on the custom request processing procedure in Approval Center. For more information, see Approval Center.
  • If the field on which you request permissions is out of the data range that is defined in the custom request processing procedure, the permission request is processed based on the default request processing procedure in Security Center. By default, the permission request is sent to the table owner and workspace administrator. The requester can perform operations on the field or table after either or both of the table owner and workspace administrator approve the request.

Limits

You can request permissions on MaxCompute tables only by using the data access control feature.

Precautions

The Data access control page displays the access control platform of the new version. If you want to use the access control platform of the old version, click Return to old version in the top navigation bar of the page. For more information about the access control platform of the old version, see Security Center.

Go to the Data access control page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select the region in which the workspace that you want to manage resides. Find the workspace and click Data Development in the Actions column.
  4. In the upper-left corner of the page that appears, click the menu icon and choose All Products > Data governance > Security Center. The Data access control page appears.

Request permissions

  1. Go to the Permission application tab.
  2. Select the tables on which you want to request permissions.
    1. In the Application Content section, configure the Workspace and Project parameters.

      You can request permissions on MaxCompute tables only by using the data access control feature.

      The default value of the Application Type parameter is Table and the default value of the Engine type parameter is MaxCompute.
    2. Select the tables on which you want to request permissions in the Table to be added section.
      After you select tables, the information about the tables is displayed on the right. You can click the Show icon on the left side of a table name to view all fields in the table. You can request permissions on specific fields or on all fields. By default, permissions on all fields are requested.
      Note
      • If you enable policy-based authorization for a MaxCompute project, you can define tables in the project and request permissions on specific fields of the tables in Security Center. For more information, see Configure MaxCompute. For more information about the security levels of fields in a MaxCompute table, see Column-level access control.
      • You can request the following permissions on tables: SELECT, DESCRIBE, DROP, ALTER, UPDATE, and DOWNLOAD. You can also request permissions on a specific field.
  3. In the Application information section, configure the parameters.
    Parameters in the Application information section:
    User: the account for which the permissions are requested.
    • Current login account: request permissions on the tables for the account that is used to log on to the current workspace.
    • Dispatch access account: request permissions on the tables for the account that has a scheduling access identity. If you select this option, you must configure the Workspace parameter.
    • Apply on Behalf of others: request permissions on the tables for an account that is not used to log on to the current workspace. If you select this option, you must configure the Username parameter.
    Workspace: the account that has a scheduling access identity. Required when you select Dispatch access account.
    Username: the username of the account that is not used to log on to the current workspace. Required when you select Apply on Behalf of others.
    Application duration: the validity period of the requested permissions on tables. The permissions are automatically revoked after the validity period expires.
    Note You can configure this parameter only after you enable policy-based authorization for the MaxCompute project that contains the tables on which you request the permissions. For more information about how to enable policy-based authorization, see Configure MaxCompute. For more information about the policy-based access control of MaxCompute, see Policy-based access control and download control.
    Reason for application: the reason why you want to request the permissions.
  4. Click Apply for permission to submit the request.
    You can view the processing details and record of the current request on the Permission application record tab.

Process requests

  1. View the information about pending requests.
    Go to the Permission approval tab. You can use the following parameters to find the pending requests within the current Alibaba Cloud account: Application account number, Application time, Workspace, Project name, and Object name.
    Note If a request contains permission requests for tables that belong to different owners, the system splits the request into multiple requests based on the table owner.
  2. View the details about a request.
    Find the request and click Approval in the Operation column. You can view the details and processing record of the request in the Approval details dialog box.
  3. Process requests.
    To process a single request, enter your comments and click Agree or Rejection based on your business requirements.
    To process multiple requests at the same time, select all requests that you want to process on the Permission approval tab, click Bulk consent or Batch rejection, and then enter your comments.
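The routing and approval rules stated on this page (a request is split into one sub-request per table owner; each requested field is routed to the custom Approval Center procedure when it falls in a custom data range and to the default Security Center procedure otherwise; under the default procedure either the table owner or a workspace administrator can approve; and granted permissions lapse when the application duration expires) are small enough to model end to end. The model below is an added example written for this page, not DataWorks or MaxCompute code: every class, function, table name, owner name and data range in it is a constructed assumption, and the treatment of a rejection by an eligible approver as a final rejection is an assumption the page does not state.

```python
"""Constructed model of the request routing and approval rules described on this page.
This is illustrative code, not DataWorks or MaxCompute code; all names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Table privileges the page says can be requested.
PRIVILEGES = frozenset({"SELECT", "DESCRIBE", "DROP", "ALTER", "UPDATE", "DOWNLOAD"})


@dataclass(frozen=True)
class FieldRequest:
    """One requested (table, field, privilege) triple."""
    table: str
    field: str
    privilege: str


@dataclass(frozen=True)
class Grant:
    """A granted permission with the expiry derived from the application duration."""
    principal: str
    table: str
    field: str
    privilege: str
    expires_at: datetime  # the page says permissions are revoked once this passes


def split_by_owner(fields, table_owner):
    """Split one request into sub-requests keyed by table owner, as the page
    describes under 'Process requests'. Rejects privileges the page does not list."""
    parts = {}
    for fr in fields:
        if fr.privilege not in PRIVILEGES:
            raise ValueError(f"unsupported privilege: {fr.privilege}")
        parts.setdefault(table_owner[fr.table], []).append(fr)
    return parts


def route(fr, custom_ranges):
    """Choose the procedure per field: the custom Approval Center procedure when the
    field lies in a custom data range, otherwise the default Security Center one."""
    for rng in custom_ranges:
        if fr.table == rng["table"] and fr.field in rng["fields"]:
            return "approval_center"
    return "security_center_default"


def default_decision(approvals, table_owner, workspace_admins):
    """Default procedure: approved once the table owner or any workspace
    administrator agrees. Votes from anyone else are ignored. Treating a
    rejection by an eligible approver as final is an assumption of this model.
    approvals: {approver: "agree" | "reject"} (constructed shape)."""
    eligible = {table_owner, *workspace_admins}
    votes = [v for who, v in approvals.items() if who in eligible]
    if "reject" in votes:
        return "rejected"
    if "agree" in votes:
        return "approved"
    return "pending"


def make_grant(principal, fr, approved_at, duration_days):
    """Turn an approved field request into a time-limited grant."""
    return Grant(principal, fr.table, fr.field, fr.privilege,
                 approved_at + timedelta(days=duration_days))


def active_grants(grants, now):
    """Audit view: grants still valid at `now`; expired grants count as revoked."""
    return [g for g in grants if g.expires_at > now]


# Constructed sample data (not real projects, owners or data ranges).
TABLE_OWNER = {"ods_orders": "alice", "dim_customer": "bob"}
WORKSPACE_ADMINS = {"carol"}
CUSTOM_RANGES = [{"table": "dim_customer", "fields": {"phone", "id_card"}}]
SAMPLE_REQUEST = [
    FieldRequest("ods_orders", "order_id", "SELECT"),
    FieldRequest("dim_customer", "phone", "SELECT"),
    FieldRequest("dim_customer", "region", "DESCRIBE"),
]


def routing_plan(fields=SAMPLE_REQUEST):
    """Map each (owner, table, field) of the sample request to its procedure."""
    plan = {}
    for owner, part in split_by_owner(fields, TABLE_OWNER).items():
        for fr in part:
            plan[(owner, fr.table, fr.field)] = route(fr, CUSTOM_RANGES)
    return plan


if __name__ == "__main__":
    for key, procedure in sorted(routing_plan().items()):
        print(key, "->", procedure)
```

The useful property for an auditor is that `active_grants` is the only place expiry is enforced, so an audit of the Permission audit tab can be reproduced offline by re-running it against the recorded grants at a chosen point in time.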

View historical permission requests and their processing records

  • Go to the Permission application record tab. You can use the following parameters to find historical permission requests within the current Alibaba Cloud account: Approval status, Application time, Workspace, Project name, and Table name.

    To view the details about a request, you can click View details in the Operation column of the request. You can continue to process requests whose approval state is In approval.

  • Go to the Permission approval record tab. Then, you can use the following parameters to find the request processing records within the current Alibaba Cloud account: Application account number, Approval Results, Workspace, Project name, Object name, and Application time.

    To view the details about a request, you can click View details in the Operation column of the request.

Audit permissions

Go to the Permission audit tab. Then, you can use the following parameters to find the permission requests that are processed for a specific workspace, project, or object in Security Center: Workspace, Project name, and Object name.