Perform data development management - DataWorks - Alibaba Cloud Documentation Center

DataWorks allows the administrators of a workspace to manage the development behaviors of users and perform operations related to data development processes, data security, and auditing in DataStudio. This topic describes how administrators can perform management on data development processes, which can help you quickly have a command of the features of DataStudio.

Background information

The administrators of a workspace refer to the users that are assigned the Workspace Administrator or Workspace Owner role. The administrators have full permissions in the workspace and can perform operations on all DataWorks services. For more information about the permissions of roles, see Permissions of workspace-level roles.

Management items

DataStudio supports the following types of management items:

Process management and operation check
Data security management
Operation auditing

Note

Different DataWorks editions may support different management features. You can refer to the related topic for the management features if you want to use a specific DataWorks edition. For more information about DataWorks editions, see Differences among DataWorks editions.

Process management and operation check

The following table describes the features that you can use to check and manage a data development process.

Feature	Description	References
Management of permissions to develop and deploy nodes	You can use this feature to assign different roles to users. This way, you can control the permissions of users. If you want to prohibit a user from deploying nodes, you can assign only the Development role to the user. If you want to prohibit a user from using DataAnalysis, do not assign the Data Analyst role to the user. If you want to allow a user to create nodes, modify code, and create tables and functions, you can assign only the Development role to the user.	Manage permissions on workspace-level services
Forcible code review	You can use the forcible code review feature to ensure the code quality of your nodes. After the forcible code review feature is enabled, a node can be deployed only after the code of the node is approved by the specified reviewer. Note You can control the priorities of baselines on which the forcible code review feature takes effect. This helps control the code quality of nodes that are associated with baselines with high priorities. This way, these nodes can run as expected and do not block other nodes.	Code review
Forcible smoke testing	To ensure that the node that you created can be run as expected, you can perform smoke testing on the node before you deploy the node. If you configure scheduling parameters for a node, you can perform smoke testing on the node to check whether the scheduling parameters work as expected.	Smoke testing
Check process blocking based on checkpoints in extensions	You can verify related extensions or check items before you commit or deploy a node in a workspace. Extensions in DataWorks Open Platform If you want to use a custom verification logic to manage development processes, you can use this feature. Note RAM users to which the `AliyunDataWorksFullAccess` policy is attached can perform related management operations only after the RAM users register local services and publish the required extension in DataWorks Open Platform. Check items for data governance If you want to perform governance on code check results and manage check results, you can use this feature. Note This feature can be implemented by only Alibaba Cloud accounts or RAM users to which the `AliyunDataWorksFullAccess` policy is attached on the Check Item page in Data Governance Center. Data Modeling If you want to allow users to create tables in only Data Modeling or only allow or deny the creation of tables that meet a specific naming convention in DataStudio, you can use this feature.	Extensions in DataWorks Open Platform Overview Test and enable an extension Trigger event checking during data development Check items for data governance Data Governance Center overview Configure governance items Data Modeling: intelligent data modeling service

Note

By default, nodes in a workspace in standard mode can be deployed to only the same workspace. If you want to deploy nodes across workspaces or clouds, you can deploy the nodes on the Deploy page.

Data security management

You can use the features described in the following table to manage data security in a workspace.

Feature	Description	References
Data masking	You can specify whether to mask sensitive data. After you enable the data masking feature, if the results returned for a query in DataWorks hit a specified data masking rule, DataWorks masks sensitive information in the query results based on the rule. Note DataWorks provides built-in data masking rules. You can also create a custom data masking rule in Data Security Guard and use the rule to mask sensitive information in the query results. RAM users to which the Workspace Administrator or Security Manager role is assigned and RAM users to which the `AliyunDataWorksfullAccess` policy is attached can create a custom data masking rule in Data Security Guard.	Enable the data masking feature Overview of Data Security Guard
Data download	You can use this feature to specify whether to allow developers to download query results to an on-premises machine.	--
Control for read and write permissions on data sources	You can use this feature to specify whether to allow developers to modify the configurations of a data synchronization node.	Create a request processing policy for Data Integration nodes
Object permission approval	You can customize processing policies for permissions on MaxCompute tables, resources, and functions. Note You can specify the data range in which a processing policy can apply based on a MaxCompute project or data categorization and sensitivity level classification in Data Security Guard.	Request processing policies for compute engine data
Other features	You can manage other security operations that are related to a MaxCompute project. For example, you can perform ACL-based authorization, allow object creators to grant permissions on objects to other users, perform policy-based authorization, and perform column-level access control.	Advanced configurations that are related to MaxCompute

Operation auditing

You can view operation logs, restore data, and perform auditing operations by using DataStudio.

View operation logs.

Operation	Description	References
View operation records	You can view the records of various operations, such as batch operations, commit operations for a single node, workflow, or table, downloads for query results, and deletion of nodes. This way, you can quickly understand the changes in data.	Operation records
Query audit logs that are generated for user behavior events in ActionTrail	You can query audit logs generated in ActionTrail for operations that are performed in DataWorks. For example, you can query the audit logs of data downloads. Note DataWorks is integrated into ActionTrail. You can query the audit logs that are generated in ActionTrail for DataWorks behavior events of your Alibaba Cloud account over the last 90 days. You can use ActionTrail to deliver the events to a Logstore in Simple Log Service or a specific Object Storage Service (OSS) bucket for monitoring and alerting. This way, you can audit the events and trace and analyze issues at the earliest opportunity.	Use ActionTrail to query behavior events
Mask data and trace leaked data	To prevent the leakage of important files, you can configure data masking rules for important data in Data Security Guard and trace the leaked data based on the watermark information about the data in a leaked data file. Note RAM users to which the Workspace Administrator or Security Manager role is assigned and RAM users to which the `AliyunDataWorksfullAccess` policy is attached can create a custom data masking rule in Data Security Guard.	Create a data masking rule Trace leak sources
Audit permissions on a MaxCompute table	You can go to the Permission Audit tab of the Data Access Control page in Security Center and view the IDs of owners who are granted permissions on tables, the details of the permissions, and the validity period of the permissions. You can also revoke the permissions on tables based on your business requirements on the Permission Audit tab.	Manage permissions on MaxCompute

Restore data.

Operation	Description	References
Restore nodes	DataWorks allows you to restore nodes that are recently deleted from the recycle bin in DataStudio. Note After a deleted node is restored, the system generates a new ID for the node.	Recycle bin
Compare and roll back node versions	You can compare node or workflow versions or roll back the version of a node or workflow to the required version after you click Versions in the left-side navigation pane of a node configuration tab or workflow editing tab.	View the version information about a node