DataWorks allows the administrators of a workspace to manage the data development processes in DataStudio and the data security-related operations that are performed in DataStudio. This topic describes how administrators can manage data development operations.

Background information

The administrators of a workspace are the users who are assigned the Workspace Manager or Project Owner role. The administrators have full permissions in the workspace and can perform operations on all DataWorks service modules. For more information about the permissions of roles, see Permissions of workspace-level roles.

Management items

DataStudio supports the following types of management items:
Note: Different DataWorks editions may support different management features. For the management features of a specific DataWorks edition, see the related topic.

Process management and operation check

The following table describes the features that you can use to check and manage a data development process.
Feature: Management of permissions to develop and deploy nodes
Description: You can use this feature to assign different roles to users. This way, you can control the permissions of users.
  • If you want to prohibit a user from deploying nodes, you can assign only the Development role to the user.
  • If you want to prohibit a user from using DataAnalysis, do not assign the Data Analyst role to the user.
  • If you want to allow a user to create nodes, modify code, and create tables and functions, you can assign only the Development role to the user.
References: Manage workspace-level roles and members

Feature: Forcible code review
Description: You can use the forcible code review feature to manage the code quality of your nodes. After the forcible code review feature is enabled, a node can be deployed only after the code of the node is approved by the specified reviewer.
Note: You can manage the priorities of baselines on which the forcible code review feature takes effect. You can also manage the code quality of nodes that are associated with baselines that are assigned high priorities. This way, these nodes can run as expected and do not block other nodes.
References: Code review

Feature: Forcible smoke testing
Description:
  • To ensure that the node that you created can be run as expected, you can perform smoke testing on the node before you deploy the node.
  • If you configure scheduling parameters for a node, you can perform smoke testing on the node to check whether the scheduling parameters work as expected.
References: Smoke testing

Feature: Check process blocking based on checkpoints in extensions
Description: You can verify related extensions or check items before you commit or deploy a node in a workspace.
  • Extensions in DataWorks Open Platform
    If you want to use custom verification logic to manage development processes, you can use this feature.
    Note: RAM users to which the AliyunDataWorksFullAccess policy is attached can perform related management operations only after the RAM users register local services and publish the required extension in DataWorks Open Platform.
  • Check items for data governance
    If you want to perform governance on code check results and manage check results, you can use this feature.
    Note: Only Alibaba Cloud accounts or RAM users to which the AliyunDataWorksFullAccess policy is attached can be used as governance administrators. To use a check item, go to the Data Governance Center page and choose Configuration > Governance item in the left-side navigation pane of the Configuration page.
  • Data Modeling
    If you want to allow users to create tables only in Data Modeling, or to only allow or deny the creation of tables that meet a specific naming convention in DataStudio, you can use this feature.
References:
  • Check items for data governance
  • Data Modeling: intelligent data modeling service

Note: By default, nodes in a workspace in standard mode can be deployed to only the same workspace. If you want to deploy nodes across workspaces or clouds, you can deploy the nodes on the Deploy page. You can manage node deployment operations based on your business scenario.

Data security management

You can use the features described in the following table to manage data security in a workspace.
Feature: Data masking
Description: You can specify whether to mask sensitive data. After you enable the data masking feature, if the results returned for a query in DataWorks hit a specified data masking rule, DataWorks masks sensitive information in the query results based on the rule.
Note:
  • DataWorks provides built-in data masking rules. You can also create a custom data masking rule in Data Security Guard and use the rule to mask sensitive information in the query results.
  • RAM users who are assigned the Workspace Manager role or Safety Manager role and RAM users to which the AliyunDataWorksFullAccess policy is attached can create a custom data masking rule in Data Security Guard.

Feature: Data download
Description: You can use this feature to specify whether to allow developers to download query results to an on-premises machine.
References: --

Feature: Control for read and write permissions on data sources
Description: You can use this feature to specify whether to allow developers to modify the configurations of a data synchronization node.
References: Create a request processing policy for Data Integration nodes

Feature: Object permission approval
Description: You can customize processing policies for permissions on MaxCompute tables, resources, and functions.
Note: You can specify the data range in which a processing policy can apply based on a MaxCompute project or data classification in Data Security Guard.
References: Approval policies for MaxCompute data

Feature: Other features
Description: You can manage other security operations that are related to a MaxCompute project. For example, you can perform ACL-based authorization, allow object creators to grant permissions on objects to other users, perform policy-based authorization, and perform column-level access control.
References: Advanced configurations that are related to MaxCompute

Operation auditing

You can view operation logs, restore data, and perform auditing operations by using DataStudio.
  • View operation logs
    Operation: View operation records
    Description: You can view the records of various operations, such as batch operations, commit operations for a single node, workflow, or table, downloads for query results, and deletion of nodes. This way, you can quickly understand the changes in data.
    References: Operation records

    Operation: Query audit logs that are generated for user behavior events in ActionTrail
    Description: You can query audit logs generated in ActionTrail for operations that are performed in DataWorks. For example, you can query the audit logs of data downloads.
    Note: DataWorks is integrated into ActionTrail. You can query the audit logs that are generated in ActionTrail for DataWorks behavior events of your Alibaba Cloud account over the previous 90 days. You can use ActionTrail to deliver the events to a Logstore in Log Service or a specific Object Storage Service (OSS) bucket for monitoring and alerting. This way, you can audit the events and trace and analyze issues at the earliest opportunity.
    References: Use ActionTrail to query behavior events

    Operation: Mask data and trace leaked data
    Description: To prevent the leakage of important files, you can configure data masking rules for important data in Data Security Guard and trace the leaked data based on the watermark information about the data in a leaked data file.
    Note: RAM users who are assigned the Workspace Manager role or Safety Manager role and RAM users to which the AliyunDataWorksFullAccess policy is attached can create a custom data masking rule in Data Security Guard.

    Operation: Audit permissions on a MaxCompute table
    Description: You can go to the Permission audit tab of the Data access control page in security center and view the IDs of owners who are granted permissions on tables, the details of the permissions, and the validity period of the permissions. You can also revoke the permissions on tables based on your business requirements on the Permission audit tab.
    References: Data access control
  • Restore data
    Operation: Restore nodes
    Description: DataWorks provides a recycle bin to allow you to store all deleted nodes in the current workspace. You can restore or permanently delete the nodes.
    Note: After a deleted node is restored, the system generates a new ID for the node.
    References: Recycle bin

    Operation: Compare and roll back node versions
    Description: You can compare node versions or roll back the version of a node to the required version on the workflow editing tab.
    References: View the version information of a node
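
The ActionTrail note under Operation auditing mentions delivering DataWorks events to a Logstore or OSS bucket for monitoring and alerting, with data downloads as an example. The following is an added example, not code from DataWorks or ActionTrail: it reads delivered events as JSON lines and flags users with a burst of query-result downloads. The JSON field names, the service name, and the event names are assumptions or placeholders, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, not from the page: the JSON field names used below and these two
# placeholder values. Take the real ones from your own ActionTrail records.
SERVICE_NAME = "PLACEHOLDER_DATAWORKS_SERVICE"
DOWNLOAD_EVENTS = {"PLACEHOLDER_DOWNLOAD_EVENT"}

def parse_downloads(lines):
    """Return ({user: [event time, ...]}, skipped) for download events only."""
    per_user, skipped = defaultdict(list), 0
    for line in lines:
        try:
            ev = json.loads(line)
            if ev["serviceName"] != SERVICE_NAME or ev["eventName"] not in DOWNLOAD_EVENTS:
                continue
            when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            per_user[ev["userIdentity"]["userName"]].append(when)
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed or truncated record: count it, keep going
    return per_user, skipped

def burst_downloaders(lines, threshold=3, window=timedelta(minutes=10)):
    """Return ({user: peak count}, skipped) for bursts of downloads per user."""
    per_user, skipped = parse_downloads(lines)
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts, skipped

# Constructed sample records (not real ActionTrail output).
def _event(user, hhmm, name="PLACEHOLDER_DOWNLOAD_EVENT"):
    return json.dumps({"serviceName": SERVICE_NAME, "eventName": name,
                       "eventTime": f"2024-01-15T{hhmm}:00Z",
                       "userIdentity": {"userName": user}})

SAMPLE_LINES = [_event("dev_alice", t) for t in ("09:00", "09:03", "09:07", "09:09")]
SAMPLE_LINES += [_event("dev_bob", t) for t in ("09:00", "11:30", "14:00")]
SAMPLE_LINES += [_event("dev_carol", "09:01", "PLACEHOLDER_OTHER_EVENT"), '{"serviceName": "trunc']

if __name__ == "__main__":
    print(burst_downloaders(SAMPLE_LINES))
```

The skipped count is returned alongside the alerts so that a delivery problem producing truncated records is visible instead of silently lowering the download counts.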