DataWorks allows you to manage permissions on Data Lake Formation (DLF) in a visualized manner. For example, you can request permissions, process permission requests, and audit permissions. This helps you manage permissions on fully managed data lakes in a centralized manner. This topic describes how to manage permissions on DLF.

Background information

The first time you use DataWorks to manage permissions on DLF, DataWorks prompts you to authorize DataWorks to access DLF. During the authorization, the system creates a service-linked role named AliyunServiceRoleForDataWorksAccessDLF for DataWorks. For more information about the AliyunServiceRoleForDataWorksAccessDLF service-linked role, see Appendix: Service-linked role used by DataWorks to access DLF.

Process for managing permissions on DLF

DLF permission management process
Roles and their descriptions:
  • Requester: A requester can request permissions on tables on the Request permissions tab. The requester can also view the permission request records of the current Alibaba Cloud account on the Permission Application Records tab.
  • Approver: An approver can view the table permission requests that are pending processing on the Process permission requests tab. The approver can also view the request processing records of the current Alibaba Cloud account on the Permission Application Processing Record tab.
  • Auditor: An auditor can go to the Permission Audit tab with an Alibaba Cloud account or as a RAM user who is assigned the Workspace Manager role and audit permissions of workspace members on tables. The auditor can also revoke permissions from a specific workspace member.

Go to the Data access control page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select the region in which the workspace that you want to manage resides. Find the workspace and click Data Development in the Actions column.
  4. In the upper-left corner of the page that appears, click the icon and choose All Products > Data governance > Security Center. The Data access control page appears.

Request permissions

  1. Go to the Permission Application tab.
  2. Select tables on which you want to request permissions.
    1. In the Application Content section, set Engine Type to DLF. Configure the Catalog and Authorization Granularity parameters.
      The valid values of the Authorization Granularity parameter are Field-level permissions, Table-level permissions, and Metabase-level permissions.
      • If you select Field-level permissions or Table-level permissions, you can select the tables on which you want to request permissions in the Tables to Be Added section. After you select the tables, the information about the tables is displayed on the right side. You can click the Show icon on the left side of a table name to view all fields in the table. You can request permissions on specific or all fields.
      • If you select Metabase-level permissions, you can select the names of the metadatabases on which you want to request permissions in the Metabase Name column, and select the permissions that you want to request in the Metabase permissions column.
  3. In the Application Information section, configure the parameters.
    Parameters and their descriptions:
    • User: The account or user for which you want to request the permissions.
      • Current login account: indicates that you want to request permissions for the Alibaba Cloud account that is used to access the current workspace.
      • Apply on Behalf of others: indicates that you want to request permissions for an Alibaba Cloud account that is not used to access the current workspace. If you select this option, you must configure the Username parameter.
    • Workspace: The workspace in which you want to use the tables.
    • Application duration: The validity period of the requested permissions on tables. The permissions are automatically revoked after the validity period elapses.
    • Reason for application: The reason why you want to request the permissions.
  4. Click Apply for permission to submit the request.
    You can view the processing details and record of the current request on the Permission Application Records tab.

Process permission requests

  1. View the information about pending permission requests.
    On the Permission Application Processing tab, set Engine Type to DLF and configure the other parameters to search for the pending permission requests within the current Alibaba Cloud account.
    Note: If permissions on multiple tables that belong to different owners are requested, the system splits the request into multiple requests based on the table owners.
  2. View the details about a permission request.
    Find the permission request and click Approval in the Operation column. You can view the details and processing record of the permission request in the Approval details dialog box.
  3. Process permission requests.
    To process a single permission request, enter your comments and click Agree or Rejection based on your business requirements.
    To process multiple permission requests at the same time, select the permission requests that you want to process on the Permission Application Processing tab, click Bulk consent or Batch rejection, and then enter your comments.

View historical permission requests and their processing records

  • View permission request records. You can specify filter conditions such as Approval status, Application time, and Workspace to view the permission request records of the current Alibaba Cloud account.

    To view the details about a request, click View details in the Operation column of the request. You can continue to process requests whose approval state is In approval.

  • View request processing records. You can specify filter conditions such as Application account number, Approval Results, and Workspace to view the request processing records of the current Alibaba Cloud account.

    To view the details about a request, click View details in the Operation column of the request.