DataWorks provides automatic transfer and manual transfer mechanisms that you can use to transfer the entities of modules in your workspace to a specific entity receiver. The entities include resources and functions. The two mechanisms are implemented based on the default transfer rule that is provided by DataWorks or a custom workspace-level transfer rule that you configure. This topic describes how to configure an entity transfer rule, use the rule to transfer entities, and view transfer logs.

Background information

  • The most common scenario where entity transfer needs to be performed is employee resignation. Entity transfer guarantees security and stability of DataWorks services when employees resign and prevents impacts of employee resignation on your business.
  • After an employee resigns, the Alibaba Cloud account used by the employee may or may not be deleted. For entity transfer in the two scenarios, DataWorks provides the automatic and manual transfer mechanisms. DataWorks provides a default transfer rule. DataWorks also allows you to customize a workspace-level transfer rule on the Transfer configuration tab of the Entity transfer page and specify an entity receiver for entities in different modules in the rule.

Limits

You can use only the tenant security administrator role or tenant administrator role to configure entity transfer settings on the Entity transfer page. For more information about permission management for tenants, see Manage global roles and members.

Entity transfer logic

If you configure a custom transfer rule and enable the rule, the entities that you want to transfer are preferentially transferred to the entity receiver that you specify in the rule. If the entity receiver that you specify in the rule does not exist or is removed from the workspace, the system performs the transfer based on the default transfer rule.

Entity transfer logic
  • Trigger condition for automatic transfer: If a RAM user is removed from a workspace or is deleted, the automatic transfer mechanism is triggered. If no entity receiver is specified for the workspace, the transfer is performed based on the default transfer rule after the RAM user is removed or deleted. By default, the entities that belong to the RAM user are transferred to another RAM user to which the workspace administrator role is assigned in the workspace. If no RAM users in the workspace are assigned the workspace administrator role, the entities are transferred to the Alibaba Cloud account to which the RAM user belongs. If you configure a custom transfer rule for the workspace and specify an entity receiver that is a member of the workspace in the rule, the transfer is performed based on the rule that you configure.
  • Trigger condition for manual transfer: If a RAM user is not deleted and remains a member of the workspace, you can go to the Entity transfer page to perform a manual transfer. If no custom transfer rule is configured for the workspace, the transfer is performed based on the default transfer rule after the RAM user is removed from the workspace or is deleted. If you configure a custom transfer rule for the workspace and specify an entity receiver that is a member of the workspace in the rule, the transfer is performed based on the rule that you configure. For more information about custom workspace-level transfer rules, see Configure an entity transfer rule.
Note
  • If the entity receiver that you specify in a custom transfer rule is the access identity of a MaxCompute compute engine instance, the access identity of the MaxCompute compute engine instance is changed to the entity receiver after the transfer is performed based on the rule. For more information about the access identity of a MaxCompute compute engine instance, see Associate a MaxCompute compute engine instance with a workspace.
  • DataWorks allows you to configure a custom workspace-level transfer rule.

Go to the Entity transfer page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces.
  3. In the top navigation bar, select the region in which the workspace that you want to manage resides. Find the workspace and click Data Development in the Actions column.
  4. On the DataStudio page, click the Icon icon in the upper-left corner and choose All Products > Data governance > Security Center. The Data access control page appears.
  5. In the top navigation bar of the Data access control page, click Security policy. The Entity transfer page appears.

View the entities that can be transferred

In the Instructions for use section, view the entities that can be transferred, and the trigger condition and precautions for automatic transfer. Instructions for use
Note More entities that can be transferred will be available in the future. The entities that can be transferred in the DataWorks console prevail.

Configure an entity transfer rule

  1. In the Transfer rule configuration section, search for the desired workspace.
    Search
  2. Configure an entity receiver.
    1. In the Transfer rule configuration section, customize a transfer rule. Transfer rules are classified into the default transfer rule and custom transfer rules. Click Revised in the Transfer entity receiver column that corresponds to the desired workspace. In the Select Transfer Entity Recipient dialog box, select an entity receiver from the Please select a space member drop-down list and click OK. When the transfer condition is triggered, the system performs the transfer based on the custom transfer rule that you configure. If the rule is disabled for the workspace, or the entity receiver that you specify does not exist or is removed from the workspace, the system performs the transfer based on the default transfer rule.
      Configure an entity transfer rule
      • Default transfer rule: The default transfer rule is enabled by default and cannot be disabled. The default transfer rule takes effect if no entity receiver is specified for the workspace whose entities you want to transfer or the entity receiver specified for the workspace is invalid.
        Note If the entity receiver is removed from the workspace before the transfer, the entity receiver is considered invalid.
      • Custom workspace-level transfer rule: Custom workspace-level transfer rules are disabled by default. If you need to specify an entity receiver, you can select a member in a workspace as the entity receiver. You can also enable or disable a custom transfer rule based on your business requirements. If you enable a custom transfer rule, the rule takes effect when entities are transferred.
        Note If you enable a custom transfer rule, the entities that you want to transfer are preferentially transferred to the entity receiver that you specify in the rule. If the entity receiver that you specify in the rule does not exist or is removed from the workspace, the system performs the transfer based on the default transfer rule.
    2. Turn on or off the switch in the Operation column that corresponds to the workspace to enable or disable the custom transfer rule.
      • If you turn on the switch, the entities that you want to transfer are transferred to the entity receiver that you specify.
        Note If the entity receiver that you specify does not exist or is removed from the workspace, the entities are transferred to the entity receiver specified in the default transfer rule.
      • If you turn off the switch, the entities that you want to transfer are transferred to the entity receiver specified in the default transfer rule.

Perform a transfer

  1. If a RAM user is not deleted and remains a member of the workspace, go to the Transfer configuration tab of the Entity transfer page and click Immediate execution of referral to transfer the entities that belong to the RAM user.
    Immediate execution of referral
  2. In the Immediate execution of referral dialog box, select the original owner of the entities from the drop-down list and click Confirm referral. If the entity receiver that you specify is a member of the workspace, the entities are transferred to the entity receiver. Otherwise, the entities are transferred to the entity receiver specified in the default transfer rule.
    Perform a transfer

View transfer logs

On the Entity transfer page, click the Transfer log tab. On the Transfer log tab, view transfer records, transfer status, the transfer operator, and the original owner of the entities. View transfer logs