DataWorks supports tenant-level permission control and allows you to manage permissions in a finer-grained manner. For example, you can control whether a user has the permissions to globally manage categories in Data Map. DataWorks provides built-in global roles and allows you to create custom global roles. This topic describes how to manage global roles and members.
After you go to a DataWorks module, if no DataWorks workspace name is not displayed in the top navigation bar, this module is a global module, such as Data Map. For all such modules, DataWorks provides you with identities such as global members and roles. You can assign the required global roles to different users based on your business requirements.
|Built-in global role||Permission||Description|
|Tenant administrator||Has permissions on all DataWorks modules, excluding the permissions to perform operations in the DataWorks console. For more information, see Permission control by fine-grained RAM policies.||This role has full permissions in DataWorks and can perform operations on all DataWorks modules.|
|Tenant member||Has permissions on all global modules.||After a RAM user is added to a workspace, the RAM user assumes the tenant member role by default and can access all global modules.|
|Security administrator||Has permissions on Security Center, Approval Center, and Data Security Guard.||
|Data Security Guard||
|Comprehensive Data Governance||
LimitsOnly workspaces of DataWorks Enterprise Edition support custom roles. For more information, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see DataWorks advanced editions.
Step 1: Go to the Global Member Management page
- Log on to the DataWorks console.
- In the left-side navigation pane, click Workspaces. On the Workspaces page, find the specified workspace and click Data Development in the Actions column.
- In the upper-left corner, click the icon and then click Global Member Management. The Global Member Management page appears.
Step 2: Create and manage custom global roles (Optional)
You cannot modify the permissions of DataWorks built-in global roles. If the built-in roles do not meet your permission control requirements, you can manage DataWorks custom global roles to specify whether a role has permissions on a global module on the Roles tab.
- Go to the Global Member Management page. For more information, see Step 1: Go to the Global Member Management page. Then, click the Roles tab.
- Click Create Custom Role in the upper-right corner of the Roles tab.
- In the Create Custom Role dialog box, enter a name for your custom role, such as test.
- Grant permissions on different global modules to the custom role.
- Click Configure. When the Created successfully message appears, the custom role is created. When you add a member later, you can assign this role to the member.
Step 3: Assign a global role to a user
- Go to the Global Member Management page. For more information, see Step 1: Go to the Global Member Management page. Then, go to the Manage Members tab. The Manage Members tab displays all RAM users within the current Alibaba Cloud account. These RAM users are global members.
- Assign or remove a global role from a member in the Role column. Note After a RAM user is added to a workspace, the RAM user assumes the tenant member role by default and can access all global modules.