DataWorks supports tenant-level permission control and allows you to manage permissions in a finer-grained manner. For example, you can control whether a user has the permissions to globally manage categories in Data Map. DataWorks provides built-in global roles and allows you to create custom global roles. This topic describes how to manage global roles and members.

Background information

After you go to a DataWorks module, if no DataWorks workspace name is displayed in the top navigation bar, the module is a global module, such as Data Map. For all such modules, DataWorks provides you with identities such as global members and roles. You can assign the required global roles to different users based on your business requirements.

DataWorks provides built-in global roles and allows you to create custom global roles. The following table describes the permissions of the built-in global roles.
Built-in global role, followed by its permission and description:
Tenant administrator
  • Permission: Has permissions on all DataWorks modules, excluding the permissions to perform operations in the DataWorks console. For more information, see Permission control by fine-grained RAM policies.
  • Description: This role has full permissions in DataWorks and can perform operations on all DataWorks modules.
Tenant member
  • Permission: Has permissions on all global modules.
  • Description: After a RAM user is added to a workspace, the RAM user assumes the tenant member role by default and can access all global modules.
Security administrator
  • Permission: Has permissions on Security Center, Approval Center, and Data Security Guard.
  • Description:
    • All permissions on Security Center
    • Permissions on custom approval policies in Approval Center
    • All permissions on Data Security Guard

If the built-in roles provided by DataWorks cannot meet your requirements, you can create custom global roles and determine whether a global role has the permissions on a global module. The following table describes the global modules on which you can use custom global roles to manage permissions.
Global module, followed by its permission options:
Data Security Guard
  • No permissions
  • Available: all read-only permissions and all management permissions
Data Map
  • No permissions
  • Available: regular permissions
Comprehensive Data Governance
  • No permissions
  • Available: regular permissions and data governance permissions
DataAnalysis
  • No permissions
  • Available: regular permissions
Approval Center
  • No permissions
  • Available: regular permissions and permissions to manage approval processes
Security Center
  • No permissions
  • Available: regular permissions

Limits

Only workspaces of DataWorks Enterprise Edition support custom roles. For more information, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see DataWorks advanced editions.

Step 1: Go to the Global Member Management page

  1. Log on to the DataWorks console.
  2. In the left-side navigation pane, click Workspaces. On the Workspaces page, find the specified workspace and click Data Development in the Actions column.
  3. In the upper-left corner, click the icon and then click Global Member Management. The Global Member Management page appears.

Step 2: Create and manage custom global roles (Optional)

You cannot modify the permissions of DataWorks built-in global roles. If the built-in roles do not meet your permission control requirements, you can create custom global roles on the Roles tab and specify, for each role, whether it has permissions on a global module.

  1. Go to the Global Member Management page. For more information, see Step 1: Go to the Global Member Management page. Then, click the Roles tab.
  2. Click Create Custom Role in the upper-right corner of the Roles tab.
  3. In the Create Custom Role dialog box, enter a name for your custom role, such as test.
  4. Grant permissions on different global modules to the custom role.
  5. Click Configure.
    When the Created successfully message appears, the custom role is created. When you add a member later, you can assign this role to the member.

Step 3: Assign a global role to a user

  1. Go to the Global Member Management page. For more information, see Step 1: Go to the Global Member Management page. Then, go to the Manage Members tab.
    The Manage Members tab displays all RAM users within the current Alibaba Cloud account. These RAM users are global members.
  2. In the Role column, assign a global role to a member or remove a global role from a member.
    Note: After a RAM user is added to a workspace, the RAM user assumes the tenant member role by default and can access all global modules.
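
The following added example (not DataWorks code) shows a least-privilege review of the assignments made in Step 3: it flags members who hold a broad built-in role, or a custom role that carries one of the elevated options from the global module list, without a recorded sign-off. The record layout, the user names, the `catalog-reader` role and the approval list are constructed assumptions; the page does not describe an export format.

```python
# Constructed inputs, hand-transcribed from the Roles and Manage Members tabs.
# This layout is an assumption, not a DataWorks export format.
PRIVILEGED_BUILTIN = {"Tenant administrator", "Security administrator"}
# Options beyond regular/read-only that the global module list offers.
ELEVATED_OPTIONS = {
    "Data Security Guard": "all management permissions",
    "Comprehensive Data Governance": "data governance permissions",
    "Approval Center": "permissions to manage approval processes",
}

CUSTOM_ROLES = {  # role name -> {module: set of granted options}
    "test": {"Data Map": {"regular permissions"},
             "Data Security Guard": {"all management permissions"}},
    "catalog-reader": {"Data Map": {"regular permissions"}},
}
MEMBERS = {  # RAM user -> global roles shown in the Role column
    "alice": ["Tenant administrator"],
    "bob": ["Tenant member", "test"],
    "carol": ["Tenant member", "catalog-reader"],
    "dave": ["Security administrator"],
}
APPROVED = {("alice", "Tenant administrator")}  # signed-off assignments

def elevated_modules(role_grants):
    """Modules on which a custom role carries an elevated option."""
    return sorted(m for m, opts in role_grants.items()
                  if ELEVATED_OPTIONS.get(m) in opts)

def review(members, custom_roles, approved):
    """Return (user, role, reason) for assignments lacking sign-off."""
    findings = []
    for user, roles in sorted(members.items()):
        for role in roles:
            if role in PRIVILEGED_BUILTIN:
                reason = "built-in privileged role"
            elif role in custom_roles:
                mods = elevated_modules(custom_roles[role])
                if not mods:
                    continue
                reason = "elevated on " + ", ".join(mods)
            elif role == "Tenant member":
                continue  # default role for every RAM user in a workspace
            else:
                reason = "role not defined on the Roles tab"  # fail closed
            if (user, role) not in approved:
                findings.append((user, role, reason))
    return findings

print(review(MEMBERS, CUSTOM_ROLES, APPROVED))
```

Roles that appear in the Role column but not in the role definitions are reported rather than ignored, so a renamed or newly created custom role cannot slip past the review.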