DataWorks provides you with different built-in workspace-level roles. You can also create custom workspace-level roles and grant permissions to the roles based on your business requirements. This way, you can implement the principle of least privilege and manage permissions in a finer-grained manner. You can add an Alibaba Cloud account or a RAM user as a member of a workspace and assign a role to the member to grant the member the permissions of the role. This topic describes how to manage workspace-level roles and members.
Background information
DataWorks provides different identities, such as members and roles, at the workspace level. You can assign different roles to users based on the requirements of users for the workspace. DataWorks provides built-in workspace-level roles. For more information about the permissions of different roles on DataWorks modules, see Permissions of built-in workspace-level roles. For more information about the mappings between the built-in roles provided by DataWorks and the roles of a MaxCompute project in the development environment, see Permissions of workspace-level roles.

- You can determine whether a custom workspace-level role has permissions on a specific module in a workspace. If you create a custom role that has no permissions on the DataAnalysis module, users to which this role is assigned cannot access the DataAnalysis module.
- If you use the MaxCompute compute engine, you can configure the mapping between the custom role and a role of a MaxCompute project. This way, the custom role has permissions on the resources in the MaxCompute project.
Limits
- Only workspaces of DataWorks Enterprise Edition support custom roles. For more information, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see DataWorks advanced editions.
- Only members that are assigned the Workspace Manager or Project Owner role can add users, change the roles that are assigned to members, remove members, and delete custom roles.
- Only an Alibaba Cloud account, or a RAM user that is assigned the Admin or Super_Administrator role of a MaxCompute project, can configure the mapping between a DataWorks custom workspace-level role and a role of a MaxCompute project.
Step 1: Go to the Manage Members tab
Step 2: Create and manage custom workspace-level roles (Optional)
You cannot modify the permissions of DataWorks built-in workspace-level roles. If the built-in roles do not meet your permission control requirements, you can manage custom workspace-level roles on the Roles tab and specify whether a role has permissions on a module in the workspace.

Step 3: Add and manage workspace members
- View member information.
You can view the Alibaba Cloud accounts of members and the roles that are assigned to the members in the current workspace. You can also search for a specific member by the name of the member, the Alibaba Cloud account of the member, or the role that is assigned to the member. Then, you can view the member information and the number of members to which the role has been assigned. This allows you to manage members and roles assigned to the members in a centralized manner.
- Remove a member.
On the Manage Members tab, find a member that you want to remove from the workspace and click Remove in the Actions column. If you want to remove multiple members from the workspace at a time, you can select them and click Batch removal.
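A periodic access review over the roles and members described above can be scripted. This is an added example, not DataWorks code: the member list, the custom role names, the module sets other than DataAnalysis, the approved-module record, and the `max_admins` threshold are all constructed assumptions.

```python
# Added example. Names marked "constructed" are hypothetical sample data.
# Roles that may add or remove members and change role assignments (see Limits).
MEMBER_ADMIN_ROLES = {"Workspace Manager", "Project Owner"}

# Constructed: custom role -> modules the role has permissions on.
CUSTOM_ROLES = {
    "report_viewer": {"DataAnalysis"},
    "pipeline_dev": {"DataStudio", "Operation Center"},
}

# Constructed: members and assigned roles, as listed on the Manage Members tab.
MEMBERS = [
    {"name": "alice", "roles": ["Workspace Manager"]},
    {"name": "bob", "roles": ["pipeline_dev", "report_viewer"]},
    {"name": "carol", "roles": ["report_viewer"]},
    {"name": "dave", "roles": ["Project Owner", "pipeline_dev"]},
]

# Constructed: modules each member's work actually requires.
APPROVED = {
    "alice": set(),
    "bob": {"DataStudio", "Operation Center"},
    "carol": {"DataAnalysis"},
    "dave": {"DataStudio"},
}


def review(members, custom_roles, approved, max_admins=1):
    """Return findings for a periodic least-privilege review of one workspace."""
    findings = []
    admins = sorted(m["name"] for m in members
                    if MEMBER_ADMIN_ROLES & set(m["roles"]))
    if len(admins) > max_admins:  # max_admins is an assumed local policy
        findings.append(("too_many_member_admins", tuple(admins)))
    for m in members:
        granted = set()
        for role in m["roles"]:
            # Built-in roles have fixed permissions and are not evaluated here.
            granted |= custom_roles.get(role, set())
        excess = granted - approved.get(m["name"], set())
        if excess:
            findings.append(("excess_modules", m["name"], tuple(sorted(excess))))
    return findings


if __name__ == "__main__":
    for finding in review(MEMBERS, CUSTOM_ROLES, APPROVED):
        print(finding)
```

Each `excess_modules` finding points to a custom role that is broader than the member needs, which is the case for narrowing the role on the Roles tab or assigning a different one.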
View the permissions of users
show grants; -- Query your access permissions.
show grants for <username>; -- Query the access permissions of a specified user. You can execute this statement only if you are assigned the Workspace Manager role.
For more information, see Check permissions.