DataWorks provides you with different built-in workspace-level roles. You can also create custom workspace-level roles and grant permissions to the roles based on your business requirements. This way, you can implement the principle of least privilege and manage permissions in a finer-grained manner. You can add an Alibaba Cloud account or a RAM user as a member of a workspace and assign a role to the member to grant the member the permissions of the role. This topic describes how to manage workspace-level roles and members.
DataWorks provides different identities, such as members and roles, at the workspace level. You can assign different roles to users based on the requirements of users for the workspace. DataWorks provides built-in workspace-level roles. For more information about the permissions of different roles on DataWorks modules, see Permissions of built-in workspace-level roles. For more information about the mappings between the built-in roles provided by DataWorks and the roles of a MaxCompute project in the development environment, see Permissions of workspace-level roles.
- You can determine whether a custom workspace-level role has permissions on a specific module in a workspace. If you create a custom role that has no permissions on the DataAnalysis module, users to which this role is assigned cannot access the DataAnalysis module.
- If you use the MaxCompute compute engine, you can configure the mapping between the custom role and a role of a MaxCompute project. This way, the custom role has permissions on the resources in the MaxCompute project.
- Only workspaces of DataWorks Enterprise Edition support custom roles. For more information, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see DataWorks advanced editions.
- You can use only the Workspace Manager and Project Owner roles to add users, change the roles that are assigned to members, remove members, and delete custom roles.
- You can use only a RAM user that is assigned the Admin or Super_Administrator role of a MaxCompute project or an Alibaba Cloud account to configure the mapping between a DataWorks custom workspace-level role and a role of a MaxCompute project.
Step 1: Go to the Manage Members tab
- Log on to the DataWorks console.
- In the left-side navigation pane, click Workspaces.
- Go to the Workspace Management page of a workspace. You can use one of the following methods to go to the Workspace Management page:
- On the Workspaces page, find the workspace that you want to configure and click Workspace Settings in the Actions column. In the Workspace Settings panel, click More. The Workspace Management page appears.
- On the Workspaces page, find the workspace that you want to configure and click Data Analytics in the Actions column. On the DataStudio page, click the Workspace Manage icon in the upper-right corner. The Workspace Management page appears.
- In the left-side navigation pane, click User Management. The Manage Members tab appears.
Step 2: Create and manage custom workspace-level roles (Optional)
You cannot modify the permissions of DataWorks built-in workspace-level roles. If the built-in roles do not meet your permission control requirements, you can manage DataWorks custom workspace-level roles to specify whether a role has permissions on a module in a workspace on the Roles tab.
- Go to the Manage Members tab. For more information, see Step 1: Go to the Manage Members tab. Then, click the Roles tab.
- Click Create Custom Role in the upper-right corner of the Roles tab.
- In the Create Custom Role dialog box, enter a name for your custom role, such as test.
- Grant the role the permissions on the required DataWorks modules in the workspace.
- Unauthorized: The role has no permissions on the related module.
- Read-only: The role can only view the data in the related module.
- Read and Write: The role can modify the data in the related module.
- In the Configure Account Mapping section, click Add to configure the mapping between the custom role and a role of a compute engine.
- You can configure the mapping only between a DataWorks role and a MaxCompute role.
- You can use only a RAM user that is assigned the Admin or Super_Administrator role of a MaxCompute project or an Alibaba Cloud account to configure the mapping between a custom role and a role of a MaxCompute project.
For example, you can configure the mapping between the custom role test and the Admin role of a MaxCompute project. This way, the custom role can assume the Admin role when the custom role is used to access the MaxCompute project. For more information about the mappings between the roles of various engines and DataWorks roles, see Appendix: Mappings between DataWorks built-in workspace-level roles and MaxCompute roles.
- Click Configure. When the Created successfully message appears, the custom role is created. When you add a member later, you can assign this role to the member.
Step 3: Add and manage workspace members
- Go to the Manage Members tab. For more information, see Step 1: Go to the Manage Members tab. Click Add Member in the upper-right corner of the Manage Members tab.
- In the Add Member dialog box, select one or more RAM users from the Available Accounts list.
- Click the > icon to move the selected RAM users to the Added Accounts list.
- In the Batch role setting section, select one or more roles that you want to assign to the selected RAM users. After the roles are assigned, the RAM users have the corresponding permissions.
- Click Confirm.
- View member information.
You can view the Alibaba Cloud accounts of members and the roles that are assigned to the members in the current workspace. You can also search for a specific member by the name of the member, the Alibaba Cloud account of the member, or the role that is assigned to the member. Then, you can view the member information and the number of members to which the role has been assigned. This allows you to manage members and roles assigned to the members in a centralized manner.
- Remove a member.
On the Manage Members tab, find a member that you want to remove from the workspace and click Remove in the Actions column. If you want to remove multiple members from the workspace at a time, you can select them and click Batch removal.
View the permissions of users
show grants -- Query your access permissions. show grants for <username> -- Query the access permissions of a specified user. You can execute this statement only if you are assigned the Workspace Manager role.
For more information, see Check permissions.