DataWorks allows you to grant different permissions on workspace-level services in a workspace to workspace members by assigning the members different roles. The roles that can be assigned to members include built-in workspace-level roles and custom workspace-level roles. The built-in workspace-level roles are granted fixed permissions on specific workspace-level services. The custom workspace-level roles can be used to control the read and write permissions of members on workspace-level services. This topic describes the workspace-level roles that can be used to manage permissions on workspace-level services and the basic operations that can be performed to manage permissions of workspace members on workspace-level services.
Background information
No. | Description | References |
---|---|---|
1 | A DataWorks workspace is a basic unit in which different roles can be used for collaborative data development. All data development operations are performed in a specific workspace. If you want to allow a RAM user to collaboratively perform data development operations, you must add the RAM user to a workspace as a member and assign roles to the member based on your business requirements. You can assign the built-in workspace roles provided by DataWorks to the member. For example, if you assign the Development role to the member, the member can perform data development operations in a workspace but cannot perform the deploy operation. | Permissions of built-in workspace-level roles |
2 | If the built-in workspace-level roles cannot meet your business requirements, you can create a custom workspace-level role and assign the role to a RAM user. This way, you can control the permissions of the RAM user on a specific workspace-level service. For example, you can create a custom workspace-level role and assign the role to a RAM user to deny the access permissions on DataService Studio for the RAM user. | Workspace-level roles |
3 | Permission management on workspace-level services in DataWorks is performed based on the role-based access control (RBAC) model. After you add a RAM user to a workspace as a member and assign a workspace-level role to the member, the member is granted the permissions of the role on the related workspace-level service. | Overview of the DataWorks permission management system |
Limits
- Only workspaces of DataWorks Enterprise Edition support custom roles. For information about DataWorks editions, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see Billing of DataWorks advanced editions.
- Only the Workspace Manager and Project Owner roles can be used to add members, change the roles that are assigned to members, remove members, and delete custom roles.
- Only an Alibaba Cloud account, or a RAM user that is assigned the Admin or Super_Administrator role of a MaxCompute project, can configure the mapping between a DataWorks custom workspace-level role and a role of a MaxCompute project.
- You cannot change the permissions of the built-in roles.
Workspace-level roles
DataWorks provides different identities, such as members and roles, at the workspace level. You can assign different roles to users based on the requirements of users for the workspace. DataWorks provides built-in workspace-level roles that are granted fixed permissions on specific workspace-level services. If the built-in workspace-level roles cannot meet your business requirements, you can create a custom workspace-level role on the Roles tab of the User Management page.
Built-in workspace-level roles
Role | Description |
---|---|
Project Owner | This role has all permissions on a workspace. The owner of a workspace is an Alibaba Cloud account. For example, the Project Owner role can be used to assign a role to a RAM user and remove a member that is not the owner of a workspace from the workspace. |
Workspace Manager | This role has permissions that are second only to the permissions of the Project Owner role. The Workspace Manager role can also be used to perform operations such as adding a user to a workspace as a member, removing a member from a workspace, or assigning a role to a member. |
Data Analyst | This role has permissions only on DataAnalysis. |
Development | This role has permissions to perform data development and maintenance operations on the DataStudio page of a workspace. |
O&M | This role has permissions to deploy nodes to the production environment on the Create Deploy Task page and perform the O&M operations on all nodes in a workspace in Operation Center. |
Deploy | This role has permissions to review the code of a node and determine whether to commit the node to Operation Center in a workspace in standard mode. |
Visitor | This role has read-only permissions on workflows and code on the DataStudio page of a workspace. |
Safety Manager | This role has permissions only on Data Security Guard. |
Model Developer | This role has permissions to view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models. |
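
The following is an added example, not DataWorks code: a periodic review of role assignments based on the built-in roles in the preceding table. It flags members that hold the Development role together with Deploy or O&M, lists custom roles for manual review, and reports when too many members hold Workspace Manager. The input tuples, the custom role name `no_dataservice`, the threshold, and the separation-of-duties policy are assumptions of the example.

```python
from collections import defaultdict

# Role names as listed in the built-in workspace-level roles table.
MANAGER_ROLE = "Workspace Manager"
AUTHOR_ROLES = {"Development"}
RELEASE_ROLES = {"Deploy", "O&M"}
BUILT_IN_ROLES = AUTHOR_ROLES | RELEASE_ROLES | {
    "Project Owner", MANAGER_ROLE, "Data Analyst", "Visitor",
    "Safety Manager", "Model Developer",
}

# Constructed sample data: (RAM user, assigned workspace-level role).
# This is not a DataWorks export format.
SAMPLE_ASSIGNMENTS = [
    ("alice", MANAGER_ROLE),
    ("bob", "Development"), ("bob", "Deploy"),
    ("carol", MANAGER_ROLE),
    ("dave", "Visitor"),
    ("erin", "no_dataservice"),  # hypothetical custom role
    ("frank", "Development"), ("frank", "O&M"),
    ("grace", MANAGER_ROLE),
]

def review_assignments(assignments, max_managers=2):
    """Return (subject, finding code, detail) tuples for manual follow-up."""
    roles = defaultdict(set)
    for user, role in assignments:
        roles[user].add(role)

    findings = []
    for user in sorted(roles):
        held = roles[user]
        # Policy assumption: whoever writes code should not also release it.
        release = held & RELEASE_ROLES
        if held & AUTHOR_ROLES and release:
            detail = "Development with " + ", ".join(sorted(release))
            findings.append((user, "SOD", detail))
        # A custom role's name does not reveal its per-service permission
        # (Unauthorized, Read-only, Read and Write), so list it for review.
        for role in sorted(held - BUILT_IN_ROLES):
            findings.append((user, "CUSTOM_ROLE", role))

    # Workspace Manager can add members and assign roles; keep the set small.
    managers = sorted(u for u, held in roles.items() if MANAGER_ROLE in held)
    if len(managers) > max_managers:
        findings.append(("workspace", "MANAGER_COUNT", ", ".join(managers)))
    return findings

if __name__ == "__main__":
    for finding in review_assignments(SAMPLE_ASSIGNMENTS):
        print(finding)
```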
Custom workspace-level roles

- Unauthorized: The role does not have permissions on the related service.
- Read-only: The role can only view the data in the related service.
- Read and Write: The role can modify the data in the related service.
Add a RAM user to a workspace as a member and assign roles to the member
After you add a RAM user to a workspace as a member, you can assign a built-in workspace-level role to the member based on your business requirements. By default, after a RAM user is added to a workspace as a member, the member can access all workspace-level services. If you want to prohibit the member from accessing a specific workspace-level service, you can create a custom workspace-level role for which access permissions on the service are denied and assign the role to the member. This way, the member cannot access the workspace-level service.
Go to the Manage Members tab
- Log on to the DataWorks console and go to the Workspace Management page.
- In the left-side navigation pane, click User Management. The Manage Members tab appears.
Add a RAM user to a workspace as a member and manage members in the workspace
(Optional) Create a custom workspace-level role
You cannot change the permissions of built-in workspace-level roles. If the built-in workspace-level roles cannot meet your business requirements for permission management, you can create a custom workspace-level role on the Roles tab.