This topic provides answers to some frequently asked questions about operation permission management.

How do I grant users in a workspace the permissions on service modules?

You can assign built-in roles to RAM users to control their permissions on service modules based on your business scenarios. You can also assign custom workspace-level roles to the RAM users to control their read/write permissions on service modules. For more information about the permissions of each built-in role, see Permission list. For more information about custom workspace-level roles, see Manage members and roles.

How do I grant users in a workspace the operation permissions on compute engine instances?

After you assign a workspace-level role to a user, the operation permissions granted to the user are based on the compute engine type and compute engine configurations.

  • Logic of operation permissions on MaxCompute compute engine instances:
    • The DataWorks built-in roles and the roles in a MaxCompute project in the development environment have a permission mapping. By default, a DataWorks built-in role has all the permissions its mapped MaxCompute project role has on MaxCompute compute engine instances in the development environment.
    • The DataWorks built-in roles and the roles in a MaxCompute project in the production environment do not have a permission mapping. A DataWorks built-in role cannot directly manage resources of a MaxCompute project in the production environment.
      Note For example, a user that is assigned the Workspace Manager or Development role has permissions on most service modules and all the permissions on a workspace in the development environment (a MaxCompute project in the development environment). By default, the user that is assigned the Workspace Manager or Development role does not have the permissions on the same workspace in the production environment (the same MaxCompute project in the production environment). If a RAM user wants to access a table in the production environment from the development environment, you must apply for the operation permissions on the table for the RAM user in Data Map. For more information, see Request permissions.
      Node running environment: The node is run in DataStudio (in the development environment).
      • Scenario 1: Use an Alibaba Cloud account or a RAM user to run the select col1 from tablename command to access a table in the development environment. Specify the table name in the following format: projectname_dev.tablename.
      • Scenario 2: Use an Alibaba Cloud account or a RAM user to run the select col1 from projectname.tablename command to access a table in the production environment. Specify the table name in the following format: projectname.tablename.
        Note By default, a RAM user that is not selected when you associate a MaxCompute compute engine instance with a workspace does not have permissions to access data in the production environment. If you want to use the RAM user to access data in the production environment, you must apply for permissions in Data Map.
      Node running environment: The node is run in Operation Center (in the production environment).
      • Scenario: Use the account that is selected when you associate a MaxCompute compute engine instance with a workspace to run the select col1 from tablename command to access a table in the production environment. Specify the table name in the following format: projectname.tablename.
  • Logic and description of operation permissions on E-MapReduce (EMR) compute engine instances:
    • Logic: If your workspace is associated with an EMR compute engine instance, the permissions of a built-in role on DataWorks service modules are determined by the role itself, whereas the permissions of the role on the compute engine instance are those of the account that is selected when the compute engine instance is associated with the workspace.
      Shortcut mode
      • Environment: The node is run in DataStudio (in the development environment) or in Operation Center (in the production environment).
      • Account in use: Hadoop user.
      Security mode
      • Environment: The node is run in DataStudio (in the development environment). Account in use: the account that you selected for the development environment when you configured the compute engine.
      • Environment: The node is run in Operation Center (in the production environment). Account in use: the account that you selected for the production environment when you configured the compute engine.
      • How it works: You can configure the Lightweight Directory Access Protocol (LDAP) permission mapping for members in a DataWorks workspace to manage the permissions of a RAM user on EMR features when the RAM user uses DataWorks. When you use an Alibaba Cloud account or a RAM user to commit code in DataWorks, the EMR user that has the same name runs the node.
        Note For more information about the permission mapping between DataWorks members and EMR users, see Associate an EMR cluster with a DataWorks workspace.
    • Permission control: You can use EMR Ranger to manage the permissions of each user in an EMR compute engine instance. This ensures that Alibaba Cloud accounts, node owners, or RAM users have different data permissions when they run EMR nodes in DataWorks.
  • Logic of operation permissions on other compute engine instances:

    If you associate a workspace with a compute engine instance other than a MaxCompute or EMR compute engine instance, whether the node that you want to run in DataStudio can use the compute engine resources is determined by the account that is selected when you associate the compute engine instance with the workspace.
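The MaxCompute scenarios above boil down to a resolution rule: in DataStudio an unqualified table name refers to projectname_dev, an explicit projectname.tablename refers to the production project and needs a Data Map grant, and in Operation Center unqualified names refer to the production project. The following script applies that rule to a node's SQL so that production reads from a development node can be spotted before the node is committed. It is an added example, not DataWorks code; the project name sales_proj, the sample SQL, and the regular-expression scanner (which only recognises FROM and JOIN references) are assumptions made for the illustration.

```python
"""
Resolve the MaxCompute project that each table reference in a DataWorks node
would hit, following the FAQ rules:

  - DataStudio (development environment): `tablename` -> `projectname_dev.tablename`;
    an explicit `projectname.tablename` reads the PRODUCTION table and the RAM
    user needs a permission grant obtained through Data Map.
  - Operation Center (production environment): `tablename` -> `projectname.tablename`.

Added illustration, not DataWorks code. The scanner below is a regular
expression over FROM/JOIN clauses, adequate for the constructed sample only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List

DEV = "DataStudio"          # node run in the development environment
PROD = "Operation Center"   # node run in the production environment

# Matches `FROM t`, `JOIN t`, `FROM proj.t`; identifiers are assumed to be plain words.
_TABLE_REF = re.compile(
    r"\b(?:from|join)\s+([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)", re.IGNORECASE
)


@dataclass(frozen=True)
class Resolved:
    reference: str        # table reference as written in the SQL
    qualified: str        # projectname_dev.tablename or projectname.tablename
    environment: str      # "development" or "production"
    needs_data_map: bool  # True when a development node reads a production table


def resolve_reference(reference: str, run_env: str, project: str) -> Resolved:
    """Map one table reference to the project it resolves to in `run_env`."""
    if "." in reference:
        proj, table = reference.split(".", 1)
    else:
        proj, table = None, reference

    if run_env == DEV:
        if proj is None or proj == f"{project}_dev":
            # Scenario 1: unqualified (or explicit _dev) name -> development project.
            return Resolved(reference, f"{project}_dev.{table}", "development", False)
        # Scenario 2: explicit projectname.tablename -> production table; the
        # RAM user must already hold a Data Map grant for it.
        return Resolved(reference, f"{proj}.{table}", "production", True)

    if run_env == PROD:
        # Operation Center: the account chosen at engine association runs the
        # node and unqualified names resolve to the production project.
        return Resolved(reference, f"{proj or project}.{table}", "production", False)

    raise ValueError(f"unknown run environment: {run_env!r}")


def scan_sql(sql: str, run_env: str, project: str) -> List[Resolved]:
    """Resolve every FROM/JOIN table reference found in a node's SQL text."""
    return [resolve_reference(m.group(1), run_env, project) for m in _TABLE_REF.finditer(sql)]


def production_reads_from_dev(sql: str, project: str) -> List[str]:
    """Production tables a DataStudio node would read, i.e. those needing Data Map grants."""
    return [r.qualified for r in scan_sql(sql, DEV, project) if r.needs_data_map]


if __name__ == "__main__":
    # Constructed sample node SQL; sales_proj is a placeholder project name.
    sample = """
        SELECT o.col1, c.col2
        FROM orders o
        JOIN sales_proj.customers c ON o.cid = c.cid
    """
    for r in scan_sql(sample, DEV, "sales_proj"):
        print(f"{r.reference:22s} -> {r.qualified:28s} {r.environment:12s} data_map={r.needs_data_map}")
    print("production tables read from the development node:",
          production_reads_from_dev(sample, "sales_proj"))
```

Running the script against the sample shows orders resolving to sales_proj_dev.orders with no extra grant, while sales_proj.customers is flagged as a production read that requires a Data Map request for the RAM user who will run the node in DataStudio.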

How do I allow access to the DataWorks console only from the internal network of an enterprise?

If you want to allow access to the DataWorks console only from the internal network of an enterprise, log on to the RAM console and configure a security policy that allows access only from the public IP addresses to which the private IP addresses of the enterprise are translated.

For more information, see Configure security policies for RAM users.
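A common mistake when filling in such an allowlist is to enter the enterprise's private LAN ranges: the RAM console only ever sees the translated public address, so a private entry never matches a login, and an over-broad entry such as 0.0.0.0/0 removes the restriction altogether. The script below checks candidate entries for exactly those two problems before they are entered, and evaluates whether a given source address would pass. It is an added example, not Alibaba Cloud code; the ranges it validates are constructed placeholders (203.0.113.0/24 stands in for an enterprise's public egress range), and handling only IPv4 is a simplification of this example.

```python
"""
Sanity-check an allowlist of public IP ranges before entering it in the RAM
security policy that restricts console logins to the enterprise network.

Added illustration, not Alibaba Cloud code. Sample ranges are constructed.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Ranges that can never be the source address of a console login arriving from
# the Internet. An allowlist entry overlapping one of them is almost certainly
# a private LAN address entered instead of the public (translated) address.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private ranges
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def validate_allowlist(entries: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Split candidate entries into usable public IPv4 ranges and rejection reasons."""
    accepted: List[ipaddress.IPv4Network] = []
    problems: List[str] = []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            problems.append(f"{raw!r}: not an IP address or CIDR range")
            continue
        if net.version != 4:
            # Simplification of this example: only IPv4 entries are validated.
            problems.append(f"{raw!r}: only IPv4 is handled in this example")
            continue
        if net.prefixlen == 0:
            problems.append(f"{raw!r}: matches every address, so it restricts nothing")
            continue
        clash = next((r for r in _NON_ROUTABLE if net.overlaps(r)), None)
        if clash is not None:
            problems.append(
                f"{raw!r}: overlaps non-routable range {clash}; "
                "enter the public address the enterprise's traffic is translated to"
            )
            continue
        accepted.append(net)
    return accepted, problems


def login_allowed(source_ip: str, allowlist: Iterable[ipaddress.IPv4Network]) -> bool:
    """Would a console login seen from `source_ip` pass the allowlist?"""
    addr = ipaddress.ip_address(source_ip)
    return addr.version == 4 and any(addr in net for net in allowlist)


if __name__ == "__main__":
    # Constructed candidate entries: one public egress range, one private LAN
    # range entered by mistake, one wildcard, and one typo.
    candidates = ["203.0.113.0/24", "192.168.1.0/24", "0.0.0.0/0", "not-an-ip"]
    ok, bad = validate_allowlist(candidates)
    print("accepted:", [str(n) for n in ok])
    for reason in bad:
        print("rejected:", reason)
    print("login from 203.0.113.45 allowed:", login_allowed("203.0.113.45", ok))
    print("login from 192.168.1.10 allowed:", login_allowed("192.168.1.10", ok))
```

The second login check illustrates the original point: a user sitting on the 192.168.1.0/24 LAN reaches the console through the enterprise's public address, so only the public range in the allowlist matters, and the private address itself is never what the console evaluates.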