DataWorks provides a comprehensive permission control system in terms of platform permissions and service permissions. Alibaba Cloud Resource Access Management (RAM) policies are used to manage permissions on console operations, such as creating a workspace. This topic describes the permissions related to the DataWorks console.
Permission control scope

- You can use the system policies provided by DataWorks to grant large-scope permissions to a RAM user. For more information, see System policies: large-scope permission control for console operations in this topic.
- DataWorks provides fine-grained RAM policy components that you can use to create custom policies based on your needs. This allows you to scale down the scope of permissions. You can select a custom policy when you grant permissions to users. For more information, see Custom RAM policies: fine-grained permission control for console operations in this topic.
Usage notes
Custom permission control based on fine-grained RAM policies has not been fully launched in DataWorks and is available only to specific users. If this feature is unavailable to you, wait for its full-scale launch.
System policies: large-scope permission control for console operations
System policy | Description |
---|---|
AliyunDataWorksFullAccess | Allows the user to perform all the operations in a DataWorks workspace. |
AliyunBSSOrderAccess | Allows the user to purchase related services. |
Custom RAM policies: fine-grained permission control for console operations
- A version number.
- A list of statements. Each statement contains the following elements: effect, action, resource, and condition. The condition element is optional.

Note: For more information about the syntax of RAM policies, see Policy structure and syntax.
- When you create a custom policy, replace the content that starts with the placeholder $ in the Resource column of the following tables with a real ID. For example, you must replace $regionid with the ID of a region and $accountid with the UID of an Alibaba Cloud account.
- The asterisk (*) is a wildcard. You can replace the asterisk with specific values to further scale down the scope of permission control. For example, if you replace workspace/* with workspace/workspaceid, the policy takes effect only in the specified workspace.
- Workspace-related permissions

Action | Resource | Description |
---|---|---|
CreateWorkspace | acs:dataworks:$regionid:$accountid:workspace/* | Creates a workspace. |
ModifyWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Modifies a workspace. |
DeleteWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Deletes a workspace. |
DisableWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Disables a workspace. |
EnableWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Enables a workspace. |

- Resource group-related permissions

Action | Resource | Description | Remarks |
---|---|---|---|
ListResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/* | Displays the Exclusive Resource Groups tab in the DataWorks console. If a user is not granted this permission, the Exclusive Resource Groups tab is not displayed in the console for the user. | The ListResourceGroup and ShowResourceGroupDetail permissions are often used together to determine whether a user can view exclusive resource groups. If the user is granted only the ListResourceGroup permission, the Exclusive Resource Groups tab is displayed but blank. If the user is granted both the ListResourceGroup and ShowResourceGroupDetail permissions, the Exclusive Resource Groups tab is displayed, and on the tab the user can view the details of the resource groups that are specified by the ShowResourceGroupDetail action. Note: Before you grant the ShowResourceGroupDetail permission to a user, you must grant the ListResourceGroup permission. If the user is granted only the ShowResourceGroupDetail permission, the user cannot view details of exclusive resource groups. |
ShowResourceGroupDetail | acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName | Displays the details of the specified resource groups. | See the remarks for ListResourceGroup. |
CreateResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/* | Creates an exclusive resource group. | This permission does not allow a user to purchase exclusive resource groups. Instead, it allows a user to create a resource group in the DataWorks console based on a paid order. To allow a user to purchase, scale out, scale in, or renew a resource group or change the specifications of a resource group, you must grant the user the AliyunDataWorksFullAccess and AliyunBSSOrderAccess permissions. |
ModifyResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName | Modifies an exclusive resource group. | - |

- Alert-related permissions

Action | Resource | Description |
---|---|---|
ListContacts | acs:dataworks:$regionid:$accountid:contacts_ram_user/* | Lists the alert contacts. |
ModifyContacts | acs:dataworks:$regionid:$accountid:contacts_ram_user/* | Modifies the information about the alert contacts. |
ListAlarmResource | acs:dataworks:$regionid:$accountid:alarm_resource/* | Lists the alert resources. |
SetUpperLimits | acs:dataworks:$regionid:$accountid:alarm_resource/* | Sets upper limits on the usage of alert resources. |
Grant permissions to a RAM user
To grant permissions to a RAM user by using an Alibaba Cloud account or the credentials of a RAM user that has the AdministratorAccess permission, perform the following steps:
Example 1: Authorize a custom role to modify workspaces
```json
{
  "Statement": [
    {
      "Action": "dataworks:ModifyWorkspace",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:workspace/$workspaceName"
    }
  ],
  "Version": "1"
}
```
Example 2: Authorize a custom role to view and manage an exclusive resource group
```json
{
  "Statement": [
    {
      "Action": "dataworks:ListResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ShowResourceGroupDetail",
      "Effect": "Allow",
      "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/resourceGroupName2"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/resourceGroupName2"
    }
  ],
  "Version": "1"
}
```
Example 3: Authorize a custom role to view alert resources, set upper limits on the usage of alert resources, and view alert contacts
```json
{
  "Statement": [
    {
      "Action": "dataworks:ListAlarmResource",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "dataworks:SetUpperLimits",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:alarm_resource/*"
    },
    {
      "Action": "dataworks:ListContacts",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:contacts_ram_user/*"
    }
  ],
  "Version": "1"
}
```
Example 4: Authorize a custom role to view resource groups that reside in the China (Shanghai) region and create and modify exclusive resource groups
```json
{
  "Statement": [
    {
      "Action": "dataworks:ListResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ShowResourceGroupDetail",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:CreateResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName1"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName2"
    }
  ],
  "Version": "1"
}
```
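
The following check is an added example, not part of the DataWorks documentation: it applies the rules described in this topic to a custom policy before the policy is attached, flagging unreplaced $ placeholders, bare * resources, malformed resource strings, mixed account IDs, and ShowResourceGroupDetail granted without ListResourceGroup. The function name lint_policy, the resource regular expression, and the sample account IDs and names are assumptions made for illustration.

```python
import json
import re

# Resource shape used in the tables on this page (regex is an assumption):
# acs:dataworks:<region>:<account>:<resource_type>/<name>
ARN_RE = re.compile(r"^acs:dataworks:([^:]+):([^:]+):([a-z_]+)/(.+)$")

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def lint_policy(policy_text):
    """Return a list of findings for a DataWorks custom policy document."""
    findings, allowed, accounts = [], set(), set()
    for i, stmt in enumerate(json.loads(policy_text).get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            allowed.update(as_list(stmt.get("Action", [])))
        for res in as_list(stmt.get("Resource", [])):
            match = ARN_RE.match(res)
            if "$" in res:
                findings.append(f"statement {i}: unreplaced placeholder in {res}")
            if res == "*":
                findings.append(f"statement {i}: bare '*' covers every resource")
            elif not match:
                findings.append(f"statement {i}: malformed resource {res}")
            elif match.group(2) != "*":
                accounts.add(match.group(2))
    if len(accounts) > 1:
        findings.append(f"mixed account IDs: {sorted(accounts)}")
    # Per the note on this page, ShowResourceGroupDetail alone shows nothing.
    if ("dataworks:ShowResourceGroupDetail" in allowed
            and "dataworks:ListResourceGroup" not in allowed):
        findings.append("ShowResourceGroupDetail without ListResourceGroup")
    return findings

# Constructed sample: the account IDs and resource names are made up.
SAMPLE = json.dumps({"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "dataworks:ListAlarmResource", "Resource": "*"},
    {"Effect": "Allow", "Action": "dataworks:ShowResourceGroupDetail",
     "Resource": "acs:dataworks::cn-shanghai:1000000000000001:exclusive_resource_group/rg_a"},
    {"Effect": "Allow", "Action": "dataworks:ModifyResourceGroup",
     "Resource": "acs:dataworks:cn-shanghai:1000000000000002:exclusive_resource_group/rg_a"},
    {"Effect": "Allow", "Action": "dataworks:ModifyWorkspace",
     "Resource": "acs:dataworks:$regionid:1000000000000001:workspace/ws_a"},
]})

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE):
        print(finding)
```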