DataWorks provides a comprehensive permission control system in terms of platform permissions and service permissions. Alibaba Cloud Resource Access Management (RAM) policies are used to manage permissions on console operations, such as creating a workspace. This topic describes the permissions related to the DataWorks console.

Permission control scope

Platform permissions of DataWorks are the permissions that are required to perform operations in the DataWorks console. Such operations include creating, disabling, and deleting a workspace on the Workspaces page, creating an exclusive resource group and configuring its network settings on the Resource Groups page, and configuring alert contacts on the Alert Contacts page. You can log on to the DataWorks console to view the operations that are supported in the DataWorks console.
DataWorks provides two methods for managing permissions on console operations: system policies, which grant large-scope permissions, and custom RAM policies, which grant fine-grained permissions. Both methods are described in the following sections.

Usage notes

The feature of using fine-grained RAM policies to achieve custom permission control in DataWorks has not been launched at full scale and is available only to specific users. If this feature is unavailable to you, wait for its full-scale launch.

System policies: large-scope permission control for console operations

The following table describes the system policies that are provided by DataWorks. You can select the policies to grant the corresponding permissions to a RAM user.
System policy | Description
AliyunDataWorksFullAccess | Allows the user to perform all operations in a DataWorks workspace.
AliyunBSSOrderAccess | Allows the user to purchase related services.
For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user in this topic.

Custom RAM policies: fine-grained permission control for console operations

A custom RAM policy contains the following elements:
  • A version number.
  • A list of statements. Each statement contains the following elements: effect, action, resource, and condition. The condition element is optional.
    Note For more information about the syntax of RAM policies, see Policy structure and syntax.
The custom policy components (actions) that DataWorks provides are grouped by resource type in the following tables.
Note When you configure resources, take note of the following items:
  • When you create a custom policy, replace the content that starts with the placeholder $ in the Resource column of the following table with a real ID. For example, you must replace $regionid with the ID of a region and $accountid with the UID of an Alibaba Cloud account.
  • The asterisk (*) is a wildcard. You can replace the asterisk with specific values to further scale down the scope of permission control. For example, if you replace workspace/* with workspace/workspaceid, the policy takes effect in the specified workspace.
  • Workspace-related permissions
    Action | Resource | Description
    CreateWorkspace | acs:dataworks:$regionid:$accountid:workspace/* | Creates a workspace.
    ModifyWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Modifies a workspace.
    DeleteWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Deletes a workspace.
    DisableWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Disables a workspace.
    EnableWorkspace | acs:dataworks:$regionid:$accountid:workspace/$workspaceName | Enables a workspace.
  • Resource group-related permissions
    Action | Resource | Description | Remarks
    ListResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/* | Displays the Exclusive Resource Groups tab in the DataWorks console. If a user is not granted this permission, the Exclusive Resource Groups tab is not displayed in the console for the user. | The ListResourceGroup and ShowResourceGroupDetail permissions are often used together to determine whether a user can view exclusive resource groups:
    • If the user is granted only the ListResourceGroup permission, the Exclusive Resource Groups tab is displayed but blank.
    • If the user is granted both the ListResourceGroup and ShowResourceGroupDetail permissions, the Exclusive Resource Groups tab is displayed, and the user can view the details of the resource groups that are specified by the ShowResourceGroupDetail action.
    Note Before you grant the ShowResourceGroupDetail permission to a user, you must grant the ListResourceGroup permission. If the user is granted only the ShowResourceGroupDetail permission, the user cannot view the details of exclusive resource groups.
    ShowResourceGroupDetail | acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName | Displays the details of the specified resource groups. | See the remarks for ListResourceGroup.
    CreateResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/* | Creates an exclusive resource group. | This permission does not allow a user to purchase exclusive resource groups. It allows a user to create a resource group in the DataWorks console based on a paid order. To allow a user to purchase, scale out, scale in, or renew a resource group, or change the specifications of a resource group, you must grant the user the AliyunDataWorksFullAccess and AliyunBSSOrderAccess policies.
    ModifyResourceGroup | acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName | Modifies an exclusive resource group. | -
  • Alert-related permissions
    Action | Resource | Description
    ListContacts | acs:dataworks:$regionid:$accountid:contacts_ram_user/* | Lists the alert contacts.
    ModifyContacts | acs:dataworks:$regionid:$accountid:contacts_ram_user/* | Modifies the information about the alert contacts.
    ListAlarmResource | acs:dataworks:$regionid:$accountid:alarm_resource/* | Lists the alert resources.
    SetUpperLimits | acs:dataworks:$regionid:$accountid:alarm_resource/* | Sets upper limits on the usage of alert resources.
To grant a RAM user fine-grained permissions on console operations, you must create a custom policy based on the permissions described in the preceding tables and attach the policy to the RAM user. For more information about the procedure, see Grant permissions to a RAM user in this topic.

Grant permissions to a RAM user

To grant permissions to a RAM user by using an Alibaba Cloud account, or by using a RAM user that has the AdministratorAccess permission, perform the following steps:

  1. (Optional) Create a custom policy.
    To achieve fine-grained permission control, you must first create a custom policy based on your needs. If you want to grant large-scale permissions by using system policies, skip this step.

    Log on to the RAM console by using your Alibaba Cloud account. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, create a custom policy. For more information, see Create a custom policy.

    DataWorks allows you to create a custom policy only by editing the script. Use the custom policy components described in the preceding tables based on your needs. The following figure (Custom role) shows an example of how to edit the script.
    Note When you configure resources, replace the content that starts with the placeholder $ (for example, $regionid and $accountid) with real IDs, and replace the wildcard (*) with specific values to narrow the scope of the policy, as described in the Custom RAM policies section of this topic.
    The examples at the end of this topic provide sample policies for typical scenarios.
  2. Grant permissions to the RAM user.
    Log on to the RAM console by using your Alibaba Cloud account. In the left-side navigation pane, choose Permissions > Grants. On the Grants page, grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.

Example 1: Authorize a custom role to modify workspaces

Use the following code to edit the script for the policy:
{
    "Statement": [
        {
            "Action": "dataworks:ModifyWorkspace",
            "Effect": "Allow",
            "Resource": "acs:dataworks:$regionid:$accountid:workspace/$workspaceName"
        }
    ],
    "Version": "1"
}

Example 2: Authorize a custom role to view and manage an exclusive resource group

Use the following code to edit the script for the policy:
{
    "Statement": [
        {
            "Action": "dataworks:ListResourceGroup",
            "Effect": "Allow",
            "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
        },
        {
            "Action": "dataworks:ShowResourceGroupDetail",
            "Effect": "Allow",
            "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/resourceGroupName2"
        },
        {
            "Action": "dataworks:ModifyResourceGroup",
            "Effect": "Allow",
            "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/resourceGroupName2"
        }
    ],
    "Version": "1"
}

Example 3: Authorize a custom role to view alert resources, set upper limits on the usage of alert resources, and view alert contacts

Use the following code to edit the script for the policy:
{
  "Statement": [
    {
      "Action": "dataworks:ListAlarmResource",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "dataworks:SetUpperLimits",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:alarm_resource/*"
    },
    {
      "Action": "dataworks:ListContacts",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:contacts_ram_user/*"
    }
  ],
  "Version": "1"
}

Example 4: Authorize a custom role to view resource groups that reside in the China (Shanghai) region and create and modify exclusive resource groups

Note In this example, a user who is granted the related permissions can create a resource group based on a paid order but cannot purchase an exclusive resource group.
Use the following code to edit the script for the policy:
{
  "Statement": [
    {
      "Action": "dataworks:ListResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ShowResourceGroupDetail",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:CreateResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName1"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName2"
    }
  ],
  "Version": "1"
}
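To check a drafted policy before you paste it into the RAM console, the following Python script, which is an added example and not DataWorks or RAM code, lints a policy document against the tables in this topic: it flags placeholders that still start with $, resource strings that do not follow the acs:dataworks:<region>:<account>:<type>/<name> layout (for example, a doubled colon), actions scoped to the wrong resource type, and ShowResourceGroupDetail granted without its ListResourceGroup prerequisite. The action-to-resource-type map and the prerequisite come from the tables above; the ARN pattern, the check logic, and the sample policies (with the made-up region cn-shanghai and account 123456) are this example's own assumptions.

```python
"""Lint a DataWorks custom RAM policy against the permission tables in this topic.

Added example, not DataWorks or RAM code. The action-to-resource-type map and
the ListResourceGroup prerequisite come from the tables above; the ARN pattern,
the checks and the sample policies are assumptions made for this example.
"""
import json
import re

# Resource type each action must be scoped to (from the tables above).
ACTION_RESOURCE_TYPE = {
    "CreateWorkspace": "workspace",
    "ModifyWorkspace": "workspace",
    "DeleteWorkspace": "workspace",
    "DisableWorkspace": "workspace",
    "EnableWorkspace": "workspace",
    "ListResourceGroup": "exclusive_resource_group",
    "ShowResourceGroupDetail": "exclusive_resource_group",
    "CreateResourceGroup": "exclusive_resource_group",
    "ModifyResourceGroup": "exclusive_resource_group",
    "ListContacts": "contacts_ram_user",
    "ModifyContacts": "contacts_ram_user",
    "ListAlarmResource": "alarm_resource",
    "SetUpperLimits": "alarm_resource",
}

# Actions that are ineffective unless another action is granted as well
# (see the Remarks for ShowResourceGroupDetail above).
PREREQUISITE = {"ShowResourceGroupDetail": "ListResourceGroup"}

# Assumed layout: acs:dataworks:<region>:<account>:<type>/<name>.
# Region and account may be "*", but an empty segment (a doubled ":") does not match.
ARN_RE = re.compile(r"^acs:dataworks:([^:]+):([^:]+):([A-Za-z_]+)/(.+)$")


def _as_list(value):
    """RAM accepts Action and Resource as either a string or a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> list:
    """Return human-readable findings for a policy document; [] means clean."""
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    granted = set()  # short action names granted by Allow statements
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements grant anything
        names = []
        for action in _as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service != "dataworks":
                findings.append(f"statement {idx}: action {action!r} is not a DataWorks action")
                continue
            if name == "*":
                findings.append(f"statement {idx}: 'dataworks:*' grants every console action")
                continue
            if name not in ACTION_RESOURCE_TYPE:
                findings.append(f"statement {idx}: unknown action {action!r}")
                continue
            names.append(name)
            granted.add(name)
        for resource in _as_list(stmt.get("Resource", [])):
            if "$" in resource:
                findings.append(f"statement {idx}: resource {resource!r} still contains a $ placeholder")
            if resource == "*":
                findings.append(f"statement {idx}: resource '*' is not scoped to a DataWorks resource type")
                continue
            match = ARN_RE.match(resource)
            if not match:
                findings.append(f"statement {idx}: malformed resource {resource!r}")
                continue
            rtype = match.group(3)
            for name in names:
                expected = ACTION_RESOURCE_TYPE[name]
                if rtype != expected:
                    findings.append(f"statement {idx}: {name} must be scoped to {expected}/..., not {rtype}/...")
    for name, needed in PREREQUISITE.items():
        if name in granted and needed not in granted:
            findings.append(f"{name} is granted without {needed}; the user will not see resource group details")
    return findings


# Constructed sample with several defects (unreplaced $regionid, a doubled colon,
# an alert action scoped to a workspace, and no ListResourceGroup).
SAMPLE_BAD_POLICY = """{
  "Statement": [
    {"Action": "dataworks:ModifyWorkspace", "Effect": "Allow",
     "Resource": "acs:dataworks:$regionid:123456:workspace/ws_demo"},
    {"Action": "dataworks:ShowResourceGroupDetail", "Effect": "Allow",
     "Resource": "acs:dataworks::cn-shanghai:123456:exclusive_resource_group/*"},
    {"Action": "dataworks:SetUpperLimits", "Effect": "Allow",
     "Resource": "acs:dataworks:cn-shanghai:123456:workspace/*"}
  ],
  "Version": "1"
}"""

# Constructed clean sample: Example 1 above with the placeholders filled in.
SAMPLE_CLEAN_POLICY = """{
  "Statement": [
    {"Action": "dataworks:ModifyWorkspace", "Effect": "Allow",
     "Resource": "acs:dataworks:cn-shanghai:123456:workspace/ws_demo"}
  ],
  "Version": "1"
}"""

if __name__ == "__main__":
    for label, doc in (("bad", SAMPLE_BAD_POLICY), ("clean", SAMPLE_CLEAN_POLICY)):
        print(label, lint_policy(doc) or "no findings")
```

Run the script as-is to see the four findings for the defective sample and an empty result for the clean one; to lint your own draft, pass the script text you intend to paste into the RAM console to lint_policy. The checks are deliberately conservative: a finding means the policy will either be rejected or grant less (or more) than intended, which is exactly what you want to know before attaching it to a user.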