Permission control by fine-grained RAM policies - Basic Operations| Alibaba Cloud Documentation Center

Permission control scope

Platform permissions of DataWorks are the permissions that are required to perform operations in the DataWorks console. Such operations include creating, disabling, and deleting a workspace on the Workspaces page, creating and configuring network settings for an exclusive resource group on the Resource Groups page, and configuring alert contacts on the Alert Contacts page. Permissions on console operations

You can log on to the DataWorks console to view the operations that are supported in the DataWorks console.

DataWorks provides the following two methods for you to manage permissions on console operations:

You can use the system policies provided by DataWorks to grant large-scope permissions to a RAM user. For more information, see System policies: large-scope permission control for console operations in this topic.
DataWorks provides fine-grained RAM policy components that you can use to create custom policies based on your needs. This allows you to scale down the scope of permissions. You can select a custom policy when you grant permissions to users. For more information, see Custom RAM policies: fine-grained permission control for console operations in this topic.

Usage notes

The feature of using fine-grained RAM policies to achieve custom permission control in DataWorks is not launched full-scale and can be used only by specific users. If this feature is unavailable to you, wait for the full-scale launch of the feature.

System policies: large-scope permission control for console operations

The following table describes the system policies that are provided by DataWorks. You can select the policies to grant corresponding permissions to a RAM user.


System policy	Description
AliyunDataWorksFullAccess	Allows the user to perform all the operations in a DataWorks workspace.
AliyunBSSOrderAccess	Allows the user to purchase related services.

For more information about how to grant permissions to a RAM user, see Grant permissions to a RAM user in this topic.

Custom RAM policies: fine-grained permission control for console operations

A custom RAM policy contains the following elements:

A version number.
A list of statements. Each statement contains the following elements: effect, action, resource, and condition. The condition element is optional.

Note For more information about the syntax of RAM policies, see Policy structure and syntax.

Custom policy components provided by DataWorks can be categorized based on resource types.

Note When you configure resources, take note of the following items:

When you create a custom policy, replace the content that starts with the placeholder $ in the Resource column of the following table with a real ID. For example, you must replace $regionid with the ID of a region and $accountid with the UID of an Alibaba Cloud account.
The asterisk (*) is a wildcard. You can replace the asterisk with specific values to further scale down the scope of permission control. For example, if you replace workspace/* with workspace/workspaceid, the policy takes effect in the specified workspace.

Workspace-related permissions Workspaces


Action	Resource	Description
CreateWorkspace	acs:dataworks:$regionid:$accountid:workspace/*	Creates a workspace.
ModifyWorkspace	acs:dataworks:$regionid:$accountid:workspace/$workspaceName	Modifies a workspace.
DeleteWorkspace	acs:dataworks:$regionid:$accountid:workspace/$workspaceName	Deletes a workspace.
DisableWorkspace	acs:dataworks:$regionid:$accountid:workspace/$workspaceName	Disables a workspace.
EnableWorkspace	acs:dataworks:$regionid:$accountid:workspace/$workspaceName	Enables a workspace.

Resource group-related permissions


Action	Resource	Description	Remarks
ListResourceGroup	acs:dataworks:$regionid:$accountid:exclusive_resource_group/*	Displays the Exclusive Resource Groups tab in the DataWorks console. If a user is not granted this permission, the Exclusive Resource Groups tab is not displayed in the console for the user.	The ListResourceGroup and ShowResourceGroupDetail permissions are often used together to determine whether a user can view exclusive resource groups. If the user is granted only the ListResourceGroup permission, the Exclusive Resource Groups tab is displayed but blank. If the user is granted both the ListResourceGroup and ShowResourceGroupDetail permissions, the Exclusive Resource Groups tab is displayed. On the tab, the user can view the details of the resource groups that are specified by the ShowResourceGroupDetail action. Note Before you grant the ShowResourceGroupDetail permission to a user, you must grant the ListResourceGroup permission. If the user is granted only the ShowResourceGroupDetail permission, the user cannot view details of exclusive resource groups.
ShowResourceGroupDetail	acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName	Displays the details of the specified resource groups.
CreateResourceGroup	acs:dataworks:$regionid:$accountid:exclusive_resource_group/*	Creates an exclusive resource group.	This permission cannot allow a user to purchase exclusive resource groups. Instead, it allows a user to create a resource group in the DataWorks console based on a paid order. To allow a user to purchase, scale out, scale in, or renew a resource group or change the specifications of a resource group, you must grant the user the AliyunDataWorksFullAccess and AliyunBSSOrderAccess permissions.
ModifyResourceGroup	acs:dataworks:$regionid:$accountid:exclusive_resource_group/$resourceGroupName	Modifies an exclusive resource group.	-

Alert-related permissions Alerts


Action	Resource	Description
ListContacts	acs:dataworks:$regionid:$accountid:contacts_ram_user/*	Lists the alert contacts.
ModifyContacts	acs:dataworks:$regionid:$accountid:contacts_ram_user/*	Modifies the information about the alert contacts.
ListAlarmResource	acs:dataworks:$regionid:$accountid:alarm_resource/*	Lists the alert resources.
SetUpperLimits	acs:dataworks:$regionid:$accountid:alarm_resource/*	Sets upper limits on the usage of alert resources.

To grant a RAM user fine-grained permissions on console operations, you must create a custom policy based on the permissions described in the preceding tables and attach the policy to the RAM user. For more information about the procedure, see Grant permissions to a RAM user in this topic.

Grant permissions to a RAM user

To grant permissions to a RAM user by using an Alibaba Cloud account or the credentials of a RAM user that has the AdministratorAccess permission, perform the following steps:

(Optional) Create a custom policy.
To achieve fine-grained permission control, you must first create a custom policy based on your needs. If you want to grant large-scale permissions by using system policies, skip this step.
Log on to the RAM console by using your Alibaba Cloud account. In the left-side navigation pane, choose Permissions > Policies. On the Policies page, create a custom policy. For more information, see Create a custom policy.
DataWorks allows you to create a custom policy only by script editing. You can use the custom policy components that are supported based on your needs. The following figure provides an example on how to edit the script.
Note When you configure resources, take note of the following items:

When you create a custom policy, replace the content that starts with the placeholder $ in the Resource column of the following table with a real ID. For example, you must replace $regionid with the ID of a region and $accountid with the UID of an Alibaba Cloud account.

The asterisk (*) is a wildcard. You can replace the asterisk with specific values to further scale down the scope of permission control. For example, if you replace workspace/* with workspace/workspaceid, the policy takes effect in the specified workspace.
The following examples provide sample code for typical scenarios:
Grant permissions to the RAM user.
Log on to the RAM console by using your Alibaba Cloud account. In the left-side navigation pane, choose Permissions > Grants. On the Grants page, grant permissions to the RAM user. For more information, see Grant permissions to a RAM user.

Example 1: Authorize a custom role to modify workspaces

Use the following code to edit the script for the policy:

{
    "Statement": [
        {
            "Action": "dataworks:ModifyWorkspace",
            "Effect": "Allow",
            "Resource": "acs:dataworks:$regionid:$accountid:workspace/$workspaceName"
        }
    ],
    "Version": "1"
}

Example 2: Authorize a custom role to view and manage an exclusive resource group

Use the following code to edit the script for the policy:

{
"Statement": [
{
"Action": "dataworks:ListResourceGroup",
"Effect": "Allow",
"Resource": "acs:dataworks:*:1111:exclusive_resource_group/*"
},
{
"Action": "dataworks:ShowResourceGroupDetail",
"Effect": "Allow",
"Resource": "acs:dataworks:*:11111:exclusive_resource_group/resourceGroupName2"
},
{
"Action": "dataworks:ModifyResourceGroup",
"Effect": "Allow",
"Resource": "acs:dataworks:*:111:exclusive_resource_group/resourceGroupName2"
}
],
"Version": "1"
}

Example 3: Authorize a custom role to view alert resources, set upper limits on the usage of alert resources, and view alert contacts

Use the following code to edit the script for the policy:

{
  "Statement": [
    {
      "Action": "dataworks:ListAlarmResource",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "dataworks:SetUpperLimits",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:alarm_resource/*"
    },
    {
      "Action": "dataworks:ListContacts",
      "Effect": "Allow",
      "Resource": "acs:dataworks:$regionid:$accountid:contacts_ram_user/*"
    }
  ],
  "Version": "1"
}

Example 4: Authorize a custom role to view resource groups that reside in the China (Shanghai) region and create and modify exclusive resource groups

Note In this example, a user granted related permissions will be able to create a resource group based on a paid order but cannot purchase an exclusive resource group.

Use the following code to edit the script for the policy:

{
  "Statement": [
    {
      "Action": "dataworks:ListResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:*:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ShowResourceGroupDetail",
      "Effect": "Allow",
      "Resource": "acs:dataworks::cn-shanghai:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:CreateResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/*"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName1"
    },
    {
      "Action": "dataworks:ModifyResourceGroup",
      "Effect": "Allow",
      "Resource": "acs:dataworks:cn-shanghai:$accountid:exclusive_resource_group/resourceGroupName2"
    }
  ],
  "Version": "1"
}