DataWorks: Manage product-level and console access with RAM policies

Last Updated: Feb 24, 2026

DataWorks uses Alibaba Cloud Resource Access Management (RAM) policies for both product-level access control and management console access control. To grant permissions, you can attach an access policy to a user, such as a RAM user or a RAM role. The user is then granted the access permissions that are defined in the policy. This topic describes the supported access controls and explains how a root account can grant DataWorks management policies to a user.

Product-level coarse-grained access control: System and custom policies

By default, only an Alibaba Cloud account has product-level management permissions for DataWorks. If you need a RAM user to perform management tasks, you can grant the system policies in the following table to the user. The user then obtains all the operational permissions of the Alibaba Cloud account.

The table lists each policy by permission type, control scope, permission name, description, and references.

Permission type: Allowed operations for a RAM user (system policy)

  • Control scope: Permissions to manage DataWorks services
    Permission name: AliyunDataWorksFullAccess
    Description: After you grant this permission, the RAM user has extensive permissions in DataWorks. The user can manage internal product features on behalf of the root account, but cannot perform purchase-related operations.
    References: For the procedure to grant permissions to a RAM user, see Grant permissions to a RAM user.

  • Control scope: Permissions to purchase resources
    Permission name: AliyunBSSOrderAccess
    Description: After you attach this system policy to a RAM user, the RAM user can view, pay for, and cancel orders in Billing Management. This permission allows a RAM user to purchase resources and renew services in the management console.
    References: For the procedure to grant permissions to a RAM user, see Grant permissions to a RAM user.

Permission type: Denied operations for RAM users (custom policy)

  • Control scope: Prohibit RAM users from performing operations in DataWorks (fine-grained)
    Permission name: Custom
    Description: Prohibits a user from entering the management console, accessing DataWorks module interfaces, or calling OpenAPI.
    References: First, define the policy document by referring to Product-level control policies. Then, attach the custom policy to the RAM user to grant the permissions. For the procedure, see (Optional) Create a custom policy.

  • Control scope: Prohibit RAM users from calling OpenAPI (fine-grained)
    Permission name: Custom
    Description: By default, users in DataWorks with module-level permissions can call the corresponding OpenAPI operations. To prohibit a user from calling all OpenAPI operations, you can assign a specific permission to that user.
    References: See Product-level control policies and (Optional) Create a custom policy.

  • Control scope: Prohibit RAM users from accessing DataWorks module interfaces (fine-grained)
    Permission name: Custom
    Description: By default, all RAM users within an Alibaba Cloud account are members of the DataWorks tenant. They can access all global-level modules and the workspace-level modules of any workspace to which they are added as a member. You can prevent a user from accessing any module interfaces in DataWorks.
    References: See Product-level control policies and (Optional) Create a custom policy.

Fine-grained console access control: Custom policies

DataWorks supports fine-grained access control for operations on the following entities:

For every object below, to grant fine-grained permissions for the console, first create a custom policy by referring to Console entity-level control policies. Then, attach the custom policy to the RAM user. For the procedure, see Grant permissions to a RAM user.

Object: Workspace
Related operations:

  • Create a workspace

  • Modify a workspace

  • Delete a workspace

  • Disable a workspace

  • Enable a workspace

Object: Resource group
Related operations:

  • Display exclusive resource groups

  • Display the details of a resource group based on its name

  • Create an exclusive resource group

  • Modify an exclusive resource group

Object: Alert information
Related operations:

  • List contacts

  • Modify contact information

  • List alert resources

  • Set an upper limit for the number of alerts

Grant permissions to a RAM user

  1. Log on to the RAM console as a RAM administrator.

  2. In the navigation pane on the left, choose Identity Management > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM users at the same time.

  4. In the Add Permissions panel, add permissions for the RAM user.

    You can grant system policies and custom policies. To grant a custom policy, you must first create the custom policy. For information about the available system and custom policies, see Product-level coarse-grained access control: System and custom policies.

    Note

    For more information about parameter settings, see Manage permissions for a RAM user.

(Optional) Create a custom policy

If you want to implement fine-grained access control using a granular RAM policy, you must first create a custom policy. If you use system policies for coarse-grained authorization, you can skip this step.

Use your Alibaba Cloud account to create a custom policy in the Resource Access Management console. For more information, see Create a custom policy.

  • To create a custom product-level control policy, define the policy document based on Product-level control policies.

  • To create a custom console entity-level policy, configure its policy elements as described below:

    Policy element: Action
    Description: Configure the Action element in the custom policy based on the Action of the corresponding control item in Console entity-level control policies. The format is shown in the preceding figure.

    Policy element: Resource
    Description: Configure the Resource element in the custom policy based on the Resource of the corresponding control item in Console entity-level control policies. The format is shown in the preceding figure.

    Note

    Note about Resource:

    • When you create a custom policy, replace the placeholder $ in the Resource element with an actual ID. For example, replace $regionid with an actual region ID and $accountid with the UID of your Alibaba Cloud account.

    • The asterisk (*) is a wildcard character. You can replace it with specific parameter values to further refine the scope of permissions. For example, if you replace workspace/* with workspace/workspaceid, the policy takes effect only within the specified workspace.
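As an added example that is not part of the DataWorks documentation, the following Python script applies the two Resource notes above: it fills the $regionid and $accountid placeholders, optionally narrows workspace/* to a single workspace, and reports any placeholder or wildcard still present so the policy is not attached in an unfinished or broader-than-intended form. The action name dataworks:ExampleWorkspaceAction, the acs:dataworks resource string shape, and the sample IDs are assumptions constructed for illustration.

```python
import json
import re

# Constructed policy template in the shape this page describes: $regionid and
# $accountid are placeholders, and workspace/* is a wildcard that may be narrowed.
# The action name and the "acs:dataworks:..." resource shape are assumptions.
POLICY_TEMPLATE = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dataworks:ExampleWorkspaceAction"],  # hypothetical action name
        "Resource": ["acs:dataworks:$regionid:$accountid:workspace/*"],
    }],
}

# Matches any remaining "$name" placeholder inside a resource string.
PLACEHOLDER = re.compile(r"\$[a-z]+")


def render_policy(template, region_id, account_id, workspace_id=None):
    """Return a copy of the template with placeholders filled in and, when a
    workspace ID is given, the workspace/* wildcard narrowed to that workspace."""
    text = json.dumps(template)
    text = text.replace("$regionid", region_id).replace("$accountid", account_id)
    if workspace_id is not None:
        text = text.replace("workspace/*", f"workspace/{workspace_id}")
    return json.loads(text)


def unresolved_placeholders(policy):
    """List every $placeholder still present in any Resource element.
    A non-empty result means the policy is not ready to be attached."""
    found = []
    for stmt in policy["Statement"]:
        for res in stmt["Resource"]:
            found.extend(PLACEHOLDER.findall(res))
    return found


def wildcard_resources(policy):
    """Return Resource entries that still end in a wildcard, i.e. that apply to
    every entity of that type instead of one specific entity."""
    return [r for s in policy["Statement"] for r in s["Resource"] if r.endswith("/*")]


if __name__ == "__main__":
    # Sample region and a constructed account UID / workspace ID.
    policy = render_policy(POLICY_TEMPLATE, "cn-hangzhou", "123456789012", "ws-1")
    print(json.dumps(policy, indent=2))
    print("unresolved:", unresolved_placeholders(policy))
    print("wildcards:", wildcard_resources(policy))
```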