DataWorks provides the following built-in workspace-level roles: Workspace Owner, Workspace Administrator, Data Analyst, Development, O&M, Deploy, Visitor, Security Manager, and Model Designer. This topic describes the permissions of these roles.
By default, the built-in workspace-level roles provided by DataWorks have read permissions on all workspace-level services. The management and operation permissions of different built-in workspace-level roles on workspace-level services vary. The following table describes the built-in workspace-level roles and the permissions of each built-in workspace-level role on workspace-level services.
Role | Description |
Workspace Owner | This role has all permissions on a workspace. In most cases, the owner of a workspace is an Alibaba Cloud account. For example, the Workspace Owner role can assign a role to a RAM user and remove a member that is not the owner of a workspace from the workspace. |
Workspace Administrator | This role has all permissions of the Development and O&M roles. This role also has permissions to perform operations such as adding a user to a workspace as a member, removing a member from a workspace, and creating a custom resource group. |
Data Analyst | This role has permissions only on DataAnalysis. For more information about DataAnalysis, see Overview. |
Development | This role has permissions to perform design and maintenance operations on the DataStudio page of a workspace. |
O&M | This role has permissions to manage the running of all tasks and perform the required operations on all tasks in a workspace in Operation Center. |
Deploy | This role has permissions to review the code of a task and determine whether to commit the task to Operation Center in a workspace in standard mode. |
Visitor | This role has read-only permissions on workflows and code on the DataStudio page. |
Security Manager | This role has permissions only on Data Security Guard. For more information about Data Security Guard, see Overview. |
Model Designer | This role has permissions to view models and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models. |
The tables in the following sections describe the permissions of different built-in workspace-level roles on workspace-level services. In the tables, Yes indicates that a role has the specified permission, and No indicates that a role does not have the specified permission.
The built-in workspace-level roles also have specified permissions on the data of a MaxCompute compute engine instance. For more information, see Manage permissions on data in a MaxCompute compute engine instance.
You can execute the related statement to query permissions on data of a MaxCompute compute engine instance. For more information, see Query permissions by using MaxCompute SQL. For example, you can execute the describe role Role_Project_Dev statement to query whether the Development role of DataWorks has the Create Table permission on a MaxCompute compute engine instance.
For information about mappings between built-in workspace-level roles of DataWorks and roles of a MaxCompute compute engine instance, see Appendix: Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute.
Data management
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Delete a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
Configure a category for a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
View a favorite table | Yes | Yes | No | Yes | No | No | No | No | No |
Create a table in visualized mode | Yes | Yes | No | Yes | No | No | No | No | No |
Show a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
Modify the schema of a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
View a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
View the content of a self-submitted permission request | Yes | Yes | No | Yes | No | No | No | No | No |
Hide a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
Configure the time to live (TTL) for a self-created table | Yes | Yes | No | Yes | No | No | No | No | No |
Request permissions on a table created by other users | Yes | Yes | No | Yes | No | No | No | No | No |
Update a table in the development environment | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Delete a table in the development environment | Yes | Yes | No | Yes | No | No | No | No | No |
Preview data | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |
Deployment management
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Create a deployment package | Yes | Yes | No | Yes | Yes | No | No | No | No |
View the list of deployment packages | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Delete a deployment package | Yes | Yes | No | Yes | Yes | No | No | No | No |
Deploy tasks in a deployment package | Yes | Yes | No | No | Yes | Yes | No | No | No |
View the content of a deployment package | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Button control
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Stop | Yes | Yes | No | Yes | No | No | No | No | No |
Format | Yes | Yes | No | Yes | No | No | No | No | No |
Edit | Yes | Yes | No | Yes | No | No | No | No | No |
Run | Yes | Yes | No | Yes | No | No | No | No | No |
Zoom in | Yes | Yes | No | Yes | No | No | No | No | No |
Save | Yes | Yes | No | Yes | No | No | No | No | No |
Show/Hide | Yes | Yes | No | Yes | No | No | No | No | No |
Delete | Yes | Yes | No | Yes | No | No | No | No | No |
Code development
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Save and commit the code of a task | Yes | Yes | No | Yes | No | No | No | No | No |
View the code of a task | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Write the code of a task | Yes | Yes | No | Yes | No | No | No | No | No |
Delete the code of a task | Yes | Yes | No | Yes | No | No | No | No | No |
View the code of tasks | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Run the code of a task | Yes | Yes | No | Yes | No | No | No | No | No |
Modify the code of a task | Yes | Yes | No | Yes | No | No | No | No | No |
Download a file | Yes | Yes | No | No | No | No | No | No | No |
Upload a file | Yes | Yes | No | Yes | No | No | No | No | No |
Function development
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
View details of a function | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Create a function | Yes | Yes | No | Yes | No | No | No | No | No |
Query a function | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Delete a function | Yes | Yes | No | Yes | No | No | No | No | No |
Node type selection
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
PAI | Yes | Yes | No | Yes | No | No | No | No | No |
MR | Yes | Yes | No | Yes | No | No | No | No | No |
CDP | Yes | Yes | No | Yes | No | No | No | No | No |
SQL | Yes | Yes | No | Yes | No | No | No | No | No |
XLIB | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Shell | Yes | Yes | No | Yes | No | No | No | No | No |
Zero load | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
script_seahawks | Yes | Yes | No | Yes | No | No | No | No | No |
dtboost_analytic | Yes | Yes | No | Yes | No | No | No | No | No |
dtboost_recommend | Yes | Yes | No | Yes | No | No | No | No | No |
PyODPS | Yes | Yes | No | Yes | No | No | No | No | No |
AnalyticDB for PostgreSQL | Yes | Yes | No | Yes | No | No | No | No | No |
AnalyticDB for MySQL | Yes | Yes | No | Yes | No | No | No | No | No |
HTTP Trigger | Yes | Yes | No | Yes | No | No | No | No | No |
Resource management
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
View the list of resources | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Delete a resource | Yes | Yes | No | Yes | No | No | No | No | No |
Create a resource | Yes | Yes | No | Yes | No | No | No | No | No |
Upload a JAR file | Yes | Yes | No | Yes | No | No | No | No | No |
Upload a text file | Yes | Yes | No | Yes | No | No | No | No | No |
Upload an archive file | Yes | Yes | No | Yes | No | No | No | No | No |
Workflow development
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Run or stop a workflow | Yes | Yes | No | Yes | No | No | No | No | No |
Save a workflow | Yes | Yes | No | Yes | No | No | No | No | No |
View a workflow | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Commit the code of a node | Yes | Yes | No | Yes | No | No | No | No | No |
Modify a workflow | Yes | Yes | No | Yes | No | No | No | No | No |
View the list of workflows | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Change the owner of a workflow | Yes | Yes | No | No | No | No | No | No | No |
View the code of a node | Yes | Yes | No | Yes | No | No | No | No | No |
Delete a workflow | Yes | Yes | No | Yes | No | No | No | No | No |
Create a workflow | Yes | Yes | No | Yes | No | No | No | No | No |
Create a folder | Yes | Yes | No | Yes | No | No | No | No | No |
Delete a folder | Yes | Yes | No | Yes | No | No | No | No | No |
Modify a folder | Yes | Yes | No | Yes | No | No | No | No | No |
Data Integration
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Edit a node | Yes | Yes | No | Yes | No | No | No | No | No |
View a node | Yes | Yes | No | Yes | No | No | No | No | No |
Delete a node | Yes | Yes | No | Yes | No | No | No | No | No |
Access the menu for managing data synchronization resources | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
View the list of resource groups for data synchronization | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Create a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
View the list of Elastic Compute Service (ECS) instances in a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Add an ECS instance to a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Remove an ECS instance from a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Modify an ECS instance in a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Obtain the AccessKey pair for accessing a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Delete a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Monitor resource consumption | Yes | Yes | No | No | No | No | No | No | No |
Change the resource group for tasks in Operation Center | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Access the menu for managing synchronization tasks | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Switch to the code editor | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Obtain the list of members in a workspace | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for writing the code of a task | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for saving or updating the code of a task | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for obtaining the code of a task based on the file ID | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Obtain the list of Data Integration nodes | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for querying a table | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for querying a field | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for querying data sources | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
Call the API operation for adding a data source | Yes | Yes | No | No | Yes | No | No | No | No |
Call the API operation for querying the details of a data source | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Call the API operation for updating a data source | Yes | Yes | No | No | Yes | No | No | No | No |
Call the API operation for deleting a data source | Yes | Yes | No | No | Yes | No | No | No | No |
Test network connectivity | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Preview data | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Check whether the Stream feature is enabled for a Tablestore table | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Activate Tablestore | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Query the statement used to create a MaxCompute table | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Create a MaxCompute table | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Query the creation status of a MaxCompute table | Yes | Yes | No | Yes | Yes | Yes | No | No | No |
Migrate database tables | Yes | Yes | No | No | No | No | No | No | No |
Data Modeling
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
View a model | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Edit a model | Yes | Yes | No | Yes | Yes | No | No | No | Yes |
Publish a model | Yes | Yes | No | No | Yes | No | No | No | No |
DataAnalysis
Permission | Workspace Owner | Workspace Administrator | Data Analyst | Development | O&M | Deploy | Visitor | Security Manager | Model Designer |
Access pages in DataAnalysis | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Use DataAnalysis | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes |
By default, a custom role does not have the permissions of the Data Analyst role. If you want to use DataAnalysis by assuming a custom role, you can ask a user with the Workspace Administrator role to assign the Data Analyst role to you. For more information about how to assign a role to a workspace member, see Manage permissions on workspace-level services. For more information about custom roles, see Permissions of workspace-level roles.