The platform security diagnostics feature of DataWorks provides security capabilities for features, such as identity authentication, access control, and development mode, during the interactions between the current DataWorks workspace and the associated compute engine instances, such as data transmission, storage, and computing. In addition, best practices are provided for security diagnostics. The platform security diagnostics feature helps you identify the security risks of your platform at the earliest opportunity and build a basic security system before you perform related transactions.
Background information
- Data calculation and storage
This category of diagnostics item diagnoses security issues for features, such as data permission control, data storage encryption, and data storage backup, and identifies potential security risks at the earliest opportunity to improve security during data storage and access.
- Data transmission security diagnosis
This category of diagnostics item diagnoses security issues for features, such as the access control of data sources and the isolation of data sources in the production and development environments. This category of diagnostics item also identifies security risks during data transmission so that you can manage these risks at the earliest opportunity. This ensures a secure and reliable environment for data transmission.
- Standardized diagnosis of data production
This category of diagnostics item diagnoses security issues that are related to production processes, such as the rationality of the roles, number of administrators, and deployment persons within the current workspace, and allows you to identify and process security risks at the earliest opportunity. This category of diagnostics item improves the reliability and security of the data output system.
- Platform security configuration diagnosis
This category of diagnostics item diagnoses security issues for features, such as the auditing of DataWorks operations, to improve the overall data security.

Go to the Platform safety diagnosis page
View the diagnosis


- Security risks
Access permissions are not configured for the data sources. This way, users with lower security levels can access data with higher security levels. This leads to insecure access to the data sources.
- Suggestions
You can improve access security for the data sources by configuring access permissions for the data sources based on the provided suggestions.
Appendix: Details of diagnostics items
- Data calculation and storageThis category of diagnostics item improves security during data storage and access.
Diagnostics dimension Diagnostics item Diagnostics object Diagnostics method MaxCompute fine data permission control MaxCompute column-level permission control Note The security model of MaxCompute V2.0 provides more fine-grained data permission management capabilities, more scientific mechanisms of decentralized project management, and more powerful end-to-end identification capabilities. The security model allows you to implement security configurations that are more suitable for actual scenarios.MaxCompute project Column-level permission control relies on the MaxCompute V2.0 permission model. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled. Data download control Note To avoid unexpected data leaks, we recommend that irrelevant users be strictly restricted from downloading data directly to the local by using MaxCompute Tunnel.MaxCompute project Download permission control relies on the MaxCompute V2.0 permission model and the download permissions. This diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is disabled. In addition, this diagnostics item detects the MaxCompute projects in which the MaxCompute V2.0 permission model is enabled and download permission control is disabled. For more information about whether and how to enable download permission control, see Download control. Data protection mode Note The data protection mechanism of MaxCompute projects allows you to manage the data outflow method.MaxCompute project This diagnostics item checks whether you have set the protection mode for some or all of the MaxCompute projects. For more information about the project data protection feature of MaxCompute, see Project data protection. MaxCompute storage security enhancement Data storage encryption Note MaxCompute supports data storage encryption based on Key Management Service (KMS), and provides static data protection for enterprises to meet the regulation and security compliance requirements. For more information, see Data encryption.MaxCompute project This diagnostics item detects and lists the MaxCompute projects in which data storage encryption is disabled. To enable data storage encryption for an existing MaxCompute project, submit a ticket. Data storage backup Note The system automatically backs up the historical versions of MaxCompute data and retains them for a certain period of time. During the retention period, you can quickly restore the data to prevent data loss due to accidental operations. For more information, see Backup and restoration.MaxCompute project By default, this feature is enabled for MaxCompute projects. You can adjust the retention period or restore data based on the actual situation. For more information, see Backup and restoration. EMR fine data permission control EMR secure access mode Note If an EMR cluster is associated with a DataWorks workspace by using the Security mode, data permissions are isolated among Alibaba Cloud accounts and RAM users. For more information about the Security mode, see Security mode.DataWorks workspace This diagnostics item detects the workspaces that are associated with EMR clusters by using a mode other than the Security mode. - Data transmission security diagnosisThis category of diagnostics item improves security prior to data transmission.
Diagnostics dimension Diagnostics item Diagnostics object Diagnostics method Data source protection Data source access control Note DataWorks allows you to set access permissions for the configured data sources to prevent users with lower security levels from accessing data with higher security levels.DataWorks workspace data source This diagnostics item detects the workspaces in which access permissions are not set for the configured data sources. For more information about how to set access permissions for data sources, see Manage connection permissions. Production and Development Data Source Isolation Note In a workspace in standard mode, the configurations of a data source vary based on whether the data source is used in the production or development environment. This prevents data leaks from the development environment. You can evaluate and modify data sources. For more information, see Isolate connections between the development and production environments.DataWorks workspace data source This diagnostics item detects the workspaces in standard mode in which a data source has the same configurations in the production and development environments. Data source access mode Note DataWorks supports role-based access to OSS data sources. This mode is more secure than the traditional AccessKey mode and can effectively prevent leaks of AccessKey pairs.DataWorks workspace data source This diagnostics item detects the workspaces in which OSS data sources can be accessed in AccessKey mode. You can modify the data sources. For more information, see Use the RAM authorization mode to configure connections to data stores. - Standardized diagnosis of data productionThis category of diagnostics item improves the stability and security of the data output system.
Diagnostics dimension Diagnostics item Diagnostics object Diagnostics method Reasonable planning of working space Use the "standard mode" workspace for data production Note A workspace in standard mode is more secure than a workspace in basic mode. For more information, see Basic mode and standard mode.DataWorks workspace mode This diagnostics item detects the workspaces in basic mode in the current region. You can upgrade a workspace in basic mode to a workspace in standard mode based on the actual situation. Proceed with caution when you perform this operation. For more information, see Upgrade the workspace mode. Computing Engine Production Development Environment Isolation Note In a workspace in standard mode, the configurations of a compute engine instance vary based on whether the compute engine instance is used in the production or development environment. This prevents data leaks from the development environment.DataWorks workspace compute engine This diagnostics item detects the workspaces in which an associated compute engine instance has the same configurations in the development and production environments in the current region. Reasonably specify the number of workspace administrators Note In a single workspace, too many administrators may cause disordered management. We recommend that you set no more than three administrators for each workspace.DataWorks workspace member management This diagnostics item detects the workspaces in which more than three workspace administrators are set. Reasonable allocation of workspace member roles Note In a single workspace, we recommend that each member play a dedicated role to prevent unauthorized operations caused by one member playing multiple roles.DataWorks workspace member management This diagnostics item detects the workspaces in which one member plays multiple roles in the current region. We recommend that you configure roles after understanding the purpose of each role. For more information, see Permissions of built-in workspace-level roles . Avoid frequent logons of sub-accounts as scheduled access identities Note To prevent irrelevant users from viewing key compute engine data, we recommend that you prohibit logons as RAM users that are scheduling access identities of compute engines.DataWorks workspace management This diagnostics item detects the workspaces that allowed logons to DataWorks as RAM users that are scheduling access identities in the past three months in the current region. Standardized data production Code review Note DataWorks provides the code review feature. If you enable forcible code reviews, you must commit each node for the specified reviewer to review the code of the node. You can deploy the node only after the reviewer approves the code. For more information, see Code review.DataWorks workspace management This diagnostics item detects the workspaces in which the code review feature is disabled or the code review scope is not configured in the current region. You can configure the workspaces. For more information, see Code review. Reasonable Arrangement of Publish Personnel Note In a workspace in standard mode, the person who deploys a task must be distinguished from the task developer.DataWorks workspace management This diagnostics item detects the tasks that were developed and deployed by the same person in the past 30 days. - Platform security configuration diagnosisThis category of diagnostics item improves the overall data security.
Diagnostics dimension Diagnostics item Diagnostics object Diagnostics method DataWorks operation behavior audit DataWorks operation behavior audit Note DataWorks supports the operation audit feature. You can audit user operations in DataWorks by using ActionTrail with a delay of about 5 to 10 minutes. For more information, see Use ActionTrail to query behavior events.DataWorks workspace management By default, this feature is enabled for DataWorks workspaces. After you activate ActionTrail, you can record DataWorks operation logs.