
DataWorks: Appendix: Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute

Last Updated: Apr 12, 2024

This topic describes the mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute, and the permissions of each role in the development environment and production environment. The table in this topic provides the details. For more information about MaxCompute permissions, see MaxCompute permissions and Manage permissions on data in a MaxCompute compute engine instance.

Note

You cannot manage permissions on DataWorks workspaces that are in basic mode. The descriptions in the "Permission on data in the DataWorks development environment and the associated MaxCompute project" and "Permission on data in the DataWorks production environment and the associated MaxCompute project" columns in the following table apply only to workspaces that are in standard mode. For information about DataWorks workspace modes, see Differences between workspaces in basic mode and workspaces in standard mode.

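Mapping and permission description

DataWorks role or identity: Workspace Administrator
MaxCompute role: Role_Project_Admin
Permission on data in the DataWorks development environment and the associated MaxCompute project:
  • MaxCompute: This role has all permissions on the project and the tables, functions, resources, instances, and jobs in the project, and has Read permissions on the packages in the project.
  • DataWorks: This role has permissions to perform data development operations and deploy tasks to the production environment.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: A user with the Workspace Administrator role is the administrator of a workspace. The administrator has permissions to manage the basic properties, data sources, compute engine configurations, and members of the workspace and can assign the Workspace Administrator, Development, O&M, Deploy, or Visitor role to workspace members.

DataWorks role or identity: Development
MaxCompute role: Role_Project_Dev
Permission on data in the DataWorks development environment and the associated MaxCompute project:
  • MaxCompute: This role has all permissions on the project and the tables, functions, resources, instances, and jobs in the project, and has Read permissions on the packages in the project.
  • DataWorks: This role has permissions to perform data development operations but does not have permissions to deploy tasks to the production environment.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: A user with the Development role has permissions to create workflows, script files, resources, user-defined functions (UDFs), tables, and deployment packages, and delete tables, but does not have permissions to perform deployment operations.

DataWorks role or identity: O&M
MaxCompute role: Role_Project_Pe
Permission on data in the DataWorks development environment and the associated MaxCompute project: This role has all permissions on the project and the functions, resources, instances, and jobs in the project, Read permissions on the packages in the project, and Read and Describe permissions on the tables in the project.

  Note

  The O&M role has permissions on a MaxCompute compute engine but does not have permissions to run nodes in the DataWorks console.

Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: The O&M role has deployment and online O&M permissions that are granted by the Workspace Administrator role but does not have permissions to perform data development operations.

DataWorks role or identity: Deploy
MaxCompute role: Role_Project_Deploy
Permission on data in the DataWorks development environment and the associated MaxCompute project: No permissions by default.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: The Deploy role has similar permissions to the O&M role, except for online O&M permissions.

DataWorks role or identity: Visitor
MaxCompute role: Role_Project_Guest
Permission on data in the DataWorks development environment and the associated MaxCompute project: No permissions by default.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: A user with the Visitor role has permissions to view data but does not have permissions to modify workflows or code.

DataWorks role or identity: Security Manager
MaxCompute role: Role_Project_Security
Permission on data in the DataWorks development environment and the associated MaxCompute project: No permissions by default.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: The Security Manager role can be used only in Data Security Guard and has permissions to configure sensitive data identification rules and audit data risks in Data Security Guard.

DataWorks role or identity: Data Analyst
MaxCompute role: Role_Project_Data_Analyst
Permission on data in the DataWorks development environment and the associated MaxCompute project: No permissions by default.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: This role has permissions only on DataAnalysis.

DataWorks role or identity: Model Designer
MaxCompute role: Role_Project_Erd
Permission on data in the DataWorks development environment and the associated MaxCompute project: No permissions by default.
Permission on data in the DataWorks production environment and the associated MaxCompute project: No permissions by default. You must request the required permissions in Security Center.
Description of permissions in DataWorks: This role has permissions to view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models.

DataWorks role or identity: Workspace owner (Alibaba Cloud account)
MaxCompute role: Project Owner
Permission on data in the DataWorks development environment and the associated MaxCompute project: This identity is the owner of the project and has all permissions on the project.
Permission on data in the DataWorks production environment and the associated MaxCompute project: The same permissions as in the development environment.
Description of permissions in DataWorks: None.

DataWorks role or identity: None
MaxCompute role: Super_Administrator
Permission on data in the DataWorks development environment and the associated MaxCompute project: This role is the super administrator of the project and has management permissions on the project and all permissions on all types of resources in the project.
Permission on data in the DataWorks production environment and the associated MaxCompute project: The same permissions as in the development environment.
Description of permissions in DataWorks: None.

DataWorks role or identity: None
MaxCompute role: Admin
Permission on data in the DataWorks development environment and the associated MaxCompute project: When you create a project, the system creates an Admin role for this project and grants the role permissions to access all objects in the project, manage users or roles, and grant permissions to users or roles. Compared with the Project Owner role, the Admin role does not have permissions to perform the following operations: assign the Admin role to users, configure security policies for the project, modify the authentication model for the project, and modify the permissions of the Admin role. The Project Owner role can assign the Admin role to a user and authorize the user to manage security configurations.
Permission on data in the DataWorks production environment and the associated MaxCompute project: The same permissions as in the development environment.
Description of permissions in DataWorks: None.

DataWorks role or identity: None
MaxCompute role: Role_Project_Scheduler
Permission on data in the DataWorks development environment and the associated MaxCompute project: No permissions by default.
Permission on data in the DataWorks production environment and the associated MaxCompute project:
  • MaxCompute: This role has all permissions on the project and the tables, functions, resources, instances, and jobs in the project, and has Read permissions on the packages in the project.
  • DataWorks: This role is used as the identity that commits tasks to the production environment for scheduling.

    Note

    If you specify a RAM user or RAM role as the default access identity when you add a MaxCompute project to a workspace in the production environment as a data source, the RAM user or RAM role is granted the same permissions as the Role_Project_Scheduler role of the MaxCompute project. For information about how to specify the default access identity, see the Add a data source section in Add a MaxCompute data source.

Description of permissions in DataWorks: The identity is used to schedule and run MaxCompute tasks in the production environment.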