DataWorks provides a comprehensive permission management system that covers platform permissions and service permissions. Platform permissions govern operations in the DataWorks console and are managed by using Resource Access Management (RAM) policies. For example, a specific platform permission allows users to create workspaces. Service permissions are managed by using the role-based access control (RBAC) mechanism and are divided into global and workspace-level permissions based on the scope of services. This topic describes the permission management system of DataWorks.

Permission management frameworks

The following table describes the permission management frameworks that DataWorks provides.
| Permission type | Management method | Management scope |
| --- | --- | --- |
| Permissions on console operations | RAM policies. Note: A RAM policy is a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. For more information, see Permission control by fine-grained RAM policies. | The following operations in the DataWorks console belong to this category: operations on the Workspaces, Resource Groups, and Alerts pages, such as creating a workspace and disabling a workspace. |
| Permissions on workspace-level services | Built-in RBAC. Note: Workspace-level roles are used to manage permissions on workspace-level services. | After you enter a service page, take note of the top navigation bar. If a drop-down list from which you can select a workspace exists, the service is a workspace-level service. For example, Data Integration and DataStudio are workspace-level services. |
| Permissions on global services | Built-in RBAC. Note: Global roles are used to manage permissions on global services. | After you enter a service page, take note of the top navigation bar. If a drop-down list from which you can select a workspace does not exist, the service is a global service. For example, Data Security Guard and Data Map are global services. |