DataWorks provides a comprehensive permission management system that covers two kinds of permissions: platform permissions and service permissions. Platform permissions govern operations in the DataWorks console and are managed by using Resource Access Management (RAM) policies. For example, a specific platform permission allows users to create workspaces. Service permissions are managed by using the role-based access control (RBAC) mechanism and are divided into global and workspace-level permissions based on the scope of services. This topic describes the permission management system of DataWorks.
Permission management frameworks
| Permission type | Management method | Management scope |
| --- | --- | --- |
| Permissions on console operations | RAM policies. Note: A RAM policy is a set of permissions that are described based on the policy structure and syntax. You can use policies to describe the authorized resource sets, authorized operation sets, and authorization conditions. | The following operations in the DataWorks console belong to this category: operations on the Workspaces, Resource Groups, and Alerts pages, such as creating a workspace and disabling a workspace. |
| Permissions on workspace-level services | Built-in RBAC. Note: Workspace-level roles are used to manage permissions on workspace-level services. | After you enter a service page, take note of the top navigation bar. If a drop-down list from which you can select a workspace exists, the service is a workspace-level service. For example, Data Integration and DataStudio are workspace-level services. |
| Permissions on global services | Built-in RBAC. Note: Global roles are used to manage permissions on global services. | After you enter a service page, take note of the top navigation bar. If a drop-down list from which you can select a workspace does not exist, the service is a global service. For example, Data Security Guard and Data Map are global services. |