DataWorks provides a comprehensive permission management system for you to manage product-level permissions and module-level permissions. The module-level permissions are classified into permissions to perform operations in the DataWorks console and permissions to use DataWorks service modules. DataWorks allows you to use RAM policies to manage product-level permissions and the permissions to perform operations in the DataWorks console. DataWorks also allows you to use role-based access control (RBAC) to manage permissions on service modules. This topic describes the DataWorks permission management system.
Overview
The following figure shows the structure of the DataWorks permission management system based on management granularities.
| Permission management method | Authorization method | Effective scope in DataWorks |
| --- | --- | --- |
| RAM policy-based authorization | Attach a policy to a user (RAM user or RAM role) to grant the user the permissions that are defined in the policy. | Product-level permissions, and permissions to perform operations in the DataWorks console (workspaces, exclusive resource groups, and alerts). |
| RBAC | Assign a role to a user (RAM user or RAM role) to authorize the user to perform operations in specific DataWorks service modules. | Permissions to use global-level and workspace-level service modules. |
This topic describes the basic information about the DataWorks permission management system. For information about fine-grained permission management for users in different scenarios, see Best practices for managing permissions of RAM users.
Precautions
By default, the Alibaba Cloud account (the root account) and RAM users to which the AdministratorAccess system policy is attached have far broader permissions than the policies and roles described in this topic grant. The Alibaba Cloud account is not subject to RAM policies, and AdministratorAccess grants a RAM user full permissions on all Alibaba Cloud services, including DataWorks. Treat both as highly privileged: use RAM users with least-privilege policies for daily work and attach AdministratorAccess sparingly.
Product-level permission management
DataWorks allows you to use RAM policies to manage product-level permissions. You can attach a built-in policy or a custom policy to a RAM user to implement DataWorks permission management.
| Permission management method | Operation type | Description | References |
| --- | --- | --- | --- |
| RAM policy-based authorization | Allow | Attach one of the system policies that DataWorks provides to a RAM user. | Use system policies and custom policies to manage permissions on the DataWorks services |
| RAM policy-based authorization | Deny | Create a custom policy that contains Deny statements and attach it to a specific RAM user. The scope of the restriction is defined by the actions and resources named in the policy statements. | Use system policies and custom policies to manage permissions on the DataWorks services |
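The Allow and Deny rows above combine the way they do in any IAM system: a request is denied unless some attached statement allows it, and a matching explicit Deny overrides every Allow regardless of policy order. The following added example (not DataWorks or RAM code) models that evaluation so you can audit what a RAM user can effectively do before attaching a policy. The policy document shape (Version "1", a Statement list with Effect, Action and Resource) follows RAM policy syntax; the "dataworks:" action prefix, the action names, the policy names and the resource identifiers are placeholders chosen for illustration and are not taken from the page.

```python
"""Evaluate RAM-style Allow/Deny policies attached to a RAM user.

Added example, not DataWorks or RAM source code. The "name" key is
bookkeeping for the explanation only; a real policy document has just
Version and Statement.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """RAM accepts either a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match ("*" and "?") of a policy pattern against a value."""
    return any(fnmatchcase(value, pattern) for pattern in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return ("Allow" | "Deny", reason) for one action on one resource.

    Order of evaluation, as in RAM and most IAM systems:
      1. a matching statement with Effect "Deny" wins immediately;
      2. otherwise any matching Allow grants access;
      3. otherwise the request is denied by default.
    """
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f'explicit Deny in {policy["name"]}'
            if stmt["Effect"] == "Allow" and allowed_by is None:
                allowed_by = policy["name"]
    if allowed_by:
        return "Allow", f"Allow in {allowed_by}"
    return "Deny", "no matching Allow (default deny)"


# Constructed policies. BROAD_ACCESS stands in for a broad system policy;
# DENY_DESTRUCTIVE is the kind of custom Deny policy the table describes.
BROAD_ACCESS = {
    "name": "BroadDataWorksAccess",  # placeholder, not a real system policy name
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "dataworks:*", "Resource": "*"}],
}
DENY_DESTRUCTIVE = {
    "name": "DenyWorkspaceDeletion",  # placeholder custom policy name
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        # Assumed action names for deleting a workspace / resource group.
        "Action": ["dataworks:DeleteProject", "dataworks:DeleteResourceGroup"],
        "Resource": "acs:dataworks:*:*:*",  # assumed resource pattern
    }],
}


def audit(policies, actions, resource="acs:dataworks:cn-shanghai:1234567890:project/42"):
    """Map each action to its decision, for reviewing a user's effective rights."""
    return {action: evaluate(policies, action, resource)[0] for action in actions}


if __name__ == "__main__":
    user_policies = [BROAD_ACCESS, DENY_DESTRUCTIVE]
    checked = ["dataworks:CreateProject", "dataworks:DeleteProject", "dataworks:UpdateProject"]
    for action, decision in audit(user_policies, checked).items():
        print(f"{action:36} {decision}")
```

Run `audit` over every action a RAM user's job actually needs before attaching a Deny policy: a Deny written with a wildcard that is wider than intended shows up here as unexpected Deny decisions rather than as a support ticket later.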
Module-level permission management: Permissions to perform operations in the DataWorks console
DataWorks allows you to use RAM policies to manage the permissions to perform operations in the DataWorks console.
| Permission management method | Managed entity | Operation |
| --- | --- | --- |
| RAM policy-based authorization | Workspace | Create, disable, or delete a workspace on the Workspaces page. |
| RAM policy-based authorization | Exclusive resource group | Create an exclusive resource group or configure its network on the Resource Groups page. |
| RAM policy-based authorization | Alert | Configure alert contacts and other alert settings on the Alerts page. |
Module-level permission management: Permissions to use DataWorks service modules
DataWorks allows you to use RBAC to manage permissions on service modules. Service modules are classified into global-level and workspace-level service modules based on their usage scope, and DataWorks provides global-level and workspace-level roles to manage permissions on each kind. For more information, see Appendix 1: Division of global-level roles and workspace-level roles.
| Permission management method | Managed entity | Description |
| --- | --- | --- |
| RBAC | Workspace-level service modules | DataWorks provides built-in workspace-level roles that are granted fixed permissions. You can also create custom workspace-level roles. |
| RBAC | Global-level service modules | DataWorks provides built-in global-level roles. You can also create custom global-level roles to control whether a role has read and write permissions on a specific global-level service module. |
Appendix 1: Division of global-level roles and workspace-level roles
DataWorks provides built-in global-level and workspace-level roles. You can assign these built-in roles to users to grant the users the required permissions on specific service modules. You can also create custom global-level or workspace-level roles based on your business requirements. The following figure shows the relationship among users, roles, and permissions.
Among all types of roles, only the tenant administrator role, which is a global-level role, has permissions on all service modules.
The tenant member role is automatically assigned to all RAM users that belong to an Alibaba Cloud account.
A custom global-level role takes precedence over the tenant member role: once a custom global-level role is assigned to a user, the global-level modules the user can access are determined by that role rather than by the tenant member role.
For example, RAM User A that belongs to an Alibaba Cloud account is automatically assigned the tenant member role, and can access Data Map. If the tenant administrator creates a custom global-level role that does not have permissions on Data Map, and assigns the custom global-level role to RAM User A, RAM User A can no longer access Data Map. Before you assign a custom global-level role, check that it includes every module the user still needs, because the assignment can revoke access that the tenant member role previously provided.
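The three rules above (tenant administrator has every module, every RAM user is implicitly a tenant member, a custom global-level role overrides the tenant member role) are easy to state and easy to get wrong when a custom role is rolled out to many users. The following added example (not DataWorks code) encodes those rules and turns them into the pre-assignment check a tenant administrator wants: which users would lose which modules if a given custom role were assigned to them. The module names, the role names and the set of modules the tenant member role exposes are assumptions for illustration; the page does not list them, and how several custom roles combine is likewise an assumption noted in the code.

```python
"""Model of how DataWorks global-level role assignments combine.

Added example, not DataWorks code. Module names, role names and the
tenant member baseline are illustrative assumptions.
"""

GLOBAL_MODULES = frozenset({"DataMap", "DataSecurityGuard", "DataQuality"})

# Assumed baseline: the global-level modules the implicit tenant member
# role exposes. Data Map is the one the page's own example relies on.
TENANT_MEMBER_MODULES = frozenset({"DataMap"})

TENANT_ADMIN = "TenantAdministrator"


def effective_modules(assigned_roles, custom_roles):
    """Global-level modules a RAM user can access.

    assigned_roles: set of role names the tenant administrator assigned.
    custom_roles:   {custom role name: set of modules that role grants}.
    """
    if TENANT_ADMIN in assigned_roles:
        return frozenset(GLOBAL_MODULES)          # rule 1: everything
    granted = [custom_roles[r] for r in assigned_roles if r in custom_roles]
    if granted:
        # Rule 3: a custom global-level role replaces the tenant member
        # baseline. With several custom roles we take their union; the
        # page only describes the single-role case (assumption).
        return frozenset().union(*granted)
    return TENANT_MEMBER_MODULES                   # rule 2: implicit member


def access_lost_by_assigning(users, role, custom_roles):
    """Report {user: modules lost} if `role` were added to each user.

    This is the check to run before assigning a restrictive custom role:
    users who today rely only on the tenant member role lose whatever the
    custom role does not include.
    """
    report = {}
    for user, roles in users.items():
        before = effective_modules(roles, custom_roles)
        after = effective_modules(set(roles) | {role}, custom_roles)
        lost = before - after
        if lost:
            report[user] = lost
    return report


# Constructed tenant: two custom global-level roles and three RAM users.
CUSTOM_ROLES = {
    "SecurityOnly": frozenset({"DataSecurityGuard"}),
    "MapReaders": frozenset({"DataMap"}),
}
USERS = {
    "RAM User A": set(),                 # tenant member only
    "RAM User B": {TENANT_ADMIN},
    "RAM User C": {"SecurityOnly"},
}

if __name__ == "__main__":
    for user, roles in USERS.items():
        print(f"{user}: {sorted(effective_modules(roles, CUSTOM_ROLES))}")
    print("would lose:", access_lost_by_assigning(USERS, "SecurityOnly", CUSTOM_ROLES))
```

The union rule for multiple custom roles is the one assumption here that you should confirm against your own tenant before relying on the report; the override of the tenant member role and the tenant administrator's unrestricted access are taken directly from the appendix.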
Appendix 2: Distinguish between workspace-level service modules and global-level service modules
If a drop-down list from which you can select a workspace is displayed after you enter a page of a service module, the module is a workspace-level service module. For example, Data Integration and DataStudio are workspace-level service modules.
If no drop-down list from which you can select a workspace is displayed after you enter a page of a service module, the module is a global-level module. For example, Data Security Guard and Data Map are global-level service modules.