This topic describes the responsibilities and permissions of a workspace administrator. By default, the Alibaba Cloud account that creates a workspace is the owner and administrator of the workspace and has full permissions on the workspace.

The owner can also specify a Resource Access Management (RAM) user as a workspace administrator.

Create a workspace

After you create a workspace by using your Alibaba Cloud account or as a RAM user that is managed by your account, the workspace belongs to the Alibaba Cloud account. For more information about how to create a workspace, see Create a workspace.
Note
  • A RAM user can create a workspace only if it has the AliyunDataWorksFullAccess permission. For more information, see Grant permissions to the RAM user.
  • A workspace administrator is responsible for keeping the workspace running stably in the production environment, granting workspace members only the least permissions they need, and controlling operation permissions on tables in the workspace.

Add workspace members

A workspace administrator can add RAM users as members of the workspace and assign roles to the members as required. For more information about the permissions of each role, see Permissions of built-in workspace-level roles.
Note: We recommend that you do not assign the Development and O&M roles to the same member.

Manage permissions

DataWorks roles are divided into preset roles and workspace-level custom roles, and each role has different permissions. You can assign a role to a user when you add the user to a workspace, which gives the user the permissions that are configured for the role. For more information, see Manage workspace-level roles and members. For the operation permissions that each role has on the DataWorks console, see Permissions of built-in workspace-level roles.

If you use a MaxCompute engine, mappings are established between the preset roles of DataWorks and the MaxCompute roles for projects in Dev mode. In other words, after a preset role of DataWorks is assigned to a user, the user can manage the resources of the corresponding project in Dev mode in MaxCompute. For more information, see Users, roles, and permissions.

To ensure stability and security of the production environment, DataWorks does not allow RAM users to perform operations on tables in the production environment. For example, RAM users cannot modify or delete tables in the production environment. In addition, workspace members must be granted related permissions before they can commit nodes.

Other permissions:
  • Data Integration: Only the owner and administrator of a workspace can perform operations such as adding data sources and migrating tables to the cloud in the workspace.
  • MaxCompute Management: A workspace administrator can bind a resource group to a workspace. Then, O&M engineers can view the system status, allocate resource groups, and monitor nodes in MaxCompute Management.
  • Operation Center: Only a member that is assigned the O&M role or an administrator of a workspace can perform advanced operations in Operation Center.
  • DataStudio: Only a developer or an administrator of a workspace can perform development operations in DataStudio.
When you create a workspace, you must first specify whether nodes in the workspace run with the credentials of your Alibaba Cloud account or the credentials of a RAM user. An invalid setting will damage the permission system of DataWorks.
  • Alibaba Cloud account: The AccessKey ID and AccessKey secret of your Alibaba Cloud account are required to execute SQL statements. The SQL statements can be executed on tables in all workspaces in the specified region. Exercise caution when you select this option.
  • RAM user: The AccessKey ID and AccessKey secret of a RAM user are required to execute SQL statements. The permissions of RAM users are strictly controlled. Only authorized RAM users can perform operations on tables in the production environment.
Note: To ensure data security, we recommend that you assign roles with least permissions to RAM users.
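The following added example (not part of the DataWorks documentation) audits a constructed member inventory against two recommendations on this page: keep Development and O&M apart, and be cautious about running nodes with the Alibaba Cloud account. Role capabilities are modelled from the "Other permissions" list, which shows that an administrator holds both capabilities on its own; the field names, user names, `node_identity` labels and the `custom_reporting` role are hypothetical.

```python
# Capabilities per role, taken from the "Other permissions" list on this page.
ROLE_CAPS = {
    "Workspace Administrator": {"data_integration", "operation_center", "datastudio"},
    "Development": {"datastudio"},
    "O&M": {"operation_center"},
}
# Developing in DataStudio and operating in Operation Center should not meet
# in one member (the page's Development / O&M recommendation).
SOD_PAIR = {"datastudio", "operation_center"}

# Constructed sample inventory; field names, users and labels are hypothetical.
WORKSPACES = [
    {"name": "sales_dw", "node_identity": "alibaba_cloud_account",
     "members": {"ram_alice": ["Development"],
                 "ram_bob": ["Development", "O&M"],
                 "ram_carol": ["Workspace Administrator"]}},
    {"name": "finance_dw", "node_identity": "ram_user",
     "members": {"ram_dave": ["O&M"],
                 "ram_erin": ["Development", "custom_reporting"]}},
]


def effective_caps(roles):
    """Union of capabilities for the roles a member holds; unknown roles add none."""
    caps = set()
    for role in roles:
        caps |= ROLE_CAPS.get(role, set())
    return caps


def audit(workspaces):
    """Return sorted (workspace, subject, finding) tuples for review."""
    findings = []
    for ws in workspaces:
        if ws["node_identity"] == "alibaba_cloud_account":
            findings.append((ws["name"], "*", "nodes run as the Alibaba Cloud account"))
        for user, roles in ws["members"].items():
            unknown = sorted(set(roles) - set(ROLE_CAPS))
            if unknown:  # custom roles must be reviewed by hand
                findings.append((ws["name"], user, "unmodelled role: " + ", ".join(unknown)))
            if SOD_PAIR <= effective_caps(roles):
                via = "administrator role" if "Workspace Administrator" in roles else "Development + O&M"
                findings.append((ws["name"], user, "can develop and operate via " + via))
    return sorted(findings)


if __name__ == "__main__":
    for ws, subject, finding in audit(WORKSPACES):
        print(f"{ws}: {subject}: {finding}")
```

Workspace-level custom roles are reported as unmodelled rather than assumed safe, because their permissions are defined per workspace.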