This topic describes how to add and manage members in a DataWorks workspace and assign roles to them. It also describes the permissions of different roles.
Plan a role
DataWorks provides two types of roles: workspace-level and global (region-level).
For workspace-level roles in DataWorks, you can grant workspace-level permissions to RAM users. DataWorks provides preset roles. You can also configure custom roles. After you add a RAM user to a DataWorks workspace, you can assign a preset role or a custom role in this workspace to the RAM user. For more information, see Manage permissions on workspace-level services.
DataWorks provides two types of global roles: preset roles and custom roles. An administrator can create custom global roles to grant permissions for specific global modules.
NoteIf a tenant administrator creates a custom global role and explicitly denies permissions for specific global modules, such as Data Map, this custom role's restrictions have a higher priority than the permissions granted by the tenant member role.
Assign a workspace-level role to a user
When you add a RAM user or RAM role to a DataWorks workspace, they are automatically assigned a workspace-level role.
Only workspace administrators can assign workspace-level roles to other users. For more information, see Add workspace members and assign roles to them.
The Alibaba Cloud account and the RAM users to which the AliyunDataWorksFullAccess policy is attached have the permissions of the workspace administrator role.
Assign a global role to a user
You can assign global roles to a RAM user or RAM role by using the global role management feature.
Only users with the tenant administrator role or an Alibaba Cloud account with the AliyunDataWorksFullAccess policy attached can assign global roles.
A tenant administrator can grant the tenant administrator role to another user.