Sharing an Alibaba Cloud account across a team creates significant security risks. Instead, add RAM (Resource Access Management) users as workspace members and assign each one a role. This gives you fine-grained access control, protects data security, and standardizes development workflows.
How it works
DataWorks member management is based on the Alibaba Cloud RAM and role-based access control (RBAC) models:
Member identity: Members are RAM users under your Alibaba Cloud account. DataWorks does not create or store user identities.
Role authorization: Grant permissions by assigning roles — such as administrator, developer, and O&M — to each member within a workspace.
Permission mapping: DataWorks role permissions map to the underlying compute engine. For example, assigning the Developer role automatically grants that member read and write permissions in the attached MaxCompute project. Understanding this mapping is essential for configuring permissions correctly.
For details on the full permission system, see Overview of the DataWorks permission system.
Prerequisites
Before you begin, ensure that you have:
The Workspace Manager role in the target workspace
The Alibaba Cloud account that creates a workspace is granted the Workspace Manager role by default.
Add members and assign roles
Go to the DataWorks Management Center, find the target workspace, and click Go To Management Center.
In the left navigation pane, click Workspace Members and Roles, then click Add Members in the upper-right corner.
(Optional) To create a new RAM user first, click RAM console in the prompt at the top of the dialog box and create a RAM user in the RAM console.
In the Add Members dialog, select the accounts to add and move them to the Selected Accounts list. Set a role for each account, then click Confirm.
ImportantThe Workspace Administrator role grants all permissions in the workspace, including managing members and modifying workspace configurations. Assign this role only when strictly necessary. For more information about available roles and their permissions, see Workspace-level access control.
After adding members, view and manage them in the Workspace Members list. To change a member's role, update the Role column. To remove a member, use the Actions column.
The project owner cannot be removed. The project owner is the Alibaba Cloud account that created the workspace and holds full permissions for it.
Apply in production
Principle of least privilege
Do not assign the Workspace Manager role to developers or O&M engineers. Instead, assign the Development, O&M, or Deploy role based on each person's responsibilities. Limiting elevated roles reduces the blast radius if an account is compromised or a misoperation occurs.
Limit the Workspace Manager role
Restrict the Workspace Manager role to one or two core owners. This role grants unrestricted permissions — including the ability to manage members and change workspace configurations — so a single misoperation or compromised account can severely affect the entire project.
Review members regularly
The project owner should review the Workspace Members list on a regular schedule to remove members who have left the team or changed roles. Without regular reviews, former employees or reassigned personnel may retain write access to production resources indefinitely.
What's next
After adding members, explore these resources to get started with DataWorks:
Quick start: Comprehensive: Website user profile analysis
More tutorials: Product tutorials
FAQ
I can't find the RAM user I want to add in the Available Accounts list.
The RAM user may not exist yet in your Alibaba Cloud account. Go to the RAM console and create the user first. Once created, return to the Add Members dialog and click Refresh to reload the account list.
I can't remove a specific workspace member.
The project owner cannot be removed. The project owner is the Alibaba Cloud account that created the workspace and has full permissions for it.