If you want to allow a RAM user to use DataWorks, you can grant the RAM user the required permissions based on use scenarios. This topic describes how to manage permissions of RAM users in different use scenarios.

Background information

DataWorks provides a comprehensive permission management system for service management and service module usage. Service modules are classified into global- and workspace-level service modules based on their usage scope. DataWorks provides global- and workspace-level roles that you can use to manage permissions on the global- and workspace-level service modules. DataWorks allows you to use RAM policies to manage service management permissions. For more information, see Policy overview. DataWorks also allows you to use role-based access control (RBAC) to manage permissions on service modules. For more information, see Overview of users, roles, and permissions.

This topic describes the authorization process for the common DataWorks use scenarios. The permission management system is described at three levels: product-level permission management, permission management on global-level service modules, and permission management on workspace-level service modules.

Permission management system

The following figure shows how permissions of RAM users are managed based on operation types and authorization types, namely RAM policy-based authorization and RBAC.
Figure: Introduction to the permission management system
If you want to perform global operations as a RAM user, make sure that the RAM user is granted the coarse-grained product-level permissions. If you want to perform operations on a specific service module, in the DataWorks console, or on resource groups as a RAM user, make sure that the RAM user is granted the fine-grained service module-level permissions.
Note Deny statements take precedence over Allow statements. If a RAM user is attached both an Allow policy such as AliyunDataWorksFullAccess and one of the Deny policies in the appendixes, the Deny policy wins for every action that it covers, regardless of the order in which the policies were attached.
The following sections describe permission management for RAM users at each level: product-level and service module-level.

Product-level: DataWorks management and operation permission management

Product-level permissions on DataWorks management and operations are managed with RAM policies. The following permission types are available.

Allow RAM users to manage DataWorks services

Description: By default, only the Alibaba Cloud account has permissions to manage DataWorks services. If you want a RAM user to manage DataWorks services together with you, attach the required system policy to the RAM user.
Note After the authorization, the RAM user can manage DataWorks services on behalf of the Alibaba Cloud account, but the RAM user cannot purchase services.
Procedure:
  1. Log on to the Resource Access Management (RAM) console.
  2. Attach the AliyunDataWorksFullAccess policy to the RAM user.
Reference: Grant permissions to a RAM user

Allow RAM users to purchase resources and activate services

Description: By default, only the Alibaba Cloud account can purchase resources and activate services, for example, purchase an advanced DataWorks edition. If you want to allow a RAM user to purchase resources and activate services, attach the required system policy to the RAM user.
Note After the authorization, the RAM user can view, pay for, and cancel orders in Billing Management.
Procedure:
  1. Log on to the Resource Access Management (RAM) console.
  2. Attach the AliyunBSSOrderAccess policy to the RAM user.
Reference: Grant permissions to a RAM user

Prohibit RAM users from performing operations in DataWorks

Description: If you want to prohibit a RAM user from accessing the DataWorks console and its service modules and from calling DataWorks API operations, create a custom policy and attach the policy to the RAM user.
Note By default, all RAM users that belong to an Alibaba Cloud account are assigned the tenant member role and are allowed to access the DataWorks console.
Procedure:
  1. Log on to the Resource Access Management (RAM) console.
  2. Create a custom policy. For more information, see Appendix 1: Prohibit RAM users from performing all operations.
  3. Attach the custom policy to the RAM user.

Prohibit RAM users from calling API operations

Description: By default, a RAM user who has permissions on a DataWorks service module can call the API operations of that service module. If you want to prohibit a RAM user from calling any DataWorks API operation while leaving console access unchanged, create a custom policy and attach the policy to the RAM user.
Procedure:
  1. Log on to the Resource Access Management (RAM) console.
  2. Create a custom policy. For more information, see Appendix 2: Prohibit RAM users from calling API operations.
  3. Attach the custom policy to the RAM user.

Prohibit RAM users from accessing DataWorks service modules

Description: If you want to prohibit a RAM user from accessing any service module of DataWorks in the console, create a custom policy and attach the policy to the RAM user.
Note
  • By default, all RAM users that belong to an Alibaba Cloud account are assigned the tenant member role. Such a RAM user can access all global-level service modules and the service modules of every workspace to which the RAM user is added as a workspace member.
  • After the custom policy is attached, the RAM user cannot access any DataWorks service module in the console, but can still call the API operations of the service modules on which the RAM user has permissions. To block API calls as well, also attach the policy in Appendix 2, or attach the policy in Appendix 1 instead.
Procedure:
  1. Log on to the Resource Access Management (RAM) console.
  2. Create a custom policy. For more information, see Appendix 3: Prohibit RAM users from accessing DataWorks service modules.
  3. Attach the custom policy to the RAM user.

Service module-level: Permission management of operations in the DataWorks console

Service module-level permissions on operations in the DataWorks console, such as operations on workspaces and resource groups, are managed with RAM policies. The following permission type is available.

Allow RAM users to manage workspaces and resource groups

Description: By default, only the Alibaba Cloud account can manage DataWorks workspaces and resource groups, for example, modify the configurations of a workspace or a resource group, or delete a resource group. If you want to allow a RAM user to manage workspaces and resource groups, create a custom policy and attach the policy to the RAM user.
Procedure:
  1. Log on to the Resource Access Management (RAM) console.
  2. Create a custom policy.
    Note The RAM policy that is required depends on the operations that you want to allow the RAM user to perform on a workspace or a resource group. For more information about how to create a custom policy, see Custom RAM policies: fine-grained permission control for console operations.
  3. Attach the custom policy to the RAM user.

Service module-level: Permission management on different DataWorks service modules

Permissions on the features of DataWorks service modules are managed with DataWorks roles (RBAC) rather than RAM policies: workspace-level roles on the User Management page of Workspace Management, and global-level roles on the Global Member Management page. The following permission types are available.

Assign RAM users workspace-level roles

Description: A RAM user must be added as a workspace member before the RAM user can perform data development operations in the workspace. Assign the RAM user a workspace-level role to allow the RAM user to perform operations in specific service modules. Examples:
  • Assign the RAM user the Development role, a built-in workspace-level role, to allow the RAM user to perform data development operations in the workspace, for example, create a table or execute SQL statements.
  • Assign the RAM user the O&M role, a built-in workspace-level role, to allow the RAM user to deploy nodes and perform O&M operations on nodes in the workspace.
  • Assign the RAM user a custom workspace-level role to grant exactly the permissions that the RAM user needs.
Note For more information about the built-in and custom workspace-level roles, see Permissions of workspace-level roles.
Procedure:
  1. Go to the User Management page.
  2. Optional: Create a custom workspace-level role.
  3. Add the RAM user as a workspace member and assign the RAM user a built-in or custom workspace-level role.

Assign RAM users global-level roles

Description: By default, all RAM users that belong to an Alibaba Cloud account are assigned the tenant member role, which allows them to access but not to manage global-level service modules. If you want to allow a RAM user to manage global-level service modules, or to restrict the RAM user's access to them, assign the RAM user the required global-level role. Examples:
  • Assign the RAM user a global-level role that grants management permissions on specified service modules.
  • Assign the RAM user a global-level role that prohibits access to specified service modules.
Note For more information about the built-in and custom global-level roles, see Manage global roles and members.
Procedure:
  1. Go to the Global Member Management page.
  2. Optional: Create a custom global-level role.
  3. Add the RAM user as a global member and assign the RAM user a built-in or custom global-level role.

Appendix 1: Prohibit RAM users from performing all operations

An administrator who has permissions to manage RAM (for example, the Alibaba Cloud account) can attach the following policy to a RAM user to prohibit the RAM user from performing all DataWorks operations. After the policy is attached, the RAM user cannot use any DataWorks feature: the RAM user cannot perform operations in the DataWorks console, use the features of any service module, or call API operations. The policy denies every action in the dataworks namespace without a condition, so it applies to both console and API requests.

Authorization script:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "dataworks:*",
            "Resource": "*"
        }
    ]
}

Appendix 2: Prohibit RAM users from calling API operations

An administrator who has permissions to manage RAM can attach the following policy to a RAM user to prohibit the RAM user from calling API operations. After the policy is attached, the RAM user cannot call DataWorks API operations. The Deny applies only to requests whose dataworks:Scope is OpenAPI, so access to the DataWorks console is not affected; to block console access, see Appendix 3.

Authorization script:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "dataworks:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dataworks:Scope": "OpenAPI"
                }
            }
        }
    ]
}

Appendix 3: Prohibit RAM users from accessing DataWorks service modules

An administrator who has permissions to manage RAM can attach the following policy to a RAM user to prohibit the RAM user from accessing DataWorks service modules. After the policy is attached, the RAM user cannot access any DataWorks service module in the console.
Note This policy only prohibits a RAM user from accessing service modules in the console, because the Deny applies only to requests whose dataworks:Scope is Page. If the RAM user has permissions to call the API operations of a service module, the RAM user can still call those API operations.
Authorization script:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "dataworks:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "dataworks:Scope": "Page"
                }
            }
        }
    ]
}
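The precedence rule in the Permission management system section and the three Deny documents in the appendixes can be checked locally before anything is attached to a real RAM user. The following Python script is an added example, not DataWorks or Alibaba Cloud code: it models a small subset of RAM policy evaluation (action and resource wildcards, the StringEquals operator, and the rule that an applicable Deny overrides any Allow) and applies it to an approximation of AliyunDataWorksFullAccess combined with each appendix policy. The FULL_ACCESS document, the action name dataworks:ListProjects, and the simplified evaluation semantics are assumptions made for the example; the real system policy and the RAM evaluation engine are more complete.

```python
"""Toy evaluator for Alibaba Cloud RAM-style policy documents.

Added example, not DataWorks code. It models only what is needed to reason
about the appendix policies: action/resource wildcards, the StringEquals
condition operator, and the rule that an applicable Deny always wins.
"""
import fnmatch
import json

# Assumption: AliyunDataWorksFullAccess is approximated as a single Allow on
# dataworks:*. The real system policy may carry additional statements.
FULL_ACCESS = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "dataworks:*", "Resource": "*"},
    ],
}


def deny_dataworks(scope=None):
    """Build the Deny document of Appendix 1 (scope=None), Appendix 2
    (scope="OpenAPI") or Appendix 3 (scope="Page")."""
    statement = {"Effect": "Deny", "Action": "dataworks:*", "Resource": "*"}
    if scope is not None:
        statement["Condition"] = {"StringEquals": {"dataworks:Scope": scope}}
    return {"Version": "1", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """StringEquals only. A key that is absent from the request context never
    matches, so a scoped Deny does not fire for a request without a scope."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _applies(statement, action, resource, context):
    """True if the statement's Action, Resource and Condition all match."""
    actions = _as_list(statement["Action"])
    resources = _as_list(statement["Resource"])
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, pattern) for pattern in resources):
        return False
    return _condition_matches(statement.get("Condition", {}), context)


def evaluate(policies, action, resource="*", context=None):
    """Return "ExplicitDeny", "Allow" or "ImplicitDeny" for one request.

    Policy order is irrelevant: any applicable Deny ends the evaluation, an
    applicable Allow is remembered, and no match at all is an implicit deny.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _applies(statement, action, resource, context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


def scope_matrix(policies, action="dataworks:ListProjects"):
    """Decision for the same action issued from the console (Page) and from
    the API (OpenAPI). The action name is illustrative (assumption)."""
    return {
        scope: evaluate(policies, action, context={"dataworks:Scope": scope})
        for scope in ("Page", "OpenAPI")
    }


if __name__ == "__main__":
    for label, extra in (("Appendix 1", deny_dataworks()),
                         ("Appendix 2", deny_dataworks("OpenAPI")),
                         ("Appendix 3", deny_dataworks("Page"))):
        print(label, scope_matrix([FULL_ACCESS, extra]))
    # Document ready to paste into the RAM console's policy script editor.
    print(json.dumps(deny_dataworks("Page"), indent=4))
```

Running the script shows the combinations described in the text: with AliyunDataWorksFullAccess alone both scopes are allowed, Appendix 1 denies both, Appendix 2 denies only OpenAPI, and Appendix 3 denies only Page. Attaching Appendix 2 and Appendix 3 together is equivalent to Appendix 1 for the modelled scopes, and swapping the order of the attached policies does not change any decision.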