Overview
Data access control is a feature in the DataWorks Security Center that provides a centralized, closed-loop portal for permission application, approval, and auditing across multiple engines. It is designed for three roles: applicants, approvers, and auditors, and supports asset permission control for seven engines: MaxCompute, Hologres, Data Lake Formation (DLF), Data Lake Formation (DLF) (Legacy), Hive (EMR), Lindorm, and StarRocks.
Path: DataWorks console > Data Governance > Security Center > Data Platform Security > Data Access Control.
Page structure
The Data Access Control page contains the following six tabs. The visibility of some tabs may vary based on the enabled engines and features.
| Tab | Description |
| --- | --- |
| Permission Application | Users request permissions for data assets (such as tables, databases, columns, resources, and functions) in an engine. After submission, the request enters an approval process. |
| Direct Grant | Administrators directly grant a set of resource permissions to a specified RAM user or RAM role, bypassing the approval process. For more information, see the Direct grant section below. |
| Permission Approval | Approvers approve or deny incoming permission applications. This tab will be migrated to the Applications & Approvals > My Approval Tasks page in the future. |
| Permission Application Records | Displays all permission application records submitted by the current account. This tab will be migrated to the Applications & Approvals > My Applications page in the future. |
| Permission Approval Records | This tab is no longer available. To view your permission approval records, go to Applications & Approvals > My Approval Tasks and set the task status to All. |
| Permission Audit | Lets you view and revoke data permissions held by users. This feature is currently supported only for the MaxCompute engine. |
Engine differences
Capabilities such as application granularity, direct grant, permission validity, renewal, and permission audit differ across engines. The following table provides a quick comparison. The engines visible in the UI depend on which ones are enabled in your workspace and your backend permissions.
| Engine | Application granularity | Direct grant | Permission validity | Renewal | Withdrawal | Permission audit |
| --- | --- | --- | --- | --- | --- | --- |
| MaxCompute | Table / Resource / Function (column-level supported for tables) | Supported | 1/3/6/12 months, permanent, or custom | Supported | Supported | Supported |
| Hologres | Table (tables under a database) | Supported (RAM users only) | Permanent only | Not supported | Supported | Not supported |
| Data Lake Formation (DLF) | Metadatabase / Table / Column | Supported | Permanent only | Not supported | Supported | Not supported |
| Data Lake Formation (DLF-Legacy) | Catalog / Schema / Table / Column | Supported | Custom duration | Supported | Supported | Not supported |
| Hive (EMR) | Database / Table | Supported (RAM users only) | Permanent only | Not supported | Supported | Not supported |
| Lindorm | Table | Supported (RAM users only) | Permanent only | Not supported | Supported | Not supported |
| StarRocks | Database / Table | Supported | Permanent only | Not supported | Supported | Not supported |
Prerequisites for renewal and withdrawal: Renewal takes effect only for approved applications, and withdrawal takes effect only for applications that are pending approval. The differences across engines are determined by backend policies. The actual capabilities are subject to what is visible on the page.
Direct grant
Direct Grant is a separate tab alongside Permission Application. It allows administrators (typically workspace administrators or RAM users with grant permissions) to directly grant a set of resource permissions to a specified RAM user or RAM role without going through the approval process. The granted permissions take effect immediately.
- Entry: On the Data Access Control page, click the Direct Grant tab.
- Grant target: RAM users or RAM roles are supported. Whether a RAM role can be granted permissions depends on the resource type: some engines or resource types support only RAM users. In this case, the RAM role option is grayed out with the message "This resource type supports only RAM users." For example, the direct grant feature for the Hologres engine supports only RAM users.
- Configuration items: The same as Permission Application. First, select the application content (data source type, workspace, project, table, etc.), and then configure the grant information:
  - Grant target type: RAM user or RAM role.
  - Grant target: Select a specific RAM user or RAM role based on the selected type.
  - Permission validity: Same as the validity period for permission applications. For the Hologres engine, this field is hidden and the validity is fixed to permanent.
  - Grant reason: Optional.
- Submit: Click Confirm Grant to immediately write the permissions. The form is automatically cleared after successful submission. The page does not redirect.
- Differences from permission application: Direct grant does not go through an approval process, so no record is generated in My Applications. The grant reason is optional. The "Application account type" option is not displayed.
- Operation attribution: The related grant records in audit and backend logs are attributed to the currently logged-in account. Make sure that you use an appropriate account to perform grant operations.
Engine-specific guides
The permission application, approval, and configuration processes differ across engines. For detailed instructions, see the corresponding engine documentation: