
DataWorks: Data access control

Last Updated: Jun 30, 2026

Overview

Data access control is a feature in the DataWorks Security Center that provides a centralized, closed-loop portal for permission application, approval, and auditing across multiple engines. It is designed for three roles: applicants, approvers, and auditors, and supports asset permission control for seven engines: MaxCompute, Hologres, Data Lake Formation (DLF), Data Lake Formation (DLF) (Legacy), Hive (EMR), Lindorm, and StarRocks.

Path: DataWorks console > Data Governance > Security Center > Data Platform Security > Data Access Control.

Page structure

The Data Access Control page contains the following six tabs. The visibility of some tabs may vary based on the enabled engines and features.

| Tab | Description |
| --- | --- |
| Permission Application | Users request permissions for data assets (such as tables, databases, columns, resources, and functions) in an engine. After submission, the request enters an approval process. |
| Direct Grant | Administrators directly grant a set of resource permissions to a specified RAM user or RAM role, bypassing the approval process. For more information, see the Direct grant section below. |
| Permission Approval | Approvers approve or deny incoming permission applications. This tab will be migrated to the Applications & Approvals > My Approval Tasks page in the future. |
| Permission Application Records | Displays all permission application records submitted by the current account. This tab will be migrated to the Applications & Approvals > My Applications page in the future. |
| Permission Approval Records | This tab is no longer available. To view your permission approval records, go to Applications & Approvals > My Approval Tasks and set the task status to All. |
| Permission Audit | Lets you view and revoke data permissions held by users. This feature is currently supported only for the MaxCompute engine. |

Engine differences

Capabilities such as application granularity, direct grant, permission validity, renewal, and permission audit differ across engines. The following table provides a quick comparison. The engines visible in the UI depend on which ones are enabled in your workspace and your backend permissions.

| Engine | Application granularity | Direct grant | Permission validity | Renewal | Withdrawal | Permission audit |
| --- | --- | --- | --- | --- | --- | --- |
| MaxCompute | Table / Resource / Function (column-level supported for tables) | Supported | 1/3/6/12 months, permanent, or custom | Supported | Supported | Supported |
| Hologres | Table (tables under a database) | Supported (RAM users only) | Permanent only | Not supported | Supported | Not supported |
| Data Lake Formation (DLF) | Metadatabase / Table / Column | Supported | Permanent only | Not supported | Supported | Not supported |
| Data Lake Formation (DLF-Legacy) | Catalog / Schema / Table / Column | Supported | Custom duration | Supported | Supported | Not supported |
| Hive (EMR) | Database / Table | Supported (RAM users only) | Permanent only | Not supported | Supported | Not supported |
| Lindorm | Table | Supported (RAM users only) | Permanent only | Not supported | Supported | Not supported |
| StarRocks | Database / Table | Supported | Permanent only | Not supported | Supported | Not supported |

Note

Prerequisites for renewal and withdrawal: Renewal takes effect only for approved applications, and withdrawal takes effect only for applications that are pending approval. The differences across engines are determined by backend policies. The actual capabilities are subject to what is visible on the page.

Direct grant

Direct Grant is a separate tab alongside Permission Application. It allows administrators (typically workspace administrators or RAM users with grant permissions) to directly grant a set of resource permissions to a specified RAM user or RAM role without going through the approval process. The granted permissions take effect immediately.

  • Entry: On the Data Access Control page, click the Direct Grant tab.

  • Grant target: RAM users or RAM roles are supported. Whether a RAM role can be granted permissions depends on the resource type. Some engines or resource types support only RAM users; in this case, the RAM role option is grayed out with the message "This resource type supports only RAM users." For example, the direct grant feature for the Hologres engine supports only RAM users.

  • Configuration items: The same as Permission Application. First, select the application content (data source type, workspace, project, table, etc.), and then configure the grant information:

    • Grant target type: RAM user or RAM role.

    • Grant target: Select a specific RAM user or RAM role based on the selected type.

    • Permission validity: Same as the validity period for permission applications. For the Hologres engine, this field is hidden and the validity is fixed to permanent.

    • Grant reason: Optional.

  • Submit: Click Confirm Grant to immediately write the permissions. The form is automatically cleared after successful submission. The page does not redirect.

  • Differences from permission application: Direct grant does not go through an approval process, so no record is generated in My Applications. The grant reason is optional. The "Application account type" option is not displayed.

  • Operation attribution: The related grant records in audit and backend logs are attributed to the currently logged-in account. Make sure that you use an appropriate account to perform grant operations.

Engine-specific guides

The permission application, approval, and configuration processes differ across engines. For detailed instructions, see the corresponding engine documentation: