You can use resource groups with Resource Access Management (RAM) to isolate resources and manage permissions with fine-grained control within a single Alibaba Cloud account. This topic explains how DataWorks supports resource groups and how to grant permissions at the resource group level.
- Resource group-level authorization applies only to resource types that support resource groups and to actions that support resource group-level authorization.
- For resource types that do not support resource groups, permissions granted at the resource group level are ignored. You must grant permissions at the account level. For more information, see Actions that do not support resource group-level authorization.
Resource group authorization
You can use resource groups to group and manage resources in your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into that group for centralized management. For more information, see What is a resource group?.
After grouping your resources, you can grant permissions scoped to a specific resource group to different RAM principals, such as RAM users, RAM user groups, or RAM roles. This restricts the principal to managing only the resources within that resource group. For more information, see Resource grouping and authorization.
This authorization method has the following advantages:
- Fine-grained permissions: Allows you to grant each identity only the specific permissions it needs, thereby isolating resource management by project.
- Scalability: When you add new resources, you only need to add them to the resource group. The RAM principal automatically gains the necessary permissions for the new resources, eliminating the need to grant permissions again.
Grant resource group-level permissions
This topic describes how to grant permissions to a RAM user on resources within a specific resource group.
Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move your existing resources to it. For more information, see Create a resource group, Automatically transfer resources to a resource group, and Manually transfer resources to a resource group.
Grant resource group-level permissions
Use either of the following methods to grant permissions at the resource group level.
Method 1: Resource Management console
Use the permission management feature of a resource group to grant permissions to a RAM user. For more information, see Grant permissions on a resource group to a RAM identity.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group and click Permission Management in the Actions column.
- On the Permission Management tab, click Add Permission.
- In the Add Permission panel, configure the principal and policy.
  - Principal: Select an existing RAM user.
  - Policy: Select a system policy or an existing custom policy. To create a custom policy, see Create a custom policy.
- Click OK.
Method 2: RAM console
Use the RAM console to grant permissions at the resource group level to a RAM user. For more information, see Manage the permissions of a RAM user.
- Log on to the RAM console as an Alibaba Cloud account (root account) or a RAM administrator.
- In the left-side navigation pane, choose . On the Users page, find the target RAM user and click Add Permission in the Actions column.
- In the Add Permission panel, configure the following parameters.
  - Resource Scope: Select Resource Group Level.
  - Principal: Select an existing RAM user.
  - Policy: Select a system policy or an existing custom policy. To create a custom policy, see Create a custom policy.
- Click OK.
Resource types that support resource groups
This table lists the DataWorks resource types that support resource groups.
| Cloud service | Cloud service code | Resource type |
| --- | --- | --- |
| DataWorks | dide | dwresourcegroup: DataWorks resource group |
| DataWorks | dide | project: workspace |
| DataWorks | dide | tenantresourcegroup: exclusive resource group |
For unsupported resource types, you can submit feedback in the resource group console.

Unsupported actions in resource group authorization
The following DataWorks actions do not support resource group-level authorization:
| Actions | Description |
| --- | --- |
| dataworks:AddDpProjectSubUser | - |
| dataworks:AddDpProjectUserRole | - |
| dataworks:AddDpTenantSubUser | - |
| dataworks:AddEntityIntoMetaCollection | Adds an entity to a collection in Data Map. Supported collection types include Data Map categories and Data Albums. Currently, only tables are supported as entities. To add an entity to a Data Album, the caller must have the |
| dataworks:AddRecognizeRule | Adds a sensitive column recognition rule for data classification and sensitivity level grading in Data Security Guard. |
| dataworks:AddTenantMemberToRole | - |
| dataworks:BatchUpdateTasks | - |
| dataworks:BindDpSubUserAk | - |
| dataworks:BindDpUserAk | - |
| dataworks:CheckAbTestFeatures | - |
| dataworks:CheckCallback | - |
| dataworks:CheckProjectIdentifier | - |
| dataworks:CheckRamPermissions | - |
| dataworks:CloneDataSource | Clones a data source. |
| dataworks:CreateBusiness | - |
| dataworks:CreateComponent | Creates a component. |
| dataworks:CreateComputeResource | Creates a compute resource in a specified workspace for either the development or production environment. |
| dataworks:CreateDIJob | Creates a task for the new version of Data Integration. |
| dataworks:CreateDataAssetTag | - |
| dataworks:CreateDataQualityAlertRule | Creates a Data Quality monitoring alert rule in a specified workspace. |
| dataworks:CreateDataQualityScan | Creates a Data Quality monitoring task. |
| dataworks:CreateDataQualityScanRun | Executes a specified Data Quality monitoring task and returns the run instance ID. |
| dataworks:CreateDataQualityTemplate | Creates a Data Quality template. |
| dataworks:CreateDataSource | Creates a data source in a specified workspace for either the development or production environment. |
| dataworks:CreateDataSourceSharedRule | Creates a rule to share a data source with other workspaces or RAM users. |
| dataworks:CreateDataWorksPayAsYouGoService | - |
| dataworks:CreateDataset | Creates a dataset in a workspace that you have joined. Currently, only DataWorks datasets are supported. A maximum of 2,000 datasets can be created per tenant. |
| dataworks:CreateDatasetVersion | Creates a version for a dataset. Currently, this action is supported only for DataWorks datasets. A maximum of 20 versions are supported for each dataset. |
| dataworks:CreateDpProject | - |
| dataworks:CreateDpSubUser | - |
| dataworks:CreateFile | - |
| dataworks:CreateFolder | - |
| dataworks:CreateIdentifyCredential | Creates an identity credential. |
| dataworks:CreateLineageRelationship | Registers a data lineage relationship in Data Map. One of the entities must be a custom entity. |
| dataworks:CreateMetaCollection | Creates a collection in Data Map. Supported collection types include Data Map categories (with multi-level subcategories) and Data Albums (with album subcategories). |
| dataworks:CreateProjectRole | - |
| dataworks:CreateResourceFile | - |
| dataworks:CreateRoute | Creates a route for a network resource. |
| dataworks:CreateTask | - |
| dataworks:CreateTenantRole | - |
| dataworks:CreateUdfFile | - |
| dataworks:CreateWorkflow | - |
| dataworks:CreateWorkflowInstances | Creates workflow instances based on a configuration, such as workflow instances for data backfilling. |
| dataworks:DataWorksMember | - |
| dataworks:DeleteBusiness | - |
| dataworks:DeleteCertificate | Deletes a certificate file. |
| dataworks:DeleteComponent | Deletes a component. |
| dataworks:DeleteComputeResource | Deletes a specified compute resource by its ID. |
| dataworks:DeleteDataAssetTag | - |
| dataworks:DeleteDataQualityAlertRule | Deletes a Data Quality monitoring alert rule by its ID. |
| dataworks:DeleteDataQualityScan | Deletes a Data Quality monitoring task. |
| dataworks:DeleteDataQualityTemplate | Deletes a Data Quality rule template by its ID. |
| dataworks:DeleteDataSource | Deletes a specified data source by its ID. |
| dataworks:DeleteDataSourceSharedRule | Deletes a data source sharing rule by its ID. |
| dataworks:DeleteDataset | Deletes a dataset and cascades to delete all its versions. This action is supported only for DataWorks datasets. The caller must be the creator of the dataset or an administrator of the workspace to which the dataset belongs. |
| dataworks:DeleteDatasetVersion | Deletes a dataset version. This action is supported only for non-v1 versions of DataWorks datasets. To delete a v1 dataset, call the |
| dataworks:DeleteDpProject | - |
| dataworks:DeleteDpProjectSubUser | - |
| dataworks:DeleteDpTenantSubUser | - |
| dataworks:DeleteFile | - |
| dataworks:DeleteFolder | - |
| dataworks:DeleteLineageRelationship | Deletes a specified data lineage relationship in Data Map. |
| dataworks:DeleteMetaCollection | Deletes a specified collection, including a Data Map category or a Data Album, from Data Map. To delete a Data Album, the caller must have the |
| dataworks:DeleteNetwork | Unbinds and deletes a network resource from a general-purpose resource group. |
| dataworks:DeleteProjectRole | - |
| dataworks:DeleteRecognizeRule | Deletes a data classification and sensitivity level grading rule defined in Data Security Guard. |
| dataworks:DeleteTask | - |
| dataworks:DeleteTenantRole | - |
| dataworks:DeleteWorkflow | - |
| dataworks:DeployFile | - |
| dataworks:DsgDesensPlanAddOrUpdate | Creates or edits a data masking rule. |
| dataworks:DsgDesensPlanDelete | Deletes a data masking rule created in Data Security Guard. |
| dataworks:DsgDesensPlanQueryList | Lists the data masking rules in Data Security Guard. |
| dataworks:DsgDesensPlanUpdateStatus | Updates the activation status of a data masking rule. |
| dataworks:DsgPlatformQueryProjectsAndSchemaFromMeta | Lists the engine instances of different types under the current tenant. |
| dataworks:DsgQueryDesensStatusList | - |
| dataworks:DsgQuerySensResult | Retrieves the results of a sensitive data identification task from Data Security Guard. |
| dataworks:DsgSceneAddOrUpdateScene | Adds or edits a level-2 data masking scenario. |
| dataworks:DsgSceneQuerySceneListByName | Retrieves a list of data masking scenarios. |
| dataworks:DsgScenedDeleteScene | Deletes a level-2 data masking scenario created in Data Security Guard. |
| dataworks:DsgStopSensIdentify | Stops a sensitive data identification task for data classification and sensitivity level grading defined in Data Security Guard. |
| dataworks:DsgUpdateDesensStatusList | - |
| dataworks:DsgUserGroupAddOrUpdate | Adds or edits a user group in Data Security Guard. |
| dataworks:DsgUserGroupDelete | Deletes a user group configured in Data Security Guard. |
| dataworks:DsgUserGroupGetOdpsRoleGroups | Call the DsgUserGroupGetOdpsRoleGroups operation to query the list of MaxCompute roles that can be selected for user group members when the tenant creates or modifies a user group in Data Security Guard. |
| dataworks:DsgUserGroupQueryList | Lists user groups in Data Security Guard. |
| dataworks:DsgUserGroupQueryUserList | Lists users or roles under the current tenant. |
| dataworks:DsgWhiteListAddOrUpdate | Adds or edits a data masking allowlist. |
| dataworks:DsgWhiteListDeleteList | Deletes a data masking allowlist configured in Data Security Guard. |
| dataworks:DsgWhiteListQueryList | Lists the data masking allowlists configured in Data Security Guard. |
| dataworks:EditRecognizeRule | Edits a sensitive column recognition rule for data classification and sensitivity level grading in Data Security Guard. |
| dataworks:EstablishRelationTableToBusiness | - |
| dataworks:ExecuteAdhocWorkflowInstance | Creates a temporary workflow instance based on the specified configuration. |
| dataworks:GetBusiness | - |
| dataworks:GetCatalog | Retrieves the details of a specified data catalog in Data Map. This action currently supports DLF and StarRocks catalogs. |
| dataworks:GetCertificate | Retrieves a certificate file. |
| dataworks:GetColumn | Retrieves the details of a specified column in a Data Map table. |
| dataworks:GetComponent | Retrieves information about a component. |
| dataworks:GetComputeResource | Queries the specified compute resource by its ID. |
| dataworks:GetConfig | - |
| dataworks:GetCreateWorkflowInstancesResult | Queries the result of an asynchronous request to create workflow instances. |
| dataworks:GetDataQualityAlertRule | Queries the details of a Data Quality monitoring alert rule by its ID. |
| dataworks:GetDataQualityScan | Retrieves the details of a Data Quality monitoring task. |
| dataworks:GetDataQualityScanRun | Retrieves the details of a run instance for a Data Quality monitoring task. |
| dataworks:GetDataQualityScanRunLog | Queries the logs of a specified Data Quality monitoring task instance. |
| dataworks:GetDataQualityTemplate | Queries the details of a specified Data Quality rule template by its ID. |
| dataworks:GetDataSource | Queries a specified data source by its ID. |
| dataworks:GetDatabase | Retrieves the details of a specified database in Data Map. |
| dataworks:GetDataset | Retrieves the details of a dataset. |
| dataworks:GetDatasetVersion | Retrieves information about a specific version of a dataset. |
| dataworks:GetDeploymentPackage | - |
| dataworks:GetDpProjectCreationInfo | - |
| dataworks:GetFile | - |
| dataworks:GetFileVersion | - |
| dataworks:GetFolder | - |
| dataworks:GetIDEEventDetail | - |
| dataworks:GetJobStatus | Returns the status of an asynchronous task. After calling an asynchronous API, poll this operation to get the final status. |
| dataworks:GetLineageRelationship | Retrieves the details of a specified data lineage relationship in Data Map. |
| dataworks:GetMetaCollection | Retrieves the details of a specified collection in Data Map. This action supports both Data Map categories and Data Albums. |
| dataworks:GetNetwork | Retrieves the details of a network resource. |
| dataworks:GetPartition | Retrieves the details of a partition in a Data Map table. This action currently supports MaxCompute and HMS (EMR cluster) types. |
| dataworks:GetRerunWorkflowInstancesResult | Queries the result of an asynchronous request to rerun workflow instances. |
| dataworks:GetSchema | Retrieves the details of a specified schema in Data Map. This action currently supports MaxCompute and Hologres types. |
| dataworks:GetTable | Retrieves the details of a specified table in Data Map. You can choose whether to include business metadata in the response. |
| dataworks:GetTask | - |
| dataworks:GetTaskInstance | - |
| dataworks:GetTaskInstanceLog | - |
| dataworks:GetTenantRole | - |
| dataworks:GetUser | - |
| dataworks:GetWorkflow | - |
| dataworks:GetWorkflowInstance | - |
| dataworks:ImportCertificate | Imports a certificate file. |
| dataworks:ListAlarmResource | - |
| dataworks:ListBusiness | - |
| dataworks:ListCatalogs | Lists data catalogs in Data Map. This action currently supports DLF and StarRocks types. For DLF, it returns all supported data catalogs. For StarRocks, it returns the data catalogs of a specific instance. |
| dataworks:ListCertificates | Lists certificate files. |
| dataworks:ListColumns | Lists the columns of a specified table in Data Map. |
| dataworks:ListComponents | Lists components. |
| dataworks:ListComputeResources | Lists compute resources based on their business information. |
| dataworks:ListContacts | - |
| dataworks:ListCrawlerTypes | Lists the supported metadata crawler types in Data Map. The response includes the crawler types, their supported subtypes, and the hierarchical relationships between them. |
| dataworks:ListDataAssetTags | - |
| dataworks:ListDataAssets | - |
| dataworks:ListDataQualityAlertRules | Lists the Data Quality alert rules in a specified workspace. |
| dataworks:ListDataQualityScanRuns | Lists the run records of Data Quality monitoring tasks in a specified workspace. |
| dataworks:ListDataQualityScans | Retrieves a list of Data Quality check tasks for a specified project. |
| dataworks:ListDataQualityTemplates | Lists the Data Quality rule templates in a specified workspace. |
| dataworks:ListDataSourceSharedRules | Lists the sharing rules configured for a data source. |
| dataworks:ListDataSources | Lists data sources based on their business information. |
| dataworks:ListDataWorksPayAsYouGoServices | - |
| dataworks:ListDatabases | Lists the databases within a specified instance, cluster, or data catalog in Data Map. For DLF or StarRocks types, this action lists databases in a given data catalog (only the Internal Catalog is supported for StarRocks). For other types, it lists databases in a given instance or cluster. |
| dataworks:ListDatasetVersions | Lists the versions of a specified dataset. |
| dataworks:ListDatasets | Lists datasets. This action supports DataWorks and PAI datasets. |
| dataworks:ListDeploymentPackages | - |
| dataworks:ListDownstreamTaskInstances | - |
| dataworks:ListDownstreamTasks | - |
| dataworks:ListDpProject | - |
| dataworks:ListDpProjectUser | - |
| dataworks:ListDpTenantUser | - |
| dataworks:ListEntitiesInMetaCollection | Lists the entities in a Data Map collection. The collection can be a Data Map category or a Data Album. Currently, only tables are supported as entities. |
| dataworks:ListFileVersions | - |
| dataworks:ListFiles | - |
| dataworks:ListFolders | - |
| dataworks:ListLineageRelationships | Lists the data lineage relationships between two specified entities, such as tables, columns, or OSS files, in Data Map. |
| dataworks:ListLineages | Lists the upstream and downstream lineage entities for a specified entity in Data Map. You can choose whether to include specific data lineage relationship information. |
| dataworks:ListMeasureData | Retrieves the usage data for voice call and SMS alerts within your tenant over the last 30 days. |
| dataworks:ListMeasuresGroupByModule | - |
| dataworks:ListMetaCollections | Lists collections in Data Map. This action supports both Data Map categories and Data Albums. |
| dataworks:ListPartitions | Lists the partitions of a specified table in Data Map. This action currently supports MaxCompute and HMS (EMR cluster) types. |
| dataworks:ListPermissions | - |
| dataworks:ListProjectIds | Lists the IDs of DataWorks workspaces in a specified region where the specified Alibaba Cloud account or RAM user has role permissions. |
| dataworks:ListProjectModules | - |
| dataworks:ListProjectProcesses | - |
| dataworks:ListRegions | - |
| dataworks:ListResourceGroup | - |
| dataworks:ListSchemas | Retrieves the list of schemas for a specified database or MaxCompute project in the Data Map. This operation currently supports the MaxCompute and Hologres types. |
| dataworks:ListTables | Queries the list of tables in the Data Map. For data source types that do not support schemas, you can query the list of tables in a specified database. For data source types that support schemas, you can query the list of tables in a specified database, MaxCompute project, or schema. The returned results contain only basic table information and do not include technical or business metadata. |
| dataworks:ListTaskInstanceOperationLogs | - |
| dataworks:ListTaskInstances | Retrieves a paginated list of task instances. You can also filter the results by specifying conditions. |
| dataworks:ListTaskOperationLogs | Retrieves a paginated list of operation logs for a specified task. |
| dataworks:ListTasks | - |
| dataworks:ListTenantMembers | - |
| dataworks:ListTenantRoles | - |
| dataworks:ListUpstreamTaskInstances | - |
| dataworks:ListUpstreamTasks | - |
| dataworks:ListUserResources | - |
| dataworks:ListWorkflowInstances | - |
| dataworks:ListWorkflows | - |
| dataworks:MetaListDpOuterResource | - |
| dataworks:MetaListDpTable | - |
| dataworks:ModifyContacts | - |
| dataworks:ModifyResourceGroup | - |
| dataworks:MoveComponent | - |
| dataworks:OpenDataWorksStandardService | - |
| dataworks:PreviewDatasetVersion | Previews the content of a specified dataset version. This action is currently supported only for text files in OSS datasets. The supported MIME types are application/json, application/xml, text/html, text/plain, and application/octet-stream. |
| dataworks:QueryDefaultTemplate | Call the QueryDefaultTemplate API to query the default data classification template defined by Data Security Guard. |
| dataworks:QueryDefaultTemplates | Call the DsgQueryDefaultTemplates operation to query for a list of available sensitive data type templates and their supported data masking rules. You can refer to the parameters returned by this operation to configure data masking rules. |
| dataworks:QueryRecognizeDataByRuleType | Call the QueryRecognizeDataByRuleType operation to retrieve a list of sensitive column identification methods for Data Security Guard. |
| dataworks:QueryRecognizeRuleDetail | Queries the details of a specified sensitive column rule in Data Security Guard. |
| dataworks:QueryRecognizeRulesType | Call the QueryRecognizeRulesType API to query the built-in recognition rule types for sensitive columns defined by Data Security Guard. |
| dataworks:QuerySensClassification | Call the QuerySensClassification API to query classification nodes in Data Security Guard. |
| dataworks:QuerySensLevel | Call the QuerySensLevel API to query the sensitive data levels defined in Data Security Guard. |
| dataworks:QuerySensNodeInfo | Queries the data classification and sensitivity level grading recognition rules in Data Security Guard. |
| dataworks:RemoveEntityFromMetaCollection | Removes an entity from a Data Map collection. The collection can be a Data Map category or a Data Album. Currently, only tables are supported as entities. To remove an entity from a Data Album, the caller must have the |
| dataworks:RemoveProjectMembers | - |
| dataworks:RemoveTaskInstanceDependencies | - |
| dataworks:RemoveTenantMemberFromRole | - |
| dataworks:RerunTaskInstances | - |
| dataworks:RerunWorkflowInstances | Reruns workflow instances. |
| dataworks:ResumeTaskInstances | - |
| dataworks:RunIdentifyOpenapi | Call the DsgRunSensIdentify API operation to start a sensitive data identification task in Data Security Guard. |
| dataworks:SetConfig | - |
| dataworks:SetSuccessTaskInstances | - |
| dataworks:ShowResourceGroupDetail | - |
| dataworks:StartWorkflowInstances | - |
| dataworks:StopTaskInstances | - |
| dataworks:StopWorkflowInstances | - |
| dataworks:SubmitFile | - |
| dataworks:SuspendTaskInstances | - |
| dataworks:SyncRAMContactInfo | - |
| dataworks:TagDataAssets | - |
| dataworks:TerminateDISyncInstance | - |
| dataworks:TestDataSourceConnectivity | Tests the connectivity of a data source on a resource group. |
| dataworks:TriggerSchedulerTaskInstance | - |
| dataworks:UnTagDataAssets | - |
| dataworks:UpdateBusiness | - |
| dataworks:UpdateColumnBusinessMetadata | Updates the business metadata of a specified column in a Data Map table. Currently, only the business description of the column can be updated. |
| dataworks:UpdateComponent | Updates a component. |
| dataworks:UpdateComputeResource | Modifies a specified compute resource based on its ID. |
| dataworks:UpdateContactInfo | - |
| dataworks:UpdateDataAssetTag | - |
| dataworks:UpdateDataQualityAlertRule | Updates a specified data quality monitoring alert rule. |
| dataworks:UpdateDataQualityEvaluationTask | Update a Data Quality check task. |
| dataworks:UpdateDataQualityScan | Update Data Quality monitoring. |
| dataworks:UpdateDataQualityTemplate | Updates the configuration of a Data Quality rule template in a specified project. |
| dataworks:UpdateDataSource | Modifies the specified data source based on the data source ID. |
| dataworks:UpdateDataset | You can update the information of a DataWorks dataset if you are the creator of the dataset or an administrator of the workspace where the dataset is located. |
| dataworks:UpdateDatasetVersion | You can update the version information of a DataWorks dataset only if you are its creator or an administrator of its workspace. |
| dataworks:UpdateFile | - |
| dataworks:UpdateFolder | - |
| dataworks:UpdateIDEEventResult | - |
| dataworks:UpdateMetaCollection | Updates Data Map collection objects, including Data Map categories and Data Albums. You can update the collection name, description, and administrator information. When updating a Data Album, the caller is required to have the AliyunDataWorksFullAccess permission or be the creator or an administrator of the album. |
| dataworks:UpdateProjectRole | - |
| dataworks:UpdateTableBusinessMetadata | You can update the business metadata of a Data Map table. Currently, you can only update the table's description. |
| dataworks:UpdateTask | - |
| dataworks:UpdateTaskInstances | - |
| dataworks:UpdateTenantRole | - |
| dataworks:UpdateUdfFile | - |
| dataworks:UpdateWorkflow | - |
| dataworks:createIdentifyCredential | - |
A scope at the resource group level has no effect on actions that do not support resource group-level authorization. To grant a RAM user permissions for such actions, create a custom policy at the account level.
Below are two examples of custom permission policies. Adjust the policies as needed.
- Allows all read-only operations that do not support resource group-level authorization: The Action element lists all read-only operations that do not support resource group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dataworks:ListAlarmResource",
        "dataworks:ListContacts",
        "dataworks:ListResourceGroup",
        "dataworks:ListUserResources",
        "dataworks:ShowResourceGroupDetail"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allows all actions that do not support resource group-level authorization: The Action element lists all actions that do not support resource group-level authorization.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dataworks:AddDpProjectSubUser",
        "dataworks:AddDpProjectUserRole",
        "dataworks:AddDpTenantSubUser",
        "dataworks:AddEntityIntoMetaCollection",
        "dataworks:AddRecognizeRule",
        "dataworks:AddTenantMemberToRole",
        "dataworks:BatchUpdateTasks",
        "dataworks:BindDpSubUserAk",
        "dataworks:BindDpUserAk",
        "dataworks:CheckAbTestFeatures",
        "dataworks:CheckCallback",
        "dataworks:CheckProjectIdentifier",
        "dataworks:CheckRamPermissions",
        "dataworks:CloneDataSource",
        "dataworks:CreateBusiness",
        "dataworks:CreateComponent",
        "dataworks:CreateComputeResource",
        "dataworks:CreateDIJob",
        "dataworks:CreateDataAssetTag",
        "dataworks:CreateDataQualityAlertRule",
        "dataworks:CreateDataQualityScan",
        "dataworks:CreateDataQualityScanRun",
        "dataworks:CreateDataQualityTemplate",
        "dataworks:CreateDataSource",
        "dataworks:CreateDataSourceSharedRule",
        "dataworks:CreateDataWorksPayAsYouGoService",
        "dataworks:CreateDataset",
        "dataworks:CreateDatasetVersion",
        "dataworks:CreateDpProject",
        "dataworks:CreateDpSubUser",
        "dataworks:CreateFile",
        "dataworks:CreateFolder",
        "dataworks:CreateIdentifyCredential",
        "dataworks:CreateLineageRelationship",
        "dataworks:CreateMetaCollection",
        "dataworks:CreateProjectRole",
        "dataworks:CreateResourceFile",
        "dataworks:CreateRoute",
        "dataworks:CreateTask",
        "dataworks:CreateTenantRole",
        "dataworks:CreateUdfFile",
        "dataworks:CreateWorkflow",
        "dataworks:CreateWorkflowInstances",
        "dataworks:DataWorksMember",
        "dataworks:DeleteBusiness",
        "dataworks:DeleteCertificate",
        "dataworks:DeleteComponent",
        "dataworks:DeleteComputeResource",
        "dataworks:DeleteDataAssetTag",
        "dataworks:DeleteDataQualityAlertRule",
        "dataworks:DeleteDataQualityScan",
        "dataworks:DeleteDataQualityTemplate",
        "dataworks:DeleteDataSource",
        "dataworks:DeleteDataSourceSharedRule",
        "dataworks:DeleteDataset",
        "dataworks:DeleteDatasetVersion",
        "dataworks:DeleteDpProject",
        "dataworks:DeleteDpProjectSubUser",
        "dataworks:DeleteDpTenantSubUser",
        "dataworks:DeleteFile",
        "dataworks:DeleteFolder",
        "dataworks:DeleteLineageRelationship",
        "dataworks:DeleteMetaCollection",
        "dataworks:DeleteNetwork",
        "dataworks:DeleteProjectRole",
        "dataworks:DeleteRecognizeRule",
        "dataworks:DeleteTask",
        "dataworks:DeleteTenantRole",
        "dataworks:DeleteWorkflow",
        "dataworks:DeployFile",
        "dataworks:DsgDesensPlanAddOrUpdate",
        "dataworks:DsgDesensPlanDelete",
        "dataworks:DsgDesensPlanQueryList",
        "dataworks:DsgDesensPlanUpdateStatus",
        "dataworks:DsgPlatformQueryProjectsAndSchemaFromMeta",
        "dataworks:DsgQueryDesensStatusList",
        "dataworks:DsgQuerySensResult",
        "dataworks:DsgSceneAddOrUpdateScene",
        "dataworks:DsgSceneQuerySceneListByName",
        "dataworks:DsgScenedDeleteScene",
        "dataworks:DsgStopSensIdentify",
        "dataworks:DsgUpdateDesensStatusList",
        "dataworks:DsgUserGroupAddOrUpdate",
        "dataworks:DsgUserGroupDelete",
        "dataworks:DsgUserGroupGetOdpsRoleGroups",
        "dataworks:DsgUserGroupQueryList",
        "dataworks:DsgUserGroupQueryUserList",
        "dataworks:DsgWhiteListAddOrUpdate",
        "dataworks:DsgWhiteListDeleteList",
        "dataworks:DsgWhiteListQueryList",
        "dataworks:EditRecognizeRule",
        "dataworks:EstablishRelationTableToBusiness",
        "dataworks:ExecuteAdhocWorkflowInstance",
        "dataworks:GetBusiness",
        "dataworks:GetCatalog",
        "dataworks:GetCertificate",
        "dataworks:GetColumn",
        "dataworks:GetComponent",
        "dataworks:GetComputeResource",
        "dataworks:GetConfig",
        "dataworks:GetCreateWorkflowInstancesResult",
        "dataworks:GetDataQualityAlertRule",
        "dataworks:GetDataQualityScan",
        "dataworks:GetDataQualityScanRun",
        "dataworks:GetDataQualityScanRunLog",
        "dataworks:GetDataQualityTemplate",
        "dataworks:GetDataSource",
        "dataworks:GetDatabase",
        "dataworks:GetDataset",
        "dataworks:GetDatasetVersion",
        "dataworks:GetDeploymentPackage",
        "dataworks:GetDpProjectCreationInfo",
        "dataworks:GetFile",
        "dataworks:GetFileVersion",
        "dataworks:GetFolder",
        "dataworks:GetIDEEventDetail",
        "dataworks:GetJobStatus",
        "dataworks:GetLineageRelationship",
        "dataworks:GetMetaCollection",
        "dataworks:GetNetwork",
        "dataworks:GetPartition",
        "dataworks:GetRerunWorkflowInstancesResult",
        "dataworks:GetSchema",
        "dataworks:GetTable",
        "dataworks:GetTask",
        "dataworks:GetTaskInstance",
        "dataworks:GetTaskInstanceLog",
        "dataworks:GetTenantRole",
        "dataworks:GetUser",
        "dataworks:GetWorkflow",
        "dataworks:GetWorkflowInstance",
        "dataworks:ImportCertificate",
        "dataworks:ListAlarmResource",
        "dataworks:ListBusiness",
        "dataworks:ListCatalogs",
        "dataworks:ListCertificates",
        "dataworks:ListColumns",
        "dataworks:ListComponents",
        "dataworks:ListComputeResources",
        "dataworks:ListContacts",
        "dataworks:ListCrawlerTypes",
        "dataworks:ListDataAssetTags",
        "dataworks:ListDataAssets",
        "dataworks:ListDataQualityAlertRules",
        "dataworks:ListDataQualityScanRuns",
        "dataworks:ListDataQualityScans",
        "dataworks:ListDataQualityTemplates",
        "dataworks:ListDataSourceSharedRules",
        "dataworks:ListDataSources",
        "dataworks:ListDataWorksPayAsYouGoServices",
        "dataworks:ListDatabases",
        "dataworks:ListDatasetVersions",
        "dataworks:ListDatasets",
        "dataworks:ListDeploymentPackages",
        "dataworks:ListDownstreamTaskInstances",
        "dataworks:ListDownstreamTasks",
        "dataworks:ListDpProject",
        "dataworks:ListDpProjectUser",
        "dataworks:ListDpTenantUser",
        "dataworks:ListEntitiesInMetaCollection",
        "dataworks:ListFileVersions",
        "dataworks:ListFiles",
        "dataworks:ListFolders",
        "dataworks:ListLineageRelationships",
        "dataworks:ListLineages",
        "dataworks:ListMeasureData",
        "dataworks:ListMeasuresGroupByModule",
        "dataworks:ListMetaCollections",
        "dataworks:ListPartitions",
        "dataworks:ListPermissions",
        "dataworks:ListProjectIds",
        "dataworks:ListProjectModules",
        "dataworks:ListProjectProcesses",
        "dataworks:ListRegions",
        "dataworks:ListResourceGroup",
        "dataworks:ListSchemas",
        "dataworks:ListTables",
        "dataworks:ListTaskInstanceOperationLogs",
        "dataworks:ListTaskInstances",
        "dataworks:ListTaskOperationLogs",
        "dataworks:ListTasks",
        "dataworks:ListTenantMembers",
        "dataworks:ListTenantRoles",
        "dataworks:ListUpstreamTaskInstances",
        "dataworks:ListUpstreamTasks",
        "dataworks:ListUserResources",
        "dataworks:ListWorkflowInstances",
        "dataworks:ListWorkflows",
        "dataworks:MetaListDpOuterResource",
        "dataworks:MetaListDpTable",
        "dataworks:ModifyContacts",
        "dataworks:ModifyResourceGroup",
        "dataworks:MoveComponent",
        "dataworks:OpenDataWorksStandardService",
        "dataworks:PreviewDatasetVersion",
        "dataworks:QueryDefaultTemplate",
        "dataworks:QueryDefaultTemplates",
        "dataworks:QueryRecognizeDataByRuleType",
        "dataworks:QueryRecognizeRuleDetail",
        "dataworks:QueryRecognizeRulesType",
        "dataworks:QuerySensClassification",
        "dataworks:QuerySensLevel",
        "dataworks:QuerySensNodeInfo",
        "dataworks:RemoveEntityFromMetaCollection",
        "dataworks:RemoveProjectMembers",
        "dataworks:RemoveTaskInstanceDependencies",
        "dataworks:RemoveTenantMemberFromRole",
        "dataworks:RerunTaskInstances",
        "dataworks:RerunWorkflowInstances",
        "dataworks:ResumeTaskInstances",
        "dataworks:RunIdentifyOpenapi",
        "dataworks:SetConfig",
        "dataworks:SetSuccessTaskInstances",
        "dataworks:ShowResourceGroupDetail",
        "dataworks:StartWorkflowInstances",
        "dataworks:StopTaskInstances",
        "dataworks:StopWorkflowInstances",
        "dataworks:SubmitFile",
        "dataworks:SuspendTaskInstances",
        "dataworks:SyncRAMContactInfo",
        "dataworks:TagDataAssets",
        "dataworks:TerminateDISyncInstance",
        "dataworks:TestDataSourceConnectivity",
        "dataworks:TriggerSchedulerTaskInstance",
        "dataworks:UnTagDataAssets",
        "dataworks:UpdateBusiness",
        "dataworks:UpdateColumnBusinessMetadata",
        "dataworks:UpdateComponent",
        "dataworks:UpdateComputeResource",
        "dataworks:UpdateContactInfo",
        "dataworks:UpdateDataAssetTag",
        "dataworks:UpdateDataQualityAlertRule",
        "dataworks:UpdateDataQualityEvaluationTask",
        "dataworks:UpdateDataQualityScan",
        "dataworks:UpdateDataQualityTemplate",
        "dataworks:UpdateDataSource",
        "dataworks:UpdateDataset",
        "dataworks:UpdateDatasetVersion",
        "dataworks:UpdateFile",
        "dataworks:UpdateFolder",
        "dataworks:UpdateIDEEventResult",
        "dataworks:UpdateMetaCollection",
        "dataworks:UpdateProjectRole",
        "dataworks:UpdateTableBusinessMetadata",
        "dataworks:UpdateTask",
        "dataworks:UpdateTaskInstances",
        "dataworks:UpdateTenantRole",
        "dataworks:UpdateUdfFile",
        "dataworks:UpdateWorkflow",
        "dataworks:createIdentifyCredential"
      ],
      "Resource": "*"
    }
  ]
}
```
A RAM user or RAM role with account-level permissions can manage all resources in the account. Use caution when granting these permissions. Always verify that the permissions are necessary and follow the principle of least privilege.
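Because a resource group scope silently has no effect on the actions in the table above, it helps to audit a custom policy before attaching it at that scope. The Python below is an added example, not code from this page or from Alibaba Cloud: it flags the Action entries that would be ignored at resource group scope and builds an account-level policy that names only those actions instead of a wildcard. `NO_RG_SUPPORT` is a constructed subset of the table, `dataworks:ExampleSupportedAction` is a hypothetical placeholder, and treating `*` as the only wildcard with case-sensitive matching is an assumption.

```python
import json
import re

# Constructed subset of the page's table of actions that do not support
# resource group-level authorization. Load the complete table in real use.
NO_RG_SUPPORT = frozenset({
    "dataworks:CreateDataSource",
    "dataworks:DeleteDataSource",
    "dataworks:GetDataSource",
    "dataworks:ListAlarmResource",
    "dataworks:ListContacts",
    "dataworks:ListResourceGroup",
    "dataworks:ListUserResources",
    "dataworks:ShowResourceGroupDetail",
})

# Constructed sample: a custom policy intended for attachment at resource group
# scope. "dataworks:ExampleSupportedAction" is a hypothetical placeholder for
# an action that does support resource group-level authorization.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dataworks:List*",
                "dataworks:GetDataSource",
                "dataworks:ExampleSupportedAction",
                "ecs:DescribeInstances",
            ],
            "Resource": "*",
        }
    ],
}


def _matches(pattern, action):
    """Assumption: '*' is the only wildcard and matching is case-sensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action) is not None


def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def audit_rg_scoped_policy(policy, unsupported=NO_RG_SUPPORT):
    """Classify the Action entries of a policy meant for resource group scope.

    Returns a dict with:
      ignored        - exact actions that have no effect at resource group scope
      partly_ignored - wildcard entry -> the unsupported actions it matches
      not_assessed   - non-DataWorks entries (the table covers DataWorks only)
      account_policy - policy naming only the affected actions explicitly, for
                       attachment at account level (None if nothing is affected)
    """
    ignored, partly_ignored, not_assessed, statements = [], {}, [], []
    for stmt in _as_list(policy.get("Statement")):
        hits = []
        for entry in _as_list(stmt.get("Action")):
            if "*" in entry:
                matched = sorted(a for a in unsupported if _matches(entry, a))
            else:
                matched = [entry] if entry in unsupported else []
            if matched and "*" in entry:
                partly_ignored[entry] = matched
            elif matched:
                ignored.append(entry)
            elif not entry.startswith("dataworks:"):
                not_assessed.append(entry)
            hits.extend(matched)
        if hits:
            # Keep the statement's Effect, Resource and Condition, but list the
            # affected actions by name rather than carrying a wildcard over.
            moved = {"Effect": stmt.get("Effect"), "Action": sorted(set(hits))}
            for key in ("Resource", "Condition"):
                if key in stmt:
                    moved[key] = stmt[key]
            statements.append(moved)
    account_policy = None
    if statements:
        account_policy = {"Version": policy.get("Version", "1"),
                          "Statement": statements}
    return {
        "ignored": ignored,
        "partly_ignored": partly_ignored,
        "not_assessed": not_assessed,
        "account_policy": account_policy,
    }


if __name__ == "__main__":
    print(json.dumps(audit_rg_scoped_policy(SAMPLE_POLICY), indent=2))
```

Review the generated `account_policy` before attaching it, since it applies to every resource in the account rather than to one resource group.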
FAQ
Check the resource group of a resource
- Method 1: Click the resource name to open its details page, which shows the resource group.
- Method 2: Log on to the Resource Management console and go to . On the left, select the account that owns the resource (the default is current account). Use the filters to locate the target resource and view its resource group.
View product resources in a resource group
- Method 1: Log on to the Resource Management console and go to . On the left, under the account that owns the resources (the default is current account), click the name of the target resource group. Then, on the right, select the product from the Select Resource Type list to view all of its resources.
- Method 2: Log on to the Resource Management console and click . Find the target resource group and click Resource Management in the Actions column. On the Resource Management page, select the product from the product dropdown list at the top to view all of its resources.
Transfer resources to a different resource group
Log on to the Resource Management console and click . In the Actions column for the target resource group, click Resource Management. Use the filters to locate the target resources, select their checkboxes in the first column, and click Transfer Resource Group at the bottom of the page. Follow the on-screen instructions to complete the transfer.