Authorize another workspace to call an API - DataWorks

Prerequisites

Before you begin, make sure you have:

A published API. Only published APIs support authorization, unpublishing, and protocol changes. For more information, see Publish an API.
The Tenant Account ID of the Alibaba Cloud account you want to authorize. To find the ID, go to Account Center > Security Settings.Account Management

Go to the Manage APIs page

Log on to the DataWorks console. In the top navigation bar, select a region. In the left-side navigation pane, choose Data Analysis and Service > DataService Studio. Select the desired workspace from the drop-down list and click Go to DataService Studio.
In the top navigation bar, click Service Management. The Published APIs tab appears.

Grant permissions to call an API

On the Published APIs tab, find the API and click Authorize in the Actions column.

In the API Authorization dialog box, configure the following parameters.

Parameter	Description
API name	The name of the API to authorize. Read-only.
Tenant Account ID	The ID of the Alibaba Cloud account that owns the target workspace.
Authorized workspace	The workspace to grant permission to. Select from the drop-down list. Only workspaces under the current Alibaba Cloud account are listed.
Validity period	How long the permission lasts. If Limited, the workspace can call the API only before the expiration date you select. If Unlimited, the permission never expires and must be revoked manually.

API Authorization dialog box

Click OK.

Other operations on the Published APIs tab

Unpublish an API

Find the API and click Unpublish in the Actions column. In the Unpublish API message, click OK.

Warning

Unpublishing or deleting an API revokes call access for all authorized workspaces. If you republish or modify and republish the API, you must re-authorize each workspace.

Test an API

Find the API and click Test in the Actions column. For more information, see Test an API.

Change the protocol

Find the API, move the pointer over More, and then select Change Protocol. In the Change Protocol dialog box, update the protocol and click OK.

Warning

Removing a protocol takes effect immediately. The API can no longer be called using the removed protocol. Proceed with caution.

View APIs your workspace is authorized to call

On the Manage APIs page, click the Authorized to Use tab. From here you can:

Test an API: Click Test in the Actions column. For more information, see Test an API.
Remove an authorization: Click Delete in the Actions column, then click OK in the Delete authorized message.

View APIs you have authorized other workspaces to call

On the Manage APIs page, click the Authorize Others to Use tab. From here you can:

Test an API: Click Test in the Actions column. For more information, see Test an API.
Manage permissions: Click Manage in the Actions column. In the Authorization dialog box, click Revoke or Change to remove or update a workspace's permission.

How API authorization works

API authorization grants an application permission to call an API. An application is the identity used during an API call. By default, DataWorks DataService Studio uses Alibaba Cloud APP for authentication, and grants the application that has the same name as the workspace the permissions to call APIs in that workspace. Callers use the application's AppCode, AppKey, and AppSecret to make authenticated API calls. For more information, see View the authentication information for calling APIs.

Depending on how you manage callers and authentication credentials, choose the authorization approach that fits your setup.

Scenario 1: Members in a workspace share one application

All workspace members call APIs using the same application identity.

Scenario 2: Each RAM user uses a dedicated application

Each RAM user has a separate application, making it easy to trace calls back to individual users.

Scenario 3: RAM users in a group share one application

RAM users in the same group call APIs using a shared application, with group-level traceability.