
DataWorks: Identity credentials

Last Updated: Apr 02, 2026

Identity credentials map Alibaba Cloud RAM users or RAM roles to data source access accounts. After an administrator configures identity credentials, users can request data access permissions for StarRocks, Hive, and Lindorm in DataWorks, with access control enforced by Ranger.

Overview

When users access data sources such as StarRocks, Hive, or Lindorm through DataWorks, these data engines do not natively support authentication with Alibaba Cloud RAM users or RAM roles. Instead, they require the data source's own accounts, such as a username and password. The identity credential feature centrally maps RAM users or RAM roles to data source access accounts. This mitigates risks such as credential leakage, malicious tampering, and privilege abuse.

Identity credentials fit into the Ranger access control workflow as follows:

  1. Add a Ranger configuration: Configure the connection information for the Ranger instance in Security Center. For more information, see Add a Ranger configuration.

  2. Add a service association: Add a StarRocks-, Hive-, or Lindorm-type service to the Ranger instance. For more information, see Add a service.

  3. Configure identity credentials: Map RAM users or RAM roles to their corresponding data source accounts.

  4. Request permissions: Users submit permission requests in Data Access Control > Permission Application. After a security administrator approves the request, Ranger automatically generates a policy.

Prerequisites

  • You have completed the Ranger configuration and service association. For more information, see Add a Ranger configuration.

  • You must be a Tenant Administrator to access the Identity Credentials page and perform configurations.

Go to the identity credentials page

  1. Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

  2. In the left-side navigation pane, click Identity Credentials.

Add an identity credential

On the Identity Credentials page, click New in the upper-left corner. In the New Access Identity dialog box, configure the following parameters.

| Parameter | Description |
| --- | --- |
| Alibaba Cloud RAM user/Role | Select the RAM user or RAM role that will use this identity credential to access the data source. |
| Data Source Type | Select the type of data source to access. Supported types: StarRocks, Hive, and Lindorm. Note: The selected data source type must match the configured Ranger service type. For example, to request permissions for Lindorm, you must configure a Lindorm-type service in Ranger. |
| Cluster/Instance | Based on the selected data source type, select the corresponding cluster or instance. If the data source type is StarRocks or Hive, select the corresponding EMR cluster. If the data source type is Lindorm, select the corresponding Lindorm instance. Important: You must have the AliyunEMRReadOnlyAccess or AliyunLindormReadOnlyAccess permission to retrieve the list of corresponding clusters or instances. |
| Account Type | Select the account type. The account type determines whether the user has approval permissions. Administrator: Has approval permissions. Can approve or deny data permission requests submitted by other users. Ordinary User: Can only submit permission requests and cannot approve them. Important: You must configure at least one administrator account to enable the access control approval workflow. |
| Account Name | The account name that the Alibaba Cloud RAM user or RAM role uses to access the data source. Important: This account name must match the username configured in Ranger. Otherwise, Ranger cannot correctly match permission policies. |
| Account password | The password that the Alibaba Cloud RAM user or RAM role uses to access the data source. |
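
The parameter descriptions above state three consistency rules: the data source type must match a configured Ranger service type, the account name must match a username in Ranger, and at least one administrator account must exist. The following added example (not DataWorks or Ranger code) checks a planned set of mappings against those rules offline. The `Credential` record, the function name, and all sample principals, clusters and usernames are hypothetical, and the Ranger service types and usernames are assumed to have been collected by hand.

```python
from dataclasses import dataclass

SUPPORTED_TYPES = {"StarRocks", "Hive", "Lindorm"}  # types listed on this page
ACCOUNT_TYPES = {"Administrator", "Ordinary User"}  # account types listed on this page

@dataclass(frozen=True)
class Credential:       # hypothetical record for one planned identity credential
    principal: str      # RAM user or RAM role
    source_type: str    # Data Source Type
    cluster: str        # Cluster/Instance
    account_type: str   # Account Type
    account_name: str   # Account Name (password deliberately not stored here)

def check_credentials(creds, ranger_services, ranger_users):
    """Return a list of findings; an empty list means the plan is consistent.

    ranger_services: set of service types configured in Ranger
    ranger_users:    dict of service type -> set of usernames known to Ranger
    """
    findings = []
    for c in creds:
        tag = f"{c.principal} -> {c.account_name}@{c.cluster}"
        if c.source_type not in SUPPORTED_TYPES:
            findings.append(f"{tag}: unsupported data source type {c.source_type!r}")
        elif c.source_type not in ranger_services:
            findings.append(f"{tag}: no {c.source_type}-type service in Ranger")
        elif c.account_name not in ranger_users.get(c.source_type, set()):
            # Exact string comparison is an assumption of this example.
            findings.append(f"{tag}: account name is not a Ranger username")
        if c.account_type not in ACCOUNT_TYPES:
            findings.append(f"{tag}: unknown account type {c.account_type!r}")
    if not any(c.account_type == "Administrator" for c in creds):
        findings.append("no Administrator account configured: approval workflow is not enabled")
    return findings

# Constructed sample data; every name below is made up for illustration.
SAMPLE = [
    Credential("ram-user/alice", "Hive", "emr-cluster-a", "Administrator", "hive_admin"),
    Credential("ram-role/etl", "Lindorm", "lindorm-inst-1", "Ordinary User", "etl_reader"),
    Credential("ram-user/bob", "StarRocks", "emr-cluster-a", "Ordinary User", "Bob"),
]
RANGER_SERVICES = {"Hive", "StarRocks"}
RANGER_USERS = {"Hive": {"hive_admin"}, "StarRocks": {"bob"}}

if __name__ == "__main__":
    for finding in check_credentials(SAMPLE, RANGER_SERVICES, RANGER_USERS):
        print("FINDING:", finding)
```

With the sample data, the Lindorm mapping is flagged because no Lindorm-type service exists in the Ranger inventory, and `Bob` is flagged because the Ranger username is `bob`.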

Next steps

After configuring an identity credential, users can go to Data Access Control > Permission Application, select the databases or tables they need to access, and submit a permission request. For more information, see data access control.