All Products
Search
Document Center

DataWorks:Manage permissions on MaxCompute

Last Updated:Sep 12, 2024

The data access control feature of DataWorks allows you to manage permissions on the MaxCompute compute engine that you associate with your workspace. You can use this feature to request permissions on MaxCompute tables, process permission requests, audit permissions, and view permission request records and request processing records. This topic describes how to manage permissions on MaxCompute.

Background information

In a DataWorks workspace in standard mode, the workspace members have the read permissions on all data in the MaxCompute project that is associated with the workspace in the development environment. For more information, see Data access behaviors in and required access permissions on MaxCompute compute engine instances associated with workspaces in different modes.

If the workspace members want to use resources and functions in the MaxCompute project that is associated with the workspace in the production environment, the workspace members must follow the instructions in this topic to go to Security Center and request the access permissions on the tables, resources, and functions in the MaxCompute project in the production environment.

Note
  • By default, in a DataWorks workspace in standard mode, no mappings are configured between members in the workspace in the production environment and roles in the MaxCompute project that is associated with the workspace in the production environment.

  • A user can use tables, resources, and functions in the MaxCompute project that is associated with a workspace in the development environment only after the application submitted by the user is approved.

Prerequisites

  • You can request permissions on tables, resources, and functions of a MaxCompute data source.

  • Column-level access control is enabled for the MaxCompute project that is associated with the workspace in the development environment and the MaxCompute project that is associated with the workspace in the production environment in the MaxCompute console. This allows you to request permissions on fields in the tables of the MaxCompute projects in the development and production environments in Security Center. For more information, see Label-based access control.

Process of managing permissions on MaxCompute

Scenarios

Scenario

You want to use a RAM user in the development environment of a workspace to access tables, resources, and functions in the production environment of the workspace.

场景1

If the RAM user that you want to use to access DataWorks is not specified as the access identity of the compute engine in the production environment, you cannot use the RAM user to perform operations on tables in the production environment on the DataStudio page by default. If you want to use the RAM user to perform operations on tables in the production environment on the DataStudio page, you must request the required permissions for the RAM user in Security Center. After the request is approved, you can use the RAM user to perform operations on tables in the production environment on the DataStudio page.

You want to use a RAM user in the development or production environment of Workspace A to access tables, resources, and functions in the development or production environment of Workspace B on the DataStudio page of Workspace A.

场景2

By default, you cannot use a RAM user in Workspace A to access tables in the development or production environment of Workspace B on the DataStudio page of Workspace A. If you want to use the RAM user in Workspace A to access tables in the development or production environment of Workspace B, you must request the required permissions for the RAM user in Security Center. After the request is approved, you can use the RAM user to perform operations on the tables on the DataStudio page of Workspace A.

Permission application procedure

On the Data Access Control page, you can request permissions, process permission requests, audit permissions, and view permission request records and request processing records. If a RAM user cannot access specific tables during data development, you can request the required permissions for the RAM user on the Permission Application tab. After an approver, which can be assumed by a workspace administrator or a table owner, approves the request on the Permission Application Processing tab, the RAM user can access the specific tables.

Note

DataWorks Security Center provides a default request processing procedure. You can also specify a custom request processing procedure in Approval Center. When you request permissions on a field in a MaxCompute table, DataWorks determines the request processing procedure that you can use based on the field.

image
Note

You cannot specify a custom request processing procedure or audit permissions for resources and functions.

  • Requester: You can request permissions on MaxCompute tables in Security Center. You can view the records of permission requests that are submitted by using the current logon account on the Permission Application Records tab.

  • Approver: You can view and process requests as a workspace administrator or a table owner on the Permission Application Processing tab. You can view the processing results of table, resource, and function permission requests that are processed by using the current logon account on the Permission Application Processing Record tab.

  • Auditor: You can manage the permissions of a workspace member on tables and revoke the permissions on tables from the workspace member on the Permission Audit tab by using an Alibaba Cloud account or as a workspace administrator.

Step 1: Go to the Data Access Control page

Log on to the DataWorks console. In the top navigation bar, select the desired region. Then, choose Data Governance > Security Center in the left-side navigation pane. On the page that appears, click Go to Security Center.

Step 2: Request permissions

When you request permissions on tables, resources, and functions on the Data Access Control page, you must configure parameters in the Application Content and Application Information sections of the Data Access Control page. For more information, see the following tables.

Note

You cannot specify a custom request processing procedure or audit permissions for resources and functions.

Request permissions on tables

  1. Go to the Permission Application tab.

  2. Select tables on which you want to request permissions.

    1. In the Application Content section, set Data Source Type to MaxCompute, and select a workspace and a project.

    2. In the Tables to Be Added section, select the tables on which you want to request permissions.

      After you select tables, the information about the tables is displayed on the right side. You can click the 展开 icon on the left side of a table name to view all fields in the table. You can request the permissions on specific or all fields. By default, the permissions on all fields are requested.image

      Note
      • Column-level access control is enabled for the MaxCompute project that is associated with the workspace in the development environment and the MaxCompute project that is associated with the workspace in the production environment in the MaxCompute console. This allows you to request permissions on fields in the tables of the MaxCompute projects in the development and production environments in Security Center. For more information, see Label-based access control.

      • You can request the following column-level permissions: SELECT and UPDATE. You can request the following table-level permissions: DESCRIBE, DROP, ALTER, SELECT, and UPDATE. You can also request permissions on a specific field. After you are granted the SELECT and UPDATE column-level permissions on a table, you are automatically granted the SELECT and UPDATE column-level permissions on the columns that are added to the table.

  3. In the Application Information section, configure the parameters. The following table describes the parameters.

    Parameter

    Description

    User

    The account or user for which you request permissions on MaxCompute tables.

    • Current login account: indicates that you want to request permissions on the tables for the account that is used to access the current workspace.

    • Account Used for Scheduling: indicates that you want to request permissions on the tables for the RAM user that is specified as a scheduling access identity.

    • Apply on Behalf of Others: indicates that you want to request permissions on the tables for an account that is not used to access the current workspace. If you select this option, you must configure the Username parameter.

    Workspace

    The workspace in which you want to use the tables if you set User to Account Used for Scheduling.

    Application Duration

    The validity period of the requested permissions on tables. The permissions are automatically revoked after the validity period expires.

    Note

    You can configure this parameter only after you enable policy-based authorization for the MaxCompute project that contains the tables on which you request the permissions. For more information about how to enable policy-based authorization, see Manage permissions on data in a MaxCompute compute engine instance. For more information about the policy-based access control of MaxCompute, see Policy-based access control.

    Reason for Application

    The reason why you want to request the permissions.

  4. Click Apply for permission to submit the request.

    You can view the processing details and record of the current request on the Permission Application Records tab.

Request permissions on resources

Section and parameter

Description

Screenshot

Application Content

Application Type

Resources

image

Data Source Type

The default value is MaxCompute and cannot be modified.

Workspace

The workspace to which the resource on which you request permissions belongs.

MaxCompute Project

The MaxCompute project that is associated with the workspace to which the resource belongs.

Resource Name

The name of the resource on which you want to request permissions.

Application Information

User

The account or user for which you request permissions on the resource.

  • Current login account: indicates that you want to request permissions on the resource for the account that is used to access the current workspace.

  • Account Used for Scheduling: indicates that you want to request permissions on the resource for the RAM user that is specified as a scheduling access identity.

  • Apply on Behalf of Others: indicates that you want to request permissions on the resource for an account that is not used to access the current workspace. If you select this option, you must configure the Username parameter.

image

Application Duration

The validity period of the requested permissions on the resource. The permissions are automatically revoked after the validity period expires.

Reason for Application

The reason why you want to request the permissions.

After you complete the configurations, click Apply for permission to submit the request.

You can view the processing details and record of the current request on the Permission Application Records tab.

Request permissions on functions

Section and parameter

Description

Screenshot

Application Content

Application Type

Function

image

Data Source Type

The default value is MaxCompute and cannot be modified.

Workspace

The workspace to which the function on which you request permissions belongs.

MaxCompute Project

The MaxCompute project that is associated with the workspace to which the function belongs.

Function Name

The name of the function on which you want to request permissions.

Application Information

User

The account or user for which you request permissions on the function.

  • Current login account: indicates that you want to request permissions on the function for the account that is used to access the current workspace.

  • Account Used for Scheduling: indicates that you want to request permissions on the function for the RAM user that is specified as a scheduling access identity.

  • Apply on Behalf of Others: indicates that you want to request permissions on the function for an account that is not used to access the current workspace. If you select this option, you must configure the Username parameter.

image

Application Duration

The validity period of the requested permissions on the function. The permissions are automatically revoked after the validity period expires.

Reason for Application

The reason why you want to request the permissions.

After the configuration is complete, click Apply for permission to submit the request.

You can view the processing details and record of the current request on the Permission Application Records tab.

Step 3: Process requests

  1. View the information about pending requests.

    Go to the Permission Application Processing tab. You can specify the following filter conditions to search for the pending requests within the current Alibaba Cloud account: Application Account Number, Application Time, Workspace, Project Name, and Object Name.审批申请

    Note

    If a permission request order is submitted to request permissions on multiple tables that belong to different owners, the system splits the request order into multiple requests based on the table owners.

  2. View the details about a permission request.

    Find the permission request and click Approval in the Operation column. You can view the details and processing record of the permission request in the Approval details dialog box.

  3. Process permission requests.

    To process a single permission request, enter your comments and click Agree or Rejection based on your business requirements.

    To process multiple requests at the same time, select all requests that you want to process on the Permission Application Processing tab, click Batch Consent or Batch rejection, and then enter your comments.

View historical permission requests and their processing records

  • View permission request records. You can specify filter conditions such as Approval Status, Application Time, and Workspace to view the permission request records of the current Alibaba Cloud account.

    To view the details about a permission request, click View details in the Operation column of the request. You can continue to process requests whose processing status is In approval.

  • View request processing records. You can specify filter conditions such as Application Account Number, Approval Results, and Workspace to view the request processing records of the current Alibaba Cloud account.

    To view the details about a permission request, click View details in the Operation column of the request.