
DataWorks: RAM policy for service and console permissions

Last Updated: Jun 20, 2026

In DataWorks, both service-level permission control and management console permission control use Alibaba Cloud Resource Access Management (RAM) policies. You attach a RAM policy to an identity, such as a RAM user or a RAM role, to grant the permissions defined in the policy. This topic describes the permission policies supported by DataWorks and explains how an Alibaba Cloud account can grant these policies to users.

Service-level permissions: system and custom policies

By default, only an Alibaba Cloud account has service-level permissions for DataWorks. If you need a RAM user to manage services, you can grant them the following system policies. This gives the RAM user the same operational permissions as the Alibaba Cloud account.

Allowed actions for RAM users (system policies)

  • Scope: Manage DataWorks services
    Policy name: AliyunDataWorksFullAccess
    Description: This permission grants the RAM user broad permissions to manage DataWorks features on behalf of the Alibaba Cloud account, excluding purchasing-related features.

  • Scope: Purchase resources
    Policy name: AliyunBSSOrderAccess
    Description: Allows the RAM user to view, pay for, and cancel orders in Billing Management. The RAM user can also purchase resources and renew services on the management console.

Documentation: For instructions on how to grant permissions to a RAM user, see Grant permissions to a RAM user.

Denied actions for RAM users (custom policies)

Policy name: Custom

  • Scope: Prevent a RAM user from performing operations in DataWorks (fine-grained)
    Description: Prevents a user from accessing the management console, entering DataWorks module interfaces, or calling any OpenAPI.

  • Scope: Prevent a RAM user from calling any OpenAPI (fine-grained)
    Description: By default, users with permissions for a DataWorks module can call its corresponding OpenAPI. You can attach this policy to prevent a user from calling any OpenAPI.

  • Scope: Prevent a RAM user from accessing DataWorks module interfaces (fine-grained)
    Description: By default, all RAM users under an Alibaba Cloud account are members of the DataWorks tenant. They can access global modules and the modules in workspaces they have joined. You can prevent a user from accessing all DataWorks module interfaces.

Documentation: First, define the policy content by referring to Service-level permission control policies. Then, attach the custom policy to the RAM user to grant the permissions. For more information, see (Optional) Create a custom policy below.

Fine-grained console permission control: custom policies

DataWorks supports fine-grained permission control for operations on the following entities:

Workspace

  • Create a workspace

  • Modify a workspace

  • Delete a workspace

  • Disable a workspace

  • Enable a workspace

Resource group

  • List exclusive resource groups

  • View the details of a resource group by name

  • Create an exclusive resource group

  • Modify an exclusive resource group

Alerts

  • List contacts

  • Modify contact information

  • List alert resources

  • Set an upper limit for the number of alerts

Documentation: To grant fine-grained permissions for console operations, first create a custom policy as described in Console entity-level permission control policies. Then, attach the custom policy to a RAM user. For instructions, see Grant permissions to a RAM user.

Grant permissions to a RAM user

  1. In the left-side navigation pane, choose Identity management > User.

  2. In the Add Permissions panel, grant permissions to the RAM user.

    You can grant both system and custom policies. A custom policy must be created before you can grant it. For a list of available policies, see Service-level permissions: system and custom policies.

    Note

    For more information about parameter settings, see Manage permissions for a RAM user.

(Optional) Create a custom policy

If you want to implement fine-grained permission control by using a RAM policy, you must create a custom policy. You can skip this step if you use a system policy for broad permissions.

You can use your Alibaba Cloud account to create a custom policy on the Access Control console. For more information, see Create a custom policy.

  • To create a custom policy for service-level control, define the policy content as described in Service-level permission control policies.

  • To create a custom policy for entity-level control on the console, navigate to Permission management > Policies in the left-side navigation pane of the RAM console. Click Create Policy and select the Script tab. The policy must be in the following JSON format:

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "dataworks:OperationName",
          "Resource": "acs:dataworks:$regionid:$accountid:ResourceType/*"
        }
      ]
    }

    The values for Action and Resource correspond to the entries in the Action and Resource columns of the relevant permission table.

    Parameter: Action
    Description: Set the Action element in your custom policy to the Action value of the corresponding permission in Console entity-level permission control policies.

    Parameter: Resource
    Description: Set the Resource element in your custom policy to the Resource value of the corresponding permission in Console entity-level permission control policies.

    Note

    Notes on the Resource element:

    • Replace placeholders that start with a dollar sign ($) with actual values. For example, replace $regionid with a valid region ID and $accountid with the UID of your Alibaba Cloud account.

    • The asterisk (*) is a wildcard. You can replace it with a specific value to further refine the permission scope. For example, replacing workspace/* with workspace/workspaceid limits the policy to the specified workspace.
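
The notes on the Resource element can be checked before a policy is pasted into the Script tab. The following is an added example, not code from Alibaba Cloud: a small Python check that reports unresolved $ placeholders and Allow statements that still end in the /* wildcard, plus a helper that fills in the values. The function names and the sample region, account and resource IDs used with it are assumptions; OperationName and ResourceType are the page's own placeholders.

```python
import json
import re

# Template from the page; OperationName and ResourceType are the page's placeholders.
TEMPLATE = ('{"Version":"1","Statement":[{"Effect":"Allow",'
            '"Action":"dataworks:OperationName",'
            '"Resource":"acs:dataworks:$regionid:$accountid:ResourceType/*"}]}')

PLACEHOLDER = re.compile(r"\$[A-Za-z_]+")


def as_list(value):
    """Action and Resource may each be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def lint_policy(text):
    """Return a list of findings for a custom policy given as JSON text."""
    findings = []
    policy = json.loads(text)
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"statement {i}: Effect must be Allow or Deny")
        for action in as_list(stmt.get("Action", [])):
            if not action.startswith("dataworks:"):
                findings.append(f"statement {i}: action outside dataworks: {action}")
        for res in as_list(stmt.get("Resource", [])):
            for name in PLACEHOLDER.findall(res):
                findings.append(f"statement {i}: unresolved placeholder {name}")
            if effect == "Allow" and res.endswith("/*"):
                findings.append(f"statement {i}: Allow covers every resource in {res}")
    return findings


def scope_policy(text, region_id, account_id, resource_id=None):
    """Fill $regionid/$accountid and optionally replace the trailing * with one ID."""
    policy = json.loads(text)
    for stmt in policy["Statement"]:
        scoped = []
        for res in as_list(stmt["Resource"]):
            res = res.replace("$regionid", region_id).replace("$accountid", account_id)
            if resource_id and res.endswith("/*"):
                res = res[:-1] + resource_id
            scoped.append(res)
        stmt["Resource"] = scoped if len(scoped) > 1 else scoped[0]
    return json.dumps(policy, indent=2)
```

Run lint_policy on the raw template to see the three findings it raises, then on the output of scope_policy to confirm that the placeholders and the wildcard are gone.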