DataWorks allows you to grant different permissions on workspace-level services in a workspace to workspace members by assigning the members different roles. The roles that can be assigned to members include built-in workspace-level roles and custom workspace-level roles. The built-in workspace-level roles are granted fixed permissions on specific workspace-level services. The custom workspace-level roles can be used to control the read and write permissions of members on workspace-level services. This topic describes the workspace-level roles that can be used to manage permissions on workspace-level services and the basic operations that can be performed to manage permissions of workspace members on workspace-level services.
Background information
No. | Description | References |
---|---|---|
1 | A DataWorks workspace is a basic unit in which different roles can be used for collaborative data development. All data development operations are performed in a specific workspace. If you want to allow a RAM user to collaboratively perform data development operations, you must add the RAM user to a workspace as a member and assign roles to the member based on your business requirements. You can assign the built-in workspace roles provided by DataWorks to the member. For example, if you assign the Development role to the member, the member can perform data development operations in a workspace but cannot perform the deploy operation. | Permissions of built-in workspace-level roles |
2 | If the built-in workspace-level roles cannot meet your business requirements, you can create a custom workspace-level role and assign the role to a RAM user. This way, you can control the permissions of the RAM user on a specific workspace-level service. For example, you can create a custom workspace-level role and assign the role to a RAM user to deny the access permissions on DataService Studio for the RAM user. | Workspace-level roles |
3 | Permission management on workspace-level services in DataWorks is performed based on the role-based access control (RBAC) model. After you add a RAM user to a workspace as a member and assign a workspace-level role to the member, the member is granted the permissions of the role on the related workspace-level service. | Overview of the DataWorks permission management system |
Limits
- Only workspaces of DataWorks Enterprise Edition support custom roles. For information about DataWorks editions, see Differences among DataWorks editions. If your workspace is not of DataWorks Enterprise Edition, you can upgrade DataWorks to this edition. For more information, see Billing of DataWorks advanced editions.
- You can use only the Workspace Manager and Project Owner roles to add members, change the roles that are assigned to members, remove members, and delete custom roles.
- You can use only a RAM user that is assigned the Admin or Super_Administrator role of a MaxCompute project or an Alibaba Cloud account to configure the mapping between a DataWorks custom workspace-level role and a role of a MaxCompute project.
- You cannot change the permissions of the built-in roles.
Workspace-level roles
DataWorks provides different identities, such as members and roles, at the workspace level. You can assign different roles to users based on the requirements of users for the workspace. DataWorks provides built-in workspace-level roles that are granted fixed permissions on specific workspace-level services. If the built-in workspace-level roles cannot meet your business requirements, you can create a custom workspace-level role on the Roles tab of the User Management page.
Built-in workspace-level roles
Role | Description |
---|---|
Project Owner | This role has all permissions on a workspace. The owner of a workspace is an Alibaba Cloud account. For example, the Project Owner role can be used to assign a role to a RAM user and remove a member that is not the owner of a workspace from the workspace. |
Workspace Manager | This role has permissions that are second only to the permissions of the Project Owner role. The Workspace Manager role can also be used to perform operations such as adding a user to a workspace as a member, removing a member from a workspace, or assigning a role to a member. |
Data Analyst | This role has permissions only on DataAnalysis. |
Development | This role has permissions to perform data development and maintenance operations on the DataStudio page of a workspace. |
O&M | This role has permissions to deploy nodes to the production environment on the Create Deploy Task page and perform the O&M operations on all nodes in a workspace in Operation Center. |
Deploy | This role has permissions to review the code of a node and determine whether to commit the node to Operation Center in a workspace in standard mode. |
Visitor | This role has read-only permissions on workflows and code on the DataStudio page of a workspace. |
Safety Manager | This role has permissions only on Data Security Guard. |
Model Developer | This role has permissions to view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models. |
Custom workspace-level roles
A custom workspace-level role specifies one of the following permission levels on each workspace-level service:
- No permission: The role does not have permissions on the related service.
- Read only: The role can only view the data information in the related service.
- Read and write: The role can modify the data information in the related service.
Add a RAM user to a workspace as a member and assign roles to the member
After you add a RAM user to a workspace as a member, you can assign a built-in workspace-level role to the member based on your business requirements. By default, after a RAM user is added to a workspace as a member, the member can access all workspace-level services. If you want to prohibit the member from accessing a specific workspace-level service, you can create a custom workspace-level role for which access permissions on the service are denied and assign the role to the member. This way, the member cannot access the workspace-level service.
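The following Python model, added here as an illustration rather than DataWorks code or its documented evaluation algorithm, encodes the three custom-role permission levels and the deny behaviour described above. It assumes a precedence rule the page does not spell out (an explicit No permission setting in any custom role wins over grants from other custom roles); the service, role and member names are constructed.

```python
from enum import IntEnum
from typing import Dict, Iterable, List, Optional


class Level(IntEnum):
    """Per-service permission levels a custom workspace-level role can set."""
    NO_PERMISSION = 0  # the role explicitly denies access to the service
    READ_ONLY = 1      # the role may only view data in the service
    READ_WRITE = 2     # the role may modify data in the service


class CustomRole:
    """A custom workspace-level role: one permission level per governed service."""

    def __init__(self, name: str, levels: Dict[str, Level]) -> None:
        for service, level in levels.items():
            if not isinstance(level, Level):
                raise ValueError(f"{name}: {service} has invalid level {level!r}")
        self.name = name
        self.levels = dict(levels)


def effective_level(roles: Iterable[CustomRole], service: str) -> Optional[Level]:
    """Effective permission of a member holding `roles` on `service`.

    Assumed precedence (the page only states that a custom role can deny a
    service): an explicit NO_PERMISSION from any role wins, otherwise the
    highest granted level wins. None means no custom role mentions the
    service, so only the member's built-in roles decide access.
    """
    levels = [r.levels[service] for r in roles if service in r.levels]
    if not levels:
        return None
    if Level.NO_PERMISSION in levels:
        return Level.NO_PERMISSION
    return max(levels)


def members_with_write_access(members: Dict[str, List[CustomRole]], service: str) -> List[str]:
    """Least-privilege review: members whose custom roles grant READ_WRITE on `service`."""
    return sorted(m for m, roles in members.items()
                  if effective_level(roles, service) == Level.READ_WRITE)


# Constructed sample: role and member names are illustrative, not from a real workspace.
NO_API = CustomRole("no-dataservice", {"DataService Studio": Level.NO_PERMISSION})
ANALYST = CustomRole("analyst", {"DataAnalysis": Level.READ_ONLY,
                                 "DataService Studio": Level.READ_WRITE})
MEMBERS = {
    "ram-user-a": [ANALYST],          # keeps read/write on DataService Studio
    "ram-user-b": [ANALYST, NO_API],  # the deny role removes that access
}
```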
Step 1: Go to the Space member tab
- Log on to the DataWorks console and go to the Workspace page.
- On the Workspace page, click the Space member tab.
Step 2: Add a RAM user to a workspace as a member and manage members in the workspace
- On the Space member tab, click Add member.
- In the Add member dialog box, select one or more RAM users from the Account to be added list.
Operation | Description |
---|---|
Select the RAM users that you want to add to the workspace as members | The Account to be added list displays all RAM users that belong to the current Alibaba Cloud account. You can select one or more RAM users that you want to add to the workspace as members from the list and click the > icon to move the selected RAM users to the Account added list. This way, the RAM users become members in the workspace and can participate in data development. Note: If the RAM user that you want to add to the workspace is not displayed in the Account to be added list, you can click Refresh in the prompt message that is displayed in the upper part of the dialog box to refresh the list. |
Assign multiple roles to a RAM user | You can select the roles that you want to assign to the selected RAM user and click Confirmation. This way, the selected roles are assigned to the RAM user at the same time, and the RAM user is granted the permissions of the roles. You can assign built-in workspace-level roles or custom workspace-level roles to the RAM user. Before you assign a custom workspace-level role to the RAM user, you must create the custom workspace-level role as described in the following subsection. |

Note
- MaxCompute provides built-in roles for a MaxCompute compute engine. Mappings exist between the built-in workspace-level roles of DataWorks and the built-in roles of a MaxCompute compute engine instance in the development environment. This way, after a RAM user is assigned a built-in workspace-level role of DataWorks, the RAM user is automatically granted the permissions of the mapped built-in role of the associated MaxCompute compute engine instance in the development environment. However, the RAM user does not have the permissions of the mapped built-in role of the MaxCompute compute engine instance in the production environment by default.
- For information about how to grant permissions on a MaxCompute compute engine instance to a member in a workspace, see Manage permissions on data in a MaxCompute compute engine instance.
- For information about mappings between the built-in workspace-level roles of DataWorks and the built-in roles of a MaxCompute compute engine instance, see Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute.
- For compute engine instances of other types that are used in a workspace, you cannot grant permissions on the compute engine instance to a member by assigning a workspace-level role to the member.
- Click Confirmation. The selected RAM users are added to the workspace as members and the required roles are assigned to the members. Then, you can view information such as all members in the workspace and the account and roles of each member on the Space member tab. You can also specify the filter conditions to search for the desired member and change the workspace-level roles that are assigned to the member in the Role column. In addition, you can click Remove in the Actions column of a member to remove the member from the workspace.
(Optional) Create a custom workspace-level role
You cannot change the permissions of built-in workspace-level roles. If the built-in workspace-level roles cannot meet your business requirements for permission management, you can create a custom workspace-level role on the Space role tab.
- On the Workspace page, click the Space role tab. On the Space role tab, click Add custom roles.
- In the Create Custom Role dialog box, specify a name for the role and configure permission settings on each workspace-level service for the role.
- No permission: The role does not have permissions on the related service.
- Read only: The role can only view the data information in the related service.
- Read and write: The role can modify the data information in the related service.
- In the Configure Account Mapping section, click Add to configure the mapping between the custom workspace-level role and a role of a compute engine. If you want to use a MaxCompute compute engine instance in the workspace, you can specify a built-in role of the MaxCompute compute engine instance and configure a mapping between the custom workspace-level role and the role of the MaxCompute compute engine instance when you create the custom workspace-level role. This way, after the custom workspace-level role is assigned to a member in the workspace, the member is automatically granted the permissions of the built-in role of the MaxCompute compute engine instance. For information about the mappings between the roles of different types of compute engine instances and the roles of DataWorks, see Appendix: Mappings between DataWorks built-in workspace-level roles and MaxCompute roles.
- Click Configure. When the Created successfully message appears, the custom workspace-level role is created. When you add a user to the workspace as a member, you can assign this role to the member. In addition, you can modify or delete the custom workspace-level role on the Space role tab.