DataWorks uses role-based access control (RBAC) to manage what workspace members can do in each service. There is no limit on the number of members you can add to a workspace. Assign built-in roles for standard access patterns, or create custom roles to grant or restrict access to specific services.
This page covers workspace-level roles and member management. For permissions on data within a compute engine such as MaxCompute, see Manage permissions on data in a MaxCompute compute engine.
Who can manage members and roles
| Task | Required role |
|---|---|
| Add members | Workspace Owner or Workspace Administrator |
| Change role assignments | Workspace Owner or Workspace Administrator |
| Remove members | Workspace Owner or Workspace Administrator |
| Delete custom roles | Workspace Owner or Workspace Administrator |
| Map a custom role to a MaxCompute project role | Alibaba Cloud account, or a RAM user with the Admin or Super_Administrator role in the MaxCompute project |
Workspace-level roles
DataWorks provides two types of workspace-level roles:
- Built-in roles: fixed permission sets. All built-in roles have read access to all workspace-level services by default. You cannot modify their permissions.
- Custom roles: configurable roles that grant No Permissions, Read-only, or Read and Write access per service. Available on DataWorks Enterprise Edition only.
Built-in roles
| Role | Capabilities |
|---|---|
| Workspace Owner | Full permissions on the workspace. Always an Alibaba Cloud account — cannot be assigned to a RAM user. Can assign roles and remove any non-owner member. |
| Workspace Administrator | Second-highest permissions. Can add and remove members and assign roles. |
| Develop | Data development and maintenance in DataStudio. Cannot deploy tasks. To deploy, the member also needs the O&M or Workspace Administrator role. |
| O&M | Deploy tasks to the production environment via the Create Deploy Task page, and perform O&M operations on all tasks in Operation Center. |
| Deploy | Review task code and commit tasks to Operation Center in standard mode. |
| Visitor | Read-only access to workflows and code in DataStudio. |
| Data Analyst | Access to DataAnalysis only. No access to DataStudio or other services. |
| Security Administrator | Access to Data Security Guard only. No access to DataStudio or other services. |
| Model Designer | View models in Data Modeling. Modify parameters in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. Cannot publish models. |
| Data Governance Administrator | View and manage data governance content for this workspace in Data Governance Center. Does not have cross-workspace or global governance permissions. To perform global governance operations across all workspaces in a region, assign the tenant-level Data Governance Administrator role. |
The Workspace Owner is the Alibaba Cloud account used to create the workspace. If a RAM user creates the workspace, the owner is the Alibaba Cloud account the RAM user belongs to.
For the full permission matrix, see Permissions of built-in workspace-level roles.
Custom roles
Custom roles let you set one of three permission levels per workspace-level service:
| Permission level | Access |
|---|---|
| No Permissions | No access to the service |
| Read-only | View data in the service |
| Read and Write | View and modify data in the service |
If you use MaxCompute, map the custom role to a MaxCompute role so members assigned the custom role automatically receive the corresponding MaxCompute permissions.
Custom roles require DataWorks Enterprise Edition. See Differences among DataWorks editions for edition details, and Billing of DataWorks editions for pricing.
To upgrade, unsubscribe from your current edition before purchasing the new one. Upgrading directly requires paying the price difference for the remaining period. See the "General reference: Stop using DataWorks features or resources" topic for unsubscription steps.
Add a member and assign roles
Step 1: Go to the Workspace Members tab
- In the left-side navigation pane, click Workspace Members and Roles. On the Workspace page, click the Workspace Members tab.
Step 2: Add a RAM user as a member
- In the upper-right corner of the Workspace Members tab, click Add Members.
- In the Add Members dialog box, select one or more RAM users from the Available Accounts list, then click the > icon to move them to the Selected Accounts list.
  If a RAM user does not appear in the list, click Refresh in the prompt message at the top of the dialog box.
- Select the roles to assign to the member. You can assign built-in roles, custom roles, or a combination of both. To assign a custom role, create it first.
  Built-in DataWorks workspace roles are automatically mapped to built-in MaxCompute roles in the development environment. Members do not automatically receive production environment MaxCompute permissions. To grant production access, see Manage permissions on data in a MaxCompute compute engine. For role mapping details, see Appendix: Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute. For other compute engine types, workspace-level roles do not grant compute engine permissions.
- Click Confirmation.
After adding, the Workspace Members tab shows each member's account and assigned roles. Use the Role column to change role assignments, or click Remove in the Actions column to remove a member.
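A periodic review of the member list can be scripted. The following is an added example, not DataWorks code: it checks a member list against the role rules on this page (a Develop member who also holds O&M or Workspace Administrator can deploy their own changes; Workspace Administrators can manage members; custom roles may carry a MaxCompute mapping). The data layout, account names, custom role names and the `max_admins` threshold are assumptions.

```python
# Role names, permission levels and service names come from the tables on this page.
BUILT_IN = {"Workspace Owner", "Workspace Administrator", "Develop", "O&M", "Deploy",
            "Visitor", "Data Analyst", "Security Administrator", "Model Designer",
            "Data Governance Administrator"}
LEVELS = {"No Permissions", "Read-only", "Read and Write"}
DEPLOY_UNLOCK = {"O&M", "Workspace Administrator"}  # lets a Develop member deploy

# Constructed sample data in a hypothetical layout, e.g. copied by hand from the
# Workspace Members and Workspace Roles tabs. Accounts and custom roles are made up.
MEMBERS = [
    {"account": "ram-alice", "roles": ["Develop"]},
    {"account": "ram-bob", "roles": ["Develop", "O&M"]},
    {"account": "ram-carol", "roles": ["Workspace Administrator"]},
    {"account": "ram-dave", "roles": ["Visitor", "etl_reader"]},
    {"account": "ram-erin", "roles": ["Workspace Administrator", "Develop"]},
    {"account": "ram-frank", "roles": ["legacy_role"]},
]
CUSTOM_ROLES = {
    "etl_reader": {"levels": {"DataStudio": "Read-only", "DataAnalysis": "Read and Write"},
                   "maxcompute_role": "role_etl"},
}

def audit(members, custom_roles, max_admins=1):
    """Return sorted (subject, finding) tuples. max_admins is a local policy assumption."""
    findings = set()
    # A custom role may only use the three permission levels the page defines.
    for name, role in custom_roles.items():
        if any(level not in LEVELS for level in role["levels"].values()):
            findings.add((name, "invalid-level"))
    # Workspace Administrators can add and remove members and assign roles.
    admins = [m["account"] for m in members if "Workspace Administrator" in m["roles"]]
    if len(admins) > max_admins:
        findings.update((a, "excess-admin") for a in admins)
    for m in members:
        roles = set(m["roles"])
        # Same person can both write task code and deploy it.
        if "Develop" in roles and roles & DEPLOY_UNLOCK:
            findings.add((m["account"], "develop-and-deploy"))
        for r in roles - BUILT_IN:
            if r not in custom_roles:
                findings.add((m["account"], "unknown-role"))
            elif custom_roles[r].get("maxcompute_role"):
                # Member also inherits the mapped MaxCompute role's permissions.
                findings.add((m["account"], "maxcompute-mapped"))
    return sorted(findings)

if __name__ == "__main__":
    for subject, finding in audit(MEMBERS, CUSTOM_ROLES):
        print(f"{subject}: {finding}")
```
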
Create a custom role
- On the Workspace page, click the Workspace Roles tab, then click Create Custom Role.
- In the Create Custom Role dialog box, enter a name for the role and set the permission level for each workspace-level service.
- (Optional) In the Configure Mappings Between a DataWorks Custom Role and a Role of a Compute Engine section, click Add to map this role to a MaxCompute role. Members assigned this custom role automatically receive the permissions of the mapped MaxCompute role. For mapping details, see Appendix: Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute.
- Click Create. When the Created message appears, the custom role is ready to assign to members.
To edit or delete a custom role, use the Workspace Roles tab.