Workspace roles and MaxCompute permissions - DataWorks - Alibaba Cloud Documentation Center

This table maps DataWorks workspace-level roles to MaxCompute project permissions and details the permissions for each role. For more information about MaxCompute permissions, see MaxCompute permissions and MaxCompute data permission control details.

Note

The permissions in the Development environment permissions and Production environment permissions columns apply only to workspaces in standard mode. For more information about DataWorks workspace modes, see Differences between workspace modes.

Mapping		Permission details
DataWorks role or identity	MaxCompute role	Development environment permissions	Production environment permissions	Description
Workspace Administrator	Role_Project_Admin	MaxCompute engine level: All permissions for project/table/function/resource/instance/job in the current project, and the `read` permission on `package`s. DataWorks level: Can perform data development and deploy tasks to the production environment.	By default, this role has no permissions. Permissions require approval in Security Center.	Users with this role can manage the workspace's basic properties, data sources, compute engine configurations, and members. They can also assign the Workspace Administrator, Development, O&M, Deploy, and Visitor roles to other members.
Development	Role_Project_Dev	At the MaxCompute engine level: all permissions on projects, tables, functions, resources, instances, and jobs in the current project, and `package`'s `read` permission. DataWorks level: Can perform data development but cannot deploy tasks to the production environment.	By default, this role has no permissions. Permissions require approval in Security Center.	Users with this role can create workflows, script files, resources, UDFs, and deployment packages. They can also create and delete tables but cannot perform deployment.
O&M	Role_Project_Pe	Has all permissions on project, function, resource, instance, and job objects in the current project, plus Read permission on packages and Read/Describe permissions on tables. Note Although this role has permissions at the MaxCompute engine level, users with the O&M role cannot directly run nodes from the DataWorks UI.	By default, this role has no permissions. Permissions require approval in Security Center.	A Workspace Administrator grants the O&M role. Users with this role can perform deployment and online O&M, but not data development.
Deploy	Role_Project_Deploy	No permissions by default.	By default, this role has no permissions. Permissions require approval in Security Center.	This role is similar to the O&M role but does not include permissions for online O&M.
Visitor	Role_Project_Guest	No permissions by default.	By default, this role has no permissions. Permissions require approval in Security Center.	Users with this role have view-only access. They cannot edit workflows, code, or other items.
Security Manager	Role_Project_Security	No permissions by default.	By default, this role has no permissions. Permissions require approval in Security Center.	The Security Manager is used only in the Data Security Guard module for tasks such as sensitive rule configuration and data risk auditing.
Data Analyst	Role_Project_Data_Analyst	MaxCompute engine level: Has `CreateInstance` and `CreateTable` permissions in the current project. DataWorks level: Can view models in Data Modeling and use features in Data Analysis.	By default, this role has no permissions. Permissions require approval in Security Center.	Grants permissions only for operations in the Data Analysis module.
Model Designer	Role_Project_Erd	No permissions by default.	By default, this role has no permissions. Permissions require approval in Security Center.	Users with this role can view models in Data Modeling and manage data warehouse planning, data standards, dimensional modeling, and data metrics. This role does not grant permission to publish models.
Data Governance Administrator	Role_Project_Data_Governance	No permissions by default.	By default, this role has no permissions. Permissions require approval in Security Center.	This role applies only to Data Governance Center. It allows users to view governance issues, define governance plans, and enable check items in the workspaces they manage. It does not grant permissions for data development or O&M.
workspace owner (Alibaba Cloud account)	Project Owner	As the MaxCompute project owner, this role has all permissions on the project.	Has all permissions.	N/A
N/A	Super_Administrator	As the super administrator of the MaxCompute project, this role holds administrative permissions and all permissions on all resource types within it.	Has all permissions.	N/A
N/A	Admin	When a project is created, an Admin role is automatically created with a fixed set of permissions. This role can access all objects in the project and manage and authorize users and roles. Unlike the project owner, the Admin role cannot assign Admin permissions to other users, configure security settings for the project, or modify the project's authentication model. The project owner can assign the Admin role to a user to delegate security management.	Has all permissions.	N/A
N/A	Role_Project_Scheduler	No permissions by default.	MaxCompute engine level: Has all permissions on project, table, function, resource, instance, and job objects in the current project, plus the read permission on packages. DataWorks level: Used as the execution identity in the production scheduling environment. Note When a RAM user or RAM role is set as the scheduling access identity for the production environment of a MaxCompute project (that is, configured as the Default Access Identity when you create a production data source), DataWorks maps the user or role to the Role_Project_Scheduler role of the MaxCompute project. For more information about how to configure the default access identity, see Bind a MaxCompute compute engine.	Acts as the unified identity to schedule and run MaxCompute tasks in the production environment.