All Products
Search

This Product

    DataWorks:Role mappings: DataWorks vs MaxCompute

    Document Center

    DataWorks:Role mappings: DataWorks vs MaxCompute

    Last Updated:Mar 26, 2026

    Each DataWorks workspace-level role maps to a corresponding MaxCompute role. This mapping determines what a member can do in the MaxCompute development project and production project, and what operations they can perform in the DataWorks console.

    Permission management is not available for workspaces in basic mode. The development environment and production environment permission descriptions in the table below apply only to workspaces in standard mode. For details about workspace modes, see Differences between workspaces in basic mode and workspaces in standard mode.

    Role capability overview

    Use the following matrix to identify which role fits a given need.

    Capability Workspace Administrator Development O&M Deploy Visitor Security Manager Data Analyst Model Designer Data Governance Administrator
    Manage workspace settings and members
    Perform data development
    Deploy tasks to the production environment
    Perform online O&M
    View data (read-only)
    Use DataAnalysis
    View data models
    Edit data models
    Manage data governance issues
    Configure sensitive data identification rules

    DataWorks workspace roles

    The following table describes the nine built-in workspace roles, their corresponding MaxCompute roles, and the permissions granted in each environment.

    DataWorks role MaxCompute role Dev environment permissions Prod environment permissions DataWorks permissions
    Workspace Administrator Role_Project_Admin MaxCompute: All permissions on the project, including tables, functions, resources, instances, and jobs; Read permission on packages.
    DataWorks: Data development and task deployment to the production environment.



    		 No permissions by default. Request permissions in Security Center. - Manage workspace basic properties, data sources, and compute engine configurations
    - Add and remove workspace members
    - Assign the Workspace Administrator, Development, O&M, Deploy, or Visitor role to members
    Development Role_Project_Dev MaxCompute: All permissions on the project, including tables, functions, resources, instances, and jobs; Read permission on packages.
    DataWorks: Data development only; cannot deploy tasks to the production environment.



    		 No permissions by default. Request permissions in Security Center. - Create workflows, script files, resources, user-defined functions (UDFs), tables, and deployment tasks
    - Delete tables
    - No deployment permissions
    O&M (Operations and Maintenance) Role_Project_Pe MaxCompute: All permissions on the project and the functions, resources, instances, and jobs in the project; Read permission on packages; Read and Describe permissions on tables.
    Note

    The O&M role has permissions on the MaxCompute compute engine but cannot run nodes in the DataWorks console.








    		 No permissions by default. Request permissions in Security Center. - Deploy tasks and perform online O&M (permissions granted by the Workspace Administrator)
    - No data development permissions
    Deploy Role_Project_Deploy No permissions by default. No permissions by default. Request permissions in Security Center. - Deploy tasks to the production environment
    - No online O&M permissions
    - No data development permissions
    Visitor Role_Project_Guest No permissions by default. No permissions by default. Request permissions in Security Center. - View data only
    - Cannot modify workflows or code
    Security Manager Role_Project_Security No permissions by default. No permissions by default. Request permissions in Security Center. Available only in Data Security Guard:
    - Configure sensitive data identification rules
    - Audit data risks
    Data Analyst Role_Project_Data_Analyst MaxCompute: CreateInstance and CreateTable permissions in the project.
    DataWorks: View models in Data Modeling; view and use features in DataAnalysis.



    		 No permissions by default. Request permissions in Security Center. Permissions only on DataAnalysis.
    Model Designer Pole_Project_Erd No permissions by default. No permissions by default. Request permissions in Security Center. - View models in Data Modeling
    - Modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric
    - No permissions to publish models
    Data Governance Administrator Role_Project_Data_Governance No permissions by default. No permissions by default. Request permissions in Security Center. Permissions only on Data Governance Center:
    - View and manage detected data governance issues
    - Configure data governance plans
    - Enable check items
    - No data development or O&M permissions

    MaxCompute-only identities

    The following identities exist at the MaxCompute project level and have no corresponding DataWorks workspace role.

    Identity Dev environment permissions Prod environment permissions
    Workspace owner (Alibaba Cloud account) → Project Owner Owner of the project; all permissions on the project. Same as the development environment.
    Super_Administrator Super administrator of the project; management permissions on the project and all permissions on all resource types. Same as the development environment.
    Admin Access all objects, manage users and roles, and grant permissions to users or roles.

    Compared with the Project Owner, the Admin role cannot: assign the Admin role to users, configure security policies, modify the authentication model, or modify Admin role permissions. The Project Owner can assign the Admin role to a user and authorize that user to manage security configurations.










    		 Same as the development environment.
    Role_Project_Scheduler No permissions by default. MaxCompute: All permissions on the project, including tables, functions, resources, instances, and jobs; Read permission on packages.
    DataWorks: Identity used to commit tasks to the production environment for scheduling.
    Note

    If you specify a RAM user or RAM role as the default access identity when adding a MaxCompute project to a workspace in the production environment, that RAM user or RAM role gets the same permissions as Role_Project_Scheduler. For details, see the Add a data source section in Add a new MaxCompute data source.

    For more information about MaxCompute permissions, see MaxCompute permissions and Manage permissions on data in a MaxCompute compute engine.