
DataWorks: Data Map permission management

Last Updated: Jun 21, 2026

By default, all members of a DataWorks tenant can access the Data Map module and view the metadata of all connected projects. This document describes how to configure fine-grained access control at different levels.

Data Map permission management

Data Map supports metadata permission management at three levels: functional module, project, and table. The following sections detail the policies and configuration steps for each level:

Module-level permission management

You can manage access to the entire Data Map module.

Permission policy: All tenant members can access the Data Map module.

Note

All RAM users under an Alibaba Cloud account owner are considered DataWorks tenant members and can access the Data Map module by default.

Configuration guide: This is the default module-level permission policy and requires no configuration.

Permission policy: Restrict specific RAM users from accessing the Data Map module.

Configuration guide: Use the global-level permission management feature of DataWorks.

  1. Create a custom global role that does not include permissions for the Data Map module.

  2. Assign this custom role to the RAM user.

For more information, see Manage permissions on global-level services. After you complete these steps, RAM users assigned this role can no longer access the Data Map module.

Permission policy: Require RAM users to join a workspace before they can access the Data Map module.

Configuration guide: On the Data Map page, hover over the icon in the left-side navigation pane and choose Manage Configurations > Other Settings to configure security controls. For more information, see Other settings.

Project-level permission management

Note
  • Only the Alibaba Cloud account owner, RAM users with the AliyunDataWorksFullAccess permission, and RAM users with the tenant administrator or Workspace Administrator role can configure the following permissions.

  • Currently, project-level permission management is supported only for the MaxCompute compute engine.

    By default, DataWorks collects metadata from other compute engines only after you configure metadata collection for them. If you do not want to collect metadata from other compute engines, do not configure metadata collection for them. For information about how to configure metadata collection, see Collect metadata.

Permission policy: Control whether to display the metadata of a project in Data Map.

By default, the metadata of all MaxCompute projects is collected and displayed in Data Map.

Configuration guide: On the Data Map page, hover over the icon in the left-side navigation pane and choose Manage Configurations > Manage Workspaces to open the workspace management page, where you can configure which project metadata is displayed in Data Map. For more information, see Manage Workspaces. On the DataWorks Manage Workspaces page, select the target workspace (for example, doc_test_3) from the workspace list on the left. In the MaxCompute Engine Configuration area on the right, turn on the Collect Metadata switch for the corresponding compute engine.

Permission policy: Control whether to allow members of other projects to view the metadata of a specific project in Data Map.

By default, all DataWorks global members can view the metadata of any MaxCompute project in Data Map.

Configuration guide: On the Data Map page, hover over the icon in the left-side navigation pane and choose Manage Configurations > Manage Workspaces to open the workspace management page, where you can set whether only members of this project can view its metadata. For more information, see Manage Workspaces. On the DataWorks Manage Workspaces page, select the target workspace (for example, doc_test_3). In the MaxCompute Engine Configuration area on the right, use the member-only visibility switch.

Table-level permission management

Note
  • Only the Alibaba Cloud account owner, table owner, and Workspace Administrators can configure the following permissions.

  • Currently, table-level permission management is supported only for the MaxCompute compute engine.

Permission policy: Control metadata visibility for users other than the table owner and Workspace Administrators.

By default, all DataWorks global members can view the metadata of tables in a MaxCompute project in Data Map.

Configuration guide: On the Data Map page, click the icon in the left-side navigation pane to open My Data and configure the table's visibility. For more information, see My Data. In the left-side navigation pane of Data Map, choose My Data > Data I Own. Find the target table, and in the Visibility column, click the drop-down menu to set the visibility to Show, Hide, or Project members only.

Permission policy: Control whether to allow users who are not members of the project to view the table's metadata in Data Map.
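
The following added example (not DataWorks code or a DataWorks API) models the module, project, and table levels described on this page so that you can enumerate which users would still see a table's metadata under a given configuration. The evaluation order, the one-workspace-per-project mapping, and every name except doc_test_3 are assumptions made for the example.

```python
from dataclasses import dataclass, field

SHOW, HIDE, MEMBERS_ONLY = "Show", "Hide", "Project members only"  # values named on the page

@dataclass
class User:
    name: str
    data_map_role: bool = True                    # False: custom global role without Data Map
    member_of: set = field(default_factory=set)   # workspaces the user has joined
    admin_of: set = field(default_factory=set)    # Workspace Administrator in these

@dataclass
class Project:                                    # assumption: one workspace per project
    name: str
    collect_metadata: bool = True                 # Collect Metadata switch
    members_only: bool = False                    # member-only visibility switch

@dataclass
class Table:
    name: str
    project: Project
    owner: str
    visibility: str = SHOW

def can_view(user, table, require_workspace=False):
    """Return (allowed, reason); checks run module -> project -> table (assumed order)."""
    proj = table.project
    joined = user.member_of | user.admin_of
    if not user.data_map_role:
        return False, "module: global role excludes Data Map"
    if require_workspace and not joined:
        return False, "module: no workspace joined"
    if not proj.collect_metadata:
        return False, "project: metadata not displayed"
    if proj.members_only and proj.name not in joined:
        return False, "project: members only"
    if user.name == table.owner or proj.name in user.admin_of:
        return True, "table: owner or Workspace Administrator"
    if table.visibility == HIDE:
        return False, "table: hidden"
    if table.visibility == MEMBERS_ONLY and proj.name not in joined:
        return False, "table: project members only"
    return True, "allowed"

def exposure(users, table, require_workspace=False):  # who can still see the metadata
    return sorted(u.name for u in users if can_view(u, table, require_workspace)[0])

# Constructed sample tenant; all names are hypothetical except doc_test_3 (the page's example).
USERS = [User("owner", member_of={"doc_test_3"}), User("analyst", member_of={"other_ws"}), User("contractor"),
         User("blocked", data_map_role=False), User("ws_admin", admin_of={"doc_test_3"})]
```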