By default, all tenant members in DataWorks can access Data Map and view the metadata of every project. This topic describes how to restrict metadata visibility at the service module, project, and table levels.
Permission management levels
Data Map supports metadata access control at three levels. Each level controls a different scope of visibility, and each requires a different role to configure.
| Level | What you control | Supported compute engine | Who can configure |
|---|---|---|---|
| Service module | Which RAM users can open Data Map | All | Default: all tenant members have access. To restrict access, use custom global roles. |
| Project | Which projects appear in Data Map and who can view their metadata | MaxCompute only | Alibaba Cloud account owner, RAM users with AliyunDataWorksFullAccess, tenant administrators, or Workspace Administrators |
| Table | Which tables are visible in Data Map and to whom | MaxCompute only | Alibaba Cloud account owner, the table owner, or Workspace Administrators |
Module-level permission management
Module-level permissions control which users can open Data Map. The default policy grants access to all tenant members — every RAM user under an Alibaba Cloud account.
| Policy | Effect | How to configure |
|---|---|---|
| All tenant members can access Data Map | Every RAM user under an Alibaba Cloud account can open Data Map. This is the default behavior and requires no configuration. | No configuration required. |
| Specific RAM users cannot access Data Map | The specified RAM user loses all access to Data Map. | Create a custom global role that excludes Data Map access permissions, then assign the role to the RAM user. For details, see Manage permissions on global-level services. |
| A RAM user can access Data Map only after being added to a workspace | Users who are not workspace members are blocked from opening Data Map. | In the left-side navigation pane of the DataMap page, move the pointer over the settings icon and choose Manage Configurations > Other Settings. In the Security Control section, configure the required parameters. For details, see Other settings. |
Project-level permission management
Project-level permission management is supported only on the MaxCompute compute engine. To make metadata from other compute engines appear in Data Map, create and configure a metadata collector for that engine. For details, see Collect metadata of a compute engine.
Project-level permissions control two things: whether a project's metadata appears in Data Map at all, and who can view that metadata. By default, metadata from all MaxCompute projects is collected and displayed, and all DataWorks tenant members can view any project's metadata.
| Policy | Effect | How to configure |
|---|---|---|
| Show or hide a project's metadata in Data Map | When hidden, no user can find the project's tables in Data Map. | In the left-side navigation pane of the DataMap page, move the pointer over the settings icon and choose Manage Configurations > Manage Workspaces. Select the projects whose metadata should appear in Data Map. For details, see Manage table visibility. |
| Restrict a project's metadata to project members only | Users outside the project cannot find the project's tables when searching Data Map. | In the left-side navigation pane of the DataMap page, move the pointer over the settings icon and choose Manage Configurations > Manage Workspaces. Enable the member-only visibility option for the project. For details, see Manage table visibility. |
Table-level permission management
Table-level permission management is supported only on the MaxCompute compute engine.
Table-level permissions let the table owner or a Workspace Administrator control the visibility of individual tables in Data Map. By default, all DataWorks tenant members can view the metadata of any table in a MaxCompute project.
| Policy | Effect | How to configure |
|---|---|---|
| Show or hide a specific table for project members | When hidden, project members (other than the table owner and Workspace Administrators) cannot see the table's metadata in Data Map. | In the left-side navigation pane of the DataMap page, click the personal data icon. In the My Data section, set the table visibility to shown or hidden. For details, see My Data. |
| Prevent non-project members from viewing a table's metadata | Users outside the project cannot find or view the table in Data Map. | — |
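
For an exposure review, the three levels above can be read as one decision per user and table. The following Python model is an added example, not DataWorks code or a DataWorks API: the class and field names are hypothetical, the tenant data is constructed, and it assumes that a user must be allowed at every level and that membership in any project counts as workspace membership.

```python
# Added illustration: hypothetical names, not a DataWorks API.
from dataclasses import dataclass, field

@dataclass
class Module:                       # service-module level
    denied: set = field(default_factory=set)  # custom global role excludes Data Map
    members_only: bool = False      # Security Control: must belong to a workspace

@dataclass
class Project:                      # project level (MaxCompute only)
    members: set
    admins: set                     # Workspace Administrators
    shown: bool = True              # default: metadata displayed in Data Map
    members_only: bool = False      # default: visible to every tenant member

@dataclass
class Table:                        # table level (MaxCompute only)
    owner: str
    hidden: bool = False            # hidden from project members
    members_only: bool = False      # outsiders cannot find or view it

def can_view(user, table, project, module, all_projects):
    """True if `user` sees the table's metadata; every level must allow it (assumed)."""
    in_any = any(user in p.members | p.admins for p in all_projects)
    if user in module.denied or (module.members_only and not in_any):
        return False
    if not project.shown:
        return False
    member = user in project.members | project.admins
    if not member:
        # The page states the hide option's effect on project members only, so
        # outsiders are judged solely by the two member-only switches.
        return not (project.members_only or table.members_only)
    privileged = user == table.owner or user in project.admins
    return privileged or not table.hidden

def audience(table, project, module, all_projects, tenant_users):
    """Users who can currently see the table, for an exposure review."""
    return {u for u in tenant_users
            if can_view(u, table, project, module, all_projects)}

# Constructed sample tenant: two projects, five RAM users.
FIN = Project(members={"alice", "bob"}, admins={"carol"})
OPS = Project(members={"dave"}, admins=set())
PAYROLL = Table(owner="alice")
USERS = {"alice", "bob", "carol", "dave", "erin"}
```

With every setting left at its default, `audience(PAYROLL, FIN, Module(), [FIN, OPS], USERS)` returns all five users, including `erin`, who belongs to no project.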