
DataWorks: Permission control for compute engines and data

Last Updated: Jun 10, 2026

DataWorks workspace members obtain engine resource permissions through different methods depending on the data source type. This page explains the permission model for each supported engine.

Prerequisites

Data sources and data permission control

Permission models vary by engine type.

Data source type, permission description, and related topics by engine:

MaxCompute engine

Preset roles

DataWorks workspace-level roles map to MaxCompute engine roles. RAM users with preset workspace roles inherit the permissions of the mapped development engine roles.

  • Development environment:

    Preset workspace-level roles grant direct access to MaxCompute tables in the development environment by default.

  • Production environment:

    Preset workspace-level roles do not include production MaxCompute permissions. Request access through Security Center.

Custom roles

When you create a custom role and map it to a MaxCompute engine role, the custom role inherits the permissions of that engine role.

EMR cluster

Configure cluster account mappings for workspace members to grant them the permissions of the mapped cluster accounts.

CDH/CDP cluster

Configure mappings between workspace members and Linux or Kerberos accounts to grant cluster permissions.

Related topics: DataStudio (Legacy): Attach CDH computing resources

Hologres

Hologres uses its own authorization policy. After you create a workspace and a Hologres data source, grant engine permissions to workspace members following the Hologres permission model.

Related topics: Overview of Hologres permission management

Other engines

Permissions are determined by the account configured as the engine access identity when you create the data source.

Note
  • When creating a data source, set the scheduling identity for each environment. For example, for an AnalyticDB for PostgreSQL data source, specify the database username and password.

  • All workspace-level roles (preset and custom) use the scheduling identity configured in the data source to run tasks. Workspace-level roles do not directly control permissions for non-MaxCompute engines.
