Built-in workspace-level roles and permissions of these roles - DataWorks

DataWorks provides the following built-in workspace-level roles: Workspace Owner, Workspace Administrator, Data Analyst, Develop, O&M, Deploy, Visitor, Security Administrator, Model Designer, and Data Governance Administrator. This topic describes the permissions of these roles.

By default, the built-in workspace-level roles provided by DataWorks have read permissions on all workspace-level services. The management and operation permissions of different built-in workspace-level roles on workspace-level services vary. The following table describes the built-in workspace-level roles and the permissions of each built-in workspace-level role on workspace-level services.

Role	Description
Workspace Owner	This role has all permissions on a workspace. The owner of a workspace is an Alibaba Cloud account. For example, the Workspace Owner role can be used to assign a role to a RAM user and remove a member that is not the owner of a workspace from the workspace.
Workspace Administrator	This role has permissions that are second only to the permissions of the Workspace Administrator role. The Workspace Administrator role can also be used to perform operations such as adding a user to a workspace as a member, removing a member from a workspace, or assigning a role to a member.
Data Analyst	This role has permissions only on DataAnalysis.
Develop	This role has permissions to perform data development and maintenance operations on the DataStudio page of a workspace. Note If you want to perform data development operations as a RAM user, you must assign the Develop or Workspace Administrator role to the RAM user. If you want to perform the deploy operation as a RAM user, you must assign the O&M or Workspace Administrator role to the RAM user.
O&M	This role has permissions to deploy tasks to the production environment on the Create Deploy Task page and perform O&M operations on all tasks in a workspace in Operation Center.
Deploy	This role has permissions to review the code of a task and determine whether to commit the task to Operation Center in a workspace in standard mode.
Visitor	This role has read-only permissions on workflows and code on the DataStudio page of a workspace.
Security Administrator	This role has permissions only on Data Security Guard.
Model Designer	This role has permissions to view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models.
Data Governance Administrator	This role has permissions to view and manage data governance content of the workspace to which this role belongs in Data Governance Center. Note This role does not have permissions to view data governance situations of all workspaces in a region from the global perspective or manage global governance operations, such as enabling check items at the global level. If you want to allow a RAM user to perform global governance operations, assign the Data Governance Administrator role at the tenant level to the RAM user. For more information, see Data Governance Administrator role at the tenant level. For more information about the features that are supported by the Data Governance Administrator role at the workspace level, see Data Governance.

The tables in the following sections describe the permissions of different built-in workspace-level roles on workspace-level services. In the tables, Yes indicates that a role has the specified permission, and No indicates that a role does not have the specified permission.

Data management
Deployment management
Button control
Code development
Function development
Node type selection
Resource management
Workflow development
Workspace management
Workflow O&M
Node O&M
Dashboard
Baseline
Alerting and monitoring
Data Integration
Data Modeling
DataAnalysis
Data Governance

The built-in workspace-level roles also have specified permissions on the data of a MaxCompute compute engine. For more information, see Manage permissions on data in a MaxCompute compute engine instance.

Note

You can execute the related statement to query permissions on data of a MaxCompute compute engine. For more information, see Query permissions by using MaxCompute SQL. For example, you can execute the describe role Role_Project_Dev statement to query whether the Develop role of DataWorks has the Create Table permission on a MaxCompute compute engine.
For information about mappings between built-in workspace-level roles of DataWorks and roles of a MaxCompute compute engine, see Appendix: Mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute.

Data management

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Delete a self-created table
Configure a category for a self-created table
View a favorite table
Create a table
Show a self-created table
Modify the schema of a self-created table
View a self-created table
View the content of a self-submitted permission request
Hide a self-created table
Configure the time to live (TTL) for a self-created table
Request permissions on a table created by other users
Update a table in the development environment
Delete a table in the development environment
Preview data
Add assignment parameters

Deployment management

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Create a deployment package
View the list of deployment packages
Revoke a deployment package
Perform/Reject a deployment operation
View the content of a deployment package
Cancel deployment

Button control

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Stop
Format
Edit
Run
Zoom in
Save
Show/Hide
Delete

Code development

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Save and commit the code of a task
View the code of a task
Write the code of a task
Delete the code of a task
View the code of a task
Run the code of a task
Modify the code of a task
Download a file
Upload a file

Function development

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View the details about a function
Create a function
Query a function
Delete a function

Node type selection

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
PAI
MR
CDP
SQL
XLIB
Shell
Zero load
script_seahawks
dtboost_analytic
dtboost_recommend
PyODPS
AnalyticDB for PostgreSQL
AnalyticDB for MySQL
HTTP Trigger
Database

Resource management

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View the list of resources
Delete a resource
Upload a resource
Upload a JAR file
Upload a text file
Upload an archive file

Workflow development

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Run or stop a workflow
Save a workflow
View a workflow
Commit the code of a node
Modify a workflow
View the list of workflows
Change the owner of a workflow
View the code of a node
Delete a workflow
Create a workflow
Create a folder
Delete a folder
Modify a folder

Workspace management

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View the basic information about a workspace
Create a baseline
Delete a baseline
Edit a baseline
Query the list of baselines
View a baseline
Test network connectivity
Add a data source
Delete a data source
Edit a data source
Search for a data source
View the data sources added in a workspace
Enable scheduling
View the scheduling properties of a task
Add a member to a workspace
Change the roles of workspace members
View the list of members in a workspace
Remove a member from a workspace
Search for a workspace member
Modify the configurations of a compute engine
View the configurations of a compute engine
Query the list of members within a tenant
Modify the basic information about a workspace
Modify the scheduling enabling setting
Whether to allow code modification
Whether to allow the downloading of query results obtained by executing SELECT statements
Query the list of roles in a workspace
Associate a resource group with a workspace
Disassociate a resource group from a workspace
Specify a default resource group for a workspace
Query the list of resource groups that are associated with a workspace
Create a resource group in a workspace
Delete a resource group
Initialize servers in a resource group
Query the list of servers in a resource group
Add servers to a resource group
Remove servers from a resource group
Update the server status and slots of a resource group
Query the list of workspaces with which a resource group is associated
Associate multiple resource groups with a workspace at a time
Query the list of roles in a MaxCompute project
Create a MaxCompute role
Delete a MaxCompute role
Query the MaxCompute roles that are assigned to a member
Modify the MaxCompute roles that are assigned to a member
Query the permissions of a role on workspaces and tables
Revoke permissions on workspaces or tables
Grant permissions on workspaces or tables
Query the security policy of a MaxCompute project
Modify the setting of ACL-based access control
Modify the setting of allowing an object creator to access the object
Modify the setting of allowing an object creator to grant permissions on the object
Modify the data protection setting of a workspace
Control whether a RAM user can access a MaxCompute project
Update the object that you want to deploy in a workspace
Refresh a RAM user
Query the list of MaxCompute users
Share a data source
Migrate tables in databases
Import table model design into or export table model design from DataStudio
Configure a resource group for a synchronization task
Enable permission configuration for GPU resources for PAI and deep learning tasks in a workspace
Allow access from Management Center to the security configurations of a MaxCompute project
Create a real-time synchronization node
Delete a workspace

Workflow O&M

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View a DAG
Go to the DataStudio page
View the DAG of an instance
View ancestor and descendant nodes in a DAG
View the list of workflows
View the operation logs of a workflow
Perform smoke testing
Backfill data
Change the owner of an object
View the details about a workflow
View ancestor and descendant instances of an instance in a DAG
Suspend an instance
Restore an instance
Terminate an instance
Terminate multiple instances at a time
View the list of instances
View run logs
Rerun an instance
Rerun multiple instances at a time
Search for an instance
Set the status of an instance to success
Rerun the descendant instances of an instance
Whether to perform a check for the first logon
View the DAG of a manually triggered node
Freeze and suspend a node
Unfreeze and resume a node
View the lineages of a node
View the details about a node
View the operation logs of a node
Change the baseline for a node
Resume an instance
Remove dependencies for an instance
View the lineages of an instance
View the details about an instance
View the running history of an instance
View the baselines affected by instances
Undeploy a node
Forcefully rerun the descendant nodes of a node
Forcibly rerun an instance
Change the running priority of an instance

Node O&M

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Change the baseline for a node
Change the baseline for multiple nodes at a time
View the code of a node
Change the owners of multiple nodes at a time
Change the resource group for a node
Change the resource groups for multiple nodes at a time
Perform smoke testing
Backfill data
Remove dependencies for an instance
Suspend an instance
Restore an instance
Refresh the attribute information about an instance
Terminate an instance
Terminate multiple instances at a time
Change the running priority of an instance
Refresh the dependencies of an instance
Rerun an instance
Set the status of an instance to success
Diagnose an instance
Diagnose the waiting duration
View the basic information about a resource group
View the information about an instance that is in the Running or Waiting state
View the usage trend of slots in a resource group
Query the list of tasks that occupy resources in a resource group
Show diagnostics information
Query the list of MaxCompute instances
Rerun a data quality check task
Use an HTTP Trigger node to trigger an instance

Dashboard

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View the number of baselines in the Overtime state
Remove a record from the dashboard
View the ranking of tasks by error within 30 days
View the trend for the number of tasks that are scheduled
View the completion situations of tasks
View the running information about tasks
View the ranking of tasks by running duration
View the distribution of tasks by type
View top-priority items on the dashboard

Baseline

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View the metrics of baselines
View the list of baselines

Monitoring and alerting

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
View the list of notification messages
Disable an alert
Disable multiple alerts at a time
Enable or disable phone call notifications
Create custom notification rules
Delete custom notification rules
Edit custom notification rules
View custom notification rules
View all events
View the details about an event
View the list of personal events

Data Integration

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Edit a node
View a node
Delete a node
Access the menu for managing data synchronization resources
View the list of resource groups for data synchronization
Create a resource group for data synchronization
View the list of Elastic Compute Service (ECS) instances in a resource group for data synchronization
Add an ECS instance to a resource group for data synchronization
Remove an ECS instance from a resource group for data synchronization
Modify an ECS instance in a resource group for data synchronization
Obtain the AccessKey pair for accessing a resource group for data synchronization
Delete a resource group for data synchronization
Monitor resource consumption
Change the resource groups for tasks in Operation Center
Access the menu for managing synchronization tasks
Switch to the code editor
Obtain the list of members in a workspace
Call the API operation to write the code of a task
Call the API operation to save or update the code of a task
Call the API operation to obtain the code of a task based on the file ID
Query the list of Data Integration nodes
Call the API operation to query a table
Call the API operation to query a field
Call the API operation to query the list of data sources
Call the API operation to add a data source
Call the API operation to query the details about a data source
Call the API operation to update a data source
Call the API operation to delete a data source
Test network connectivity
Preview data
Check whether the Stream feature is enabled for a Tablestore table
Activate Tablestore
Query the statement used to create a MaxCompute table
Create a MaxCompute table
Query the creation status of a MaxCompute table
Share a data source added in Data Integration

Data Modeling

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Data Metric -- Edit
Data Metric -- View
Data Metric -- Publish
Dimensional Modeling -- View
Dimensional Modeling -- Edit
Dimensional Modeling -- Publish
Data Standard -- View
Data Standard -- Edit
Data Standard -- Publish
Data Warehouse Planning -- View
Data Warehouse Planning -- Edit
Dimensional Modeling -- Publish an object to the development environment

DataAnalysis

Permission	Workspace Owner	Workspace Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Developer	Data Governance Administrator
Access pages in DataAnalysis
Use DataAnalysis

Note

By default, a custom role does not have the permissions of the Data Analyst role. If you want to use DataAnalysis by assuming a custom role, you can ask a user with the Workspace Administrator role to assign the Data Analyst role to you. For more information about how to assign a role to a workspace member, see Manage permissions on workspace-level services. For more information about custom roles, see Permissions of workspace-level roles.

Data Governance

Permission	Workspace Owner	Workspace Administrator	Data Governance Administrator	Data Analyst	Develop	O&M	Deploy	Visitor	Security Administrator	Model Designer
View governance effectiveness from the global perspective on the Assessment tab
View governance effectiveness from the workspace perspective on the Assessment tab
View the governance effectiveness of each governance owner from the individual perspective on the Assessment tab
View the governance ranking of a workspace on the Governance Rankings page
View the governance ranking of user accounts in a workspace on the Governance Rankings page
View governance issues from the workspace perspective on the Governance Issue page
View governance issues from the individual perspective on the Governance Issue page
Change the owner of a table from the workspace perspective
Change the owner of a table from the individual perspective
Change the TTL of a table from the workspace perspective
Change the TTL of a table from the individual perspective
Create an undeployment plan for a table from the workspace perspective
Execute an undeployment plan that is created for a table from the workspace perspective
Create an undeployment plan for a table from the individual perspective
Execute an undeployment plan that is created for a table from the individual perspective
Change the owner of a task from the workspace perspective
Change the owner of a task from the individual perspective
Create an undeployment plan for a task from the workspace perspective
Create an undeployment plan for a task from the individual perspective
Complete missing dependencies for a task in a workspace
Add a table to a whitelist from the workspace perspective on the Governance Issue page
View all metric data for check events from the workspace perspective on the Check Event page
View all whitelists in a workspace on the Whitelist page
Disable a whitelist created in a workspace on the Whitelist page
Create an undeployment plan on the Graceful Shutdown page
View all undeployment plans created in the current workspace on the Graceful Shutdown page
View the details of an undeployment plan on the Graceful Shutdown page
Perform operations on an undeployment plan on the Graceful Shutdown page
View recommended materialized views by workspace on the Materialized View page
Create a materialized view in a workspace on the Materialized View page
View the list of recommended materialized views in a workspace on the Materialized View page
View the list of materialized views in a workspace on the Materialized View page
View the panoramic information of a table in a workspace on the Table 360 page
View the panoramic information of a task in a workspace on the Task 360 page
View exported data from the individual dimension on the Workbench tab
Export data on the Workbench tab
Export data from the individual perspective on the Workbench tab
Perform resource usage analysis for all workspaces on the Use Analysis tab
Perform resource usage analysis for a single workspace on the Use Analysis tab
View information about governance items and check items on the Knowledge tab
Use a solution template provided on the Solution Template page
View the configuration of a check item on the Configure Check Item page
Enable or disable all check items for a workspace on the Configure Check Item page
Perform operations on a check item on the Configure Check Item page
View governance items on the Configure Governance Item page
Configure an exclusion rule for governance items on the Configure Governance Item page
View notification settings configured for a workspace on the Notification Settings page
Configure notification settings from the global perspective on the Notification Settings page
Configure notification settings from the workspace perspective on the Notification Settings page
Configure notification settings from the individual perspective on the Notification Settings page