
DataWorks:Log on via RAM role

Last Updated:Mar 27, 2026

DataWorks supports role-based single sign-on (SSO), which lets a RAM user assume a RAM role and work in DataWorks under that role's identity. When a RAM role logs on, the role itself becomes the workspace member. The user who assumes the RAM role has the same permissions as the Alibaba Cloud account or RAM user that you use to log on to the DataWorks console.

Background information

You can use one of the following methods to log on to the DataWorks console:

  • Use an Alibaba Cloud account or a RAM user — log on with your Alibaba Cloud account or a RAM user and password. The account or RAM user becomes a workspace member and is granted permissions to use DataWorks features.

  • Use role-based SSO — the RAM role becomes a workspace member. Some enterprises prefer this method as regulatory requirements for enterprise security become increasingly strict. For more information about roles, see Overview and Overview.

Prerequisites

Before you begin, ensure that you have:

  • An Alibaba Cloud account with administrator access

  • A DataWorks workspace associated with a MaxCompute or Hologres compute engine

Note

Role-based SSO only works with DataWorks workspaces that use MaxCompute or Hologres as the compute engine.

To grant or manage permissions using a RAM user or RAM role, attach the AliyunRAMFullAccess policy to that RAM user or RAM role. For details, see Grant permissions to a RAM user.

Step 1: Create a RAM role

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left navigation pane, choose Identity Management > Roles.

  3. On the Roles page, click Create Role and follow the on-screen instructions. Choose the trusted entity type based on how the role will be assumed:

Step 2: Define the trust policy

On the Roles page, click the role name. On the role details page, click the Trust Policy tab and replace the existing policy with one of the following, depending on your scenario.

Every trust policy for DataWorks SSO has two parts:

  • Who can assume the role — either a RAM user or an on-premises IdP

  • The DataWorks service (dataworks.aliyuncs.com) — required so DataWorks can schedule tasks using the role's identity


Replace the placeholders before saving:

Placeholder | Description
UID         | The UID of your Alibaba Cloud account
IDP         | The name of your on-premises IdP (scenario 2 only)

Scenario 1: RAM user assumes the role

Use this policy when a RAM user switches to the role in the Alibaba Cloud Management Console.

The Principal.RAM field grants a RAM user in your account (acs:ram::UID:root) permission to call the Security Token Service (STS) AssumeRole operation. The Principal.Service field grants DataWorks the same permission so it can run tasks as the role.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "RAM": [
                    "acs:ram::UID:root"
                ]
            }
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dataworks.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}

Scenario 2: On-premises IdP assumes the role

Use this policy when an on-premises identity provider (IdP) authenticates users via SAML and federates them into the role.

The Principal.Federated field identifies your SAML provider (acs:ram::UID:saml-provider/IDP). The Condition enforces that the SAML assertion targets the correct SSO endpoint. The Principal.Service field grants DataWorks permission to assume the role for task scheduling.

{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "saml:recipient": "https://signin.aliyun.com/saml-role/sso"
                }
            },
            "Effect": "Allow",
            "Principal": {
                "Federated": [
                    "acs:ram::UID:saml-provider/IDP"
                ]
            }
        },
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "dataworks.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
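As an added check that is not part of this page's own content, the Python below validates a saved trust policy against the two-part structure described for both scenarios: an assumer (a RAM principal, or a Federated principal carrying the saml:recipient condition) plus the dataworks.aliyuncs.com service principal, with the UID and IDP placeholders replaced. The sample policy, its account ID and its provider name are constructed.

```python
import json

# Constructed sample: the scenario 2 (SAML IdP) trust policy with the UID and
# IDP placeholders replaced by obviously fake values.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Condition": {"StringEquals": {
             "saml:recipient": "https://signin.aliyun.com/saml-role/sso"}},
         "Principal": {"Federated": [
             "acs:ram::1234567890123456:saml-provider/example-idp"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"Service": ["dataworks.aliyuncs.com"]}},
    ],
    "Version": "1",
})

DATAWORKS_SERVICE = "dataworks.aliyuncs.com"
SAML_RECIPIENT = "https://signin.aliyun.com/saml-role/sso"


def _as_list(value):
    """RAM policies accept a string or a list for Action and principal values."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json):
    """Return findings for a DataWorks SSO trust policy; [] means it passes."""
    findings = []
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        findings.append('Version must be "1"')
    has_service = has_assumer = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            findings.append("each statement must Allow exactly sts:AssumeRole")
            continue
        principal = stmt.get("Principal", {})
        # ARN layout: acs:ram::<account UID>:root or acs:ram::<UID>:saml-provider/<name>
        for arn in _as_list(principal.get("RAM", [])) + _as_list(principal.get("Federated", [])):
            parts = arn.split(":")
            if len(parts) != 5 or not parts[3].isdigit() or parts[4] == "saml-provider/IDP":
                findings.append(f"placeholder or malformed principal ARN: {arn}")
        if DATAWORKS_SERVICE in _as_list(principal.get("Service", [])):
            has_service = True
        if principal.get("RAM"):
            has_assumer = True
        if principal.get("Federated"):
            has_assumer = True
            recipient = stmt.get("Condition", {}).get("StringEquals", {}).get("saml:recipient")
            if recipient != SAML_RECIPIENT:
                findings.append("Federated principal lacks the saml:recipient condition")
    if not has_service:
        findings.append(f"missing Service principal {DATAWORKS_SERVICE} (task scheduling breaks)")
    if not has_assumer:
        findings.append("no RAM or Federated principal is allowed to assume the role")
    return findings
```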

Step 3: Attach the AssumeRole policy to the RAM user

Note

Skip this step if you are using an on-premises IdP (scenario 2).

For a RAM user to call the STS AssumeRole operation and obtain an STS token for the role, attach the AliyunSTSAssumeRoleAccess policy to the RAM user. For details, see Grant permissions to a RAM user.

Step 4: Log on to the DataWorks console by using a RAM user that assumes the RAM role

After you perform the operations in this step, you can use DataWorks as the RAM role. For information about role-based SSO, see Overview.

  1. Log on to the DataWorks console as a RAM user.

  2. In the upper-right corner, hover over your user profile icon to open the account menu.

  3. Click Switch Identity to switch to the RAM role.

What's next

After switching to the RAM role, the workspace administrator can add the role as a workspace member and configure its scheduling identity:

  • Add the RAM role as a workspace member — the workspace administrator adds the RAM role to the DataWorks workspace to enable data development. See Add and manage workspace members and their role permissions.

  • Use the RAM role as the MaxCompute scheduling identity — when adding a MaxCompute data source, specify the RAM role as the access identity for production scheduling. If you do this, keep the role dedicated to DataWorks scheduling and run all MaxCompute tasks through exclusive resource groups.