DataWorks provides the data query and analysis control feature. This feature allows you to grant a role or member the permissions to query a specified data source in a DataWorks module. This feature also allows you to manage the permissions on query results, such as the permissions to display, copy, download, and share query results, to ensure data security. This topic describes how to use the data query and analysis control feature.
Background information
The data query and analysis control feature allows you to manage the permissions to query a data source and manage the permissions on query results, such as the permissions to display, copy, download, and share query results.
Manage the permissions to query a data source
The feature allows you to manage the permissions to query a data source. Data sources in DataWorks are classified into data sources that are automatically generated when you associate compute engines with a workspace and data sources that are added to DataWorks on the Data source page. The following table describes the users who are automatically granted the permissions to query different types of data sources and other users to whom you can grant the permissions to query different types of data sources.
Data source type
User who is automatically granted the query permissions on data sources
User to whom you can grant the query permissions on data sources
References
Data sources generated for compute engines
The account or role that you specify as the scheduling access identity when you associate a compute engine with a workspace has the permissions to query the data source that is automatically generated based on the compute engine.
You can use the Manage the query permissions on data sources feature to grant the query permissions on data sources to other users or roles. Take note of the following items when you grant the query permissions:
After you grant a member or role the permissions to query a data source, the member or role has the same permissions as the access identity of the data source. To ensure data security, especially the security of data in the production environment, we recommend that you grant permissions to users based on appropriate planning.
For a workspace in standard mode, you must associate compute engines with the workspace in the development and production environments. Then, the system automatically generates data sources based on the compute engines. You must obtain the access identities of the data sources in the development and production environments.
Data sources that you add to DataWorks
The account that you specify to access a data source when you add the data source to DataWorks on the Data source page has the access permissions on the data source.
The data query and analysis control feature can be used to manage only the query permissions on data sources. For information about how to manage the read and write permissions on data sources, see Processing procedure for permissions on Data Integration nodes.
Manage the permissions on query results
DataWorks allows you to perform various operations on query results of data sources. For example, you can display, copy, download, and share query results. DataWorks also allows you to configure policies for these operations that you can perform on query results in the DataAnalysis module to ensure data security. The following table describes the users who are automatically granted the permissions on query results and other users to whom you can grant the permissions on query results.
User who is automatically granted the permissions on query results | User to whom you can grant the permissions on query results |
All users have the permissions to display, copy, download, and share query results. | You can use the Manage the permissions on query results feature to configure policies for the operations that you can perform on query results: Specify whether to allow users to copy, download, and share query results. Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded. |
Limits
Manage the query permissions on data sources
The following table describes the limits on the functionality of permission management on data source query.
Item | Description |
Module on which permission management takes effect | You can manage the query permissions on data sources only in the DataAnalysis module. For a workspace in standard mode, you can grant users the query permissions only on the data source that is automatically generated when you associate a compute engine with the workspace in the development environment. To query data sources in a workspace in basic mode, users must request the query permissions on the data sources. After the request is approved, the users can query the data sources. You cannot grant users the query permissions on the data source that is automatically generated when you associate a MaxCompute compute engine with a workspace in the production environment. In the DataAnalysis module, you can query a table in the production environment by specifying the project to which the table belongs. By default, the current logon account is used to query data. |
Supported data source type | You can manage the query permissions only on data source types that the DataAnalysis module supports. Note The data source types supported by the DataAnalysis module include data sources that are automatically generated when you associate compute engines with a workspace and data sources that are added to DataWorks on the Data source page. For more information, see SQL query. |
Role | The tenant administrator and tenant security administrator roles can grant users the permissions on data sources in all workspaces within the current tenant. The Workspace Manager role can grant users the permissions on data sources in the workspaces that the role manages. |
Manage the permissions on query results
The following table describes the limits on the functionality of permission management on query results.
Item | Description |
Module on which permission management takes effect | You can manage the query permissions on data sources only in the DataAnalysis module. |
Operation | You can perform permission management only on displaying, copying, downloading, and sharing query results. Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10,000. Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100. Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition. |
Region and role | Policies for the operations that you can perform on query results take effect for the current region in which the current tenant is used, and only the tenant administrator and tenant security administrator roles can modify policies. Note For the same tenant that is used in different regions, the tenant must configure separate policies for the operations that you can perform on query results in the regions. If a user needs to modify a policy for the operations that you can perform on query results, the tenant administrator or tenant security administrator role must be assigned to the user. |
Go to the Data query and analysis control page
Go to the Security Center page.
Log on to the DataWorks console. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
Go to the Data query and analysis control page.
In the top toolbar of Security Center, click Security policy.
In the left-side navigation pane of the page that appears, click Data query and analysis control.
On the Data query and analysis control page, you can perform the following operations:
Grant a member or role the permissions to query a specified data source in the DataAnalysis module. For more information, see Manage the query permissions on data sources.
Configure policies for the operations that you can perform on query results, such as displaying, copying, downloading, and sharing query results. For more information, see Manage the permissions on query results.
Manage the query permissions on data sources
If no data source is added, you can go to the Data Source page to add a data source.
You can follow the procedure shown in the following figure to grant a member or role the permissions to query the desired data source in the DataAnalysis module in a specified workspace. You must configure the following parameters.
Parameter | Description |
Workspace | You can select only workspaces in which the current account is assigned the Workspace Manager role from the Workspace drop-down list. After you select such a workspace, all data sources in the workspace are displayed. You can grant users the permissions on the data sources. Note For information about how to assign the Workspace Manager role to a user, see Manage permissions on workspace-level services. |
Authorization object | The data source that you want to query. You can select the data source that is automatically generated when you associate a compute engine with a workspace and the data source that you add to DataWorks on the Data source page. For information about the supported data source types, see Data source types. |
Authorized space role | The workspace-level role to which you want to grant the permissions to query the desired data source. |
Member of authorized space | The workspace member to which you want to grant the permissions to query the desired data source. Note You can select members only from the selected workspace. For information about how to add a user to a workspace as a member, see Manage permissions on workspace-level services. |
Query module | The DataWorks module on which permission management takes effect. You can grant a member or role the permissions to query a specified data source in the DataAnalysis module. |
Manage the permissions on query results
You can configure policies for the operations that you can perform on query results in the DataAnalysis module to ensure the security and reliability of the operations. On the Query result control tab of the Data query and analysis control page, find the desired policy and click Edit in the Operation column to configure the policy for the operations that you can perform on query results. You can perform the display, copy, download, and share operations on query results.
Specify whether to allow users to copy, download, and share query results.
Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded.
For the same tenant that is used in different regions, the tenant must configure separate policies for the operations that you can perform on query results in the regions.
Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10,000.
Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100.
Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition.
After you modify the policy, you can click View in the Operation column to view the basic information about the policy.
Appendix: View the access identity of a data source
View the access identity of a data source that is automatically generated for a compute engine
You can view the access identity of the desired data source that is automatically generated for a compute engine on the Computing engine information tab of the Workspace page. For information about how to access the Computing engine information tab of the Workspace page, see Go to the Compute Engine Information tab.
Data source type | Description |
MaxCompute data source | If you grant the permissions to query the data source automatically generated for a MaxCompute compute engine that is associated with a DataWorks workspace, the account of the current node executor is used by default to query the data source in the DataAnalysis module. Sample procedure for viewing the access identity of the data source for the MaxCompute compute engine that is associated with a workspace in the development environment |
Non-MaxCompute data source | If you grant the permissions to query a data source automatically generated for a compute engine other than MaxCompute, such as E-MapReduce (EMR), that is associated with a workspace in the development or production environment, you can confirm the access identity of the data source in the development or production environment based on the type of the data source. Sample procedure for viewing the access identity of the data source for the EMR compute engine that is associated with a workspace in the development or production environment |
View the access identity of a data source that you add to DataWorks
You can view the access identity of the desired data source that you add to DataWorks on the Data source page. The access identity is the user that you specify to access the data source when you add the data source. For information about how to add data sources on the Data source page, see Add and manage data sources.
Appendix: Maximum numbers of entries that you can download in each DataWorks edition
The following table describes the maximum numbers of entries that you can download in each DataWorks edition.
DataWorks edition | Maximum number of entries that you can download |
DataWorks Basic Edition | 0 |
DataWorks Standard Edition | 200,000 |
DataWorks Professional Edition | 2,000,000 |
DataWorks Enterprise Edition | 5,000,000 |
If you downgrade the edition of DataWorks, the maximum number of entries that you can download changes:
If the maximum number of entries that you can download before the downgrade exceeds the maximum number of entries that you can download after the downgrade, the upper limit for the number of entries that you can download changes to the maximum number of entries that you can download after the downgrade.
If the maximum number of entries that you can download before the downgrade does not exceed the maximum number of entries that you can download after the downgrade, the upper limit for the number of entries that you can download remains unchanged.
For information about how to downgrade the edition of DataWorks, see Downgrade DataWorks editions.
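The limits in the Manage the permissions on query results section and the downgrade rule in this appendix, as an added Python review helper (not DataWorks code or a DataWorks API). The policy-record field names, region names, and function names are hypothetical, and the sample records are constructed; only the numeric limits come from this page.

```python
# Added example: record layout and names are hypothetical; limits are from this page.
DISPLAY_MAX = 10_000
COPY_MAX = 10_000
DOWNLOAD_MAX_BY_EDITION = {
    "Basic": 0,
    "Standard": 200_000,
    "Professional": 2_000_000,
    "Enterprise": 5_000_000,
}


def review_policy(region, policy, edition):
    """Return findings for one region's query-result policy."""
    findings = []
    cap = DOWNLOAD_MAX_BY_EDITION[edition]
    if policy["display_limit"] > DISPLAY_MAX:
        findings.append(f"{region}: display limit exceeds {DISPLAY_MAX}")
    if policy["copy_limit"] > COPY_MAX:
        findings.append(f"{region}: copy limit exceeds {COPY_MAX}")
    if policy["download_limit"] > cap:
        findings.append(f"{region}: download limit exceeds {edition} cap {cap}")
    # Unless a policy says otherwise, all users may copy, download and share.
    for op in ("copy", "download", "share"):
        if policy[f"allow_{op}"]:
            findings.append(f"{region}: {op} still allowed for all users")
    return findings


def download_limit_after_downgrade(configured, new_edition):
    """Downgrade rule: the limit drops to the new cap only if it exceeds it."""
    return min(configured, DOWNLOAD_MAX_BY_EDITION[new_edition])


def review_tenant(policies, edition):
    """Policies are configured per region, so each region is reviewed separately."""
    return [f for region, p in sorted(policies.items())
            for f in review_policy(region, p, edition)]


# Constructed sample: one restricted region, one left permissive.
SAMPLE = {
    "region-a": {"allow_copy": False, "allow_download": False, "allow_share": False,
                 "display_limit": 1_000, "copy_limit": 0, "download_limit": 0},
    "region-b": {"allow_copy": True, "allow_download": True, "allow_share": True,
                 "display_limit": 10_000, "copy_limit": 100, "download_limit": 200_000},
}

if __name__ == "__main__":
    for finding in review_tenant(SAMPLE, "Standard"):
        print(finding)
```

Reviewing the same records against a lower edition shows which configured download limits a downgrade would override.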