DataWorks provides the data query and analysis control feature. This feature allows you to grant a role or member in a workspace the permissions to query a specified data source. This feature also allows you to manage the permissions on query results, such as the permissions to display, copy, download, and share query results, to ensure data security. This topic describes how to use the data query and analysis control feature.
Background information
When a user of DataWorks DataAnalysis runs a task by using a specified identity, the user must be granted the required permissions by Security Center before the user can access the related data source. For example, the user may need to use a username and a password, or a specified RAM user or role to access a data source. If the user accesses a data source as a logon user, the user does not need to be authorized by Security Center.
The data query and analysis control feature allows you to manage the permissions to query a data source and manage the permissions on query results, such as the permissions to display, copy, download, and share query results.
Manage the permissions to query a data source
The feature allows you to manage the permissions to query a data source.
You can authorize other users or roles to query a data source. Take note of the following items during authorization:
After you authorize a member or role to query a data source, the member or role accesses the data source by using the RAM user or RAM role specified by the access identity of the data source. To ensure data security, especially the security of data in the production environment, we recommend that you grant permissions to users after thorough planning.
The permissions to query data sources in the development environment and production environment need to be separately managed.
Note: For more information, see the Appendix: View the access identity of a data source section in this topic, Differences between workspaces in basic mode and workspaces in standard mode, and Isolate a data source in the development and production environments.
The data query and analysis control feature can be used to manage only the query permissions on data sources. For information about how to manage the read and write permissions on data sources, see the "Processing procedure for permissions on Data Integration nodes" section in the Overview topic.
Manage the permissions on query results
DataWorks DataAnalysis allows you to perform various operations on query results of data sources. For example, you can display, copy, download, and share query results. DataWorks DataAnalysis also allows you to configure control policies for these operations that you can perform on query results to ensure data security.
User who is automatically granted the permissions on query results
Operation that a user can perform on query results
All users have the permissions to display, copy, download, and share query results.
You can use the feature of managing permissions on query results in DataAnalysis to configure control policies for the operations that users can perform on query results:
Specify whether to allow users to copy, download, and share query results.
Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded.
Limits
Manage the permissions to query a data source
The following table describes the limits on the functionality of permission management on data source queries.
Item | Description |
Service on which permission management takes effect | You can manage permissions on data sources only in the DataAnalysis service. |
Supported data source type | You can manage the query permissions only on data source types that are supported by the DataAnalysis service. Note: For information about the data source types supported by the DataAnalysis service, see SQL query. |
Role | The Tenant Administrator and Security Administrator roles can grant users the permissions on data sources in all workspaces within the current tenant. The Workspace Administrator role can grant users the permissions on data sources in the workspaces that the role manages. |
Manage the permissions on query results
The following table describes the limits on the functionality of permission management on query results.
Item | Description |
Service on which permission management takes effect | You can manage permissions on data sources only in the DataAnalysis service. |
Description | You can perform permission management only on displaying, copying, downloading, and sharing query results. Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10000. Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100. Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition. |
Region and role | Control policies for the operations that you can perform on query results take effect in the current region within the current tenant, and only the Tenant Administrator and Security Administrator roles can modify control policies. Note: For different regions within the same tenant, the tenant must configure separate control policies for the operations that you can perform on query results in the regions. If a user needs to modify a control policy for the operations that the user can perform on query results, the Tenant Administrator or Security Administrator role must be assigned to the user. |
Go to the Data query and analysis control page
Go to the Security Center page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
In the left-side navigation pane of the Security Center page, choose .
On the Data query and analysis control page, you can perform the following operations:
Grant a member or role the permissions to query a specified data source in the DataAnalysis service. For more information, see Manage the query permissions on data sources.
Configure control policies for the operations that you can perform on query results, such as displaying, copying, downloading, and sharing query results. For more information, see Manage the permissions on query results in DataAnalysis.
Manage the query permissions on data sources
If no data source is added to DataWorks, you must add a data source first. For more information, see Add and manage data sources.
You can follow the procedure shown in the following figure to grant a member or role the permissions to query the desired data source in the DataAnalysis service in a specified workspace. You must configure the parameters described in the following table.
Parameter | Description |
Workspace | You can select only workspaces in which the current account is assigned the Workspace Administrator role from the Workspace drop-down list. After you select such a workspace, all data sources in the workspace are displayed. You can grant users the permissions on the data sources. Note: For information about how to assign the Workspace Administrator role to a user, see Manage permissions on workspace-level services. |
Authorization Object | The data source that you want to query. For information about the supported data source types, see Data source types. |
Authorized Space Role | The workspace-level role to which you want to grant the permissions to query the desired data source. |
Member Of Authorized Space | The workspace member to which you want to grant the permissions to query the desired data source. Note: You can select members only from the selected workspace. For information about how to add a user to a workspace as a member, see Manage permissions on workspace-level services. |
Query Module | The DataWorks service on which permission management takes effect. You can grant a member or role the permissions to query a specified data source in the DataAnalysis service. |
Manage the permissions on query results in DataAnalysis
You can configure control policies for the operations that you can perform on query results in the DataAnalysis service to ensure the security and reliability of the operations. On the Query result control tab of the Data query and analysis control page, find the desired policy and click Edit in the Operation column to configure the policy for the operations that you can perform on query results in the DataAnalysis service. You can perform the display, copy, download, and share operations on query results.
Specify whether to allow users to copy, download, and share query results.
Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded.
For different regions within the same tenant, the tenant must configure separate control policies for the operations that you can perform on query results in the regions.
Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10000.
Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100.
Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition.
After you modify the policy, you can click View in the Operation column to view the basic information about the policy.
Appendix: View the access identity of a data source
Go to the SettingCenter page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, select the desired workspace from the drop-down list and click Go to Management Center.
Go to the corresponding path to view the access identity of a data source based on the data source type.
E-MapReduce (EMR), Cloudera's Distribution including Apache Hadoop (CDH), or CDP data source: In the left-side navigation pane of the SettingCenter page, click Computing Resource. On the Computing Resource page, view the default access identity of the related computing resource.
Other types of data sources: In the left-side navigation pane of the SettingCenter page, click Data Sources. On the Data Sources page, find the desired data source and click Modify in the Operation column to view the default access identity or username of the data source.
Appendix: Maximum numbers of entries that you can download in each DataWorks edition
The following table lists the maximum numbers and sizes of entries that you can download in each DataWorks edition, which may differ from the number of data records that you can actually download. The number of data records that you can actually download is determined by your DataWorks edition and the internal limits of your data source.
Only the MaxCompute and EMR compute engines allow you to export query results to your on-premises machine.
For example, if you use DataWorks Standard Edition, the maximum number of data records that you can download is 200,000. However, if the size of 180,000 data records reaches the upper data size limit of 1 GB, you can actually download 1 GB of data. For more information, see Export query results as an on-premises file.
DataWorks edition | Maximum number of entries that you can download | Maximum size of entries that you can download |
DataWorks Basic Edition | 0 | / |
DataWorks Standard Edition |
|
Important If the size of the data that you want to download exceeds |
DataWorks Professional Edition |
| |
DataWorks Enterprise Edition |
|
If you downgrade the edition of DataWorks, the maximum number of entries that you can download changes:
If the maximum number of entries that you can download before the downgrade exceeds the maximum number of entries that you can download after the downgrade, the upper limit for the number of entries that you can download changes to the maximum number of entries that you can download after the downgrade.
If the maximum number of entries that you can download before the downgrade does not exceed the maximum number of entries that you can download after the downgrade, the upper limit for the number of entries that you can download remains unchanged.