How to manage permissions for data query and analysis - DataWorks

DataWorks allows workspace roles or members to access data sources using specified identities. It also manages permissions for operations on query results, such as viewing, copying, downloading, and sharing, to ensure data security. This topic describes how to manage data queries and analysis.

Background information

When users of DataAnalysis in DataWorks execute tasks using a specified identity, such as a username and password, a specified Resource Access Management (RAM) user, or a RAM role, they must be granted access to the data source through the Security Center. If users access the data source with their logon identity, authorization from the Security Center is not required.

Data query and analysis management supports permission control for data source queries and for operations on query results, such as viewing, copying, downloading, and sharing. The details are as follows:

Permission management for data source queries
This feature is used to manage query permissions for data sources.
You can use the Manage query permissions for data sources feature to grant permissions to other users or roles. When you grant permissions, note the following:
- After a member or role is granted query permissions for a data source, they can access the data source using the specified RAM user or RAM role. To ensure data security, especially for production data, plan carefully before you assign permissions.
- In a standard mode workspace, you must manage query permissions for data sources separately for the development environment and the production environment.
Note
- For more information, see Appendix: View the access identity of a data source, Differences between workspace modes, and Introduction to data source environments.
- This feature only manages query permissions for data sources. To manage read and write permissions for data sources, see Approval process for data integration tasks.

Permission management for operations on data source query results

DataAnalysis in DataWorks supports operations on query results, such as viewing, copying, downloading, and sharing. You must set control policies to ensure the security of these data operations.

Default permissions

Management of operations on DataAnalysis query results

All users have permissions to view, copy, download, and share query results.

You can use the Manage operations on DataAnalysis query results feature to set permission control policies:

Set restrictions on copying, downloading, and sharing of result data.
Limit the number of data rows that can be viewed, copied, and downloaded.

Limits

Permission management for data source queries

The following limits apply to permission management for data source queries.

Limit type	Description
Applicable module	This permission management applies only to the DataAnalysis module.
Supported data source types	Permission management is available only for data source types supported by DataAnalysis. Note For more information about the data source types supported by DataAnalysis, see SQL queries supported data sources.
Role limits	Users with tenant administrator or tenant security administrator roles can grant permissions for data sources in all workspaces under the current tenant. Users with the workspace administrator role can only grant permissions for data sources in the workspaces they manage.

Permission management for operations on data source query results

The following limits apply to permission management for operations on data source query results.

Limit type	Restrictions
Applicable module	This permission management applies only to the DataAnalysis module.
Operation limits	Only view, copy, download, and share operations can be managed. The limits are: Rows to view: Maximum of 10,000 rows. Default is 10,000 rows. Rows to copy: Maximum of 10,000 rows. Default is 100 rows. Rows to download: The maximum number of rows that can be downloaded varies by DataWorks edition. For more information, see Appendix: Maximum number of rows that can be downloaded for each DataWorks edition.
Region and role limits	The control policy for query results takes effect globally for the current region under the tenant. Only users with Tenant Administrator or tenant security administrator roles can edit the control policy. Note For the same tenant, you must configure a separate control policy for query results in each region. To edit the control policy, grant users the tenant administrator or tenant security administrator role.

Go to data query and analysis management

Go to the Security Center.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.
In the navigation pane on the left, choose Security policy > Data query and analysis control.
On the Data Query and Analysis Management page, you can perform the following operations:
- Grant a member or role query permissions for a specified data source in the DataAnalysis module. For more information, see Manage query permissions for data sources.
- Create a control policy for operations on query results, such as viewing, copying, downloading, and sharing. For more information, see Manage operations on DataAnalysis query results.

Manage query permissions for data sources

Note

If you have not created a data source, go to the Data Source Management page to create one.

Follow the steps in the figure to grant a member or role query permissions for a target data source in the DataAnalysis module of a specified workspace. The key configuration points are as follows. 管控数据源

Parameter	Description
Workspace	You can only select workspaces where the current account is a workspace administrator. After you select a workspace, all its data sources are displayed. You can then grant permissions for the data sources. Note To make a user a workspace administrator, see Manage permissions for workspace-level modules.
Authorization Object	The target data source to be queried. For information about supported data sources, see Data source types.
Authorized space role	Select the workspace role that can query the target data source.
Member of authorized space	Select the workspace member who can query the target data source. Note You can only select members from the chosen workspace. To add a user as a workspace member, see Manage permissions for workspace-level modules.
Query module	The functional module where this authorization takes effect. Currently, you can only grant a member or role query permissions for a specified data source in the DataAnalysis module.

Manage operations on DataAnalysis query results

You can configure a control policy for query results in the DataAnalysis module to ensure secure and reliable data operations. On the Data query and analysis control > Query result control tab, click Edit to customize the control policy for operations on DataAnalysis query results, such as viewing, copying, downloading, and sharing.

Set restrictions on copying, downloading, and sharing of result data.
Limit the number of data rows that can be viewed, copied, and downloaded.

Note

For the same tenant, you must configure a separate control policy for query results in each region.
Rows to view: Maximum of 10,000 rows. Default is 10,000 rows.
Rows to copy: Maximum of 10,000 rows. Default is 100 rows.
Rows to download: The maximum number of rows that can be downloaded varies by DataWorks edition. For more information, see Appendix: Maximum number of rows that can be downloaded for each DataWorks edition.

After editing a control policy, you can click Operation in the View column to view its basic information.

Appendix: View the access identity of a data source

Go to the SettingCenter page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose More > Management Center. On the page that appears, select the desired workspace from the drop-down list and click Go to Management Center.
The path varies depending on the data source type.
- If the data source is an EMR or CDH/CDP cluster: In the navigation pane on the left, click Cluster Management and view the Default Access Identity of the corresponding cluster.
- Other data sources: In the navigation pane on the left, choose Data source > Data Source List. Find the target data source, click Edit in the Actions column, and view the Default Access Identity or Username.

Appendix: Maximum number of rows that can be downloaded for each DataWorks edition

Important

This is the maximum number of rows that DataWorks supports for download. Your actual download limit may be lower and depends on your DataWorks edition and the internal limits of the data source.

Currently, only data from MaxCompute and EMR DPI engines can be downloaded and exported to a local file.
For example, if you are using DataWorks Standard Edition with a limit of 200,000 rows, but the size of 180,000 rows reaches the data volume limit of 1 GB, you can only download data up to 1 GB in size. For more information, see SQL Query (Old Version).

DataWorks edition	Maximum number of rows to download (rows)	Maximum data volume for download
Basic Edition	0	/
Standard Edition	`200,000`	`1` GB Important If the data volume exceeds `1 GB`, the system automatically truncates the data.
Professional Edition	`2,000,000`
Enterprise Edition	`5,000,000`

When you downgrade your edition, the maximum number of rows that you can download changes as follows:

If the download limit before the downgrade is higher than the maximum limit of the new edition, the download limit changes to the maximum limit of the new edition.
If the download limit before the downgrade is not higher than the maximum limit of the new edition, the download limit remains unchanged.