DataWorks provides the data query and analysis control feature. This feature allows you to grant a role or member in a workspace the permissions to query a specified data source in a DataWorks service. This feature also allows you to manage the permissions on query results, such as the permissions to display, copy, download, and share query results, to ensure data security. This topic describes how to use the data query and analysis control feature.
Background information
The data query and analysis control feature allows you to manage the permissions to query a data source and manage the permissions on query results, such as the permissions to display, copy, download, and share query results.
Manage the permissions to query a data source
The feature allows you to manage the permissions to query a data source.
You can authorize other users or roles to query a data source. Take note of the following items during authorization:
After you authorize a member or role to query a data source, the member or role has the same permissions as the access identity of the data source. To ensure data security, especially the security of data in the production environment, we recommend that you grant permissions to users after thorough planning.
You must add data sources separately for the development and production environments of a workspace in standard mode. In this case, you must go to the corresponding environment to obtain the access identity of the data source.
NoteFor more information, see the Appendix: View the access identity of a data source section in this topic, Differences between workspaces in basic mode and workspaces in standard mode, and Isolate a data source in the development and production environments.
The data query and analysis control feature can be used to manage only the query permissions on data sources. For information about how to manage the read and write permissions on data sources, see the "Processing procedure for permissions on Data Integration nodes" section in the Overview topic.
Manage the permissions on query results
DataWorks allows you to perform various operations on query results of data sources. For example, you can display, copy, download, and share query results. DataWorks also allows you to configure control policies for these operations that you can perform on query results in the DataAnalysis service to ensure data security. The following table describes the users who are automatically granted the permissions on query results and other users to whom you can grant the permissions on query results.
User who is automatically granted the permissions on query results
User to whom the permissions on query results are granted
All users have the permissions to display, copy, download, and share query results.
You can use the management of permissions on query results feature to configure control policies for the operations that users can perform on query results:
Specify whether to allow users to copy, download, and share query results.
Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded.
Limits
Manage the query permissions on data sources
The following table describes the limits on the functionality of permission management on data source query.
Item
Description
Service on which permission management takes effect
You can manage permissions on data sources only in the DataAnalysis service.
For a workspace in standard mode, you can grant users the query permissions only on the data source that is added to the workspace in the development environment. To query data sources in a workspace in basic mode, users must request for the query permissions on the data sources. After the request is approved, the users can query the data sources.
You cannot grant users the query permissions on a MaxCompute data source that is added to a workspace in the production environment. In the DataAnalysis service, you can query a table in the production environment by specifying the project to which the table belongs. By default, the current logon account is used to query data.
Supported data source type
You can manage the query permissions on data source types only supported by the DataAnalysis service.
NoteFor information about the data source types supported by the DataAnalysis service, see SQL query.
Role
The tenant administrator and tenant security administrator roles can grant users the permissions on data sources in all workspaces within the current tenant.
The Workspace Administrator role can grant users the permissions on data sources in the workspaces that the role manages.
Manage the permissions on query results
The following table describes the limits on the functionality of permission management on query results.
Item
Description
Service on which permission management takes effect
You can manage permissions on data sources only in the DataAnalysis service.
Operation
You can perform permission management only on displaying, copying, downloading, and sharing query results.
Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10000.
Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100.
Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition.
Region and role
Control policies for the operations that you can perform on query results take effect for the current region in which the current tenant is used, and only the tenant administrator and tenant security administrator roles can modify control policies.
NoteFor the same tenant that is used in different regions, the tenant must configure separate control policies for the operations that you can perform on query results in the regions.
If a user needs to modify a control policy for the operations that the user can perform on query results, the tenant administrator or tenant security administrator role must be assigned to the user.
Go to the Data query and analysis control page
Go to the Security Center page. |
Log on to the DataWorks console. In the top navigation bar, select the desired region. Then, choose in the left-side navigation pane. On the page that appears, click Go to Security Center.
Go to the Data query and analysis control page.
In the left-side navigation pane of the Security Center page, choose Security policy > Data query and analysis control.
On the Data query and analysis control page, you can perform the following operations:
Grant a member or role the permissions to query a specified data source in the DataAnalysis service. For more information, see Manage the query permissions on data sources.
Configure control policies for the operations that you can perform on query results, such as displaying, copying, downloading, and sharing query results. For more information, see Manage the permissions on query results.
Manage the query permissions on data sources
If no data source is added, you must add a data source. For more information, see Add and manage data sources.
You can follow the procedure shown in the following figure to grant a member or role the permissions to query the desired data source in the DataAnalysis service in a specified workspace. You must configure the parameters described in the following table.
Parameter | Description |
Workspace | You can select only workspaces in which the current account is assigned the Workspace Administrator role from the Workspace drop-down list. After you select such a workspace, all data sources in the workspace are displayed. You can grant users the permissions on the data sources. Note For information about how to assign the Workspace Administrator role to a user, see Manage permissions on workspace-level services. |
Authorization Object | The data source that you want to query. For information about the supported data source types, see Data source types. |
Authorized Space Role | The workspace-level role to which you want to grant the permissions to query the desired data source. |
Member Of Authorized Space | The workspace member to which you want to grant the permissions to query the desired data source. Note You can select members only from the selected workspace. For information about how to add a user to a workspace as a member, see Manage permissions on workspace-level services. |
Queried service | The DataWorks service on which permission management takes effect. You can grant a member or role the permissions to query a specified data source in the DataAnalysis service. |
Manage the permissions on query results
You can configure control policies for the operations that you can perform on query results in the DataAnalysis service to ensure the security and reliability of the operations. On the Query result control tab of the Data query and analysis control page, find the desired policy and click Edit in the Operation column to configure the policy for the operations that you can perform on query results. You can perform the display, copy, download, and share operations on query results.
Specify whether to allow users to copy, download, and share query results.
Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded.
For the same tenant that is used in different regions, the tenant must configure separate control policies for the operations that you can perform on query results in the regions.
Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10000.
Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100.
Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition.
After you modify the policy, you can click View in the Operation column to view the basic information about the policy.
Appendix: View the access identity of a data source
Go to the Management Center page.
Log on to the DataWorks console. In the top navigation bar, select the desired region. Then, click Management Center in the left-side navigation pane. On the page that appears, select the desired workspace from the drop-down list and click Go to Management Center.
Navigate to the corresponding path to view the access identity of a data source.
E-MapReduce (EMR), Cloudera's Distribution including Apache Hadoop (CDH), or CDP data source: In the left-side navigation pane of the SettingCenter page, click Cluster Management. On the page that appears, view the access identity of the cluster.
Other types of data sources: In the left-side navigation pane of the SettingCenter page, choose . On the page that appears, find the desired data source and click Modify in the Operation column to view the default access identity or username of the data source.
Appendix: Maximum numbers of entries that you can download in each DataWorks edition
The following table describes the maximum numbers of entries that you can download in each DataWorks edition.
DataWorks edition | Maximum number of entries that you can download |
DataWorks Basic Edition | 0 |
DataWorks Standard Edition | 200,000 |
DataWorks Professional Edition | 2000,000 |
DataWorks Enterprise Edition | 5000,000 |
If you downgrade the edition of DataWorks, the maximum number of entries that you can download changes:
If the maximum number of entries that you can download before the downgrade exceeds the maximum number of entries that you can download after the downgrade, the upper limit for the number of entries that you can download changes to the maximum number of entries that you can download after the downgrade.
If the maximum number of entries that you can download before the downgrade does not exceed the maximum number of entries that you can download after the downgrade, the upper limit for the number of entries that you can download remains unchanged.
For information about how to downgrade the edition of DataWorks, see Downgrade DataWorks editions.