DataWorks:Use the data query and analysis control feature

Limits

• Manage the query permissions on data sources

  The following table describes the limits on the functionality of permission management on data source query.

  Item	Description
  Module on which permission management takes effect	You can manage the query permissions on data sources only in the DataAnalysis module. For a workspace in standard mode, you can grant users the query permissions only on the data source that is automatically generated when you associate a compute engine with the workspace in the development environment. To query data sources in a workspace in basic mode, users must request for the query permissions on the data sources. After the request is approved, the users can query the data sources. You cannot grant users the query permissions on the data source that is automatically generated when you associate a MaxCompute compute engine with a workspace in the production environment. In the DataAnalysis module, you can query a table in the production environment by specifying the project to which the table belongs. By default, the current logon account is used to query data.
  Supported data source type	You can manage the query permissions on data source types only supported by the DataAnalysis module. Note The data source types supported by the DataAnalysis module include data sources that are automatically generated when you associate compute engines with a workspace and data sources that are added to DataWorks on the Data source page. For more information, see SQL query.
  Role	The tenant administrator and tenant security administrator roles can grant users the permissions on data sources in all workspaces within the current tenant. The Workspace Manager role can grant users the permissions on data sources in the workspaces that the role manages.

• Manage the permissions on query results

  The following table describes the limits on the functionality of permission management on query results.

  Item	Description
  Module on which permission management takes effect	You can manage the query permissions on data sources only in the DataAnalysis module.
  Operation	You can perform permission management only on displaying, copying, downloading, and sharing query results. Number of entries that can be displayed: The maximum number of entries that the system can display is 10,000. Default value: 10000. Number of entries that can be copied: The maximum number of entries that you can copy is 10,000. Default value: 100. Number of entries that can be downloaded: The maximum number of entries that you can download varies based on the edition of DataWorks. For more information, see Appendix: Maximum numbers of entries that you can download in each DataWorks edition.
  Region and role	Policies for the operations that you can perform on query results take effect for the current region in which the current tenant is used, and only the tenant administrator and tenant security administrator roles can modify policies. Note For the same tenant that is used in different regions, the tenant must configure separate policies for the operations that you can perform on query results in the regions. If a user needs to modify a policy for the operations that you can perform on query results, the tenant administrator or tenant security administrator role must be assigned to the user.

Go to the Data query and analysis control page

1. Go to the Security Center page.

   Log on to the DataWorks console. In the left-side navigation pane, choose Data Governance > Security Center. On the page that appears, click Go to Security Center.

2. Go to the Data query and analysis control page.

   1. In the top toolbar of Security Center, click Security policy.

   2. In the left-side navigation pane of the page that appears, click Data query and analysis control.

      On the Data query and analysis control page, you can perform the following operations:

      • Grant a member or role the permissions to query a specified data source in the DataAnalysis module. For more information, see Manage the query permissions on data sources.

      • Configure policies for the operations that you can perform on query results, such as displaying, copying, downloading, and sharing query results. For more information, see Manage the permissions on query results.

Manage the query permissions on data sources

You can follow the procedure shown in the following figure to grant a member or role the permissions to query the desired data source in the DataAnalysis module in a specified workspace. You must configure the following parameters.

Manage the permissions on query results

You can configure policies for the operations that you can perform on query results in the DataAnalysis module to ensure the security and reliability of the operations. On the Query result control tab of the Data query and analysis control page, find the desired policy and click Edit in the Operation column to configure the policy for the operations that you can perform on query results. You can perform the display, copy, download, and share operations on query results.

• Specify whether to allow users to copy, download, and share query results.

• Specify the upper limits for the numbers of entries that can be displayed, copied, and downloaded.

After you modify the policy, you can click View in the Operation column to view the basic information about the policy.

Appendix: View the access identity of a data source

• View the access identity of a data source that is automatically generated for a compute engine

  You can view the access identity of the desired data source that is automatically generated for a compute engine on the Computing engine information tab of the Workspace page. For information about how to access the Computing engine information tab of the Workspace page, see Go to the Compute Engine Information tab.

  Data source type	Description
  MaxCompute data source	If you grant the permissions to query the data source automatically generated for a MaxCompute compute engine that is associated with a DataWorks workspace, the account of the current node executor is used by default to query the data source in the DataAnalysis module. Sample procedure for viewing the access identity of the data source for the MaxCompute compute engine that is associated with a workspace in the development environment
  Non-MaxCompute data source	If you grant the permissions to query a data source automatically generated for a compute engine other than MaxCompute, such as E-MapReduce (EMR), that is associated with a workspace in the development or production environment, you can confirm the access identity of the data source in the development or production environment based on the type of the data source. Sample procedure for viewing the access identity of the data source for the EMR compute engine that is associated with a workspace in the development or production environment

• View the access identity of a data source that you add to DataWorks

  You can view the access identity of the desired data source that you add to DataWorks on the Data source page. The access identity is the user that you specify to access the data source when you add the data source. For information about how to add data sources on the Data source page, see Add and manage data sources.

Appendix: Maximum numbers of entries that you can download in each DataWorks edition