DataWorks: Data query and analysis management

Last Updated: Mar 27, 2026

DataWorks lets you control who can query data sources in DataAnalysis and what they can do with the results. This topic covers both types of permission control: query permissions for data sources and operation permissions for query results.

What you can control

The data query and analysis control feature manages two types of permissions:

| Control type | Scope | Who can configure |
| --- | --- | --- |
| Query permissions for data sources | Per workspace, per environment | Tenant administrator, tenant security administrator, workspace administrator |
| Operation permissions for query results | Tenant-wide, per region | Tenant administrator, tenant security administrator |

Note

Both control types apply only to the DataAnalysis module.

Operation permissions cover four actions on query results:

| Action | Default row limit | Maximum row limit |
| --- | --- | --- |
| View | 10,000 rows | 10,000 rows |
| Copy | 100 rows | 10,000 rows |
| Download | Varies by edition | Varies by edition |
| Share | Enabled | |

Prerequisites

Before you begin, make sure that:

  • The data sources you want to manage already exist. If not, create them on the Data Source Management page.

  • Your account has the workspace administrator role or higher.

Go to data query and analysis control

  1. Log on to the DataWorks console. In the top navigation bar, select the target region.

  2. In the left-side navigation pane, choose Data Governance > Security Center, then click Go to Security Center.

  3. In the left-side navigation pane of Security Center, choose Security policy > Data query and analysis control.

The Data Query and Analysis Management page has two tabs:

  • Data source query permissions — grant members or roles access to query specific data sources

  • Query result control — set operation restrictions for query results

Grant query permissions for data sources

Note

This permission management applies only to the DataAnalysis module. To manage read/write permissions for data sources used in data integration tasks, see Approval process for data integration tasks.

Who can grant permissions:

| Role | Scope |
| --- | --- |
| Tenant administrator | All workspaces under the current tenant |
| Tenant security administrator | All workspaces under the current tenant |
| Workspace administrator | Workspaces they manage only |

Follow the steps shown in the diagram to grant a member or role query permissions for a data source.

Configure the following parameters:

| Parameter | Description |
| --- | --- |
| Workspace | Select a workspace where your account has the workspace administrator role. All data sources in that workspace are then available for authorization. To make a user a workspace administrator, see Manage permissions for workspace-level modules. |
| Authorization Object | The target data source to grant query permissions for. For supported data source types, see SQL queries supported data sources. |
| Authorized space role | The workspace role that gets query access to the target data source. |
| Member of authorized space | The workspace member that gets query access. Only members of the selected workspace are available. To add a user as a workspace member, see Manage permissions for workspace-level modules. |
| Query module | The module where the authorization takes effect. Currently, only DataAnalysis is supported. |

Before granting permissions, note the following:

  • Security Center authorization is only required when users access data sources using a specified identity (such as a username and password, a RAM user, or a RAM role). If users access the data source with their logon identity, authorization from the Security Center is not required.

  • Once a member or role is granted query permissions, they can access the data source using the specified Resource Access Management (RAM) user or RAM role. Plan carefully before granting access to production data sources.

  • In a standard mode workspace, manage query permissions separately for the development environment and the production environment.

For background on workspace modes, see Differences between workspace modes. For background on data source environments, see Introduction to data source environments.
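The notes above can be turned into a periodic review of grants. This is an added example, not DataWorks code or an export format DataWorks provides: the inventory records, field names and sample values are constructed for one workspace, and treating role grants on production as the item to review is an assumption of this sketch.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataSource:
    name: str
    environment: str    # "development" or "production" (standard mode workspace)
    identity_mode: str  # "specified" (username/password, RAM user, RAM role) or "logon"

@dataclass(frozen=True)
class Grant:
    datasource: str
    environment: str
    grantee: str
    grantee_type: str   # "role" or "member"

# Constructed sample inventory for a single workspace.
SOURCES = [
    DataSource("orders_mc", "development", "specified"),
    DataSource("orders_mc", "production", "specified"),
    DataSource("adhoc_holo", "production", "logon"),
]
GRANTS = [
    Grant("orders_mc", "development", "Developer", "role"),
    Grant("orders_mc", "production", "Developer", "role"),
    Grant("orders_mc", "production", "alice", "member"),
    Grant("adhoc_holo", "production", "bob", "member"),
    Grant("orders_mc", "prod", "carol", "member"),
]

def review_grants(sources, grants):
    """Return (severity, message) findings for query-permission grants."""
    by_key = {(s.name, s.environment): s for s in sources}
    findings = []
    for g in grants:
        # Environments are managed separately, so match on name AND environment.
        src = by_key.get((g.datasource, g.environment))
        if src is None:
            findings.append(("error", f"{g.grantee}: no data source {g.datasource}/{g.environment}"))
        elif src.identity_mode == "logon":
            # Logon-identity access does not require Security Center authorization.
            findings.append(("info", f"{g.grantee}: grant on {src.name} is not required (logon identity)"))
        elif src.environment == "production" and g.grantee_type == "role":
            # Every member holding the role can query through the specified identity.
            findings.append(("review", f"role {g.grantee} can query production {src.name} via the specified identity"))
    return findings
```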

Configure query result control

Important

This control policy takes effect tenant-wide for the current region. Configure a separate policy for each region under the same tenant. Only users with the tenant administrator or tenant security administrator role can edit this policy.

On the Data query and analysis control page, go to the Query result control tab and click Edit to configure restrictions on query result operations.

What you can restrict:

  • Enable or disable copying, downloading, and sharing of result data.

  • Set the maximum number of rows that can be viewed, copied, and downloaded.

Row limits:

| Action | Default | Maximum |
| --- | --- | --- |
| View | 10,000 rows | 10,000 rows |
| Copy | 100 rows | 10,000 rows |
| Download | Varies by edition | See Appendix: Maximum rows to download by edition |

After editing a control policy, you can click Operation in the View column to view its basic information.

Appendix: View the access identity of a data source

To check which identity a data source uses when accessed:

  1. Log on to the DataWorks console. In the top navigation bar, select the target region.

  2. Go to the SettingCenter page. In the left-side navigation pane, choose More > Management Center. Select the target workspace from the drop-down list and click Go to Management Center.

  3. Locate the data source:

    • EMR or CDH/CDP cluster: In the left-side navigation pane, click Cluster Management and find the Default Access Identity of the cluster.

    • Other data sources: In the left-side navigation pane, choose Data source > Data Source List. Find the target data source, click Edit in the Actions column, and check the Default Access Identity or Username field.

Appendix: Maximum rows to download by edition

Important

These limits represent the maximum that DataWorks supports. Your actual download limit depends on your DataWorks edition and the internal limits of the data source. Only data from MaxCompute and E-MapReduce (EMR) DPI engines can be downloaded and exported to a local file.

| DataWorks edition | Maximum rows to download | Maximum data volume |
| --- | --- | --- |
| Basic Edition | 0 | |
| Standard Edition | 200,000 | 1 GB |
| Professional Edition | 2,000,000 | |
| Enterprise Edition | 5,000,000 | |

Standard Edition note: If data volume exceeds 1 GB, the system automatically truncates the data. For example, if 180,000 rows reach 1 GB, only data up to 1 GB is downloaded even though the row limit is 200,000. For more information, see SQL Query (Old Version).

Edition downgrades: When you downgrade your edition, the download limit changes as follows:

  • If your current download limit exceeds the maximum for the new edition, the limit decreases to the new edition's maximum.

  • If your current download limit is at or below the new edition's maximum, the limit stays unchanged.
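The limits in this topic can be checked before a policy is entered or an edition is changed. The following is an added example, not DataWorks code: the function names and policy dictionary are hypothetical, 1 GB is taken as 2**30 bytes, and truncation is assumed to fall on a row boundary.

```python
# Maximum rows to download per edition, from the appendix table.
EDITION_MAX_ROWS = {"Basic": 0, "Standard": 200_000,
                    "Professional": 2_000_000, "Enterprise": 5_000_000}
# The table lists a volume cap only for Standard Edition (1 GB, assumed 2**30 bytes).
EDITION_MAX_BYTES = {"Standard": 2**30}
# View and Copy share a fixed maximum of 10,000 rows.
FIXED_MAX_ROWS = {"view": 10_000, "copy": 10_000}

def limit_after_downgrade(current_limit, new_edition):
    """Downgrade rule: the limit only shrinks, and only if it exceeds the new maximum."""
    return min(current_limit, EDITION_MAX_ROWS[new_edition])

def validate_policy(policy, edition):
    """policy maps 'view'/'copy'/'download' to a row limit; returns a list of problems."""
    caps = dict(FIXED_MAX_ROWS, download=EDITION_MAX_ROWS[edition])
    problems = []
    for action, rows in policy.items():
        if action not in caps:
            problems.append(f"unknown action {action!r}")
        elif not 0 <= rows <= caps[action]:
            problems.append(f"{action}: {rows} outside 0..{caps[action]}")
    return problems

def rows_delivered(edition, download_limit, row_sizes):
    """Count rows that fit under both the row limit and the edition's volume cap."""
    row_cap = min(download_limit, EDITION_MAX_ROWS[edition])
    byte_cap = EDITION_MAX_BYTES.get(edition)  # None when no cap is listed
    total_bytes = 0
    delivered = 0
    for size in row_sizes:
        if delivered >= row_cap:
            break  # row limit reached first
        if byte_cap is not None and total_bytes + size > byte_cap:
            break  # volume cap reached first: result is truncated
        total_bytes += size
        delivered += 1
    return delivered
```

With constructed 8 KiB rows, a Standard Edition download stops at 131,072 rows even though the row limit is 200,000, which is the truncation case described in the Standard Edition note.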