DataWorks: DataWorks user permission management FAQ

Last Updated: Mar 27, 2026

This is a FAQ document for DataWorks administrators and Alibaba Cloud account owners. It addresses the most common questions about managing user access in DataWorks. It covers RAM-level policy grants, workspace membership, alert contact configuration, and safe employee offboarding.

Quick reference: who can do what

Use this table to find the required role and console for each action before looking up the FAQ entry below.

| Action | Required role | Where | FAQ entry |
|---|---|---|---|
| Add a RAM user to a workspace | Workspace administrator | DataWorks console | How do I add a RAM user to a workspace? |
| Assign a workspace role | Workspace administrator | DataWorks console | How do I add a RAM user to a workspace? |
| Grant AliyunDataWorksFullAccess | Alibaba Cloud account (owner) | RAM console | How does an Alibaba Cloud account grant AliyunDataWorksFullAccess to a RAM user? |
| Grant AliyunBSSOrderAccess | Alibaba Cloud account (owner) | RAM console | How do I grant a RAM user permission to purchase related services? |
| Attach or detach resource groups | Workspace administrator | DataWorks console | How do I grant a RAM user permission to attach and detach resource groups? |
| Set alert contact details for a RAM user | Alibaba Cloud account (owner) | DataWorks console | How do I set the mobile phone number and email address for a RAM user? |
| Remove a RAM user | Alibaba Cloud account (owner) | DataWorks console + RAM console | What should I do when an employee leaves the company? |

For details on each action, see the relevant FAQ entry below.


Why can't a RAM user see any workspaces after logging on to the DataWorks console?

Performed by: Workspace administrator

DataWorks workspace visibility is based on workspace membership, not RAM policies. A RAM user who has not been added to any workspace cannot see any workspaces in the DataWorks console, even if their RAM-level permissions are correctly configured.

To make a workspace visible to the RAM user, a workspace administrator must add the RAM user to the workspace and assign a workspace role. See How do I add a RAM user to a workspace? for steps.

How do I add a RAM user to a workspace?

Performed by: Workspace administrator

A workspace administrator can add RAM users to a workspace and assign workspace roles (such as developer or O&M engineer) directly in the DataWorks console. No additional RAM-level policy is required for this action.

For the full procedure, see Add members to a workspace.

How do I grant a RAM user permission to create DataWorks workspaces?

Performed by: Alibaba Cloud account (owner)

By default, RAM users cannot create DataWorks workspaces. To allow a RAM user to create workspaces, the Alibaba Cloud account (owner) must attach the AliyunDataWorksFullAccess policy in the RAM console.

See How does an Alibaba Cloud account grant AliyunDataWorksFullAccess to a RAM user? for the step-by-step procedure.

How does an Alibaba Cloud account grant AliyunDataWorksFullAccess to a RAM user?

Performed by: Alibaba Cloud account (owner)

The Alibaba Cloud account (owner) grants workspace-creation permission to a RAM user by attaching the AliyunDataWorksFullAccess policy in the RAM console.

  1. Log on to the RAM console with the Alibaba Cloud account (owner).

  2. Locate the target RAM user.

  3. Attach the AliyunDataWorksFullAccess policy.

After attaching this policy, the RAM user can create and manage DataWorks workspaces.

How do I grant a RAM user permission to purchase related services?

Performed by: Alibaba Cloud account (owner)

RAM users cannot purchase Alibaba Cloud services by default. To allow a RAM user to purchase services related to DataWorks (such as MaxCompute), the Alibaba Cloud account (owner) must attach the AliyunBSSOrderAccess policy in the RAM console.

For the complete procedure, see How does an Alibaba Cloud account grant AliyunDataWorksFullAccess to a RAM user? and follow the same steps, substituting AliyunBSSOrderAccess for AliyunDataWorksFullAccess. After attaching this policy, the RAM user can purchase DataWorks-related services.

How do I grant a RAM user permission to attach and detach resource groups?

Performed by: Workspace administrator

No additional RAM-level policy is required to attach or detach resource groups. The RAM user only needs the workspace administrator role within the workspace.

A workspace administrator can attach and detach resource groups from the Workspace Management section of the DataWorks console. To assign the workspace administrator role, see Add members to a workspace.

How do I create a custom MaxCompute role with query-only permissions?

Performed by: Alibaba Cloud account (owner) or MaxCompute project administrator

MaxCompute supports custom roles with scoped permissions. To create a role that allows only SELECT operations, define the role with the appropriate privileges in MaxCompute.

For the complete procedure, including required commands and configuration steps, see Query permissions.

How do I set the mobile phone number and email address for a RAM user?

Performed by: Alibaba Cloud account (owner)

RAM users cannot set their own alert contact details. If a RAM user needs to receive DataWorks alerts, the Alibaba Cloud account (owner) must configure the user's mobile phone number and email address through alerting settings in the DataWorks console.

For more information, see View and set alert contacts.

What should I do when an employee leaves the company?

Performed by: Workspace administrator (Steps 1-2), then Alibaba Cloud account (owner) (Step 3)

Complete the three steps in order. The RAM user is deleted from the RAM console only in Step 3, after Steps 1 and 2 are finished.

Warning

Do not delete the RAM user from the RAM console before completing Steps 1 and 2.

Risk: If you delete the RAM user first, errors may occur in DataWorks because task ownership cannot be transferred from an account that no longer exists.

Action: Complete Steps 1 and 2 in DataWorks before proceeding to Step 3.

Step 1: Transfer task ownership in DataWorks

Transfer all DataWorks nodes owned by the departing employee to another user. Batch transfer is supported.

Step 2: Update alert rules and shift schedule configuration

Review all alert rules and the shift schedule configuration to remove the departing employee from alert routing.

Step 3: Remove the RAM user

Log on to the RAM console with the Alibaba Cloud account (owner) and delete the RAM user.
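
The ordering rule above can be enforced as a pre-deletion gate. The following is an added example, not Alibaba Cloud code: the inventory records and their field names are constructed and hypothetical, standing in for your own export of node owners, alert rules and shift schedules. It also flags alert routes where the departing user is the only recipient, so that removing them does not leave an alert unrouted.

```python
# Constructed sample inventory (assumption: field names are hypothetical and
# stand in for your own export of nodes, alert rules and shift schedules).
NODES = [
    {"node": "ods_orders_daily", "owner": "alice"},
    {"node": "dws_sales_rollup", "owner": "bob"},
]
ALERT_RULES = [
    {"rule": "orders_failure", "recipients": ["alice", "carol"]},
    {"rule": "nightly_sla", "recipients": ["alice"]},
    {"rule": "rollup_timeout", "recipients": ["carol"]},
]
SHIFT_SCHEDULES = [{"schedule": "etl_oncall", "members": ["carol", "alice"]}]


def offboarding_blockers(user, nodes, alert_rules, shift_schedules):
    """Return everything that still references `user`, grouped by step."""
    found = {"step1_transfer": [], "step2_remove": [], "step2_replace": []}
    for n in nodes:
        if n["owner"] == user:
            found["step1_transfer"].append(n["node"])
    routing = [("rule", r["rule"], r["recipients"]) for r in alert_rules]
    routing += [("schedule", s["schedule"], s["members"]) for s in shift_schedules]
    for kind, name, people in routing:
        if user in people:
            found["step2_remove"].append(f"{kind}:{name}")
            # Removing the only recipient would leave the alert unrouted.
            if len(set(people)) == 1:
                found["step2_replace"].append(f"{kind}:{name}")
    return found


def may_delete_ram_user(user, nodes, alert_rules, shift_schedules):
    """Step 3 gate: True only when Steps 1 and 2 left no reference behind."""
    found = offboarding_blockers(user, nodes, alert_rules, shift_schedules)
    return not found["step1_transfer"] and not found["step2_remove"]


if __name__ == "__main__":
    for user in ("alice", "carol"):
        found = offboarding_blockers(user, NODES, ALERT_RULES, SHIFT_SCHEDULES)
        ok = may_delete_ram_user(user, NODES, ALERT_RULES, SHIFT_SCHEDULES)
        print(user, "safe to delete" if ok else "blocked", found)
```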