All Products
Search

This Product

    DataWorks:User permission control

    Document Center

    DataWorks:User permission control

    Last Updated:Jun 23, 2026

    This topic answers frequently asked questions about user permission control.

    Why a RAM user cannot see workspaces

    The DataWorks console displays only the workspaces to which the current account has been added. A RAM user must be added to a DataWorks workspace to view it in the console's list of workspaces.

    Add a RAM user to a workspace

    A workspace administrator can add a RAM user to a workspace on the workspace management page. For more information, see Add members to a workspace.

    Grant permission to create a workspace

    The Alibaba Cloud account must grant the AliyunDataWorksFullAccess permission to the RAM user in the RAM console.

    Grant AliyunDataWorksFullAccess permission

    Sign in to the RAM console. In the left-side navigation pane, choose Identities > Users. Find the target RAM user in the user list and click Add Permissions in the Actions column. On the Add Permissions panel, click the System Policies tab. Select the AliyunDataWorksFullAccess policy from the list of permission policies, and then click OK.

    Grant permission to purchase services

    The Alibaba Cloud account must grant the AliyunBSSOrderAccess permission to the RAM user in the RAM console.

    Grant permission to associate or disassociate a resource group with a workspace

    The RAM user must have the workspace administrator role for the workspace.

    Create a custom MaxCompute role with only query permissions

    For more information, see Query permissions.

    Set the mobile phone number and email address for a RAM user

    If a RAM user needs to receive alerts, the Alibaba Cloud account must set the mobile phone number and email address for the RAM user in the alert configuration of the DataWorks console. For more information, see View and configure alert contacts.

    Considerations for user offboarding

    Before a user leaves the company, transfer the ownership of related tasks in DataWorks before removing the RAM user from RAM. Directly removing the user from RAM may cause errors on the DataWorks side.

    To transfer nodes in bulk: Go to the Operation Center > Scheduled Tasks page. Use the Owner drop-down list at the top to filter nodes owned by the departing user. Select the nodes to transfer, and then click Change Owner in the action bar at the bottom to transfer task ownership in bulk. If there are many nodes, increase the Page Size value to select all nodes at once.

    Note

    Update monitoring rules and check the duty roster configuration in a timely manner.

    On the Operation Center > Intelligent Monitor > Rule Management page, when you edit a monitoring rule, the Recipients section provides three options: Task Owner, Duty Roster (you need to select the corresponding duty roster), and Other (you can specify recipients). Make sure that the departing user has been removed from the recipient configuration of all related rules.

    Assign a DataWorks seat (for example, for Data Agent) to a RAM user

    Some DataWorks features (such as Data Agent) require a separately purchased seat for each RAM user. If a RAM user needs to use these features, the Alibaba Cloud account must first purchase the corresponding edition (such as the Team edition) and then assign the seat to the RAM user.

    To grant a RAM user access to DataWorks, perform the following steps:

    1. Sign in to the RAM console with the Alibaba Cloud account and grant DataWorks-related permission policies (such as AliyunDataWorksFullAccess) to the RAM user. For more information, see Manage permissions of a RAM user.

    2. Assign the corresponding feature seat to the RAM user in the DataWorks console. The method for assigning seats varies depending on the feature module. For more information, see the documentation for each feature.