Data Management (DMS) allows you to use custom policies to control access to task orchestration features. You can control operations such as publishing and deploying, updating, and creating task flows. This topic shows how an administrator can grant a user other than the owner permission to publish a task flow.
Notes
The policy feature is in canary release. For more information, see Policies.
Prerequisites
You have the permissions to use the policy feature. If you do not have the permissions to use this feature, contact an administrator to add the administrator system role. For more information, see Edit User Information.
By default, the administrator role includes the permissions required for policies.
Test environment
An administrator has created a task flow named Task Orchestration Access Control Test. For instructions on how to create a task flow, see Step 1: Create a task flow.
Procedure
Step 1: Add a stakeholder to the task flow
- Log in to DMS 5.0.
- Move the pointer over the icon in the upper-left corner and choose .
  Note: If you use the DMS console in normal mode, choose in the top navigation bar.
- Click the name of the target task flow.
- On the task flow editing page, click Task flow information at the bottom of the page.
- In the Properties section, add the user as a stakeholder. In this example, the user is dmsuser_test.
Step 2: Create a policy
- In the upper-left corner of the console, click the icon and choose .
  Note:
  - If you are using the console in normal mode, choose from the top navigation bar.
  - This feature is in canary release.
- Click Create Policy. On the Create Policy page, specify the Basic information and Remarks. In this example, the policy name is Allow publishing a task flow.
- Configure the policy.
  In the visual policy editor, set Effect to Allow, Service to Task flow, and Action to Specify actions. Then, select the Publish and deploy task flow (taskFlow:PublishAndDeployTaskFlow) write action. Set Resource to Specify resources and add the task flow ARN acs:dms:*:*:taskFlow/96030.
  The following list describes the available actions.
  - Publish and deploy task flow: Publish a task flow and deploy its nodes.
  - Unpublish task flow: Unpublish a task flow.
  - Freeze task flow: Freeze a task flow to prevent its scheduled triggers from running.
  - Unfreeze task flow: Unfreeze a task flow so it can be scheduled.
  - Update task flow configurations: Update task flow settings, such as scheduling and variable configurations.
  - Update task flow: Update the nodes and edges of a task flow.
  - Create task in task flow: Create task nodes in a task flow.
  - Delete task from task flow: Delete task nodes from a task flow.
  For more information about how to configure a policy, see Step 1: Create and configure a policy.
- In the lower-left corner of the page, click Confirm to create the policy.
Step 3: Grant the policy to a user
- On the Policies page, click Authorize to the right of the target policy name.
- In the Add Authorization dialog box, select the Users or Role to authorize. You can select multiple items.
  The policy applies to all users who are assigned this role.
  In the Principal field, enter the name of the target user or role, and then click Confirm.
- Click Confirm.

After you grant the policy to the user dmsuser_test, they can publish the task flow. For instructions on how to publish a task flow, see Publish or unpublish a task flow.
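
A check an administrator could run before Step 3 to confirm that the policy from Step 2 grants only the intended action on a single task flow. This is an added example, not DMS or Alibaba Cloud code. It assumes the policy can be written as RAM-style JSON with Version, Statement, Effect, Action and Resource keys, which this page does not show; POLICY_JSON, as_list and audit_policy are hypothetical names.

```python
import json
import re

# Assumption: RAM-style JSON shape. The page only shows the visual editor,
# so this document layout is hypothetical; the action and ARN are from the page.
POLICY_JSON = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["taskFlow:PublishAndDeployTaskFlow"],
    "Resource": ["acs:dms:*:*:taskFlow/96030"]
  }]
}"""
POLICY = json.loads(POLICY_JSON)

# Matches the ARN of exactly one task flow, in the form shown on this page.
SINGLE_TASK_FLOW = re.compile(r"acs:dms:\*:\*:taskFlow/\d+")


def as_list(value):
    """Accept a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy, allowed_actions):
    """Return findings for Allow statements broader than intended."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # only grants can over-permit
        for action in as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"statement {i}: unexpected action {action!r}")
        resources = as_list(stmt.get("Resource"))
        if not resources:
            findings.append(f"statement {i}: no resource restriction")
        for res in resources:
            if not SINGLE_TASK_FLOW.fullmatch(res):
                findings.append(f"statement {i}: resource {res!r} is not a single task flow")
    return findings


if __name__ == "__main__":
    result = audit_policy(POLICY, {"taskFlow:PublishAndDeployTaskFlow"})
    print(result or "policy is scoped as intended")
```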