A workspace is the basic unit for collaboration in EMR Serverless Spark. All development work happens within a workspace, and you control who can do what by assigning workspace roles to Resource Access Management (RAM) users and RAM roles.
Built-in roles
EMR Serverless Spark provides four built-in workspace roles:
| Role | Who it's for | What they can do |
|---|---|---|
| Guest | Auditors, stakeholders | Read-only access. Can view resources but cannot create, edit, or delete anything. |
| DataScience | Data scientists, analysts | Can view all resources and submit jobs to the development queue (dev_queue). Cannot manage workflows, sessions, or infrastructure. |
| DataEngineering | Data engineers | Full development access. Can create and manage workflows, sessions, gateways, and ciphertexts, and submit jobs to any queue. |
| Owner | Workspace administrators | Full access, including queue management and user/role administration. |
If none of these roles fit your needs, you can create a custom role. See Manage roles.
Role permissions
The following tables show what each role can do, grouped by resource type.
Workflow permissions
| Permission | Guest | DataScience | DataEngineering | Owner |
|---|---|---|---|---|
| View workflow lists, statuses, versions, topologies, details, and configurations | ✓ | ✓ | ✓ | ✓ |
| View logs, outputs, and the SparkUI of workflow instance nodes | ✓ | ✓ | ✓ | ✓ |
| Create workflows (associate topologies, nodes, and tasks; publish workflows) | - | - | ✓ | ✓ |
| Delete workflows | - | - | ✓ | ✓ |
| Create workflow nodes | - | - | ✓ | ✓ |
| Edit workflow instance configurations | - | - | ✓ | ✓ |
| Enable workflow scheduling | - | - | ✓ | ✓ |
| Disable workflow scheduling | - | - | ✓ | ✓ |
| Trigger workflows | - | - | ✓ | ✓ |
| Node operations (rerun, set to success, stop) | - | - | ✓ | ✓ |
Queue permissions
| Permission | Guest | DataScience | DataEngineering | Owner |
|---|---|---|---|---|
| View queues | ✓ | ✓ | ✓ | ✓ |
| Submit jobs to a queue | - | ✓ (Scope: dev_queue) | ✓ (Scope: *) | ✓ (Scope: *) |
| Add queues | - | - | - | ✓ |
| Edit queues (adjust resources) | - | - | - | ✓ |
| Delete queues | - | - | - | ✓ |
SQL session permissions
| Permission | Guest | DataScience | DataEngineering | Owner |
|---|---|---|---|---|
| View SQL sessions | ✓ | ✓ | ✓ | ✓ |
| Create SQL sessions | - | - | ✓ | ✓ |
| Edit SQL sessions | - | - | ✓ | ✓ |
| Delete SQL sessions | - | - | ✓ | ✓ |
Notebook session permissions
| Permission | Guest | DataScience | DataEngineering | Owner |
|---|---|---|---|---|
| View Notebook sessions | ✓ | ✓ | ✓ | ✓ |
| Create Notebook sessions | - | - | ✓ | ✓ |
| Edit Notebook sessions | - | - | ✓ | ✓ |
| Delete Notebook sessions | - | - | ✓ | ✓ |
Gateway permissions
| Permission | Guest | DataScience | DataEngineering | Owner |
|---|---|---|---|---|
| View gateways | ✓ | ✓ | ✓ | ✓ |
| Create gateways | - | - | ✓ | ✓ |
| Edit gateways | - | - | ✓ | ✓ |
| Delete gateways | - | - | ✓ | ✓ |
| Manage access tokens for Livy Gateway (create, delete, and update) | - | - | ✓ | ✓ |
Ciphertext permissions
| Permission | Guest | DataScience | DataEngineering | Owner |
|---|---|---|---|---|
| View ciphertexts | - | ✓ | ✓ | ✓ |
| Create ciphertexts | - | - | ✓ | ✓ |
| Delete ciphertexts | - | - | ✓ | ✓ |
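The tables above can drive a periodic access review. The following added example (not part of the EMR Serverless Spark documentation or API) finds the least-privileged built-in role that covers what a principal actually does and flags assignments that exceed it. The permission keys, user names, usage records, and the queue name `prod_queue` are hypothetical and constructed for illustration.

```python
# Added example. Permission keys are hypothetical short names for groups of
# rows in the tables above; they are not EMR Serverless Spark API identifiers.
# Per the tables, each built-in role is a superset of the one before it.
ROLES = ["Guest", "DataScience", "DataEngineering", "Owner"]  # least to most privileged

# Lowest built-in role that holds each permission group, per the tables above.
MIN_ROLE = {
    "workflow:view": "Guest", "queue:view": "Guest",
    "session:view": "Guest", "gateway:view": "Guest",
    "ciphertext:view": "DataScience",  # Guest cannot view ciphertexts
    "workflow:manage": "DataEngineering", "session:manage": "DataEngineering",
    "gateway:manage": "DataEngineering", "ciphertext:manage": "DataEngineering",
    "queue:manage": "Owner",
}

def min_role_for(action, queue=None):
    """Return the least-privileged built-in role allowed to perform one action."""
    if action == "queue:submit":
        # DataScience may submit only to dev_queue; other queues need scope *.
        return "DataScience" if queue == "dev_queue" else "DataEngineering"
    return MIN_ROLE[action]

def least_privilege_role(used):
    """used: iterable of (action, queue_or_None) pairs a principal needs."""
    needed = [min_role_for(action, queue) for action, queue in used]
    return max(needed, key=ROLES.index, default="Guest")

def review(assignments, usage):
    """Return (user, assigned, needed) for each over-privileged assignment."""
    findings = []
    for user, role in assignments.items():
        if role not in ROLES:
            continue  # custom roles need a manual review of their permissions
        needed = least_privilege_role(usage.get(user, []))
        if ROLES.index(role) > ROLES.index(needed):
            findings.append((user, role, needed))
    return findings

# Constructed sample data (not real accounts or audit records).
ASSIGNMENTS = {"alice": "Owner", "bob": "DataEngineering", "carol": "DataScience"}
USAGE = {
    "alice": [("queue:manage", None), ("workflow:manage", None)],
    "bob": [("workflow:view", None), ("queue:submit", "dev_queue")],
    "carol": [("ciphertext:view", None), ("queue:submit", "dev_queue")],
}

if __name__ == "__main__":
    for user, role, needed in review(ASSIGNMENTS, USAGE):
        print(f"{user}: has {role}, usage only needs {needed}")
```

A principal that needs a combination no built-in role matches closely, such as submitting to one non-dev queue without any workflow or gateway management, is a candidate for a custom role instead.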
Prerequisites
Before you begin, make sure you have:
A workspace. See Manage workspaces.
A RAM user granted one of the following permissions:
AliyunEmrServerlessSparkReadOnlyAccess, AliyunEMRServerlessSparkDeveloperAccess, or AliyunEMRServerlessSparkFullAccess. See Grant permissions to a RAM user.
Manage users
Add a user
Go to the Access Control page.
Log on to the E-MapReduce console.
In the left navigation pane, choose EMR Serverless > Spark.
On the Spark page, click the name of the workspace.
In the left navigation pane, choose Security > Access Control.
On the User tab, click Add User.
In the Add User dialog box, select the RAM users and RAM roles to add, then click OK. You can select one or more RAM users and RAM roles.
Remove a user
On the User tab of the Access Control page, click Delete in the Actions column for the target user.
In the Remove User dialog box, click Remove.
Manage roles
If the built-in roles don't meet your requirements, create a custom role and configure its permissions.
Create a role and assign permissions
On the Role tab of the Access Control page, click Create Role.
In the dialog box, enter a Role Name and a Display Name, then click OK.
Click the name of the role you created.
Click Add Authorization.
Select the required permissions and click OK.
Add users to a role
On the Role tab of the Access Control page, click Add User in the Actions column of the target role.
In the Add User dialog box, select the users to add, then click OK.
Remove users from a role
On the Role tab of the Access Control page, click Remove User in the Actions column of the target role.
In the Remove User dialog box, select the users to remove, then click OK.