Operation permission management

Updated at: 2024-07-04 09:52

This topic provides answers to some frequently asked questions about operation permission management.

How do I grant users in a workspace the permissions on service modules?

You can assign built-in roles to RAM users to control their permissions on service modules based on your business scenarios. You can also assign custom workspace-level roles to the RAM users to control their read/write permissions on service modules. For more information about the permissions of each built-in role, see Permissions of built-in workspace-level roles. For more information about custom workspace-level roles, see Manage permissions on workspace-level services.

How do I grant users in a workspace the operation permissions on compute engines?

After you assign a workspace-level role to a user, the operation permissions granted to the user are based on the compute engine type and compute engine configurations.

  • Logic of operation permissions on a MaxCompute compute engine:

    • The DataWorks built-in roles and the roles in a MaxCompute project in the development environment have a permission mapping. By default, a DataWorks built-in role has all the permissions its mapped MaxCompute project role has on the MaxCompute compute engine in the development environment.

    • The DataWorks built-in roles and the roles in a MaxCompute project in the production environment do not have a permission mapping. A DataWorks built-in role cannot directly manage resources of a MaxCompute project in the production environment.

      Note

      For example, a user that is assigned the administrator or development role has permissions on most service modules and all the permissions on a workspace in the development environment (a MaxCompute project in the development environment). By default, the user that is assigned the administrator or development role does not have the permissions on the same workspace in the production environment (the same MaxCompute project in the production environment). If a RAM user wants to access a table in the production environment from the development environment, you must apply for the operation permissions on the table for the RAM user in Data Map. For more information, see the Request permissions section of the "Manage permissions on MaxCompute" topic.

      | Node running environment | Scenario |
      | --- | --- |
      | The node is run in DataStudio (in the development environment). | Scenario 1: Use an Alibaba Cloud account or a RAM user to run the select col1 from tablename command to access a table in the development environment. Specify the table name in the following format: projectname_dev.tablename. Scenario 2: Use an Alibaba Cloud account or a RAM user to run the select col1 from projectname.tablename command to access a table in the production environment. Specify the table name in the following format: projectname.tablename. Note: By default, a RAM user that is not selected when you associate a MaxCompute data source with a workspace does not have permissions to access data in the production environment. If you want to use the RAM user to access data in the production environment, you must apply for permissions in Data Map. |
      | The node is run in Operation Center (in the production environment). | Scenario: Use the account that is selected when you associate a MaxCompute data source with a workspace to run the select col1 from tablename command to access a table in the production environment. Specify the table name in the following format: projectname.tablename. |

  • Logic and description of operation permissions on an E-MapReduce (EMR) compute engine:

    • Logic: If your workspace is associated with an EMR data source, the permissions of a built-in role on DataWorks service modules are determined by the role itself, whereas its permissions on the data source are those of the account that is selected when the data source is associated with the workspace.

      | Mode | Environment | Account in use | How it works |
      | --- | --- | --- | --- |
      | Shortcut mode | The node is run in DataStudio (in the development environment). | Hadoop user | |
      | Shortcut mode | The node is run in Operation Center (in the production environment). | Hadoop user | |
      | Security mode | The node is run in DataStudio (in the development environment). | The account that you selected for the development environment when you configure the compute engine | You can configure the Lightweight Directory Access Protocol (LDAP) permission mapping for members in a DataWorks workspace to manage the permissions of a RAM user on EMR features when the RAM user uses DataWorks. When you use an Alibaba Cloud account or a RAM user to commit code in DataWorks, the user that has the same name in EMR will run the node. Note: For more information about the permission mapping between DataWorks members and EMR users, see Register an EMR cluster to DataWorks. |
      | Security mode | The node is run in Operation Center (in the production environment). | The account that you selected for the production environment when you configure the compute engine | Same as above: the EMR user with the same name as the committing DataWorks member runs the node, subject to the configured LDAP permission mapping. |

    • Permission control: You can use EMR Ranger to manage the permissions of each user in an EMR compute engine. This ensures that Alibaba Cloud accounts, node owners, or RAM users have different data permissions when they run EMR nodes in DataWorks.

  • Logic of operation permissions on other compute engines:

    If you associate a workspace with a data source other than a MaxCompute or EMR data source, whether the node that you want to run in DataStudio can use the resources of the data source is determined by the account that is selected when you associate the data source with the workspace.

How do I allow access to the DataWorks console only from the internal network of an enterprise?

If you want to allow access to the DataWorks console only from the internal network of an enterprise, log on to the RAM console and configure a security policy that allows access only from the public IP addresses to which the private IP addresses of the enterprise are mapped.

For more information, see Manage security settings of RAM users.
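As an added illustration that is not part of the original topic, the following RAM policy expresses the same source-address restriction as a policy statement: it denies every action unless the request originates from an allowed address range, using the acs:SourceIp condition key. The two CIDR blocks are placeholders to be replaced with the enterprise's actual public egress addresses.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "acs:SourceIp": [
            "203.0.113.0/24",
            "198.51.100.10/32"
          ]
        }
      }
    }
  ]
}
```

Attach the policy to the RAM users or RAM user group to be restricted; because an explicit Deny overrides any Allow, requests from any other source address are rejected. Verify from both an allowed and a disallowed address before rolling the policy out broadly, since a wrong range locks administrators out as well.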
