
DataWorks: Manage permissions on DLF

Last Updated: Nov 13, 2024

DataWorks allows you to manage permissions on Data Lake Formation (DLF) in a visualized manner. For example, you can request permissions, process permission requests, and audit permissions. This helps you manage permissions on fully managed data lakes in a centralized manner. This topic describes how to manage permissions on DLF.

Background information

The first time you use DataWorks to manage permissions on DLF, DataWorks prompts you to authorize DataWorks to access DLF. During the authorization, the system creates a service-linked role named AliyunServiceRoleForDataWorksAccessDLF for DataWorks. For more information about the AliyunServiceRoleForDataWorksAccessDLF service-linked role, see Appendix: Service-linked role used by DataWorks to access DLF.

Process for managing permissions on DLF

Figure: DLF permission management process

| Role | Description |
| --- | --- |
| Requester | A requester can request permissions on tables on the Request permissions tab. The requester can also view the permission request records of the current Alibaba Cloud account on the Permission Application Records tab. |
| Approver | An approver can view pending table permission requests on the Process permission requests tab. The approver can also view the request processing records of the current Alibaba Cloud account on the Permission Application Processing Record tab. |
| Auditor | An auditor who uses an Alibaba Cloud account, or a RAM user who is assigned the Workspace Manager role, can go to the Permission Audit tab and audit the permissions of workspace members on tables. The auditor can also revoke permissions from a specific workspace member. |

Go to the Data access control page

Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose Data Development and Governance > Security Center. On the page that appears, click Go to Security Center.

Request permissions

  1. Go to the Permission Application tab.

  2. Select tables on which you want to request permissions.

    1. In the Application Content section, set Engine Type to DLF. Configure the Catalog and Authorization Granularity parameters.

      The valid values of the Authorization Granularity parameter are Field-level permissions, Table-level permissions, and Metabase-level permissions.

      • If you select Field-level permissions or Table-level permissions, you can select the tables on which you want to request permissions in the Tables to Be Added section. After you select the tables, the information about the tables is displayed on the right side. You can click the Show icon on the left side of a table name to view all fields in the table. You can request permissions on specific or all fields.

      • If you select Metabase-level permissions, you can select the names of the metadatabases on which you want to request permissions in the Metabase Name column, and select the permissions that you want to request in the Metabase permissions column.

  3. In the Application Information section, configure the parameters.

    | Parameter | Description |
    | --- | --- |
    | User | The account or user for which you want to request the permissions. Current login account: indicates that you want to request permissions for the Alibaba Cloud account that is used to access the current workspace. Apply on Behalf of others: indicates that you want to request permissions for an Alibaba Cloud account that is not used to access the current workspace. If you select this option, you must configure the Username parameter. |
    | Workspace | The workspace in which you want to use the tables. |
    | Application duration | The validity period of the requested permissions on tables. The permissions are automatically revoked after the validity period elapses. |
    | Reason for application | The reason why you want to request the permissions. |

  4. Click Apply for permission to submit the request.

    You can view the processing details and record of the current request on the Permission Application Records tab.

Process permission requests

  1. View the information about pending permission requests.

    On the Permission Application Processing tab, set Engine Type to DLF and configure the other parameters to search for the pending permission requests within the current Alibaba Cloud account.

    Note

    If permissions on multiple tables that belong to different owners are requested, the system splits the request into multiple requests based on the table owners.

  2. View the details about a permission request.

    Find the permission request and click Approval in the Operation column. You can view the details and processing record of the permission request in the Approval details dialog box.

  3. Process permission requests.

    To process a single permission request, enter your comments and click Agree or Rejection based on your business requirements.

    To process multiple permission requests at the same time, select the permission requests that you want to process on the Permission Application Processing tab, click Bulk consent or Batch rejection, and then enter your comments.

View historical permission requests and their processing records

  • View permission request records. You can specify filter conditions such as Approval Status, Application Time, and Workspace to view the permission request records of the current Alibaba Cloud account.

    To view the details about a permission request, click View details in the Operation column of the request. You can continue to process requests whose processing status is In approval.

  • View request processing records. You can specify filter conditions such as Application Account Number, Approval Results, and Workspace to view the request processing records of the current Alibaba Cloud account.

    To view the details about a permission request, click View details in the Operation column of the request.