This topic describes the mappings between the built-in workspace-level roles of DataWorks and the roles of MaxCompute, and the permissions of each role in the development environment and production environment. The table in this topic provides the details. For more information about MaxCompute permissions, see MaxCompute permissions and Manage permissions on data in a MaxCompute compute engine.
You cannot manage permissions in DataWorks workspaces that are in basic mode. In the following table, the descriptions in the "Permission on data in the DataWorks development environment and the associated MaxCompute project" and "Permission on data in the DataWorks production environment and the associated MaxCompute project" columns apply only to workspaces that are in standard mode. For information about DataWorks workspace modes, see Differences between workspaces in basic mode and workspaces in standard mode.
Mapping | | Permission description | | |
DataWorks role or identity | MaxCompute role | Permission on data in the DataWorks development environment and the associated MaxCompute project | Permission on data in the DataWorks production environment and the associated MaxCompute project | Description of permissions in DataWorks |
Workspace Administrator | Role_Project_Admin | | No permissions by default. You must request the required permissions in Security Center. | A user with the Workspace Administrator role is the administrator of a workspace. The administrator has permissions to manage the basic properties, data sources, compute engine configurations, and members of the workspace and can assign the Workspace Administrator, Development, O&M, Deploy, or Visitor role to workspace members. |
Development | Role_Project_Dev | | No permissions by default. You must request the required permissions in Security Center. | A user with the Development role has permissions to create workflows, script files, resources, user-defined functions (UDFs), tables, and deployment tasks, and delete tables, but does not have permissions to perform deployment operations. |
O&M | Role_Project_Pe | This role has all permissions on the project and the functions, resources, instances, and jobs in the project, Read permissions on the packages in the project, and Read and Describe permissions on the tables in the project. Note: The O&M role has permissions on the MaxCompute compute engine but does not have permissions to run nodes in the DataWorks console. | No permissions by default. You must request the required permissions in Security Center. | The O&M role has deployment and online O&M permissions that are granted by the Workspace Administrator role but does not have permissions to perform data development operations. |
Deploy | Role_Project_Deploy | No permissions by default. | No permissions by default. You must request the required permissions in Security Center. | The Deploy role has similar permissions to the O&M role, except for online O&M permissions. |
Visitor | Role_Project_Guest | No permissions by default. | No permissions by default. You must request the required permissions in Security Center. | A user with the Visitor role has permissions to view data but does not have permissions to modify workflows or code. |
Security Manager | Role_Project_Security | No permissions by default. | No permissions by default. You must request the required permissions in Security Center. | The Security Manager role can be used only in Data Security Guard and has permissions to configure sensitive data identification rules and audit data risks in Data Security Guard. |
Data Analyst | Role_Project_Data_Analyst | | No permissions by default. You must request the required permissions in Security Center. | This role has permissions only on DataAnalysis. |
Model Designer | Role_Project_Erd | No permissions by default. | No permissions by default. You must request the required permissions in Security Center. | This role has permissions to view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models. |
Data Governance Administrator | Role_Project_Data_Governance | No permissions by default. | No permissions by default. You must request the required permissions in Security Center. | This role has permissions only on Data Governance Center. This role can be used to view and manage detected data governance issues, configure data governance plans, and enable check items. This role does not have permissions on operations such as data development and O&M. |
Workspace owner (Alibaba Cloud account) | Project Owner | This identity is the owner of the project and has all permissions on the project. | The same permissions as in the development environment. | None. |
None | Super_Administrator | This role is the super administrator of the project and has management permissions on the project and all permissions on all types of resources in the project. | The same permissions as in the development environment. | None. |
None | Admin | When you create a project, the system creates an Admin role for this project and grants the role permissions to access all objects in the project, manage users or roles, and grant permissions to users or roles. Compared with the Project Owner role, the Admin role does not have permissions to perform the following operations: assign the Admin role to users, configure security policies for the project, modify the authentication model for the project, and modify the permissions of the Admin role. The Project Owner role can assign the Admin role to a user and authorize the user to manage security configurations. | The same permissions as in the development environment. | None. |
None | Role_Project_Scheduler | No permissions by default. | | The identity is used to schedule and run MaxCompute tasks in the production environment. |