
DataWorks: Appendix: Overview of permission management in Data Map

Last Updated: Feb 20, 2024

By default, a tenant member is granted the permissions to access Data Map and view the metadata of all projects in Data Map. This topic describes permission management on metadata at different granularities.

Introduction to permission management in Data Map

The following figure shows an overview of permission management policies on metadata at the service module, project, and table levels in Data Map.

[Figure: Permission management in Data Map]

The following sections describe the permission management policies that are supported at each level and how to use the policies to manage permissions at each level:

Module-level permission management

You can manage the permissions to access Data Map.

Permission management policy

Instruction

All members of a tenant are granted the permissions to access Data Map.

Note

In DataWorks, all RAM users of an Alibaba Cloud account are tenant members. By default, all the RAM users are granted the permissions to access Data Map.

No operations are required because this policy is the default module-level permission management policy.

Specific RAM users do not have the permissions to access Data Map.

Use global roles to manage permissions to access Data Map.

  1. Create a custom global role and specify that the role does not have the permissions to access Data Map.

  2. Assign the custom global role to a RAM user.

For more information, see Manage permissions on global-level services. After you perform the preceding operations, the RAM user does not have the permissions to access Data Map.

A RAM user can access Data Map only after the RAM user is added to a workspace.

In the left-side navigation pane of the DataMap page, move the pointer over the icon and choose Manage Configurations > Other Settings. On the page that appears, configure the parameters in the Security Control section. For more information, see Other settings.

Project-level permission management

Note
  • Only an Alibaba Cloud account, a RAM user to which the AliyunDataWorksFullAccess policy is attached, and a RAM user to which the tenant administrator or Workspace Administrator role is assigned can configure settings for permission management that are described in the following table.

  • You can perform the operations for project-level permission management that are described in the following table only on the MaxCompute compute engine.

    If you want to query metadata of compute engines other than the MaxCompute compute engine in Data Map, you must create and configure a metadata collector for the compute engine that you want to use. If you do not want to query metadata of a specific compute engine in Data Map, you do not need to create or configure a metadata collector for the compute engine. For more information, see Collect metadata of a compute engine.

Permission management policy

Instruction

Specifies whether to display the metadata of a project in Data Map.

By default, the metadata of all MaxCompute projects is collected and displayed in Data Map.

In the left-side navigation pane of the DataMap page, move the pointer over the icon and choose Manage Configurations > Manage Workspaces. On the page that appears, specify the project whose metadata you want to view in Data Map. For more information, see Manage table visibility.

Specifies whether to allow a project member to view the metadata of another project in Data Map.

By default, all tenants of DataWorks can view the metadata of a specific MaxCompute project in Data Map.

In the left-side navigation pane of the DataMap page, move the pointer over the icon and choose Manage Configurations > Manage Workspaces. On the page that appears, specify whether to allow only members in a project to view metadata of the project. For more information, see Manage table visibility.

Table-level permission management

Note
  • Only an Alibaba Cloud account, the owner of a table, and a user to which the Workspace Administrator role is assigned can configure settings for permission management that are described in the following table.

  • You can perform the operations for table-level permission management that are described in the following table only on the MaxCompute compute engine.

Permission management policy

Instruction

Specifies whether a project member other than the owner of a table and the member who is assigned the Workspace Administrator role can view the metadata of the table in Data Map.

By default, all tenants of DataWorks can view the metadata of a table in a MaxCompute project in Data Map.

In the left-side navigation pane of the DataMap page, click the icon. In the My Data section of the page that appears, specify whether to show or hide a table. For more information, see My Data.

Specifies whether to allow a user who is not a member of a project to view the metadata of a table in the project in Data Map.