
DataWorks: Permissions of built-in workspace-level roles

Last Updated: Jul 17, 2024

DataWorks provides the following built-in workspace-level roles: Workspace Owner, Workspace Administrator, Data Analyst, Develop, O&M, Deploy, Visitor, Security Administrator, Model Designer, and Data Governance Administrator. This topic describes the permissions of these roles.

By default, the built-in workspace-level roles provided by DataWorks have read permissions on all workspace-level services. The management and operation permissions of different built-in workspace-level roles on workspace-level services vary. The following table describes the built-in workspace-level roles and the permissions of each built-in workspace-level role on workspace-level services.

| Role | Description |
| --- | --- |
| Workspace Owner | This role has all permissions on a workspace. The owner of a workspace is an Alibaba Cloud account. For example, the Workspace Owner role can be used to assign a role to a RAM user and remove a member that is not the owner of a workspace from the workspace. |
| Workspace Administrator | This role has permissions that are second only to the permissions of the Workspace Administrator role. The Workspace Administrator role can also be used to perform operations such as adding a user to a workspace as a member, removing a member from a workspace, or assigning a role to a member. |
| Data Analyst | This role has permissions only on DataAnalysis. |
| Develop | This role has permissions to perform data development and maintenance operations on the DataStudio page of a workspace. Note: If you want to perform data development operations as a RAM user, you must assign the Develop or Workspace Administrator role to the RAM user. If you want to perform the deploy operation as a RAM user, you must assign the O&M or Workspace Administrator role to the RAM user. |
| O&M | This role has permissions to deploy tasks to the production environment on the Create Deploy Task page and perform O&M operations on all tasks in a workspace in Operation Center. |
| Deploy | This role has permissions to review the code of a task and determine whether to commit the task to Operation Center in a workspace in standard mode. |
| Visitor | This role has read-only permissions on workflows and code on the DataStudio page of a workspace. |
| Security Administrator | This role has permissions only on Data Security Guard. |
| Model Designer | This role has permissions to view models in Data Modeling and modify parameter configurations in Data Warehouse Planning, Data Standard, Dimensional Modeling, and Data Metric. This role does not have permissions to publish models. |
| Data Governance Administrator | This role has permissions to view and manage data governance content of the workspace to which this role belongs in Data Governance Center. Note: This role does not have permissions to view data governance situations of all workspaces in a region from the global perspective or manage global governance operations, such as enabling check items at the global level. If you want to allow a RAM user to perform global governance operations, assign the Data Governance Administrator role at the tenant level to the RAM user. For more information, see Data Governance Administrator role at the tenant level. For more information about the features that are supported by the Data Governance Administrator role at the workspace level, see Data Governance. |

The tables in the following sections describe the permissions of different built-in workspace-level roles on workspace-level services. In the tables, Yes indicates that a role has the specified permission, and No indicates that a role does not have the specified permission.

Note

The built-in workspace-level roles also have specified permissions on the data of a MaxCompute compute engine. For more information, see Manage permissions on data in a MaxCompute compute engine instance.

Data management

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Delete a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Configure a category for a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View a favorite table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Create a table in visualized mode | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Show a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Modify the schema of a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View the content of a self-submitted permission request | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Hide a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Configure the time to live (TTL) for a self-created table | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Request permissions on a table created by other users | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Update a table in the development environment | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Delete a table in the development environment | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Preview data | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No | No |

Deployment management

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Create a deployment package | Yes | Yes | No | Yes | Yes | No | No | No | No | No |
| View the list of deployment packages | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Delete a deployment package | Yes | Yes | No | Yes | Yes | No | No | No | No | No |
| Deploy tasks in a deployment package | Yes | Yes | No | No | Yes | Yes | No | No | No | No |
| View the content of a deployment package | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |

Button control

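| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Stop | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Format | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Edit | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Run | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Zoom in | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Save | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Show/Hide | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Delete | Yes | Yes | No | Yes | No | No | No | No | No | No |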

Code development

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Save and commit the code of a task | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View the code of a task | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Write the code of a task | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Delete the code of a task | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View the code of tasks | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Run the code of a task | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Modify the code of a task | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Download a file | Yes | Yes | No | No | No | No | No | No | No | No |
| Upload a file | Yes | Yes | No | Yes | No | No | No | No | No | No |
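
As an added example (not part of the DataWorks documentation), the Python code below transcribes four rows from the Deployment management and Code development tables and reports workspace members whose assigned roles let them both commit task code and deploy it, separating cases where a single role grants both from cases that arise only from stacking roles. The function names and the member names in the sample are constructed for illustration.

```python
"""Added example: audit role assignments against rows of the tables on this page."""

# Column order used by the permission tables above.
ROLES = [
    "Workspace Owner", "Workspace Administrator", "Data Analyst", "Develop",
    "O&M", "Deploy", "Visitor", "Security Administrator", "Model Designer",
    "Data Governance Administrator",
]

def row(cells):
    """Map a 'Y'/'N' row (same column order as ROLES) to the set of roles with Yes."""
    flags = cells.split()
    if len(flags) != len(ROLES):
        raise ValueError("row must have one cell per role")
    return {role for role, flag in zip(ROLES, flags) if flag == "Y"}

# Rows transcribed from the Deployment management and Code development tables.
MATRIX = {
    "Create a deployment package":          row("Y Y N Y Y N N N N N"),
    "Deploy tasks in a deployment package": row("Y Y N N Y Y N N N N"),
    "Save and commit the code of a task":   row("Y Y N Y N N N N N N"),
    "Write the code of a task":             row("Y Y N Y N N N N N N"),
}
AUTHOR = "Save and commit the code of a task"
RELEASE = "Deploy tasks in a deployment package"

def effective_permissions(roles):
    """Permissions a member holds: the union over every assigned role."""
    unknown = set(roles) - set(ROLES)
    if unknown:
        raise ValueError(f"not a built-in role: {sorted(unknown)}")
    return {perm for perm, allowed in MATRIX.items() if allowed & set(roles)}

def audit(assignments):
    """Report members who can both commit task code and deploy it.

    'single-role' means one assigned role grants both on its own;
    'combination' means the overlap comes only from stacking roles.
    """
    both = MATRIX[AUTHOR] & MATRIX[RELEASE]
    findings = {}
    for member, roles in assignments.items():
        if {AUTHOR, RELEASE} <= effective_permissions(roles):
            findings[member] = "single-role" if both & set(roles) else "combination"
    return findings

# Constructed sample assignments (member names are hypothetical).
SAMPLE = {
    "alice": ["Develop"],
    "bob": ["Develop", "O&M"],
    "carol": ["Workspace Administrator"],
    "dave": ["Deploy", "Visitor"],
}

if __name__ == "__main__":
    for member, kind in audit(SAMPLE).items():
        print(f"{member}: can author and deploy ({kind})")
```

A "combination" finding can be resolved by removing one of the stacked roles; a "single-role" finding reflects what the Workspace Owner and Workspace Administrator roles grant by design.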

Function development

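| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| View details of a function | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Create a function | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Query a function | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Delete a function | Yes | Yes | No | Yes | No | No | No | No | No | No |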

Node type selection

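| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| PAI | Yes | Yes | No | Yes | No | No | No | No | No | No |
| MR | Yes | Yes | No | Yes | No | No | No | No | No | No |
| CDP | Yes | Yes | No | Yes | No | No | No | No | No | No |
| SQL | Yes | Yes | No | Yes | No | No | No | No | No | No |
| XLIB | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Shell | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Zero load | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| script_seahawks | Yes | Yes | No | Yes | No | No | No | No | No | No |
| dtboost_analytic | Yes | Yes | No | Yes | No | No | No | No | No | No |
| dtboost_recommend | Yes | Yes | No | Yes | No | No | No | No | No | No |
| PyODPS | Yes | Yes | No | Yes | No | No | No | No | No | No |
| AnalyticDB for PostgreSQL | Yes | Yes | No | Yes | No | No | No | No | No | No |
| AnalyticDB for MySQL | Yes | Yes | No | Yes | No | No | No | No | No | No |
| HTTP Trigger | Yes | Yes | No | Yes | No | No | No | No | No | No |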

Resource management

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| View the list of resources | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Delete a resource | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Create a resource | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Upload a JAR file | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Upload a text file | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Upload an archive file | Yes | Yes | No | Yes | No | No | No | No | No | No |

Workflow development

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Run or stop a workflow | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Save a workflow | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View a workflow | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Commit the code of a node | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Modify a workflow | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View the list of workflows | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Change the owner of a workflow | Yes | Yes | No | No | No | No | No | No | No | No |
| View the code of a node | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Delete a workflow | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Create a workflow | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Create a folder | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Delete a folder | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Modify a folder | Yes | Yes | No | Yes | No | No | No | No | No | No |

Data Integration

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Edit a node | Yes | Yes | No | Yes | No | No | No | No | No | No |
| View a node | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Delete a node | Yes | Yes | No | Yes | No | No | No | No | No | No |
| Access the menu for managing data synchronization resources | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| View the list of resource groups for data synchronization | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Create a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| View the list of Elastic Compute Service (ECS) instances in a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Add an ECS instance to a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Remove an ECS instance from a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Modify an ECS instance in a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Obtain the AccessKey pair for accessing a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Delete a resource group for data synchronization | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Monitor resource consumption | Yes | Yes | No | No | No | No | No | No | No | No |
| Change the resource group for tasks in Operation Center | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Access the menu for managing synchronization tasks | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Switch to the code editor | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Obtain the list of members in a workspace | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for writing the code of a task | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for saving or updating the code of a task | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for obtaining the code of a task based on the file ID | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Obtain the list of Data Integration nodes | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for querying a table | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for querying a field | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for querying data sources | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No | No |
| Call the API operation for adding a data source | Yes | Yes | No | No | Yes | No | No | No | No | No |
| Call the API operation for querying the details of a data source | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Call the API operation for updating a data source | Yes | Yes | No | No | Yes | No | No | No | No | No |
| Call the API operation for deleting a data source | Yes | Yes | No | No | Yes | No | No | No | No | No |
| Test network connectivity | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Preview data | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Check whether the Stream feature is enabled for a Tablestore table | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Activate Tablestore | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Query the statement used to create a MaxCompute table | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Create a MaxCompute table | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Query the creation status of a MaxCompute table | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| Migrate database tables | Yes | Yes | No | No | No | No | No | No | No | No |

Data Modeling

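| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| View a model | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Edit a model | Yes | Yes | No | Yes | Yes | No | No | No | Yes | No |
| Publish a model | Yes | Yes | No | No | Yes | No | No | No | No | No |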

DataAnalysis

| Permission | Workspace Owner | Workspace Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer | Data Governance Administrator |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Access pages in DataAnalysis | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Use DataAnalysis | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | No |

Note

By default, a custom role does not have the permissions of the Data Analyst role. If you want to use DataAnalysis by assuming a custom role, you can ask a user with the Workspace Administrator role to assign the Data Analyst role to you. For more information about how to assign a role to a workspace member, see Manage permissions on workspace-level services. For more information about custom roles, see Permissions of workspace-level roles.

Data Governance

| Permission | Workspace Owner | Workspace Administrator | Data Governance Administrator | Data Analyst | Develop | O&M | Deploy | Visitor | Security Administrator | Model Designer |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| View governance effectiveness from the global perspective on the Assessment tab | No | No | No | No | No | No | No | No | No | No |
| View governance effectiveness from the workspace perspective on the Assessment tab | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the governance effectiveness of each governance owner from the individual perspective on the Assessment tab | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the governance ranking of a workspace on the Governance Rankings page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the governance ranking of user accounts in a workspace on the Governance Rankings page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View governance issues from the workspace perspective on the Governance Issue page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View governance issues from the individual perspective on the Governance Issue page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Change the owner of a table from the workspace perspective | Yes | Yes | No | No | No | No | No | No | No | No |
| Change the owner of a table from the individual perspective | Yes | Yes | No | No | No | Yes | No | No | No | No |
| Change the TTL of a table from the workspace perspective | Yes | Yes | No | No | No | No | No | No | No | No |
| Change the TTL of a table from the individual perspective | Yes | Yes | No | No | Yes | Yes | No | No | No | No |
| Create an undeployment plan for a table from the workspace perspective | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Execute an undeployment plan that is created for a table from the workspace perspective | Yes | Yes | No | No | No | Yes | No | No | No | No |
| Create an undeployment plan for a table from the individual perspective | Yes | Yes | Yes | No | No | Yes | No | No | No | No |
| Execute an undeployment plan that is created for a table from the individual perspective | Yes | Yes | No | No | No | Yes | No | No | No | No |
| Change the owner of a task from the workspace perspective | Yes | Yes | No | No | No | Yes | No | No | No | No |
| Change the owner of a task from the individual perspective | Yes | Yes | No | No | No | Yes | No | No | No | No |
| Create an undeployment plan for a task from the workspace perspective | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Create an undeployment plan for a task from the individual perspective | Yes | Yes | Yes | No | No | Yes | No | No | No | No |
| Complete missing dependencies for a task in a workspace | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Add a table to a whitelist from the workspace perspective on the Governance Issue page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View all metric data for check events from the workspace perspective on the Check Event page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View all whitelists in a workspace on the Whitelist page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Disable a whitelist created in a workspace on the Whitelist page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Create an undeployment plan on the Graceful Shutdown page | Yes | Yes | Yes | No | No | Yes | No | No | No | No |
| View all undeployment plans created in the current workspace on the Graceful Shutdown page | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| View the details of an undeployment plan on the Graceful Shutdown page | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| Perform operations on an undeployment plan on the Graceful Shutdown page | Yes | Yes | Yes | No | No | Yes | No | No | No | No |
| View recommended materialized views by workspace on the Materialized View page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Create a materialized view in a workspace on the Materialized View page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the list of recommended materialized views in a workspace on the Materialized View page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the list of materialized views in a workspace on the Materialized View page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the panoramic information of a table in a workspace on the Table 360 page | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| View the panoramic information of a task in a workspace on the Task 360 page | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| View exported data from the individual dimension on the Workbench tab | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| Export data on the Workbench tab | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Export data from the individual perspective on the Workbench tab | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| Perform resource usage analysis for all workspaces on the Use Analysis tab | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Perform resource usage analysis for a single workspace on the Use Analysis tab | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View information about governance items and check items on the Knowledge tab | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| Use a solution template provided on the Solution Template page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View the configuration of a check item on the Configure Check Item page | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |
| Enable or disable all check items for a workspace on the Configure Check Item page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Perform operations on a check item on the Configure Check Item page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View governance items on the Configure Governance Item page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Configure an exclusion rule for governance items on the Configure Governance Item page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| View notification settings configured for a workspace on the Notification Settings page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Configure notification settings from the global perspective on the Notification Settings page | No | No | No | No | No | No | No | No | No | No |
| Configure notification settings from the workspace perspective on the Notification Settings page | Yes | Yes | Yes | No | No | No | No | No | No | No |
| Configure notification settings from the individual perspective on the Notification Settings page | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | No | No |