DataWorks provides automatic transfer and manual transfer mechanisms that you can use to transfer the entities of modules in your workspace to a specific entity receiver. The entities include resources and functions. The two mechanisms are implemented based on the default transfer rule that is provided by DataWorks or a custom workspace-level transfer rule that you configure. This topic describes how to configure an entity transfer rule, use the rule to transfer entities, and view transfer logs.
Background information
The most common scenario where entity transfer needs to be performed is employee resignation. Entity transfer guarantees security and stability of DataWorks services when employees resign. This prevents impacts of employee resignation on your business.
After an employee resigns, the Alibaba Cloud account used by the employee may or may not be deleted. For entity transfer in the two scenarios, DataWorks provides the automatic and manual transfer mechanisms. DataWorks provides a default transfer rule. DataWorks also allows you to customize a workspace-level transfer rule on the Transfer configuration tab of the Entity transfer page and specify an entity receiver for entities in different modules in the rule.
Limits
You can use only the tenant security administrator role or tenant administrator role to configure entity transfer settings on the Entity transfer page. For more information about permission management for tenants, see Manage permissions on global-level services.
Entity transfer logic
If you configure a custom transfer rule and enable the rule, the entities that you want to transfer are preferentially transferred to the entity receiver that you specify in the rule. If the entity receiver that you specify in the rule does not exist or is removed from the workspace, the system performs the transfer based on the default transfer rule.
Trigger condition for automatic transfer: If a RAM user is removed from a workspace or is deleted, the automatic transfer mechanism is triggered. If no entity receiver is specified for the workspace, the transfer is performed based on the default transfer rule after the RAM user is removed or deleted. By default, the entities that belong to the RAM user are transferred to another RAM user to which the workspace administrator role is assigned in the workspace. If no RAM users in the workspace are assigned the workspace administrator role, the entities are transferred to the Alibaba Cloud account to which the RAM user belongs. If you configure a custom transfer rule for the workspace and specify an entity receiver that is a member of the workspace in the rule, the transfer is performed based on the rule that you configure.
Trigger condition for manual transfer: If a RAM user is not deleted and remains a member of the workspace, you can go to the Entity transfer page to perform a manual transfer. If no custom transfer rule is configured for the workspace, the transfer is performed based on the default transfer rule after the RAM user is removed from the workspace or is deleted. If you configure a custom transfer rule for the workspace and specify an entity receiver that is a member of the workspace in the rule, the transfer is performed based on the rule that you configure. For more information about custom workspace-level transfer rules, see the Configure an entity transfer rule section of this topic.
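The fallback order described above can be modeled as a small decision function, which is useful when you review where a departing user's entities will land. This is an added example, not DataWorks code or a DataWorks API: the `Workspace` class, its field names, the rule labels, and the sample data are hypothetical, and choosing the alphabetically first administrator when several exist is an assumption, because the page does not say which one is chosen.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Workspace:
    # Hypothetical model of one workspace's transfer settings (not a DataWorks type).
    name: str
    owner_account: str                           # Alibaba Cloud account the RAM users belong to
    members: set = field(default_factory=set)    # membership at the time of the transfer
    admins: set = field(default_factory=set)     # RAM users with the workspace administrator role
    custom_receiver: Optional[str] = None
    custom_rule_enabled: bool = False            # custom rules are disabled by default


def resolve_receiver(ws: Workspace, original_owner: str) -> tuple:
    """Return (receiver, rule_used) for the entities owned by original_owner."""
    # A custom rule applies only if it is enabled and its receiver is still a member.
    receiver = ws.custom_receiver
    if ws.custom_rule_enabled and receiver is not None and receiver in ws.members:
        return receiver, "custom"
    # Default rule, step 1: another RAM user with the workspace administrator role.
    # Assumption: the alphabetically first one is used when there are several.
    others = sorted(u for u in ws.admins if u in ws.members and u != original_owner)
    if others:
        return others[0], "default:workspace-admin"
    # Default rule, step 2: the Alibaba Cloud account that owns the RAM user.
    return ws.owner_account, "default:account"


def fallback_report(workspaces: list, original_owner: str) -> list:
    """Names of workspaces whose enabled custom rule would not be honoured."""
    return [ws.name for ws in workspaces
            if ws.custom_rule_enabled
            and resolve_receiver(ws, original_owner)[1] != "custom"]


if __name__ == "__main__":
    # Constructed sample data: "alice" has already been removed from both workspaces.
    sample = [
        Workspace("etl_prod", "acct-main", {"bob", "carol"}, {"carol"}, "bob", True),
        Workspace("etl_dev", "acct-main", {"carol"}, set(), "dave", True),
    ]
    for ws in sample:
        print(ws.name, resolve_receiver(ws, "alice"))
    print("custom rule ignored in:", fallback_report(sample, "alice"))
```
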
If the entity receiver that you specify in a custom transfer rule is the access identity of a MaxCompute compute engine, the access identity of the MaxCompute compute engine is changed to the entity receiver after the transfer is performed based on the rule. For information about the identities that can be used to access a MaxCompute compute engine, see Create and manage workspaces.
DataWorks allows you to configure a custom workspace-level transfer rule.
Go to the Entity transfer page
Log on to the DataWorks console. In the top navigation bar, select the desired region. In the left-side navigation pane, choose . On the page that appears, click Go to Security Center.
In the left-side navigation pane of the Security Center page, choose Security policy > Entity transfer to go to the Entity transfer page.
View the entities that can be transferred
In the Instructions for use section, view the entities that can be transferred, and the trigger condition and precautions for automatic transfer.
More transferable entities will be added in the future. The list of transferable entities shown in the DataWorks console prevails.
Configure an entity transfer rule
In the Transfer rule configuration section, search for the desired workspace.
Configure an entity receiver.
In the Transfer rule configuration section, customize a transfer rule. Transfer rules are classified into the default transfer rule and custom transfer rules. Find the workspace that you want to manage and click Revised in the Transfer entity receiver column. In the Select Transfer Entity Recipient dialog box, select an entity receiver from the Please Select A Space Member drop-down list and click OK. When the transfer condition is triggered, the system performs the transfer based on the custom transfer rule that you configure. If the rule is disabled for the workspace, or the entity receiver that you specify does not exist or is removed from the workspace, the system performs the transfer based on the default transfer rule.
Default transfer rule: The default transfer rule is enabled by default and cannot be disabled. The default transfer rule takes effect if no entity receiver is specified for the workspace whose entities you want to transfer or the entity receiver specified for the workspace is invalid.
Note: If the entity receiver is removed from the workspace before the transfer, the entity receiver is considered invalid.
Custom workspace-level transfer rule: Custom workspace-level transfer rules are disabled by default. If you need to specify an entity receiver, you can select a member in a workspace as the entity receiver. You can also enable or disable a custom transfer rule based on your business requirements. If you enable a custom transfer rule, the rule takes effect when entities are transferred.
Note: If you enable a custom transfer rule, the entities that you want to transfer are preferentially transferred to the entity receiver that you specify in the rule. If the entity receiver that you specify in the rule does not exist or is removed from the workspace, the system performs the transfer based on the default transfer rule.
Turn on or off the switch in the Operation column that corresponds to the workspace to enable or disable the custom transfer rule.
If you turn on the switch, the entities that you want to transfer are transferred to the entity receiver that you specify.
Note: If the entity receiver that you specify does not exist or is removed from the workspace, the entities are transferred to the entity receiver specified in the default transfer rule.
If you turn off the switch, the entities that you want to transfer are transferred to the entity receiver specified in the default transfer rule.
Perform a transfer
If a RAM user is not deleted and remains a member of the workspace, go to the Transfer configuration tab of the Entity transfer page and click Immediate execution of referral to transfer the entities that belong to the RAM user.
In the Immediate execution of referral dialog box, select the original owner of the entities from the drop-down list and click Confirm referral. If the entity receiver that you specify is a member of the workspace, the entities are transferred to the entity receiver. Otherwise, the entities are transferred to the entity receiver specified in the default transfer rule.
View transfer logs
On the Entity transfer page, click the Transfer log tab. On the Transfer log tab, view transfer records, transfer status, the transfer operator, and the original owner of the entities.