DataWorks allows you to manage permissions on the DataWorks services and the entities in the DataWorks console by using Resource Access Management (RAM) policies. You can attach a policy to a RAM user or RAM role. This way, the permissions that are defined in the policy are granted to the RAM user or the RAM role. This topic describes the policies that can be used to manage permissions on the DataWorks services and the entities in the DataWorks console. This topic also describes how to use an Alibaba Cloud account to attach a policy to a RAM user and how to create a custom policy.
Use system policies and custom policies to manage permissions on the DataWorks services
Permission type | Effective scope | Policy | Description | References |
---|---|---|---|---|
Allow (system policies) | Manage the DataWorks services | AliyunDataWorksFullAccess | After you attach this system policy to a RAM user, the RAM user can manage the DataWorks services in the same way as the Alibaba Cloud account, but the RAM user cannot purchase services. | For more information about how to grant permissions to a RAM user, see the Grant permissions to a RAM user section in this topic. |
Allow (system policies) | Purchase resources | AliyunBSSOrderAccess | After you attach this system policy to a RAM user, the RAM user can view, pay for, and cancel orders in Billing Management, and can purchase and renew resources in the DataWorks console. | Same as above. |
Deny (custom policies) | Perform operations in DataWorks (fine-grained permission management) | Custom policies | After you attach a custom policy that denies the related permissions to a RAM user, the RAM user can no longer perform the denied operations, such as logging on to the DataWorks console, accessing DataWorks services, or calling API operations. | For information about how to create a custom policy, see Custom policies used to manage permissions on the DataWorks services. For information about how to attach a custom policy to the RAM user, see the (Optional) Create a custom policy section in this topic. |
Deny (custom policies) | Call API operations (fine-grained permission management) | Custom policies | By default, a RAM user that is granted permissions on a DataWorks service can call the API operations of that service. To prohibit a RAM user from calling any API operation, create a custom policy that denies the permissions to call API operations and attach it to the RAM user. | Same as above. |
Deny (custom policies) | Access DataWorks services (fine-grained permission management) | Custom policies | By default, all RAM users within an Alibaba Cloud account are members of the DataWorks tenant. A RAM user can access the workspace-level services of the workspaces to which it is added as a member, and all global-level services. You can deny a RAM user access to DataWorks services based on your business requirements. | Same as above. |
Use custom policies to manage permissions on the entities in the DataWorks console in a fine-grained manner
Entity type | Operation | References |
---|---|---|
Workspace | | To grant a RAM user fine-grained permissions to perform the operations that are related to different types of entities in the DataWorks console, create a custom policy by referring to Custom policies used to manage permissions on the entities in the DataWorks console, and attach the custom policy to the RAM user by referring to the (Optional) Create a custom policy section in this topic. |
Resource group | | Same as above. |
Alert information | | Same as above. |
Grant permissions to a RAM user
- Log on to the RAM console with an Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant permissions to the RAM user. You can attach a system policy or a custom policy to the RAM user. If you want to attach a custom policy to the RAM user, you must first create the custom policy. For information about the system policies and custom policies that you can attach to a RAM user, see the Use system policies and custom policies to manage permissions on the DataWorks services section in this topic.
Note: For information about the parameters that you must configure when you grant permissions to a RAM user, see Grant permissions to the RAM user.
(Optional) Create a custom policy
To perform fine-grained permission management, you must first create a custom policy based on your business requirements. If you want to attach system policies to a RAM user or RAM role to grant coarse-grained permissions, you do not need to perform operations described in this section.
- You can create a custom policy that is used to manage permissions on the DataWorks services and configure the policy document by referring to Custom policies used to manage permissions on the DataWorks services.
- You can create a custom policy that is used to manage permissions on the entities in the DataWorks console by referring to the following figure and table.
Element | Description |
---|---|
Action | Configure the Action element in the custom policy by referring to the configuration of the Action element for the related entity in the Custom policies used to manage permissions on the entities in the DataWorks console section of the Create a custom policy topic, and to the preceding figure. |
Resource | Configure the Resource element in the custom policy by referring to the configuration of the Resource element for the related entity in the Custom policies used to manage permissions on the entities in the DataWorks console section of the Create a custom policy topic, and to the preceding figure. |
Note: When you configure the Resource element, take note of the following items:
- When you create a custom policy, replace each value that starts with the placeholder `$` in the Resource element in the preceding figure with a specific ID. For example, replace `$regionid` with the ID of a region and `$accountid` with the UID of an Alibaba Cloud account.
- The asterisk (`*`) is a wildcard. You can replace the asterisk with specific values to narrow the scope of the policy. For example, if you replace `workspace/*` with `workspace/workspaceid`, the policy takes effect only in the specified workspace.
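The following Python script is an added example and is not part of the DataWorks documentation or of any Alibaba Cloud SDK. It ties together the two preceding points: it renders a custom Deny policy from a template after filling in the `$regionid`, `$accountid` and `workspace/*` placeholders, rejects a document in which a placeholder was left unresolved, and then evaluates requests against an Allow policy shaped like AliyunDataWorksFullAccess together with the Deny policy, showing that the explicit Deny overrides the Allow for the one workspace while other workspaces remain allowed and purchasing actions are not covered by the DataWorks Allow at all. The Resource string form `acs:dataworks:<region>:<account>:workspace/<id>`, the `dataworks:*` action pattern, the action names `dataworks:SomeOperation` and `bss:PayOrder`, and every ID are assumptions for illustration; take the real Action and Resource values from the Custom policies topics referenced above before attaching a policy.

```python
import json
import re
from string import Template
from typing import Dict, List, Union

# Constructed template of a custom Deny policy in the RAM policy language. The
# Resource string follows the acs:<service>:<region>:<account>:<resource> form
# with the $regionid, $accountid and workspace placeholders discussed above;
# the exact DataWorks action and resource names are assumptions, not values
# taken from the DataWorks documentation.
DENY_TEMPLATE = """{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["dataworks:*"],
      "Resource": ["acs:dataworks:$regionid:$accountid:workspace/$workspaceid"]
    }
  ]
}"""

# Stand-in for an Allow system policy such as AliyunDataWorksFullAccess:
# only its shape (Allow on all DataWorks actions) is modelled here.
FULL_ACCESS: Dict = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["dataworks:*"], "Resource": ["*"]}],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """Action and Resource may be written as one string or as a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def validate_policy(policy: Dict) -> None:
    """Reject documents RAM would reject or that would not mean what the author
    intended: wrong Version, unknown Effect, or a $placeholder never replaced."""
    if policy.get("Version") != "1":
        raise ValueError("RAM policy Version must be the string '1'")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        for key in ("Action", "Resource"):
            for value in _as_list(stmt[key]):
                if "$" in value:
                    raise ValueError(f"unresolved placeholder in {key}: {value}")


def render_deny_policy(regionid: str, accountid: str, workspaceid: str = "*") -> Dict:
    """Fill the placeholders in DENY_TEMPLATE. Leaving workspaceid as '*' keeps the
    wildcard (every workspace); passing a workspace ID narrows the Deny to it.
    Template.substitute raises KeyError for any placeholder that is not supplied,
    so a template edit that adds a new placeholder cannot slip through silently."""
    rendered = Template(DENY_TEMPLATE).substitute(
        regionid=regionid, accountid=accountid, workspaceid=workspaceid
    )
    policy = json.loads(rendered)
    validate_policy(policy)
    return policy


def _wildcard_match(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard. fnmatch is deliberately not used,
    because it would also give '?' and '[...]' a special meaning."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def evaluate(policies: List[Dict], action: str, resource: str) -> str:
    """Simplified RAM evaluation: an explicit Deny in any attached policy wins over
    every Allow, and a request that no statement matches is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    # Constructed region, account UID and workspace IDs; the action name is hypothetical.
    deny_one_workspace = render_deny_policy("cn-shanghai", "1234567890123456", "12345")
    print(json.dumps(deny_one_workspace, indent=2))
    attached = [FULL_ACCESS, deny_one_workspace]
    for ws in ("12345", "67890"):
        res = f"acs:dataworks:cn-shanghai:1234567890123456:workspace/{ws}"
        print(ws, evaluate(attached, "dataworks:SomeOperation", res))
```

The Deny-wins rule is what makes a custom Deny policy a reliable guardrail on top of a broad system policy such as AliyunDataWorksFullAccess, and it is also why narrowing `workspace/*` matters: with the wildcard left in place, the same Deny statement would lock the RAM user out of every workspace in the account rather than the one you meant.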