DataWorks allows you to manage permissions on the DataWorks services and the entities in the DataWorks console by using Resource Access Management (RAM) policies. You can attach a policy to a RAM user or RAM role. This way, the permissions that are defined in the policy are granted to the RAM user or the RAM role. This topic describes the policies that can be used to manage permissions on the DataWorks services and the entities in the DataWorks console. This topic also describes how to use an Alibaba Cloud account to attach a policy to a RAM user and how to create a custom policy.

Use system policies and custom policies to manage permissions on the DataWorks services

By default, only an Alibaba Cloud account has management permissions on the DataWorks services. If you want to manage the DataWorks services as a RAM user, you can attach the system policies described in the following table to the RAM user. This way, the RAM user is granted the management permissions of an Alibaba Cloud account.
| Permission type | Effective scope | Policy | Description | References |
| --- | --- | --- | --- | --- |
| Allow (system policies) | Manage the DataWorks services | AliyunDataWorksFullAccess | After you attach this system policy to a RAM user, the RAM user can manage the DataWorks services in the same way as the Alibaba Cloud account, but the RAM user cannot purchase services. | For more information about how to grant permissions to a RAM user, see the Grant permissions to a RAM user section in this topic. |
| | Purchase resources | AliyunBSSOrderAccess | After you attach this system policy to a RAM user, the RAM user can view, pay for, and cancel orders in Billing Management. In addition, the RAM user can perform operations such as purchasing and renewing resources in the DataWorks console. | |
| Deny (custom policies) | Perform operations in DataWorks (fine-grained permission management) | Custom policies | After you attach a custom policy in which the related permissions are denied to a RAM user, the RAM user cannot log on to the DataWorks console, access DataWorks services, or call API operations. | For information about how to create a custom policy, see Custom policies used to manage permissions on the DataWorks services. For more information about how to attach a custom policy to the RAM user, see the (Optional) Create a custom policy section in this topic. |
| | Call API operations (fine-grained permission management) | | By default, RAM users that are granted the permissions on a DataWorks service can be used to call API operations of the service. If you want to prohibit a RAM user from calling all API operations, you must create a custom policy in which the permissions to call API operations are denied and attach the custom policy to the RAM user. | |
| | Access DataWorks services (fine-grained permission management) | | By default, all RAM users within an Alibaba Cloud account are members in a DataWorks tenant. The RAM users can be used to access the workspace-level services of the workspace to which the RAM users are added as members and all global-level services. You can deny the permissions to access DataWorks services for a RAM user based on your business requirements. | |

Use custom policies to manage permissions on the entities in the DataWorks console in a fine-grained manner

DataWorks allows you to manage permissions on the operations that are related to different types of entities in the DataWorks console in a fine-grained manner. The following table provides the details.
| Entity type | Operation | References |
| --- | --- | --- |
| Workspace | Create a workspace | To grant a RAM user fine-grained permissions to perform the operations that are related to different types of entities in the DataWorks console, you must create a custom policy by referring to Custom policies used to manage permissions on the entities in the DataWorks console and attach the custom policy to the RAM user by referring to the (Optional) Create a custom policy section in this topic. |
| | Modify a workspace | |
| | Delete a workspace | |
| | Disable a workspace | |
| | Enable a workspace | |
| Resource group | Show exclusive resource groups | |
| | View the details of a specific resource group | |
| | Create an exclusive resource group | |
| | Modify an exclusive resource group | |
| Alert information | List alert contacts | |
| | Modify the information of an alert contact | |
| | List alert resources | |
| | Specify an upper limit for the number of alerts that can be reported | |

Grant permissions to a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.
    You can attach a system policy or a custom policy to the RAM user. If you want to attach a custom policy to the RAM user, you must first create a custom policy. For information about the system policies and custom policies that you can attach to a RAM user, see the Use system policies and custom policies to manage permissions on the DataWorks services section in this topic.
    Note: For information about the parameters that you must configure when you grant permissions to a RAM user, see Grant permissions to the RAM user.

(Optional) Create a custom policy

To perform fine-grained permission management, you must first create a custom policy based on your business requirements. If you want to attach system policies to a RAM user or RAM role to grant coarse-grained permissions, you do not need to perform operations described in this section.

You can use your Alibaba Cloud account to create a custom policy in the RAM console. For more information, see Create a custom policy.
  • You can create a custom policy that is used to manage permissions on the DataWorks services and configure the policy document by referring to Custom policies used to manage permissions on the DataWorks services.
  • You can create a custom policy that is used to manage permissions on the entities in the DataWorks console by referring to the following figure and table.

    [Figure: Custom policy]

    | Element | Description |
    | --- | --- |
    | Action | You can configure the Action element in the custom policy by referring to the configuration of the Action element for the related entity in the Custom policies used to manage permissions on the entities in the DataWorks console section in the Create a custom policy topic. You can configure the Action element by referring to the preceding figure. |
    | Resource | You can configure the Resource element in the custom policy by referring to the configuration of the Resource element for the related entity in the Custom policies used to manage permissions on the entities in the DataWorks console section in the Create a custom policy topic. You can configure the Resource element by referring to the preceding figure. |

    Note

    When you configure the Resource element, take note of the following items:

    • When you create a custom policy, replace the content that starts with the placeholder $ in the Resource element in the preceding figure with a specific ID. For example, you must replace $regionid with the ID of a region and $accountid with the UID of an Alibaba Cloud account.
    • The asterisk (*) is a wildcard. You can replace the asterisk with specific values to narrow the scope of permission management. For example, if you replace workspace/* with workspace/workspaceid, the policy takes effect in the specified workspace.
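
The two Resource rules in the note above can be checked before a policy is attached. The following Python sketch is an added example, not code from the DataWorks documentation: it fills the $ placeholders, narrows workspace/* to one workspace, and reports any Resource entry that still contains a placeholder or a wildcard. The action name is a labelled placeholder, the ARN layout is an assumed shape built from the $regionid, $accountid and workspace/* values named in the note, and the region, account and workspace IDs used with it are constructed.

```python
import copy
import json
import re

# Constructed sample. Version/Statement/Effect/Action/Resource is the RAM policy
# layout; the action is a placeholder and the ARN shape is an assumption.
TEMPLATE = json.loads("""{
  "Version": "1",
  "Statement": [{
    "Effect": "Allow",
    "Action": "dataworks:<action-from-reference>",
    "Resource": "acs:dataworks:$regionid:$accountid:workspace/*"
  }]
}""")
PLACEHOLDER = re.compile(r"\$[A-Za-z_]+")

def _resources(stmt):
    """Resource may be a single string or a list of strings."""
    res = stmt["Resource"]
    return [res] if isinstance(res, str) else list(res)

def fill_placeholders(policy, values):
    """Copy the policy, replacing each $name in Resource that `values` defines."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        stmt["Resource"] = [
            PLACEHOLDER.sub(lambda m: values.get(m.group(0), m.group(0)), r)
            for r in _resources(stmt)]
    return out

def scope_to_workspace(policy, workspace_id):
    """Copy the policy, narrowing a trailing workspace/* to one workspace ID."""
    out = copy.deepcopy(policy)
    for stmt in out["Statement"]:
        stmt["Resource"] = [
            r[:-1] + workspace_id if r.endswith("workspace/*") else r
            for r in _resources(stmt)]
    return out

def lint_resources(policy):
    """Report Resource entries that keep a $placeholder or a wildcard."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        for r in _resources(stmt):
            if PLACEHOLDER.search(r):
                findings.append((i, stmt["Effect"], r, "unresolved placeholder"))
            if "*" in r:
                findings.append((i, stmt["Effect"], r, "wildcard"))
    return findings
```

A wildcard finding on an Allow statement means the grant covers every workspace in the account; on a Deny statement it means the denial does, so the Effect is returned with each finding.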