Overview
Scenario
When using DLI on public cloud, enterprise users need to manage DLI resources (queues) used by employees in different departments, including creating, deleting, using, and isolating resources. In addition, data of different departments needs to be managed, including data isolation and sharing.
DLI works with the Identity and Access Management (IAM) service to implement enterprise-class fine-grained permissions for employees. IAM provides identity authentication, permissions management, and access control, helping you securely access to your public cloud resources.
With IAM, you can use your public cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use DLI resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using DLI resources.
For a new user, you need to log in for the system to record the metadata before using DLI.
IAM can be used free of charge. You pay only for the resources in your account. For more information about IAM, see the IAM Service Overview.
If your public cloud account does not need individual IAM users for permissions management, skip this chapter.
DLI Permissions
Table 1 lists all the system-defined roles and policies supported by DLI.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. This mechanism provides only a limited number of service-level roles for authorization. When using roles to grant permissions, you need to also assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization, meeting requirements for secure access control. For example, you can grant DLI users only the permissions for managing a certain type of ECSs.
For details about the system policies you need to perform common SQL operations, see Common Operations Supported by DLI System Policy.
| Role/Policy Name | Description | Category | Authorization Method |
|---|---|---|---|
| DLI FullAccess | Full permissions for DLI. | System-defined policy | For details, see Creating a User and Granting Permissions, Creating a Sub-user, and Modifying a User Policy. |
| DLI ReadOnlyAccess | Read-only permissions for DLI. | System-defined policy | |
| Tenant Administrator | Tenant administrator
| System-defined role | |
| DLI Service Admin | DLI administrator
| System-defined role |
Permission types
| Permission Category | Subtype | Console Operations | SQL Syntax | API Definition |
|---|---|---|---|---|
| Queue Permissions | Queue management permissions | For details, see Queue Permission Management. | None | For details, see Granting Users with the Queue Usage Permission in the Data Lake Insight API Reference. |
| Queue usage permission | ||||
| Data Permissions | Database permissions | For details, see Database Permission Management and Table Permission Management. | For details, see Permission List in the Data Lake Insight SQL Syntax Reference. | For details, see Granting Users with the Data Usage Permission in the Data Lake Insight API Reference. |
| Table permissions | ||||
| Column permissions | ||||
| Job Permissions | Flink job permissions | For details, see Managing Flink Job Permissions. | None | For details, see Granting Users with the Data Usage Permission in the Data Lake Insight API Reference. |
| Package Permissions | Package group permissions | For details, see Managing Permissions on Packages and Package Groups. | None | For details, see Granting Users with the Data Usage Permission in the Data Lake Insight API Reference. |
| Package permissions | ||||
| Datasource Connection Permissions | Datasource connection permissions | For details, see Managing Datasource Connection Permissions. | None | For details, see Granting Users with the Data Usage Permission in the Data Lake Insight API Reference. |
Examples
An Internet company mainly provides game and music services. DLI is used to analyze user behaviors and assist decision making.
As shown in Figure 1, the Leader of the Basic Platform Team has applied for a Tenant Administrator account to manage and use public cloud services. Since the Big Data Platform Team needs DLI for data analysis, the Leader of the Basic Platform Team adds a subaccount with the permission of DLI Service Admin to manage and use DLI. The Leader of the Basic Platform Team creates a Queue A and assigns it to Data Engineer A to analyze the gaming data. He also assigns a Queue B to Data Engineer B to analyze the music data. Besides granting the queue usage permission, the Leader of the Basic Platform Team grants data (except the database) management and usage permissions to the two engineers.
The Data Engineer A creates a table named gameTable for storing game prop data and a table named userTable for storing game user data. The music service is a new service. To explore potential music users among existing game users, the Data Engineer A assigns the query permission on the userTable to the Data Engineer B. In addition, Data Engineer B creates a table named musicTable for storing music copyrights information.
Table 3 describes the queue and data permissions of Data Engineer A and Data Engineer B.
| User | Data Engineer A (game data analysis) | Data Engineer B (music data analysis) |
|---|---|---|
| Queues | Queue A (queue usage permission) | Queue B (queue usage permission) |
| Data (Table) | gameTable (table management and usage permission) | musicTable (table management and usage permission) |
| userTable (table management and usage permission) | userTable (table query permission) |
The queue usage permission includes job submitting and terminating permissions.
Last Article: Permissions Management
Next Article: Creating a User and Granting Permissions
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.