Help Center/ DataArts Studio/ Service Overview/ Permission Management
Updated on 2024-11-05 GMT+08:00

Permission Management

If you need to assign different permissions to employees in your enterprise to access your DataArts Studio resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your Huawei Cloud resources.

With IAM, you can use your Huawei Cloud account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, if you want to allow some software developers in your enterprise to use DataArts Studio resources but disallow them to delete workspaces or perform any high-risk operations, you can create IAM users for the software developers and grant them only the permissions required for using DataArts Studio resources.

IAM is a free service. You only pay for the resources in your account. For more information about IAM, see IAM Service Overview.

DataArts Studio Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. After authorization, the users can perform specified operations.

DataArts Studio is a project-level service deployed in specific physical regions. To assign permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing DataArts Studio, users need to switch to a region where they are authorized to use cloud services.

DataArts Studio supports only system role-based authorization and does not support policy-based authorization. To implement fine-grained permission control, DataArts Studio provides the capability of granting permissions to system roles and workspace roles. Specific operation permissions are granted to workspace roles, and workspace roles with different permissions can be customized.

IAM provides the following two authorization mechanisms: Note that DataArts Studio supports only the IAM role-based authorization and does not support the IAM policy-based authorization.
  • IAM Roles: IAM initially provides a coarse-grained authorization mechanism to define permissions based on users' job responsibilities. Only a limited number of service-level roles are available. However, traditional IAM roles are not an ideal choice for fine-grained authorization and secure access control.
  • IAM Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access.
As shown in Figure 1 and Table 1, the system-defined roles supported by DataArts Studio include DAYU Administrator and DAYU User. Workspace roles are based on the DAYU User. Permissions lists the common operations supported by DataArts Studio and the permissions granted to each role. You can select roles as required.
Figure 1 Permission system
Table 1 DataArts Studio system-defined roles

Role

Description

Type

DAYU Administrator

Instance administrator who has all management permissions on a DataArts Studio instance and its workspaces, permissions of dependent services, and service operation permissions in all workspaces.

NOTE:

Users assigned the Tenant Administrator role have all permissions for all services except IAM. In other words, users with the Tenant Administrator role can perform all operations in DataArts Studio.

System-defined role

DAYU User

Common user who has permissions to view a DataArts Studio instance and its workspaces, and the permissions of dependent services. After assigned a role, a common user has permissions of the role to perform service operations.

Workspace roles include the preset admin, developer, deployer, operator, and viewer. For details about the operation permissions of each role, see Permissions.
  • Admin: This role has all operation permissions in a workspace. You are advised to assign the admin role to the project owner, development owner, and O&M administrator.
  • Developer: This role has permissions to create and manage resources in a workspace. You are advised to assign this role to users who develop and process tasks.
  • Operator: This role has the operation permissions of services such as O&M and scheduling in a workspace, but cannot modify resources or configurations. You are advised to assign this role to users responsible for O&M management and status monitoring.
  • Viewer: This role can view data in a workspace but cannot perform any other operation. You are advised to assign this role to users who only need to view data in a workspace but do not need to perform operations.
  • Deployer: This role is unique to the enterprise mode and has permissions to release task packages in a workspace. In enterprise mode, when a developer submits a script or job version, the system generates a release task. After the developer confirms the release and the deployer approves the release request, the modified job is synchronized to the production environment.

System-defined role

Roles or Policies for DataArts Studio Console

Table 2 lists the permissions for the services on which DataArts Studio components depend. You are advised to configure the minimum DataArts Studio-level permissions of dependent services for developers. (For details, see Authorizing IAM Users to Use DataArts Studio by Complying with the Principle of Least Privilege.) Table 3 lists the minimum permissions for developers on the services on which DataArts Studio depends.

The DAYU Administrator and DAYU User already have the administrator permissions of dependent services. If the DAYU User role is assigned to a common user or user group, the common user or user group may have more permissions of dependent services than required. To prevent this risk, you can manually delete the permissions of dependent services from the user group after assigning the DAYU User role to the user group, and then assign the minimum permissions of dependent services to the user group.

Table 2 Roles or policies for the services on which the DataArts Studio console depends on

Console Function

Dependent Service

Role/Policy Required

Function

Management Center

BSS

bss:coupon:view

bss:renewal:update

bss:discount:view

bss:order:view

bss:order:pay

bss:order:update

Create incremental packages or DataArts Studio instances.

KMS

kms:cmk:get

kms:cmk:list

kms:cmk:create

kms:cmk:decrypt

kms:cmk:encrypt

kms:dek:create

kms:dek:encrypt

kms:dek:decrypt

Encrypt and decrypt data during data connection creation.

DWS

dws:cluster:list

dws:cluster:getDetail

dws:openAPICluster:getDetail

Create DWS connections.

MRS

mrs:cluster:get

mrs:cluster:list

Create MRS connections.

VPC

vpc:publicIps:get

vpc:publicIps:list

vpc:vpcs:get

vpc:subnets:get

Create MRS connections.

RDS

rds:*:get

rds:*:list

Create RDS connections.

DataArts Migration

VPC

vpc:publicIps:get

vpc:publicIps:list

vpc:vpcs:get

vpc:vpcs:list

vpc:subnets:get

vpc:securityGroups:get

vpc:firewalls:list

vpc:routeTables:list

vpc:subNetworkInterfaces:list

Create CDM clusters or DataArts Studio instances.

ECS

ecs:flavors:get

ecs:cloudServerFlavors:get

ecs:availabilityZones:list

Create CDM clusters or DataArts Studio instances.

CDM

cdm:cluster:create

Create CDM clusters.

KMS

kms:cmk:get

kms:cmk:list

kms:cmk:create

kms:cmk:decrypt

kms:cmk:encrypt

kms:dek:create

kms:dek:encrypt

kms:dek:decrypt

Encrypt and decrypt data during data connection creation.

MRS

mrs:cluster:get

mrs:cluster:list

mrs:job:get

mrs:job:list

Create MRS connections.

DWS

dws:cluster:list

dws:cluster:getDetail

dws:openAPICluster:getDetail

Create DWS connections.

CDM

cdm:cluster:get

cdm:cluster:list

cdm:link:operate

cdm:job:operate

Perform operations on the CDM console.

CES

ces:*:get

ces:*:list

View monitoring data in Cloud Eye.

CSS

css:*:get

css:*:list

Create CSS connections.

CloudTable

cloudtable:*:get

cloudtable:*:list

Create CloudTable connections.

RDS

rds:*:get

rds:*:list

Create RDS connections.

Config

rms:resources:list

Create CDM clusters.

DataArts Factory

OBS

obs:object:GetObject

obs:object:PutObject

obs:bucket:GetBucketLocation

obs:bucket:ListAllMyBuckets

obs:bucket:ListBucket

obs:bucket:CreateBucket

Run scripts, run jobs, and back up jobs.

SMN

smn:topic:publish

smn:topic:list

Send job notifications.

KMS

kms:cmk:get

kms:cmk:list

kms:cmk:create

kms:cmk:decrypt

kms:cmk:encrypt

kms:dek:create

kms:dek:encrypt

kms:dek:decrypt

Encrypt and decrypt data during data connection creation.

MRS

mrs:cluster:get

mrs:cluster:list

mrs:job:submit

mrs:job:delete

mrs:job:stop

mrs:sql:execute

mrs:sql:cancel

mrs:job:get

mrs:job:list

Run the following MRS job nodes:

MRS Presto SQL, MRS Spark, MRS Spark Python, MRS Flink Job, and MRS MapReduce

MRS Spark SQL and MRS Hive SQL

DLI

dli:queue:submitJob

dli:jobs:create

dli:jobs:update

dli:jobs:get

dli:jobs:list

dli:jobs:listAll

Run the following DLI job nodes:

DLI SQL and DLI Spark

OBS

obs:object:GetObject

obs:object:PutObject

obs:object:DeleteObject

obs:bucket:GetBucketLocation

obs:bucket:ListAllMyBuckets

obs:bucket:ListBucket

obs:bucket:ListBucketVersions

obs:bucket:CreateBucket

obs:bucket:DeleteBucket

Run the following OBS job nodes:

Create OBS, Delete OBS, and OBS Manager

DWS

dws:cluster:list

dws:cluster:getDetail

dws:openAPICluster:getDetail

Create DWS connections.

CDM

cdm:cluster:get

cdm:cluster:list

cdm:job:operate

Run the Agent-related scripts and jobs required by data connections and run CDM jobs:

RDS SQL, DWS SQL, Hive SQL, SPARK SQL, Shell, and Python

CES

ces:metricData:list

Query the CPU usage of the DLI queue on the Overview page.

GES

ges:graph:access

ges:graph:operate

ges:graph:list

ges:graph:getDetail

ges:metadata:create

ges:metadata:operate

ges:metadata:delete

ges:metadata:list

ges:metadata:getDetail

ges:jobs:list

ges:jobs:getDetail

Run the Import GES job node.

ECS

ecs:servers:list

ecs:servers:get

ecs:servers:stop

ecs:servers:start

ecs:cloudServers:list

Run the Open/Close Resource job node and create host connections.

DLI

dli:queue:submitJob

dli:queue:cancelJob

dli:group:useGroup

dli:group:getGroup

dli:group:updateGroup

dli:group:deleteGroup

dli:group:listAllGroup

dli:database:createDatabase

dli:database:dropDatabase

dli:database:displayDatabase

dli:database:displayAllDatabases

dli:database:explain

dli:database:createView

dli:database:createTable

dli:database:displayAllTables

dli:database:createFunction

dli:database:describeFunction

dli:database:showFunctions

dli:database:dropFunction

dli:table:select

dli:table:update

dli:table:delete

dli:table:dropTable

dli:table:describeTable

dli:table:showCreateTable

dli:table:showPartitions

dli:table:showSegments

dli:table:showTableProperties

dli:table:insertOverwriteTable

dli:table:insertIntoTable

dli:table:compaction

dli:table:truncateTable

dli:table:alterView

dli:table:alterTableRename

dli:table:alterTableAddColumns

dli:table:alterTableDropColumns

dli:table:alterTableChangeColumn

dli:table:alterTableSetLocation

dli:table:alterTableAddPartition

dli:table:alterTableRenamePartition

dli:table:alterTableSetProperties

dli:table:alterTableRecoverPartition

dli:table:alterTableDropPartition

dli:column:select

dli:jobs:create

dli:jobs:delete

dli:jobs:start

dli:jobs:stop

dli:jobs:update

dli:jobs:export

dli:jobs:get

dli:jobs:list

dli:jobs:listAll

dli:resource:useResource

dli:resource:updateResource

dli:resource:deleteResource

dli:resource:getResource

dli:resource:listAllResource

dli:variable:update

dli:variable:delete

Run DLI jobs/scripts.

IAM

iam:agencies:listAgencies

Obtain job agencies.

DIS

DIS Operator

DIS User

Run the following DIS job nodes:

DIS Stream, DIS Dump, and DIS Client

SWR

SWR Admin

The image read permission in SWR is required only when a custom image is selected for a DLI Spark node of a job in DataArts Factory.

You are advised to add the read permission of the image by referring to User Permissions. You are not advised to directly assign the SWR Admin system role to users because this may result in excessive permissions.

DataArts Catalog

OBS

obs:object:GetObject

obs:bucket:GetBucketStorage

obs:bucket:GetBucketLocation

obs:bucket:ListAllMyBuckets

obs:bucket:ListBucket

Collect OBS metadata.

DIS

dis:streams:list

dis:transferTasks:list

Collect DIS metadata.

CSS

css:cluster:list

Collect CSS metadata.

GES

ges:graph:list

ges:graph:getDetail

ges:metadata:list

ges:metadata:getDetail

Collect GES metadata.

DLI

dli:database:displayDatabase

dli:database:displayAllDatabases

dli:table:select

dli:table:describeTable

dli:table:showPartitions

dli:table:showTableProperties

dli:jobs:create

dli:jobs:get

Collect DLI metadata and analyze data in summary.

CDM

cdm:cluster:list

Collect CSS metadata.

DataArts Quality

SMN

smn:topic:publish

smn:topic:list

Configure job notifications.

OBS

obs:object:GetObject

obs:object:PutObject

obs:bucket:GetBucketLocation

obs:bucket:ListAllMyBuckets

obs:bucket:ListBucket

obs:bucket:CreateBucket

Export quality reports.

MRS

mrs:job:submit

mrs:sql:execute

mrs:sql:cancel

mrs:job:get

Run MRS quality jobs.

DLI

dli:queue:submitJob

dli:jobs:get

dli:jobs:listAll

Run DLI quality jobs.

DataArts Security

DLI

dli:queue:submitJob

dli:queue:cancelJob

dli:database:displayDatabase

dli:database:displayAllDatabases

dli:database:displayAllTables

dli:table:describeTable

dli:jobs:create

dli:jobs:stop

dli:jobs:get

dli:resource:deleteResource

dli:resource:getResource

dli:resource:listAllResource

Manage DLI permissions.

DWS

dws:cluster:list

dws:cluster:getDetail

dws:openAPICluster:getDetail

Manage DWS permissions.

MRS

mrs:cluster:list

mrs:job:submit

mrs:job:stop

Manage MRS permissions.

KMS

kms:cmk:list

kms:cmk:encrypt

kms:cmk:decrypt

Encrypt and decrypt data using KMS.

CDM

Any CDM permission, for example, cdm:cluster:get

Manage DWS and MRS permissions.

Table 3 Minimum permissions for developers on the services on which DataArts Studio depends

Permission Type

Role/Policy-based permissions–system role

Role/Policy-based permissions–custom policy

Role/Policy-based permissions–custom policy

Mandatory

Mandatory

Mandatory

Mandatory

Permission

  • DIS Operator
  • DIS User
  • (Optional and not recommended) SWR Admin
    NOTE:

    The image read permission in SWR is required only when a custom image is selected for a DLI Spark node of a job in DataArts Factory.

    You are advised to add the read permission of the image by referring to User Permissions. You are not advised to directly assign the SWR Admin system role to users because this may result in excessive permissions.

DataArtsStudio_PermissionsOfDependentServices_global: custom policy for a global dependent cloud service
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:object:GetObject",
                "obs:object:PutObject",
                "obs:object:DeleteObject",
                "obs:bucket:GetBucketStorage",
                "obs:bucket:GetBucketLocation",
                "obs:bucket:ListAllMyBuckets",
                "obs:bucket:ListBucket",
                "obs:bucket:ListBucketVersions",
                "obs:bucket:CreateBucket",
                "obs:bucket:DeleteBucket",
                "rms:resources:list",
                "iam:agencies:listAgencies"
            ]
        }
    ]
}
DataArtsStudio_PermissionsOfDependentServices_region: custom policy for a regional dependent cloud service
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cdm:cluster:get",
                "cdm:cluster:list",
                "cdm:cluster:create",
                "cdm:link:operate",
                "cdm:job:operate",
                "ces:*:get",
                "ces:*:list",
                "cloudtable:*:get",
                "cloudtable:*:list",
		"css:*:get",
                "css:*:list",
                "dis:streams:list",
                "dis:transferTasks:list",
                "dli:queue:submitJob",
                "dli:queue:cancelJob",
                "dli:table:insertOverwriteTable",
                "dli:table:insertIntoTable",
                "dli:table:alterView",
                "dli:table:alterTableRename",
                "dli:table:compaction",
                "dli:table:truncateTable",
                "dli:table:alterTableDropColumns",
                "dli:table:alterTableSetProperties",
                "dli:table:alterTableChangeColumn",
                "dli:table:showSegments",
                "dli:table:alterTableRecoverPartition",
                "dli:table:dropTable",
                "dli:table:update",
                "dli:table:alterTableDropPartition",
                "dli:table:alterTableAddPartition",
                "dli:table:alterTableAddColumns",
                "dli:table:alterTableRenamePartition",
                "dli:table:delete",
                "dli:table:alterTableSetLocation",
                "dli:table:describeTable",
                "dli:table:showPartitions",
                "dli:table:showCreateTable",
                "dli:table:showTableProperties",
                "dli:table:select",
                "dli:resource:updateResource",
                "dli:resource:useResource",
                "dli:resource:getResource",
                "dli:resource:listAllResource",
                "dli:resource:deleteResource",
                "dli:database:explain",
                "dli:database:createDatabase",
                "dli:database:dropFunction",
                "dli:database:createFunction",
                "dli:database:displayAllDatabases",
		"dli:database:displayAllTables",
                "dli:database:displayDatabase",
                "dli:database:describeFunction",
                "dli:database:createView",
                "dli:database:createTable",
                "dli:database:showFunctions",
                "dli:database:dropDatabase",
                "dli:group:useGroup",
                "dli:group:updateGroup",
                "dli:group:listAllGroup",
                "dli:group:getGroup",
                "dli:group:deleteGroup",
                "dli:column:select",
                "dli:jobs:start",
                "dli:jobs:export",
                "dli:jobs:update",
                "dli:jobs:list",
                "dli:jobs:listAll",
                "dli:jobs:get",
                "dli:jobs:delete",
                "dli:jobs:create",
                "dli:jobs:stop",
		"dli:variable:update",
		"dli:variable:delete",
                "dws:cluster:list",
                "dws:cluster:getDetail",
                "dws:openAPICluster:getDetail",
                "ecs:servers:get",
		"ecs:servers:list",	
                "ecs:servers:stop",
                "ecs:servers:start",
		"ecs:flavors:get",
                "ecs:cloudServerFlavors:get",
                "ecs:cloudServers:list",
                "ecs:availabilityZones:list", 
                "ges:graph:access",
                "ges:metadata:create",
                "ges:jobs:list",
                "ges:graph:operate",
                "ges:jobs:getDetail",
                "ges:graph:getDetail",
                "ges:graph:list",
                "ges:metadata:list",
                "ges:metadata:getDetail",
                "ges:metadata:delete",
                "ges:metadata:operate",
                "kms:cmk:get",
                "kms:cmk:list",
                "kms:cmk:create",
                "kms:cmk:decrypt",
                "kms:cmk:encrypt",
                "kms:dek:create",
                "kms:dek:encrypt",
                "kms:dek:decrypt",
                "mrs:cluster:get",
                "mrs:cluster:list",
                "mrs:job:get",
                "mrs:job:list",
                "mrs:job:submit",
                "mrs:job:stop",
                "mrs:job:delete",
                "mrs:sql:execute",
                "mrs:sql:cancel",
                "rds:*:get",
                "rds:*:list",
                "smn:topic:publish",
                "smn:topic:list",
		"vpc:publicIps:list",
                "vpc:publicIps:get",
                "vpc:vpcs:get",
                "vpc:vpcs:list",
                "vpc:subnets:get",
                "vpc:securityGroups:get",
                "vpc:firewalls:list",
                "vpc:routeTables:list",
                "vpc:subNetworkInterfaces:list"
            ]
        }
    ]
}