Applying for Permissions and Reviewing Permission Requests
During access permission management, you can grant permissions to users through permission sets or roles, or apply for permissions and approve permission applications.
This section describes how an applicant applies for permissions (Applying for Permissions) and how a reviewer reviews permission requests (Reviewing Permission Requests) and revokes permissions (Revoking Permissions).
Prerequisites
- Before applying for permissions, you have configured a workspace permission set. For details, see Configuring Workspace Permission Sets.
- Before applying for permissions, you have collected the metadata of the data connection in DataArts Catalog. For details, see Metadata Collection Task.
Constraints
- You can only apply for the SELECT permission for querying data in tables. Before applying for the permission, ensure that the SELECT permission for all columns in the target table has been configured in the workspace permission set.
- Only the DAYU Administrator, Tenant Administrator, data security administrator, and workspace administrator can revoke permissions from other users.
- If you apply for the permission of multiple tables at a time, multiple requests are generated.
- You can only view your permission requests and approval records, and cannot audit permissions.
- You can apply for DLI permissions for users but not for user groups.
- During permission synchronization, you need to configure required permissions for the dlg_agency. For details, see Preparation 1: Authorizing dlg_agency.
- The current data permission control uses the allowlist mechanism, which adds operation conditions to the users to be authorized without affecting the permissions the users already have. If you only want to make the permissions granted by the data permission control take effect, you need to revoke the original permissions of the users to be authorized. For details, see Data Permission Management.
- During script execution and job testing in DataArts Factory, the MRS or GaussDB(DWS) data source uses the account of the data connection for authentication by default. Therefore, permission management still does not take effect during data development. You need to enable a permission application so that the current user is used for authentication during script execution and job testing in DataArts Factory. In this way, different users have different data permissions, and permission management for roles and permission sets takes effect.
Applying for Permissions
- On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.
Figure 1 DataArts Security
- In the left navigation pane, choose .
- On the Data permission request page, click Create to create a service ticket for applying for permissions.
Figure 2 Creating a permission request
- On the displayed Data permission request page, fill in the service ticket by referring to Table 1.
Figure 3 Filling in the service ticket
Table 1 Parameters for the permission request Item
Description
Basic information
*Workspace
Select a workspace for which a workspace permission set has been configured.
*Workspace Permission Sets
Select a workspace permission set that contains the required resource permissions.
*Data Source
Select MRS Hive, DLI, or DWS.
*Cluster Name
Select the cluster of the requested resource permissions.
*Data Connection
Select the data connection of the requested resource permissions.
Resource selection
*Available Resources
After selecting a database in the navigation tree, select the required data tables. You can select tables in different databases.
NOTE:You can only apply for the SELECT permission for querying data in tables. Before applying for the permission, ensure that the SELECT permission for all columns in the selected table has been configured in the workspace permission set.
If Fast mode is enabled, metadata of databases, tables, and columns is obtained from DataArts Catalog. Otherwise, metadata is obtained from the data source. You are advised to enable Fast mode.
*Selected Resources
In the list of selected resources, you can view the selected tables, permissions, and reviewers.
NOTE:The reviewers are the administrators of permission sets or roles. For example, if the SELECT permission for all columns in the selected table is defined in the workspace permission set, permission set A, and role B, the reviewer can be the administrator of permission set A or role B. If the SELECT permission for all columns in the selected table is only defined in the workspace permission set, the reviewer is the administrator of the workspace permission set.
Request information
For myself
If you select this option, you can apply for the selected resource permissions for yourself.
Workspace Account
If a public IAM account for scheduling has been configured in DataArts Factory, you can apply for the selected resource permissions for the workspace account.
For others
Select members in the workspace and apply for the selected resource permissions for them.
*Request Reason
Enter the reason for applying for the permissions so that the reviewer can determine whether to approve your request.
- After filling in the service ticket, click Submit to generate a service ticket to be reviewed. In the service ticket list, you can view the service ticket ID, summary, and status. You can click the service ticket ID to view the ticket details. You can also withdraw service tickets that have not been approved.
Figure 4 Service ticket list
Reviewing Permission Requests
- On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.
Figure 5 DataArts Security
- In the left navigation pane, choose .
- Click the Permission Review tab.
Figure 6 Permission Review
- The Permission Review page displays the service tickets to be reviewed. You can view the service ticket ID, summary, and status, and click the service ticket ID to view the ticket details. Review the service ticket based on service rationality and data security, and click Approve or Reject. You can also select service tickets and click Batch Review above the list to approve or reject service tickets in batches.
- Click the Reviewed tab to view the service tickets that have been approved.
Figure 7 List of approved service tickets
Revoking Permissions
- On the DataArts Studio console, locate an instance and click Access. On the displayed page, locate a workspace and click DataArts Security.
Figure 8 DataArts Security
- In the left navigation pane, choose .
- Click the Revoking permissions tab.
Figure 9 Revoking permissions tab
- The Revoking permissions page displays the data permissions you have obtained. You can filter permissions by Workspace, Member Name, Database Name, or Table Name (fuzzy match is supported). Locate a permission and click Reclaim in the Operation column to delete the permission.
Only the DAYU Administrator, Tenant Administrator, workspace administrator, and data security administrator can revoke data permissions of users in the corresponding workspace.Figure 10 Revoking permissions
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
