Updated on 2024-10-23 GMT+08:00

Applying for Permissions and Reviewing Permission Requests

During access permission management, you can grant permissions to users through permission sets or roles, or apply for permissions and approve permission applications.

This section describes how an applicant applies for permissions (Applying for Permissions) and how a reviewer reviews permission requests (Reviewing Permission Requests) and revokes permissions (Revoking Permissions).

Prerequisites

Constraints

  • You can only apply for the SELECT permission for querying data in tables. Before applying for the permission, ensure that the SELECT permission for all columns in the target table has been configured in the workspace permission set.
  • Only the DAYU Administrator, Tenant Administrator, data security administrator, and workspace administrator can revoke permissions from other users.
  • If you apply for the permission of multiple tables at a time, multiple requests are generated.
  • You can only view your permission requests and approval records, and cannot audit permissions.
  • You can apply for DLI permissions for users but not for user groups.
  • During permission synchronization, you need to configure required permissions for the dlg_agency. For details, see Authorizing dlg_agency.
  • The current data permission control uses the allowlist mechanism, which adds operation conditions to the users to be authorized without affecting the permissions the users already have. If you only want to make the permissions granted by the data permission control take effect, you need to revoke the original permissions of the users to be authorized. For details, see Data Permission Management.
  • During script execution and job testing in DataArts Factory, the MRS or GaussDB(DWS) data source uses the account of the data connection for authentication by default. Therefore, permission management still does not take effect during data development. You need to enable fine-grained authentication so that the current user is used for authentication during script execution and job testing in DataArts Factory. In this way, different users have different data permissions, and permission management for roles and permission sets takes effect.

Applying for Permissions

  1. On the DataArts Studio console, locate a workspace and click DataArts Security.
  2. In the left navigation pane, choose Permission Review.
  3. On the Data permission request page, click Create to create a service ticket for applying for permissions.

    Figure 1 Creating a permission request

  4. On the displayed Data permission request page, fill in the service ticket by referring to Table 1.

    Figure 2 Filling in the service ticket

    Table 1 Parameters for the permission request

    Item

    Description

    Basic information

    *Workspace

    Select a workspace for which a workspace permission set has been configured.

    *Workspace Permission Sets

    Select a workspace permission set that contains the required resource permissions.

    *Data Source

    Select MRS Hive, DLI, or DWS.

    *Cluster Name

    Select the cluster of the requested resource permissions.

    *Data Connection

    Select the data connection of the requested resource permissions.

    Resource selection

    *Available Resources

    After selecting a database in the navigation tree, select the required data tables. You can select tables in different databases.

    NOTE:

    You can only apply for the SELECT permission for querying data in tables. Before applying for the permission, ensure that the SELECT permission for all columns in the selected table has been configured in the workspace permission set.

    If Fast mode is enabled, metadata of databases, tables, and columns is obtained from DataArts Catalog. Otherwise, metadata is obtained from the data source. You are advised to enable Fast mode.

    *Selected Resources

    In the list of selected resources, you can view the selected tables, permissions, and reviewers.

    NOTE:

    The reviewers are the administrators of permission sets or roles by default. For example, if the SELECT permission for all columns in the selected table is defined in the workspace permission set, permission set A, and role B, the reviewer can be the administrator of permission set A or role B. If the SELECT permission for all columns in the selected table is only defined in the workspace permission set, the reviewer is the administrator of the workspace permission set.

    Request information

    For myself

    If you select this option, you can apply for the selected resource permissions for yourself.

    Workspace Account

    If a public IAM account for scheduling has been configured in DataArts Factory, you can apply for the selected resource permissions for the workspace account.

    For others

    Select members in the workspace and apply for the selected resource permissions for them.

    *Request Reason

    Enter the reason for applying for the permissions so that the reviewer can determine whether to approve your request.

  5. After filling in the service ticket, click Submit to generate a service ticket to be reviewed. In the service ticket list, you can view the service ticket ID, summary, and status. You can click the service ticket ID to view the ticket details. You can also withdraw service tickets that have not been approved.

    Figure 3 Service ticket list

Reviewing Permission Requests

  1. On the DataArts Studio console, locate a workspace and click DataArts Security.
  2. In the left navigation pane, choose Permission Review.
  3. Click the Permission Review tab.

    Figure 4 Permission Review

  4. The Permission Review page displays the service tickets to be reviewed. You can view the service ticket ID, summary, and status, and click the service ticket ID to view the ticket details. Review the service ticket based on service rationality and data security, and click Approve or Reject. You can also select service tickets and click Batch Review above the list to approve or reject service tickets in batches.
  5. Click the Reviewed tab to view the service tickets that have been approved.

    Figure 5 List of approved service tickets

Revoking Permissions

  1. On the DataArts Studio console, locate a workspace and click DataArts Security.
  2. In the left navigation pane, choose Permission Review.
  3. Click the Revoking permissions tab.

    Figure 6 Revoking permissions tab

  4. The Revoking permissions page displays the data permissions you have obtained. You can filter permissions by Workspace, Member Name, Database Name, or Table Name (fuzzy match is supported). Locate a permission and click Reclaim in the Operation column to delete the permission.

    Only the DAYU Administrator, Tenant Administrator, workspace administrator, and data security administrator can revoke data permissions of users in the corresponding workspace.
    Figure 7 Revoking permissions