Updated on 2024-10-23 GMT+08:00

Configuring Permission Sets

In data access permission management, permissions are usually organized into multiple levels, such as those for level-1, level-2, and level-3 departments. DataArts Security provides a top-down hierarchical mode for data permission management. You can configure the maximum permissions in the workspace through a workspace permission set. Then, you can split the workspace permission set into permission sets for refined permission management.

A permission set directly associates users and permissions. A workspace permission set is special as it has no parent permission set. It defines the permissions for the entire workspace. Each child permission set defined in the workspace permission set has a parent permission set, and the permissions of a child permission set are a subset of its parent permission set's permissions.

Both a workspace permission set and a permission set directly associate users with permissions, but they differ in the following aspects:
  • A workspace permission set is a top-level permission set that has no parent permission set. Generally, you only need to create one workspace permission set for each workspace. In contrast, a permission set must be associated with a parent permission set, which can be a workspace permission set or another permission set. You can create multiple permission sets to associate users with different permissions in different scenarios.
  • A workspace permission set mainly determines the permissions of a workspace, while a permission set is mainly used to manage permissions. A workspace permission set does not require permission synchronization and cannot be associated with roles. A permission set supports permission synchronization, which can be used for permission management, but associating a permission set with roles is the recommended way to manage permissions.

This section describes how to manage permissions through Creating a Permission Set and Configuring the Permission Set. In practice, you are advised to manage permissions based on Configuring Roles.

Prerequisites

  • You have configured a workspace permission set. For details, see Configuring Workspace Permission Sets.
  • If you want to view the metadata of databases, tables, and fields in data connections during permission configuration, metadata of tables has been collected in DataArts Catalog through a metadata collection task.

Constraints

  • Only the DAYU Administrator, Tenant Administrator, data security administrator, and the administrator of the parent permission set can create, modify, and synchronize permission sets. The permission set administrator can synchronize workspace permission sets. Other common users cannot perform these operations.
  • Permission sets can only be used to manage permissions for MRS Hive, DLI, and GaussDB(DWS).
  • In some cases, a child permission set may contain more permissions than its parent permission set. For example, this may occur if a permission record is configured for a child permission set and then deleted from the parent permission set, because cascading deletion of permissions is not supported.
  • After a permission set is configured, permission management does not take effect immediately. Instead, you need to synchronize the permission set to the data source for permission management to take effect.
    Role management provides more intuitive and powerful permission management capabilities based on permission sets. Generally, you do not need to synchronize permission sets except for DLI data sources. You are advised to manage permissions based on Configuring Roles. If you need to synchronize workspace permission sets, pay attention to the following restrictions:
    • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
    • During DLI permission set synchronization, the custom policies created in IAM are associated with users or user groups. A maximum of 200 custom policies can be created in IAM. Before synchronization, ensure that the quotas are sufficient.
    • During permission synchronization, you need to configure required permissions for the dlg_agency. For details, see Authorizing dlg_agency.
  • The current data permission control uses the allowlist mechanism, which adds operation conditions to the users to be authorized without affecting the permissions the users already have. If you want only the permissions granted by the data permission control to take effect, you need to revoke the original permissions of the users to be authorized. For details, see Data Permission Management.
  • During script execution and job testing in DataArts Factory, the MRS or GaussDB(DWS) data source uses the account of the data connection for authentication by default. Therefore, permission management still does not take effect during data development. You need to enable fine-grained authentication so that the current user is used for authentication during script execution and job testing in DataArts Factory. In this way, different users have different data permissions, and permission management for roles and permission sets takes effect.
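
The constraints above note that a child permission set can end up with more permissions than its parent, and that object names are restricted to a fixed character set. The following is an added example, not DataArts Studio code, of an offline audit that flags both conditions. The record layout, the set names, the SELECT action, and the reading of * as "any run of characters" are assumptions, and the sample data is constructed.

```python
import re
from fnmatch import fnmatchcase

# Object names may contain only digits, letters, "_", "-" and "*".
NAME_RE = re.compile(r"[A-Za-z0-9_*-]+")

# A grant is (database, table, column, action); table/column are None when the
# grant stops at a higher layer. Layers are separate: a database-level grant
# never covers a table- or column-level grant.
def covers(parent, child):
    """True if one parent grant covers one child grant."""
    if parent[3] != child[3]:
        return False
    for p, c in zip(parent[:3], child[:3]):
        if (p is None) != (c is None):
            return False  # different layer
        if p is not None and not fnmatchcase(c, p):
            return False  # parent pattern does not match
    return True

def audit(sets):
    """Return (set_name, grant, reason) for every grant that needs review."""
    findings = []
    for name, ps in sets.items():
        parent = sets.get(ps["parent"])  # None for the workspace permission set
        for grant in ps["grants"]:
            if not all(NAME_RE.fullmatch(n) for n in grant[:3] if n is not None):
                findings.append((name, grant, "invalid-name"))
            elif parent and not any(covers(pg, grant) for pg in parent["grants"]):
                findings.append((name, grant, "exceeds-parent"))
    return findings

# Constructed sample: "orders" was deleted from the parent after the child got it.
SAMPLE = {
    "ws_all": {"parent": None, "grants": [
        ("sales", None, None, "SELECT"),
        ("sales", "cust_*", None, "SELECT"),
    ]},
    "finance": {"parent": "ws_all", "grants": [
        ("sales", "cust_eu", None, "SELECT"),     # covered by cust_*
        ("sales", "orders", None, "SELECT"),      # parent record was deleted
        ("sales", "cust_eu", "email", "SELECT"),  # column layer not in parent
        ("sales", "cust eu", None, "SELECT"),     # space is not allowed
    ]},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Records reported as exceeds-parent are candidates for manual removal from the child permission set, because deleting the parent record does not cascade.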

Creating a Permission Set

  1. On the DataArts Studio console, locate a workspace and click DataArts Security.
  2. In the left navigation pane, choose Permission Sets.
  3. On the displayed page, click Create.

    Figure 1 Creating a permission set

  4. Configure parameters based on Table 1 and click OK.

    Table 1 Parameters

    | Parameter | Description |
    |---|---|
    | *Name | Permission set name, which is unique in the instance. Include the meaning of the permission set in the name and avoid meaningless descriptions so that the permission set can be quickly identified. |
    | *Parent Permission Set | Select a parent permission set, which can be a workspace permission set or another permission set. After you select a parent permission set, the permissions of the current permission set are a subset of the parent permission set's permissions. |
    | *Administrator | The administrators are the owners of the permission set and can configure the permissions in the permission set. The administrators can perform the following operations: Permission configuration (assign data source permissions to the workspace permission set); User configuration (assign permissions in the workspace permission set to users, user groups, or workspace roles); Permission set creation (create permission sets and roles based on the workspace permission set; the created permission sets do not contain more permissions than the workspace permission set). |
    | Description | Information that makes the permission set easier to identify. |

    Figure 2 Parameters for creating a permission set

Configuring the Permission Set

  1. On the DataArts Studio console, locate a workspace and click DataArts Security.
  2. In the left navigation pane, choose Permission Sets.
  3. Locate a permission set and click its name to go to the details page.

    Figure 3 Going to the permission set details page

  4. In the Basic Information area, you can view the name, ID, and administrator of the permission set. For details, see Figure 4.

    Figure 4 Basic information of the permission set

  5. On the Permission Configuration tab page, By data is selected by default. You can select By permissions. The configured permissions are the same for By data and By permissions, and the only difference lies in how the permissions are displayed. You are advised to select By permissions for batch authorization.

    • By data: The system allows you to configure permissions for data. (Currently, only MRS data sources are supported.) You can select the authorized data in the parent permission set.
      Figure 5 Configuring permissions on the By data page

      When configuring permissions, you can select Entire DB, Entire table, or Entire column, and select the corresponding levels in the data source information to perform a batch authorization. You can also click Authorization in the Operation column of a data record in the expanded navigation pane to authorize access to the data.

      The Fast mode and Show data this role has no permission to options are supported. If Fast mode is enabled, metadata of databases, tables, and columns is obtained from DataArts Catalog. Otherwise, metadata is obtained from the data source. If metadata has been collected, you are advised to enable Fast mode.
      • Note that the permissions of databases, tables, and columns are managed by layer. For example, a user who has been granted database permissions does not have the permissions of tables and columns. Table and column permissions must be granted separately.

        For example, if you enter a table name or an asterisk (*) as a wildcard during database authorization, you are authorizing the table. If you enter a column name or an asterisk (*) as a wildcard character, you are authorizing the column.

      • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
      Figure 6 Authorization on the By data page
    • By permissions: The system allows you to configure permissions. You can select the authorized data in the parent permission set.
      To configure permissions, click Add and select data levels in sequence. You cannot select multiple objects at the same level (such as database, table, and column) for batch authorization. Permission Type cannot be set to DENY.
      • Note that the permissions of databases, tables, and columns are managed by layer. For example, a user who has been granted database permissions does not have the permissions of tables and columns. Table and column permissions must be granted separately.

        For example, if you enter a table name or an asterisk (*) as a wildcard during database authorization, you are authorizing the table. If you enter a column name or an asterisk (*) as a wildcard character, you are authorizing the column.

      • During authorization, the name of the object to be authorized (database, table, or column name) can contain only digits, letters, underscores (_), hyphens (-), and wildcards (*).
      • When you select HIVE for Data Source Type, you can change Database to URL to authorize an OBS path in the storage-compute decoupling scenario. In this scenario, the following URL permissions are required for using Hive:
        • write: creating a database
        • read: creating a table, writing data, and deleting a table
      After configuring permissions, you can edit, synchronize, or delete them.
      Figure 7 Configuring permissions on the By permissions page

  6. User Configuration: On the permission set details page, click the User Configuration tab.

    On this page, you can associate the permissions configured on the Permission Configuration page with users. Click Add and select User or User group (Workspace role is unavailable currently) to add users to the permission set. You can select users or user groups that have been added to the workspace.
    Figure 8 User Configuration

  7. Child Permission Sets: On the permission set details page, click the Child Permission Sets tab.

    On this page, you can view the child permission sets of the current permission set.
    Figure 9 View child permission sets

  8. Log: On the permission set details page, click the Log tab.

    On this page, you can view the log details if permission synchronization fails. At 00:00 every day, the system deletes logs generated 30 days ago.
    Figure 10 Viewing logs

  9. After the permission set is configured, it does not take effect immediately. You need to manually synchronize the permission set to the data source for permission management to take effect. For details, see Synchronizing Permission Sets.

    Role management provides more intuitive and powerful permission management capabilities based on permission sets. Generally, you do not need to synchronize workspace permission sets. In practice, you are advised to manage permissions based on Configuring Roles.

Related Operations

  • Synchronizing permission sets: Permission sets take effect only after they are synchronized to the data source. Role management provides more intuitive and powerful permission management capabilities based on permission sets. Generally, you do not need to synchronize permission sets. In practice, you are advised to manage permissions based on Configuring Roles.

    To synchronize a permission set, click Synchronize in the Operation column of the permission set on the Permission Sets page. To synchronize multiple permission sets, select them and click Synchronize above the list.

  • Editing a permission set: On the Permission Sets page, click Edit in the Operation column of a permission set. You can change the name, administrator, and description of the permission set.
  • Deleting permission sets: On the Permission Sets page, click Delete in the Operation column of a permission set. In the displayed dialog box, confirm the permission set to delete and click Yes. To delete multiple permission sets, select them and click Delete above the list.
    Permission sets for which permissions, users, or child permission sets have been configured cannot be deleted. To delete such permission sets, delete the configurations first.

    Deleted permission sets are moved to the recycle bin. You can restore them within 30 days. After 30 days, they will be deleted permanently. For details, see Managing the Recycle Bin.