Overview
DLI's own permission management function primarily controls permissions on internal DLI resources and does not rely on the unified identity authentication management of IAM.
DLI is a region- and project-level service. Therefore, DLI authorization is based on the region and project level.
Type | Description |
---|---|
User initiating the authorization operation | The user initiating the authorization operation is typically an administrator or an authorizer with managerial privileges. They are tasked with deciding which permissions may be granted and granting these permissions to IAM users. This user must hold sufficient authorization permissions for the authorization operation to be carried out. |
Authorized entity | An authorized entity is the recipient of the granted permissions, which could be a user or a project. Once explicitly authorized within the DLI system, the authorized entity can perform operations on specific DLI resources. |
Resource | Resources are the DLI resources accessible through authorization, including elastic resource pools, queues, data catalogs, databases, tables, and jobs. These resources are the operational objects available to users within the DLI environment. |
Operation | An operation signifies the specific actions that a user or role can perform on a principal resource. Operations depend on the type of entity: distinct entity types support different sets of operations. For example, for table resources, supported operations include reading, writing, and querying. |
DLI categorizes authorization into three types based on the objects of permissions: user authorization, cross-project authorization, and cross-tenant project authorization.
- User authorization: Achieves precise allocation of user permissions by managing IAM users within the same account.
- Cross-project authorization: Enables resource sharing among sub-projects under the same account and within the same region-specific project, enhancing resource utilization.
- Cross-tenant project authorization: Facilitates resource collaboration between different accounts within the same region-specific project.
These authorization types address diverse service scenario needs through detailed configurations of the authorized entities, resources, and operations, ensuring secure and compliant data access and operations.
Table 2 outlines the applicable scope and resource types for DLI's user authorization, cross-project authorization, and cross-tenant project authorization.
Authorization Types of DLI Permissions
Type | Description |
---|---|
User authorization | In DLI, the master account manages the permissions of all users under the account. Users can be created through IAM, and corresponding roles or policies can be assigned based on the users' job functions and service requirements, achieving fine-grained management of user permissions. For example, developers can be granted permission to use DLI resources but not to delete them, so that resources are used securely. |
Cross-project authorization | Cross-project authorization allows resources from one project (for example, project A) to be granted to another project (for example, project B), enabling resource sharing. This type of authorization facilitates resource sharing among sub-projects under the same account and region-specific project. Resource types supporting cross-project authorization include:<br>Through cross-project authorization, sub-projects (for example, project A_1) can use resources from parent projects (for example, project A), enhancing resource efficiency and fulfilling service requirements. |
Cross-tenant project authorization (authorization within the same region-specific project) | Cross-tenant project authorization involves resource sharing between two different accounts (for example, account A and account B). Account A can grant resources to account B, with the condition that this authorization occurs within the same project. Resource types supporting cross-tenant project authorization include:<br>Through cross-tenant project authorization, users from different accounts can share resources within the same project, facilitating more flexible resource management and collaboration. |
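The scoping rules above can be used to review an inventory of grants. The following is an added example, not DLI code or a DLI API: it classifies grant records into the three authorization types and marks any record that fits none of them. The record layout (`Scope`, `Grant`), the function names, and all account, region, and project names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Scope:
    account: str                       # account (tenant) name
    region: str                        # region-specific project
    sub_project: Optional[str] = None  # None means the region-specific project itself

@dataclass(frozen=True)
class Grant:
    owner: Scope                  # scope that holds the DLI resource
    grantee: Scope                # scope of the authorized entity
    iam_user: Optional[str]       # set when the authorized entity is a user, not a project
    resource: str                 # e.g. "table", "queue"
    operation: str                # e.g. "read"

def classify(g: Grant) -> str:
    """Map a grant to one of the page's three authorization types."""
    if g.owner.region != g.grantee.region:
        return "out of scope: different region-specific project"
    same_account = g.owner.account == g.grantee.account
    if g.iam_user is not None:
        return "user authorization" if same_account else "out of scope: user in another account"
    if not same_account:
        return "cross-tenant project authorization"
    if g.owner.sub_project == g.grantee.sub_project:
        return "out of scope: owner and grantee are the same project"
    return "cross-project authorization"

# Constructed sample records; account, region and project names are placeholders.
A = Scope("account-a", "region-1")
A_1 = Scope("account-a", "region-1", "region-1_A_1")
B = Scope("account-b", "region-1")
A_R2 = Scope("account-a", "region-2")
SAMPLE_GRANTS = [
    Grant(A, A, "dev-user", "table", "read"),
    Grant(A, A_1, None, "queue", "use"),
    Grant(A, B, None, "database", "read"),
    Grant(A, A_R2, None, "table", "read"),
]

def audit(grants):
    """Return (grant, classification) pairs; review every 'out of scope' entry."""
    return [(g, classify(g)) for g in grants]

if __name__ == "__main__":
    for g, kind in audit(SAMPLE_GRANTS):
        print(f"{g.resource}:{g.operation} -> {kind}")
```

Entries reported as out of scope do not match any of the three authorization types described on this page and are the ones to examine first in an access review.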