An Introduction to Data Guard – Alibaba Cloud DataWorks

Data Guard provides flexible permission management features and allows users to request permissions and handle requests visually. Data Guard not only improves data security but also facilitates data permission management.

Data Guard consists of the following modules: My Permissions, Authorizations, and Approval Center. Currently, Data Guard provides the following features:

  • Self-service permission request: Users can select the required tables and quickly initiate a permission request online. This is more efficient than the original mode, in which users had to contact administrators offline.
  • Permission revocation: Administrators can view the users who have permissions on database tables and revoke unnecessary permissions as required. Users can also revoke permissions themselves.
  • Request approval: Administrators approve permission requests of users instead of directly granting permissions to users. This provides a visual, process-based permission management mechanism and lets you trace the approval process afterward.

By using Data Guard, you can view permissions on all the tables in an organization, request and revoke table permissions, and approve or reject permission requests.

Each operation in Data Guard applies to all the workspaces of a tenant in standard mode (including the development and production environments) and basic mode.

Prerequisites

Before using Data Guard, note the following:

  • You can request permissions on fields only in a workspace with LabelSecurity enabled. If LabelSecurity is disabled for a workspace, you can request permissions only on tables in this workspace.
  • To ensure that field permissions are valid in the specified validity period, make sure that the security level of each field is higher than the security level of your account.

    After permissions on a table are granted to you, you automatically obtain permissions on the fields whose security level is 0 or not higher than the security level of your account. The permissions on these fields are permanently valid and cannot be separately revoked.

  • For more information about LabelSecurity, see Column-level access control.
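The field-level rule above, worked through as an approver's pre-check. This is an added example, not DataWorks code: `plan_request`, `RequestPlan`, the table inventory, and the security levels are all hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class RequestPlan:
    with_table_grant: list = field(default_factory=list)  # arrive with the table grant
    time_bound: list = field(default_factory=list)        # validity period applies
    expiry_ignored: list = field(default_factory=list)    # requested, but permanent anyway
    still_denied: list = field(default_factory=list)      # above account level, not requested


def plan_request(account_level, field_levels, requested=(), label_security=True):
    """Classify one table's fields for an approver reviewing a request.

    field_levels: {field name: security level} (hypothetical inventory data).
    requested: selected field names; empty means all fields in the table.
    """
    requested = set(requested)
    unknown = requested - set(field_levels)
    if unknown:
        raise ValueError(f"fields not in table: {sorted(unknown)}")
    plan = RequestPlan()
    if not label_security:
        if requested:
            raise ValueError("field requests need LabelSecurity enabled")
        # Assumption: with LabelSecurity off no field levels are enforced,
        # so the table grant covers every field.
        plan.with_table_grant = sorted(field_levels)
        return plan
    wanted = requested or set(field_levels)
    for name, level in sorted(field_levels.items()):
        if level <= account_level:  # level 0 qualifies for any non-negative account level
            plan.with_table_grant.append(name)
            if name in requested:
                plan.expiry_ignored.append(name)
        elif name in wanted:
            plan.time_bound.append(name)
        else:
            plan.still_denied.append(name)
    return plan


# Constructed sample: levels for a made-up table, account at level 1.
TABLE_A = {"order_id": 0, "region": 1, "email": 3, "card_no": 4}

if __name__ == "__main__":
    print(plan_request(1, TABLE_A, {"region", "email"}))
```

Fields listed under `expiry_ignored` are the ones to look at before approving: the requester selected them, but they come with the table grant, stay permanently valid, and cannot be separately revoked.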

Example

This example includes the following operations:

  1. Request permissions on tables A and B by using a RAM account.
  2. Approve the request by using an Alibaba Cloud account.
  3. Revoke the permissions on some fields in table A by using the RAM account.
  4. Revoke the permissions on table A by using the RAM account.
  5. Revoke the permissions of the RAM account on table B by using the Alibaba Cloud account.

Request permissions on tables A and B by using a RAM account

  1. Log on to Data Guard by using the RAM account. In the left-side navigation pane, click My Permissions. The Table tab appears.
  2. Select the fields in tables A and B on which you want to request permissions and click Request Approval.
  3. Set the parameters in the Table Permission Request dialog box.
  4. Click Submit.

Approve the request by using an Alibaba Cloud account

  1. Log on to Data Guard by using the Alibaba Cloud account. In the left-side navigation pane, click Approval Center. Click the Pending Approval tab.
  2. Click Handle in the Actions column for the request submitted by the RAM account. On the Request Details page that appears, view the progress and objects requested.
  3. Enter your comment and click Approve to approve the request.

Revoke the permissions on some fields in table A by using the RAM account

  1. Log on to Data Guard by using the RAM account. In the left-side navigation pane, click My Permissions. The Table tab appears.
  2. Choose More > Revoke Field Permission in the Actions column for table A.
  3. In the Revoke Field Permission dialog box, select the fields on which you want to revoke permissions and click OK.

Revoke the permissions on table A by using the RAM account

  1. Log on to Data Guard by using the RAM account. In the left-side navigation pane, click My Permissions. The Table tab appears.
  2. Choose More > Revoke Permission in the Actions column for table A.
  3. In the Revoke Permission dialog box, select the permissions you want to revoke and click OK.

Revoke the permissions of the RAM account on table B by using the Alibaba Cloud account

  1. Log on to Data Guard by using the Alibaba Cloud account and click Authorizations in the left-side navigation pane. The Table tab appears.
  2. Click the plus sign (+) in front of table B to view all the accounts that have permissions on the table.
  3. Click Revoke Permission in the Actions column for the RAM account.
  4. In the Revoke Permission dialog box, select the permissions you want to revoke and click OK. The selected permissions of the RAM account on the table are revoked.

My Permissions

On the My Permissions page, you can view your table and field permissions in a workspace, and request or revoke table and field permissions.

View table and field permissions

  1. Log on to Data Guard. In the left-side navigation pane, click My Permissions. The Table tab appears.
  2. On this tab, you can select a workspace and specify the environment (for a workspace in standard mode) to view all the tables of the workspace in the specified environment. You can also enter a table name in the search box to search for required tables in fuzzy match mode.

    You can view the names and owners of tables in a workspace, view your permissions on the tables, and request or revoke table and field permissions.

Request table and field permissions

  1. Select the tables and fields on which you want to request permissions.
    • Request permissions on a single table or some fields in the table

      Select the required fields on which you have no permissions in a table and choose More > Request Approval in the Actions column.

      Alternatively, choose More > Request Approval in the Actions column for a table without selecting any fields to request permissions on all the fields in the table.

      Note: You can request permissions on fields only in a workspace with LabelSecurity enabled. If LabelSecurity is disabled for a workspace, you can request permissions only on tables in this workspace.
    • Request permissions on multiple tables and fields

      Select all the required tables and fields and click Request Approval.

      Note: You can also click Request Approval without selecting any tables or fields and then select the required tables and fields in the Table Permission Request dialog box.
  2. Set the parameters in the Table Permission Request dialog box.
     
    Parameter | Description
    Workspace | The workspace, which is automatically set based on the information you specified on the My Permissions page. You can change the workspace as required.
    Environment | The environment of the workspace.
    MaxCompute Project | The MaxCompute project name.
    Grant To | The account for which you request the permissions. You can request permissions for the current account or a production account of another workspace you joined.
    Valid Until | Validity period of the permissions. The options include 1 Month, 3 Months, 6 Months, 12 Months, Permanent, and Others.
    Reason for Request | The reason why you request the permissions.
    Objects Requested | The tables on which you request permissions. The tables that you select on the previous page are displayed. You can add tables or delete existing tables as required.
  3. Click Submit to submit the request. If you do not want to request the permissions, click Cancel.

Revoke permissions

You can revoke table and field permissions.

  • Revoke field permissions

    Note

    • You can revoke permissions on fields only in a workspace with LabelSecurity enabled.
    • To revoke permissions on all the fields in a table, revoke the permissions on the table directly.
    1. Choose More > Revoke Field Permission in the Actions column for the table on which you want to revoke permissions.
    2. In the Revoke Field Permission dialog box, select the fields on which you want to revoke permissions.
    3. Click OK.
  • Revoke table permissions
    1. Choose More > Revoke Permission in the Actions column for the table on which you want to revoke permissions.
    2. In the Revoke Permission dialog box, select the permissions you want to revoke.
    3. Click OK.

Authorizations

On the Authorizations page, a project administrator can view the accounts that have permissions on tables and fields in each workspace, and revoke unnecessary table and field permissions.

Log on to Data Guard. In the left-side navigation pane, click Authorizations. The Table tab appears.

On this tab, you can select a workspace and specify the environment (for a workspace in standard mode) to view all the tables of the workspace in the specified environment. You can also enter a table name in the search box to search for required tables in fuzzy match mode.

View accounts that have permissions on a table

Click the plus sign (+) in front of a table to view all the accounts that have permissions on the table.

Revoke table permissions

Click Revoke Permission in the Actions column for an account to revoke the permissions of the account on the current table.

View field permissions

Click View Field Permissions in the Actions column for an account to view the permissions of the account on the fields in the current table.

Revoke field permissions

If LabelSecurity is enabled for the workspace, select fields and click Revoke Field Permission on the Field Permissions page to revoke the permissions on the fields.

 

Approval Center

On the Approval Center page, you can view your requests and their status, view and handle the requests pending your approval, and view the requests that you have handled.

My Requests

  1. Log on to Data Guard. In the left-side navigation pane, click Approval Center. The My Requests tab appears.

    On this tab, you can view the following information about each of your requests: object type, workspace, MaxCompute project, tables, request time, and status.

    Note: If a request contains permissions on tables that belong to different owners, Data Guard automatically splits the request into multiple requests by table owner.
  2. Click Details in the Actions column to view details about a request.

Pending Approval

  1. Log on to Data Guard. In the left-side navigation pane, click Approval Center. Click the Pending Approval tab.

    On this tab, you can view the requests pending your approval. If a request is pending your approval, a red dot appears next to Approval Center and Pending Approval to remind you.

    You can view the following information about each request pending your approval: object type, grant-to account, workspace, MaxCompute project, tables, and request time.

  2. Click Handle in the Actions column to view details about a request and handle it on the Request Details page. The request details include the progress and objects requested.
  3. Enter your comment and click Approve or Reject as required.

Handled by Me

  1. Log on to Data Guard. In the left-side navigation pane, click Approval Center. Click the Handled by Me tab.

    On this tab, you can view the following information about each request that you have handled: object type, grant-to account, workspace, MaxCompute project, tables, and request time.

  2. Click Details in the Actions column to view details about a request. The request details include the progress and objects requested.

 
