Quick Start with Permission Management in Data Lake Compute

Last updated: 2024-09-18 18:02:02
    When using Data Lake Compute (DLC), if you need to give employees in your organization different access permissions so that their authority is isolated from one another, you can use the permission management feature for fine-grained management of user and workgroup permissions.
    Note:
    1. Permission policies are closely tied to how the product is used. Administrators should configure the policies for workgroups, sub-users, and similar roles before the product features are put into use.
    2. Member management and permission management are configured per region. Administrators must configure them again for DLC in each region.

    CAM Authorization

    Data Lake Compute (DLC) has a comprehensive data access permission mechanism. If you need to manage sub-accounts, grant the corresponding sub-account the QcloudDLCFullAccess (Full read-write access to Data Lake Compute (DLC)) policy in the Access Management Console. For specific steps on creating sub-accounts and authorizing policies.
    DLC provides its own permissions down to row and column granularity in data tables, so you need not worry that granting this policy oversteps authority.
    
    
    

    Users and Workgroups

    DLC manages user permissions through two methods: user authorization and workgroup binding authorization.
    User: Refers to users in CAM, including administrators, sub-accounts, and collaborator accounts.
    Workgroup: DLC allows a group of users to be bound to a workgroup, granting the group access to data, engines, and other resources. This enables batch management of user permissions, ensuring that all users within the same workgroup have the same level of access.
    Note:
    When a user’s individual permissions differ from the permissions of the workgroup they belong to, the combined permissions will be the union of both sets.
    By default, regular users created by an administrator do not have any permissions. To grant permissions, users should be added to a workgroup, and appropriate permission policies should be assigned to the workgroup, allowing the users within it to acquire the necessary permissions.
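    The union rule and the no-permissions default from the note above, together with the administrator rule this page states under Adding a User, modelled as an added example that is not DLC code or a DLC API. The `User` class, the grant tuples, the account IDs and the resource names are constructed for illustration. It also reports direct grants that no work group covers, since under union semantics those remain after the user leaves a work group.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    is_admin: bool = False
    direct: set = field(default_factory=set)      # grants from "User authorization"
    workgroups: set = field(default_factory=set)  # names of associated work groups

def workgroup_grants(user, groups):
    """Union of the grants of every work group the user is associated with."""
    out = set()
    for name in user.workgroups:
        out |= groups.get(name, set())
    return out

def effective(user, groups):
    """Ordinary user: direct grants UNION work group grants (empty by default)."""
    return set(user.direct) | workgroup_grants(user, groups)

def allowed(user, resource, action, groups):
    """Administrators pass every check; ordinary users need a matching grant."""
    return user.is_admin or (resource, action) in effective(user, groups)

def direct_only(user, groups):
    """Direct grants no work group covers; they survive removal from any group."""
    if user.is_admin:
        return set()
    return set(user.direct) - workgroup_grants(user, groups)

def audit(users, groups):
    """Map uid -> sorted direct-only grants, for users that have any."""
    return {u.uid: sorted(direct_only(u, groups)) for u in users if direct_only(u, groups)}

# Constructed sample data (hypothetical IDs, databases and action names).
GROUPS = {"analysts": {("db_sales.orders", "query")},
          "etl": {("db_sales.orders", "query"), ("db_sales.orders", "edit")}}
USERS = [
    User("100000000001", is_admin=True),
    User("100000000002"),                          # new ordinary user, no grants
    User("100000000003", workgroups={"analysts"}),
    User("100000000004", direct={("db_hr.salaries", "query")}, workgroups={"analysts"}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.uid, "admin: all" if u.is_admin else sorted(effective(u, GROUPS)))
    print("direct-only grants:", audit(USERS, GROUPS))
```

    Reviewing the direct-only list periodically keeps work groups as the single place where access is granted and revoked.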

    Adding a User

    Data Lake Compute utilizes the Tencent Cloud account ID as the default user ID. It distinguishes between two user types: administrators and ordinary users. Administrators inherently possess all resource permissions, while ordinary users must be granted specific permissions or be associated with a work group to acquire permissions.
    1. Add a user and associate them with a work group.
    Log in to the DLC console, select Permission Management, and click Users > Add User to add a new user.
    
    
    
    2. Enter the basic information: Provide the user ID, user name, and description, and select the user type.
    Note:
    When selecting the user type as "Ordinary User", permissions can be obtained through individual authorization or by acquiring all permissions of a specified work group. When selecting "Administrator" as the user type, there is no need to associate with a work group to gain all permissions.
    
    
    
    3. Associate with a work group: Select a work group for association (optional).
    

    User authorization

    In the user list, authorize each user individually. The authorization includes "Data Permissions" and "Engine Permissions", and the permission policy is consistent with the work group's permission policy.
    
    
    

    Add Work Group

    1. In the Data Lake Compute (DLC) console, select Permission Management from the left sidebar, and click Work Group > Add Work Group to create a work group for users. When creating a work group, you can bind users to it or create an empty work group. For detailed operations, refer to Users and User Groups.
    
    2. Enter the basic information: Provide the work group name and description.
    
    3. Associate a user: The associated user will acquire all permissions under the respective work group.
    

    Granting permissions to a work group

    After creating the work group, click on the Authorize operation in the list to add permissions to the work group, including Data Permissions and Engine Permissions.
    
    
    

    Data permission

    Data permissions include:
    Data Catalog Permissions: These include two types of permissions under the data catalog, namely, the ability to Create Database and Create Data Catalog.
    
    
    
    Database Table Permissions: Fine-grained permissions at the database table level can be granted, including query and edit permissions for databases, tables, views, and functions.
    
    
    

    Engine permission

    Select a data engine and grant the permissions to use, modify, or delete it.
    
    
    

    Engine operation permissions are granted automatically

    DLC supports enabling engine operation permissions by default. Once enabled, all users have the following permissions for that engine by default:
    Utilize: Execute tasks using this engine.
    Operation: Suspend the engine or put it on standby.
    Monitoring: Manage engine usage monitoring.
    Note:
    1. After auto-granting is disabled, administrators still hold all engine privileges. Ordinary users need an administrator to add permissions on the Permission Management page.
    2. Existing ordinary user permissions remain intact and can be deleted on the Permission Management page.
    3. Ordinary users created afterwards have no usage rights; these must be added manually on the Permission Management page.

    How do I enable or disable auto-granting of engine permissions

    Auto-granting of engine operation permissions can be enabled or disabled from two access entries:
    
    
    
    Access 2: Go to the SuperSQL engine page and click Edit Auto-granting of engine permissions.
    
    
    
    After setting engine permissions, click Confirm.
    
    
    