
Quick Start with Permission Management in Data Lake Compute
Last updated:2026-03-04 17:20:41
When using Data Lake Compute (DLC), if you need to give employees in your organization different access permissions so that their authority is isolated from one another, you can use the permissions management feature for fine-grained management of user and workgroup permissions.
Note:
1. Permission policies are closely tied to how the product is used. It is recommended that administrators configure the policies for roles such as workgroups and sub-users in advance, before officially using the product features.
2. Member management and permissions management are configured per region. In each region, administrators must reconfigure them for DLC in that specific region.

CAM Authorization

Data Lake Compute (DLC) has a comprehensive data access permission mechanism. If you have sub-account management requirements, grant the corresponding sub-account the QcloudDLCFullAccess policy (full read-write access to Data Lake Compute (DLC)) in the Access Management Console. For detailed steps on creating sub-accounts and authorizing policies, refer to Creating and Authorizing Sub-account.
DLC offers permissions refined to row-level and column-level granularity in data tables, so you need not worry about overstepping authority with this operation.




Users and Workgroups

DLC manages user permissions through two methods: user authorization and workgroup binding authorization.
User: Refers to users in CAM, including administrators, sub-accounts, and collaborator accounts.
Workgroup: DLC allows a group of users to be bound to a workgroup, granting the group access to data, engines, and other resources. This enables batch management of user permissions, ensuring that all users within the same workgroup have the same level of access.
Note:
When a user’s individual permissions differ from the permissions of the workgroup they belong to, the combined permissions will be the union of both sets.
By default, regular users created by an administrator do not have any permissions. To grant permissions, users should be added to a workgroup, and appropriate permission policies should be assigned to the workgroup, allowing the users within it to acquire the necessary permissions.
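
The union rule and the no-permissions default described above, as an added example that is not part of the Tencent Cloud documentation: a small Python model that computes each user's effective permissions and reports direct grants that none of the user's work groups explain. The data layout, permission names and function names are hypothetical and do not correspond to any DLC or CAM API.

```python
from dataclasses import dataclass, field

ALL = frozenset({("*", "*")})  # sentinel: administrators hold every permission

@dataclass
class User:
    uid: str
    is_admin: bool = False
    direct: set = field(default_factory=set)        # grants from "User Authorization"
    workgroups: list = field(default_factory=list)  # bound work groups

# Constructed sample data; permission = (resource, action), names are hypothetical.
WORKGROUPS = {
    "analysts": {("db:sales", "query"), ("engine:supersql-a", "use")},
    "etl": {("db:sales", "query"), ("db:sales", "edit")},
}
USERS = [
    User("alice", is_admin=True),
    User("bob", direct={("db:sales", "edit")}, workgroups=["analysts"]),
    User("carol"),  # ordinary user, nothing granted yet
    User("dave", direct={("db:sales", "query")},
         workgroups=["analysts", "etl", "old-team"]),
]

def audit(users, workgroups):
    """Return {uid: {"effective", "direct_only", "unknown_groups"}} per user."""
    report = {}
    for u in users:
        unknown = [g for g in u.workgroups if g not in workgroups]
        if u.is_admin:
            # Administrators need no work group binding to hold all permissions.
            report[u.uid] = {"effective": ALL, "direct_only": set(),
                             "unknown_groups": unknown}
            continue
        from_groups = set().union(
            *(workgroups[g] for g in u.workgroups if g in workgroups))
        report[u.uid] = {
            "effective": from_groups | u.direct,    # union of both sets
            "direct_only": u.direct - from_groups,  # access no work group explains
            "unknown_groups": unknown,              # stale binding in the export
        }
    return report

if __name__ == "__main__":
    for uid, row in audit(USERS, WORKGROUPS).items():
        print(uid, sorted(row["effective"]),
              "direct-only:", sorted(row["direct_only"]),
              "unknown groups:", row["unknown_groups"])
```

A non-empty `direct_only` set marks a user whose access differs from the other members of the same work group, which is the case a periodic permission review should look at first.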

Adding a User

Data Lake Compute utilizes the Tencent Cloud account ID as the default user ID. It distinguishes between two user types: administrators and ordinary users. Administrators inherently possess all resource permissions, while ordinary users must be granted specific permissions or be associated with a work group to acquire permissions.
1. Add a user and associate them with a work group.
Log in to the DLC console, select User and Permission Management, and click Users > Add User to add a new user.



2. Enter the basic information: Provide the user ID, user name, and description, and select the user type.
Note:
When selecting the user type as "Ordinary User", permissions can be obtained through individual authorization or by acquiring all permissions of a specified work group. When selecting "Administrator" as the user type, there is no need to associate with a work group to gain all permissions.
3. Associate with a work group: Select a work group for association (optional).

User Authorization

In the user list, authorize each user individually. The authorization includes "Data Permissions" and "Engine Permissions", and the permission policy is consistent with the work group's permission policy.
Important Note:
In User and Permission Management > Engine Management in the DLC console, permission management is only supported for the earlier launched SuperSQL engine. The permission management for the standard engine is under unified control by Tencent Cloud CAM. The standard engine can be used as a cloud resource to enable highly flexible resource-level authentication settings through CAM, thereby meeting enterprise-level security management needs.

Add Work Group

1. In the DLC console, select User and Permission Management from the left sidebar, and click Work Group > Add Work Group to create a work group for the user. When creating a work group, you can choose to bind it to a user or create an empty work group. For detailed operations, refer to Users and User Groups.
2. Enter the basic information: Provide the work group name and description.
3. Associate a user: The associated user will acquire all permissions under the respective work group.

Granting permissions to a work group

After creating the work group, click on the Authorize operation in the list to add permissions to the work group, including Data Permissions and Engine Permissions.

Data permission

Data permissions include:
Data Catalog Permissions: These include two types of permissions under the data catalog, namely, the ability to Create Database and Create Data Catalog.
Database Table Permissions: Fine-grained permissions at the database table level can be granted, including query and edit permissions for databases, tables, views, and functions.
Row-level permissions: Add row-level filtering expressions on the basis of database and table permissions to restrict the access scope.

Data Engine Permission

DLC data engines are divided into SuperSQL engines and standard engines. For detailed differences and application scenarios, refer to Data Engines. The permissions of the earlier launched SuperSQL engines are managed by the DLC console. You can quickly manage the permissions of the SuperSQL engine in the DLC console under User and Permission Management. The permission management of the standard engine is uniformly controlled by Tencent Cloud Access Management (CAM). The standard engine can be used as a cloud resource through CAM to perform highly flexible resource-level authentication settings to meet enterprise-level security management needs. For more information about resource-level authentication, refer to the document Resource-Level Authentication Guide.

SuperSQL Engine Permission Management

The SuperSQL data engine operation permissions of DLC include the use, modification, operation, monitoring and deletion permissions of the data engine. The specific permissions are as follows:
Usage: Select the permission to use this engine for tasks.
Modification: Allows modifying the basic information and configuration information of the engine (modification of configuration information requires CAM financial permission as well).
Operation: The permission to suspend or restart the engine.
Monitoring: The permission to view the running tasks and monitoring information of the engine.
Deletion: Permission to process refunds for the engine.




Engine operation permissions are granted automatically (Only For SuperSQL Engine)

DLC supports granting SuperSQL engine operation permissions by default. Once this is enabled, all users will by default have the following permissions for that engine:
Utilize: Execute tasks using this engine.
Operation: Initiation of engine suspension or standby.
Monitoring: Administration of engine usage monitoring.
Note:
1. After auto-granting is disabled, administrators still hold all engine permissions. Ordinary users require an administrator to add permissions on the permission management page.
2. Existing ordinary user permissions will remain intact and can be deleted on the User and Permission Management page.
3. Subsequent newly created ordinary users have no usage rights, which should be manually added on the User and Permission Management page.

How do I enable or disable auto-granting of engine permissions

There are two entry points for enabling or disabling the auto-granting of engine operation permissions:



Access 2: Go to the SuperSQL Engine page and click Edit Auto-granting of engine permissions. After setting engine permissions, click Confirm.




Standard Engine Permission Management

The permission management for the standard engine is under unified control by Tencent Cloud CAM. The standard engine can be used as a cloud resource to enable highly flexible resource-level authentication settings through CAM, thereby meeting enterprise-level security management needs. For permission management of the standard engine, refer to the DLC Permission Overview section on Standard Engine Permission Management.