Overview of Account and Permission Management

Last updated: 2026-05-08 20:28:46

Overview

The WeData Data Development and Governance Platform leverages the Tencent Cloud CAM user management system. It supports user login via the Tencent Cloud official website console using a master account or sub-account, and also supports SSO (Single Sign-On) based on SAML 2.0 and OIDC. Internally, WeData maintains an independent RBAC-based user role and permission control system. A Tencent Cloud account must be granted both CAM policies and WeData member roles.
WeData user management is divided into three layers: Tencent Cloud account, WeData project-level member, and WeData platform-level member. User access is controlled through Tencent Cloud CAM policies, project-level roles, and platform-level roles, respectively, as shown in the table below:
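| Account Type | Permission Management | Access Control Scope | Policy/Role Name | Permission Description |
| --- | --- | --- | --- | --- |
| Tencent Cloud Account | Tencent Cloud CAM policy | WeData Console menu, including project management, execution resource group management, user management. | QcloudWeDataFullAccess | Have full read-write access to the WeData Console menu. |
| Tencent Cloud Account | Tencent Cloud CAM policy | WeData Console menu, including project management, execution resource group management, user management. | QcloudWeDataReadOnlyAccess | Have read-only access permission to the WeData Console menu. |
| Tencent Cloud Account | Tencent Cloud CAM policy | WeData Console menu, including project management, execution resource group management, user management. | Custom Policy | Perform API-level access control based on policy details. |
| Project members in WeData | WeData project-level role | WeData project-level menus, including Data Integration, offline development, and so on | Project Admin | Have full read-write access to the belonging project, and be responsible for operations such as project public configuration and project member management. |
| Project members in WeData | WeData project-level role | WeData project-level menus, including Data Integration, offline development, and so on | Data Engineer | Have data development and operation and maintenance related permissions in the belonging project. |
| Project members in WeData | WeData project-level role | WeData project-level menus, including Data Integration, offline development, and so on | Ops engineers | Have data operation and maintenance related permissions in the belonging project. |
| Project members in WeData | WeData project-level role | WeData project-level menus, including Data Integration, offline development, and so on | Ordinary member | Have read-only access permission to the belonging project. |
| Project members in WeData | WeData project-level role | WeData project-level menus, including Data Integration, offline development, and so on | Custom role | Perform access control according to the custom permission list. |
| WeData platform-level member | WeData platform-level role | WeData global-level menus, including data assets, data security, and so on | Asset Administrator | Full read-write access to the data asset module and read-only access permission to other global menus. |
| WeData platform-level member | WeData platform-level role | WeData global-level menus, including data assets, data security, and so on | Security Administrator | Responsible for platform data security management. |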

Tencent Cloud Account

Before using the WeData Data Development and Governance Platform, you must manage your organization members through CAM or TCO.
Master account: In CAM, the master account serves as the fundamental entity for the ownership, usage metering, and billing of all cloud resources by default. It is responsible for creating, authorizing, and managing sub-accounts within the organization, and by default, it owns all Tencent Cloud resources under the account.
Sub-account: A sub-account is created, centrally managed, and billed by the master account. In CAM, a sub-account owns no resources by default and must be authorized by its master account. After authorization, the sub-account can manage resources under the master account within the scope of the granted permissions.
Role: A CAM role can be understood as a type of virtual user, which differs from entity users such as sub-users, collaborators, or message recipients. Roles can also be granted policies. A role can be assumed by any Tencent Cloud account and is not uniquely bound to a specific account. A role has no associated persistent credentials (passwords or access keys). The master account only needs to use persistent credentials when applying for a role. When a role is assumed, the master account dynamically creates temporary credentials and provides them to the user for the corresponding access. The user can then use the role through both the console and APIs.
Users can log in via the Tencent Cloud console or through SSO for single sign-on.
To grant WeData access permissions, you must associate the QcloudWeDataFullAccess or QcloudWeDataReadOnlyAccess policy with a sub-account or role in CAM.
For more details, see CAM-related documentation or TCO.

WeData Users

WeData users are categorized into project-level members and platform-level members. For both types of members, the system supports accounts logged in via the Tencent Cloud console, including master accounts, sub-accounts, and roles assumed by sub-accounts. It also supports accounts logged in via role-based SSO (user-based SSO login scenarios are not yet supported).
1. When a login is performed with a standard CAM master account or sub-account, the WeData page displays the specific master or sub-account.
2. When a login is performed via CAM role assumption, the specific role name is displayed on the WeData page.
3. When a login is performed via role-based SSO, the specific role name is displayed on the WeData page.
4. When a login is performed via Microsoft EntraID role-based SSO, the WeData page displays the role name normally and can also show the specific EntraID (requires allowlist configuration). For details, see How to Log In via EntraID.
The above scenarios support hybrid login. For example, you can log in via EntraID role-based SSO and use WeData through the console, while also calling OpenAPI and Terraform APIs through a CAM sub-account.
Notes:
1. In scenarios involving sub-account role assumption or role-based SSO login, email, phone, and SMS information cannot be obtained, and these alarm methods are not supported.
2. If a master account has enabled the EntraID allowlist, only the DLC storage-compute engine can be bound currently.

WeData Project-Level Member

To enter a WeData project, a Tencent Cloud account must be added as a WeData project-level user and associated with a project-level role.
Tencent Cloud root account: by default it is the project administrator of all projects in WeData, and no manual operation is required.
Tencent Cloud sub-account: by default it is not a member of any WeData project. It must create a project or be manually added to an existing project by the project administrator.

WeData Platform-Level Member

A user who creates a project or joins an existing one automatically becomes a WeData platform-level user, with the default role being "None".
To grant access permission to the platform-level menu, you can manually add roles such as "Asset Administrator".
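
The layering rules described above (CAM policy plus member role, default membership, and the alarm limitation for role-based logins) can be checked mechanically during an access review. The following is an added example, not part of the WeData product or its documentation: the inventory record format, the `login` values and the finding codes are assumptions, and the FULL_ACCESS_FOR_READ_ONLY_MEMBER rule is this example's own least-privilege heuristic.

```python
# Added example: access review across the three WeData layers (CAM policy,
# project-level role, platform-level role). The record format is an assumption.
WEDATA_CAM_POLICIES = {"QcloudWeDataFullAccess", "QcloudWeDataReadOnlyAccess"}
ROLE_LOGINS = {"cam_role", "sso_role"}      # logins where WeData shows only a role name
CONTACT_ALARMS = {"email", "phone", "sms"}  # need contact data that role logins lack

def review(account):
    """Return a sorted list of finding codes for one inventory record."""
    findings = set()
    policies = set(account.get("cam_policies", [])) & WEDATA_CAM_POLICIES
    project_roles = account.get("project_roles", {})  # project ID -> role name
    platform_roles = set(account.get("platform_roles", [])) - {"None"}
    is_master = account.get("login") == "master"
    has_role = bool(project_roles or platform_roles)
    # Both a CAM policy and a WeData member role must be granted. The master
    # account owns all resources by default, so it is exempt from both checks.
    if not is_master and has_role and not policies:
        findings.add("ROLE_WITHOUT_CAM_POLICY")
    if not is_master and policies and not has_role:
        findings.add("CAM_POLICY_WITHOUT_ROLE")
    # Heuristic of this example: full console access (project, resource group
    # and user management) held by someone read-only in every project.
    if ("QcloudWeDataFullAccess" in policies and not platform_roles
            and project_roles
            and set(project_roles.values()) == {"Ordinary member"}):
        findings.add("FULL_ACCESS_FOR_READ_ONLY_MEMBER")
    # Role assumption and role-based SSO expose no email/phone/SMS
    # information, so those alarm methods are not supported for them.
    alarms = set(account.get("alarm_methods", []))
    if account.get("login") in ROLE_LOGINS and alarms & CONTACT_ALARMS:
        findings.add("UNSUPPORTED_ALARM_METHOD")
    return sorted(findings)

FULL, RO = "QcloudWeDataFullAccess", "QcloudWeDataReadOnlyAccess"
# Constructed sample inventory (names and project IDs are not real).
INVENTORY = [
    {"name": "owner", "login": "master", "project_roles": {"sales_dw": "Project Admin"}},
    {"name": "etl_dev", "login": "sub_account", "project_roles": {"sales_dw": "Data Engineer"}},
    {"name": "viewer", "login": "sub_account", "cam_policies": [FULL],
     "project_roles": {"sales_dw": "Ordinary member"}},
    {"name": "oncall", "login": "sso_role", "cam_policies": [RO],
     "project_roles": {"sales_dw": "Ops engineers"}, "alarm_methods": ["sms"]},
    {"name": "new_hire", "login": "sub_account", "cam_policies": [RO]},
]

def review_all(inventory):
    # Map account name -> findings, keeping only accounts that have findings.
    return {a["name"]: f for a in inventory if (f := review(a))}
```

Calling `review_all(INVENTORY)` returns the flagged accounts keyed by name; the master account passes because it needs neither a policy nor manual membership.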

User and Permission Management Operation Process



Signing up for a Tencent Cloud account

Create a Tencent Cloud Main Account

Registration: If you haven't registered a Tencent Cloud root account yet, go to the homepage of the Tencent Cloud official website and click Free Registration in the top right corner of the page. For more details, see the registration guide.
Real-name authentication: The Tencent Cloud root account needs to complete real-name verification before purchasing and using Tencent Cloud products. For more details, see Authentication Guide.

Create a Tencent Cloud Sub-Account

1. Using your master account, log in to the Tencent Cloud CAM console. In the left navigation pane, choose Users > User List.
2. On the "User List" page, click Create User to create a sub-account, including Sub-users and Collaborators.



3. After successful creation, CAM will generate login information for the sub-account. You can click View User Details, then select Security and reset the password.





Notes:
If you require collaborative development with multiple users, create CAM sub-accounts for other team members.

Authorize Sub-Account to Access WeData Product

1. Using your master account, log in to the Tencent Cloud CAM console. In the left navigation pane, choose Users > User List.
2. On the "User List" page, select a sub-account, then click Authorize in the Operation column. Search for and select the QcloudWeDataFullAccess policy or the QcloudWeDataReadOnlyAccess policy.



3. Click Confirm to authorize sub-account WeData access permissions.
4. Inform collaborators of the required information for sub-account log-in: login entry, root account ID, and username and password.

Become a WeData Project-Level Member

Create a Project

Notes:
Only the WeData master account administrator has the permission to create projects. Upon successful creation, the administrator automatically becomes the project administrator for that project.
1. Log in to the WeData Console with a WeData Root Account Administrator account, enter the project list page, and click Create Project.

2. Configure project parameters
2.1 Choose the way to create the project: either "create and configure project" or "create project only".

2.2 Configure each parameter on the creation interface. The parameters are described in the table below.
| Category | Parameter | Description |
| --- | --- | --- |
| Ways to create | Creation type | You can select two ways to create a project: "create and configure project" and "create project only". |
| Basic Info | Project ID | Project English ID, unique within the region. Starts with a letter and can contain letters, numbers, and underscores, no more than 20 characters. |
| Basic Info | Project Name | Project Chinese display name, unique within the region. Starts with a letter or Chinese character, and can contain letters, Chinese characters, numbers, and underscores. |
| Basic Info | Description | A brief description of the created space. |
| Select engine type | EMR | After activation, you can use EMR in WeData to develop big data processing tasks. Go to the EMR console to activate it. |
| Select engine type | Data Lake Compute (DLC) | After activation, you can use Tencent Cloud DLC in WeData. Go to the DLC console to activate it. |
| Select engine type | Tencent Cloud TCHouse-P | After activation, you can use Tencent Cloud TCHouse-P in WeData. Go to the Tencent Cloud TCHouse-P console to activate it. |
| Select engine type | Tencent Cloud TCHouse-X | After activation, you can use Tencent Cloud TCHouse-X in WeData. Go to the Tencent Cloud TCHouse-X console to activate it. |
| Select engine type | Tencent Cloud TCHouse-D | A fully managed, highly available data warehouse that is MySQL-compatible, offers high-throughput concurrency, and enables efficient real-time OLAP analysis. Go to the Tencent Cloud TCHouse-D console to activate it. |
| Select engine type | Setats(Oceanus) | After activation, you can use SCS in WeData. Go to the SCS console to activate it. |
| Configure storage and computing engine | Engine region | Select the region where the compute engine instance is located. Different types of compute engine instances in WeData must be in the same region. |
| Configure storage and computing engine: EMR | Cluster Type | Two cluster types can be selected: EMR on CVM and EMR on TKE. |
| Configure storage and computing engine: EMR | Cluster Name | Select an EMR cluster that is available in the selected region for the current root account. If there is no available cluster, you can purchase an instance. |
| Configure storage and computing engine: EMR | Component Information | After selecting an EMR cluster, the component information contained in the EMR cluster will be automatically retrieved. |
| Configure storage and computing engine: EMR | Yarn Resource Queue | Select one or more Yarn Resource Queues in the EMR cluster. |
| Configure storage and computing engine: DLC | DLC Data Engine | Select one from the available DLC computational resources in the current root account's selected region. Currently supports two types of engines: standard engine and SuperSQL engine. |
| Configure storage and computing engine: DLC | Database Name | The database used by default for data access when no database is specified in DLC-related tasks. |
| Configure storage and computing engine: DLC | Test Connectivity | Test whether the WeData service can connect to the engine resource. |
| Configure storage and computing engine: TCHouse-P | TCHouse-P version | Select the TCHouse-P1.0 or TCHouse-P2.0 version. |
| Configure storage and computing engine: TCHouse-P | Cluster Name | The names of the TCHouse-P clusters that have been purchased in the selected region under this account. |
| Configure storage and computing engine: TCHouse-P | Username | Username for connecting to the TCHouse-P cluster. |
| Configure storage and computing engine: TCHouse-P | Password | Password for connecting to the TCHouse-P cluster. |
| Configure storage and computing engine: TCHouse-P | Test Connectivity | Test whether the username and password can connect to the cluster. If the test passes, you can create the project. If the connectivity test fails, it might be because WeData is blocked by the network firewall of the cluster. In this case, see adding the TCHouse-P cluster allowlist. |
| Configure storage and computing engine: TCHouse-X | Cluster Name | The names of the TCHouse-X clusters that have been purchased in the selected region under this account. |
| Configure storage and computing engine: TCHouse-X | Database Name | Specify the database name. |
| Configure storage and computing engine: TCHouse-X | Username | Username for connecting to the TCHouse-X cluster. |
| Configure storage and computing engine: TCHouse-X | Password | Password for connecting to the TCHouse-X cluster. |
| Configure storage and computing engine: TCHouse-X | Test Connectivity | Test whether the username and password can connect to the cluster. If the test passes, you can create the project. |
| Configure storage and computing engine: TCHouse-D | Cluster Name | The names of the TCHouse-D clusters that have been purchased in the selected region under this account. |
| Configure storage and computing engine: TCHouse-D | Database Name | Specify the database name. |
| Configure storage and computing engine: TCHouse-D | Username | Username for connecting to the TCHouse-D cluster. |
| Configure storage and computing engine: TCHouse-D | Password | Password for connecting to the TCHouse-D cluster. |
| Configure storage and computing engine: TCHouse-D | Test Connectivity | Test whether the username and password can connect to the cluster. If the test passes, you can create the project. |
| Configure storage and computing engine: Setats(Oceanus) | Cluster Name | Select a Setats cluster. |
| Configure storage and computing engine: Setats(Oceanus) | Workspace | Select a workspace. |
| Execute resource configuration: Scheduling resource | Scheduling resource | Scheduling resources are primarily used for scheduling data development tasks (including SQL tasks, shell tasks, and so on) on a timed basis. |
| Execute resource configuration: Scheduling resource | Associating the Resource | The scheduling resource must be located in the same region as the EMR. After association, the project exclusively uses the associated resource. This list only displays scheduling resources that are not associated with other projects. You can go to View Resources or Purchase Resources. |
| Execute resource configuration: Integration Resource | Integration Resource | The Integration Resource Group mainly operates data integration tasks. |
| Execute resource configuration: Integration Resource | Associating the Resource | After association, the project exclusively uses the associated resource. This list only displays integration resources that are not associated with other projects. You can go to View Resources or Associate Resources. |
3. After successful creation, the sub-account will automatically become the project administrator of the project.

Add to an Existing Project

1. Log in to the WeData Console with a project administrator account, enter the project list, select a project, and enter the Project Management module.

2. Select the Member and Role Management menu, add sub-accounts as project members, and assign project-level roles to them.

3. Click Role Management to view the permission list of WeData project-level roles.




Become a WeData Platform-Level Member

Automatic Addition

If a sub-account creates or joins a project, it will automatically become a WeData platform-level user, with the default member role being "None".


Manual Addition

1. Log in to the WeData Console using the root account or a sub-account with full read-write access to WeData. In the left sidebar, select User Management > Member Management.
2. Under the Member Management list, click Add.
3. Enter the Add User interface and add the CAM sub-user as a WeData user. The role of the successfully added user defaults to "None".



4. If you want to grant the sub-user permissions to create projects, purchase execution resource groups, manage users, etc., click the Edit button, enter the Add Role interface, and modify its member role.




5. Click Role Management to view the permission list for WeData global-level roles and create custom platform roles.


