Updated on 2024-02-02 GMT+08:00

Data Permissions

Permissions Policies

On the Instances page of the LakeFormation console, you can grant fine-grained data access permissions to user groups for all data resources such as catalogs, databases, and tables in an instance.

After the preceding authorization operations, one or more permission policies are generated.

A permission policy consists of an authorization entity, an authorization object, the granted permissions, and the authorization permission (whether the entity may grant those permissions onward). A permission policy can also be cancelled.

Authorization Entities

You can specify any user, user group, or role to be the authorization entity.

Entity Type can be set to GROUP, ROLE, or USER.

  • USER: Huawei Cloud IAM user
  • GROUP: Huawei Cloud IAM user group
  • ROLE: LakeFormation role

Authorization Objects

Authorization objects are the metadata objects managed in LakeFormation, that is, data resources such as catalogs, databases, and tables. For instance, you can grant permissions on the columns of a data table in a database. The values of Resource Type are CATALOG, DATABASE, TABLE, COLUMN, and FUNC.

  • CATALOG: A data catalog stores multiple databases.
  • DATABASE: A database contains multiple data tables or functions.
  • TABLE: A data table contains multiple columns.
  • COLUMN: Columns in a LakeFormation table.
  • FUNC: Functions managed by LakeFormation.

Permissions

You can grant different access and operation permissions on a data resource to an authorization entity, such as ALTER, DROP, and ALL. The permissions that can be granted to each authorization object are as follows:

  • CATALOG: ALL, ALTER, CREATE_DATABASE, and DROP
  • DATABASE: ALL, ALTER, DROP, DESCRIBE, LIST_TABLE, LIST_FUNC, CREATE_TABLE, and CREATE_FUNC
  • TABLE: ALL, ALTER, DROP, DESCRIBE, UPDATE, INSERT, SELECT, and DELETE
  • COLUMN: SELECT
  • FUNC: ALL, ALTER, DROP, DESCRIBE, and EXEC

Authorization Permission

Select Grant Authorization Permission to allow an entity to grant the permissions it holds to other entities.
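The permission matrix above and the grant option can be checked before a policy is issued. The following is an added example written for this page, not LakeFormation code or its API: it only models the entity types, resource types, per-resource permissions and Grant Authorization Permission described here. It assumes ALL stands for every permission on a resource and matches a grantor by entity name only (group or role membership is not resolved); entity and resource names are constructed samples.

```python
# Added example: a stand-alone model of LakeFormation-style permission
# policies, used to validate grant requests before they are issued.
# Not the LakeFormation API or SDK: it only encodes the entity types,
# resource types, permission matrix and grant option from this page.
from dataclasses import dataclass

ENTITY_TYPES = {"USER", "GROUP", "ROLE"}

# Permissions each resource type accepts (the page's lists).
ALLOWED = {
    "CATALOG": {"ALL", "ALTER", "CREATE_DATABASE", "DROP"},
    "DATABASE": {"ALL", "ALTER", "DROP", "DESCRIBE", "LIST_TABLE",
                 "LIST_FUNC", "CREATE_TABLE", "CREATE_FUNC"},
    "TABLE": {"ALL", "ALTER", "DROP", "DESCRIBE", "UPDATE", "INSERT",
              "SELECT", "DELETE"},
    "COLUMN": {"SELECT"},
    "FUNC": {"ALL", "ALTER", "DROP", "DESCRIBE", "EXEC"},
}

@dataclass(frozen=True)
class Policy:
    entity_type: str      # USER, GROUP or ROLE
    entity: str           # constructed sample names are used in tests
    resource_type: str    # CATALOG, DATABASE, TABLE, COLUMN or FUNC
    resource: str
    permissions: frozenset
    grant_option: bool = False  # "Grant Authorization Permission"

def validate(policy):
    """Return the problems found; an empty list means the policy is well-formed."""
    errors = []
    if policy.entity_type not in ENTITY_TYPES:
        errors.append(f"unknown entity type {policy.entity_type}")
    allowed = ALLOWED.get(policy.resource_type)
    if allowed is None:
        errors.append(f"unknown resource type {policy.resource_type}")
    else:
        for p in sorted(policy.permissions - allowed):
            errors.append(f"{p} cannot be granted on {policy.resource_type}")
    return errors

def can_delegate(existing, grantor, policy):
    """True if grantor holds every requested permission on the same resource
    with the grant option. Assumption: ALL stands for every permission."""
    held = set()
    for pol in existing:
        if pol.entity == grantor and pol.grant_option and \
           (pol.resource_type, pol.resource) == (policy.resource_type, policy.resource):
            held |= ALLOWED.get(pol.resource_type, set()) if "ALL" in pol.permissions else set(pol.permissions)
    return not validate(policy) and policy.permissions <= held
```

Running such a check on the grantor side keeps delegated grants within what the grantor actually holds, which is the least-privilege property the grant option is meant to preserve.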