Permission Management
If you need to assign different permissions to employees in your enterprise to access your LakeFormation resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permission management, and access control, helping you secure access to your Huawei Cloud resources.
With IAM, you can create IAM users for your employees, and assign permissions to these users to control their access to specific resource types. For example, if you want them to use LakeFormation but must not delete the databases or perform any high-risk operations, you can create IAM users and grant them only the permissions to query LakeFormation instances but not to delete them.
If your HUAWEI CLOUD account does not need individual IAM users for permission management, you may skip this section.
IAM is a free service. You only pay for the resources in your account. For more information about IAM, see What Is IAM?.
LakeFormation Service Permission
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.
LakeFormation permissions are assigned to users in the global project, and users do not need to switch regions when accessing OBS.
You can grant permissions by using roles and policies.
- Roles: A coarse-grained authorization mechanism provided by IAM to define permissions based on job responsibilities. Only a limited number of service-level roles are available for authorization. If one role has a dependency role required for accessing SA, assign both roles to the users. Roles are not ideal for fine-grained authorization and least privilege access.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for secure access control. For example, you can grant users only permission to manage cloud servers of a certain type.
Operation Type |
Item |
Description |
|---|---|---|
Read-only |
lakeformation:instance:describe |
Permission to query LakeFormation instances. |
lakeformation:catalog:describe |
Permission to query the data catalogs of LakeFormation metadata. |
|
lakeformation:database:describe |
Permission to query the databases of LakeFormation metadata. |
|
lakeformation:table:describe |
Permission to query the data tables of LakeFormation metadata. |
|
lakeformation:function:describe |
Permission to query the functions of LakeFormation metadata. |
|
lakeformation:policy:describe |
Permission to query LakeFormation permission policies. |
|
lakeformation:policy:export |
Permission to query LakeFormation permission policies in batches. |
|
lakeformation:agency:describe |
Permission to query LakeFormation agencies. |
|
lakeformation:credential:describe |
Permission to obtain the authentication information for accessing LakeFormation. |
|
lakeformation:group:describe |
Permission to obtain the relationship between a LakeFormation user group and its associated roles. |
|
lakeformation:user:describe |
Permission to obtain the relationship between a LakeFormation user and its associated roles. |
|
lakeformation:role:describe |
Permission to query LakeFormation roles. |
|
lakeformation:configuration:describe |
Permission to query user configurations. |
|
lakeformation:access:describe |
Permission to query the client access permission. |
|
lakeformation:job:describe |
Permission to query LakeFormation tasks. |
|
Write |
lakeformation:instance:create |
Permission to create LakeFormation instances. |
lakeformation:role:create |
Permission to create LakeFormation roles. |
|
lakeformation:policy:create |
Permission to create LakeFormation permission policies. |
|
lakeformation:function:create |
Permission to create the functions of LakeFormation metadata. |
|
lakeformation:catalog:create |
Permission to create the data catalogs of LakeFormation metadata. |
|
lakeformation:database:create |
Permission to create the databases of LakeFormation metadata. |
|
lakeformation:table:create |
Permission to create the tables of LakeFormation metadata. |
|
lakeformation:access:create |
Permission to create the client access permission. |
|
lakeformation:agency:create |
Permission to create LakeFormation agencies. |
|
lakeformation:job:create |
Permission to create LakeFormation tasks. |
|
lakeformation:instance:alter |
Permission to modify LakeFormation instances. |
|
lakeformation:catalog:alter |
Permission to modify the data catalogs of LakeFormation metadata. |
|
lakeformation:database:alter |
Permission to modify the databases of LakeFormation metadata. |
|
lakeformation:table:alter |
Permission to modify the tables of LakeFormation metadata. |
|
lakeformation:function:alter |
Permission to modify the functions of LakeFormation metadata. |
|
lakeformation:role:alter |
Permission to modify the relationship between a LakeFormation role and its associated user groups. |
|
lakeformation:group:alter |
Permission to modify the relationship between a LakeFormation user group and its associated roles. |
|
lakeformation:user:alter |
Permission to modify the relationship between a LakeFormation user and its associated roles. |
|
lakeformation:job:alter |
Permission to modify LakeFormation tasks. |
|
lakeformation:instance:drop |
Permission to delete LakeFormation instances. |
|
lakeformation:role:drop |
Permission to delete LakeFormation roles. |
|
lakeformation:policy:drop |
Permission to delete LakeFormation permission policies. |
|
lakeformation:function:drop |
Permission to delete the functions of LakeFormation metadata. |
|
lakeformation:catalog:drop |
Permission to delete the data catalogs of LakeFormation metadata. |
|
lakeformation:database:drop |
Permission to delete the databases of LakeFormation metadata. |
|
lakeformation:table:drop |
Permission to delete the tables of LakeFormation metadata. |
|
lakeformation:access:delete |
Permission to delete the client access permission. |
|
lakeformation:agency:drop |
Permission to delete LakeFormation agencies. |
|
lakeformation:job:drop |
Permission to delete LakeFormation tasks. |
|
lakeformation:transaction:operate |
Permission to operate LakeFormation transactions. |
|
lakeformation:instance:access |
Permission to query a LakeFormation instance or apply for the access to it. |
|
lakeformation:job:exec |
Permission to execute LakeFormation tasks. |
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
LakeFormation FullAccess |
Administrator permissions for LakeFormation. Users granted these permissions can use all LakeFormation functions. |
System policy |
N/A |
LakeFormation ReadOnlyAccess |
Read-only permissions for LakeFormation. Users granted these permissions can query LakeFormation data. |
System policy |
N/A |
LakeFormation CommonAccess |
Basic permissions for LakeFormation, including viewing, authorizing, and canceling the LakeFormation service agreement and basic permissions for dependent services such as OBS and TMS. |
System policy |
N/A |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
