Updated on 2024-11-27 GMT+08:00

LakeFormation Permission Overview

LakeFormation uses a combination of coarse-grained Identity and Access Management (IAM) permissions and fine-grained LakeFormation permissions to manage metadata and data permissions for fine-grained access control.

  • Coarse-grained IAM permissions are broad permissions that cover whole groups of operations. For example, to control whether users can create tables, it is recommended to grant lakeformation:*:create (permission to create all LakeFormation metadata) rather than lakeformation:table:create (permission to create LakeFormation data tables), and then use the fine-grained LakeFormation permission CREATE_TABLE to decide whether a user can create table metadata within a specific database.
  • Fine-grained LakeFormation permissions grant access to metadata, OBS paths, and the data within them to entities, including users, user groups, and roles.

The IAM permission model consists of IAM policies. The LakeFormation permission model uses the permission entities, authorization objects, and permission composition defined by LakeFormation. For details, see Basic Concepts.

When a user requests access to metadata or data, the request is allowed only if it passes both the IAM permission check and the LakeFormation permission check.
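The two-layer check described above, modelled as an added Python example (not LakeFormation's own code): the IAM policy structure, the grant structure, and the principal and database names are simplified assumptions, but the wildcard action pattern and the CREATE_TABLE permission follow the text.

```python
import fnmatch
from dataclasses import dataclass


@dataclass
class IamPolicy:
    """Assumed, simplified IAM policy: a list of allowed action patterns."""
    actions: list


@dataclass
class LakeFormationGrant:
    """Assumed, simplified fine-grained grant: permissions on one database for one principal."""
    principal: str      # user, user group or role name
    database: str
    permissions: set


def iam_allows(policies, action):
    """Coarse-grained layer: true if any policy action pattern matches the requested action.
    The '*' segment in 'lakeformation:*:create' stands for any LakeFormation resource type."""
    return any(fnmatch.fnmatchcase(action, pattern)
               for policy in policies for pattern in policy.actions)


def lakeformation_allows(grants, principals, database, permission):
    """Fine-grained layer: true if the permission is granted on that database to any
    principal the requester belongs to (their user, user groups or roles)."""
    return any(grant.database == database and permission in grant.permissions
               for grant in grants if grant.principal in principals)


def can_create_table(policies, grants, principals, database):
    """Both layers must allow the request; anything else is denied (default deny)."""
    return (iam_allows(policies, "lakeformation:table:create")
            and lakeformation_allows(grants, principals, database, "CREATE_TABLE"))


# Constructed sample: IAM grants the broad create action, while LakeFormation grants
# CREATE_TABLE only on the 'sales' database to the 'analysts' user group.
SAMPLE_POLICIES = [IamPolicy(actions=["lakeformation:*:create"])]
SAMPLE_GRANTS = [LakeFormationGrant("analysts", "sales", {"CREATE_TABLE"})]

if __name__ == "__main__":
    alice = ["alice", "analysts"]   # user plus the group she belongs to
    bob = ["bob"]                    # user with no group or role membership
    print(can_create_table(SAMPLE_POLICIES, SAMPLE_GRANTS, alice, "sales"))    # True
    print(can_create_table(SAMPLE_POLICIES, SAMPLE_GRANTS, alice, "finance"))  # False: no grant on finance
    print(can_create_table(SAMPLE_POLICIES, SAMPLE_GRANTS, bob, "sales"))      # False: no LakeFormation grant
    print(can_create_table([], SAMPLE_GRANTS, alice, "sales"))                 # False: IAM layer denies
```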