Creating a Custom Policy
Custom policies can be created for LakeFormation to supplement system-defined policies.
To create a custom policy, use either the visual editor or JSON.
- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
- JSON: Create a policy in the JSON format from scratch or based on an existing policy.
For details, see Creating a Custom Policy.
The following section contains examples of common LakeFormation custom policies.
Example Custom Policies
- Example 1: Grant the read-only permission on LakeFormation in batches to a user.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:instance:describe",
                "lakeformation:role:describe",
                "lakeformation:policy:export",
                "lakeformation:group:describe",
                "lakeformation:function:describe",
                "lakeformation:catalog:describe",
                "lakeformation:policy:describe",
                "lakeformation:table:describe",
                "lakeformation:database:describe"
            ]
        }
    ]
}
- Example 2: Deny data deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.
The following method can be used if you need to assign permissions of the Admin policy to a user but you want to prevent the user from deleting LakeFormation catalogs, databases, and tables. Create a custom policy for denying deletion, and attach both policies to the group to which the user belongs. Then, the user can perform all operations on catalogs, databases, and tables except deleting them.
Example policy denying deletion of LakeFormation catalogs, databases, and tables:
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "lakeformation:database:drop",
                "lakeformation:table:drop",
                "lakeformation:catalog:drop"
            ]
        }
    ]
}
- Example 3: Create a custom policy that contains the actions of multiple services.
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:CreateBucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:table:create",
                "lakeformation:database:create",
                "lakeformation:catalog:create"
            ]
        }
    ]
}
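The evaluation rule stated in Example 2 (a matching "Deny" overrides any "Allow"; an action matched by neither statement is not granted) can be checked offline before a policy is attached. The following Python script is an added example written for this page, not LakeFormation or IAM code. It validates that a policy has the shape shown in the examples above and then computes the effective outcome for a set of actions when several policies are attached to one user. The Admin policy's action list is not given on the page, so the "Admin-like" allow policy below is a constructed stand-in; only exact action names are compared, and wildcard matching is deliberately not modelled.

```python
import json

# The page's Example 2 deny policy, loaded from its JSON text.
DENY_DELETE_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "lakeformation:database:drop",
        "lakeformation:table:drop",
        "lakeformation:catalog:drop"
      ]
    }
  ]
}
""")

# Constructed stand-in for the Admin policy (assumption: the page does not
# list the Admin policy's actions, so this allow-list is made up for the demo).
ADMIN_LIKE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:catalog:create",
                "lakeformation:catalog:describe",
                "lakeformation:catalog:drop",
                "lakeformation:database:create",
                "lakeformation:database:describe",
                "lakeformation:database:drop",
                "lakeformation:table:create",
                "lakeformation:table:describe",
                "lakeformation:table:drop",
            ],
        }
    ],
}


def validate_policy(policy):
    """Return a list of problems; an empty list means the policy has the
    shape used on this page: Version "1.1" and a non-empty Statement list
    whose entries carry an Allow/Deny Effect and a non-empty Action list of
    service:resource:operation strings."""
    problems = []
    if policy.get("Version") != "1.1":
        problems.append('Version must be "1.1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"Statement {i}: Effect must be Allow or Deny")
        actions = stmt.get("Action")
        if not isinstance(actions, list) or not actions:
            problems.append(f"Statement {i}: Action must be a non-empty list")
            continue
        for action in actions:
            if not isinstance(action, str) or action.count(":") != 2:
                problems.append(
                    f"Statement {i}: {action!r} is not service:resource:operation")
    return problems


def decide(policies, action):
    """Evaluate one action against every attached policy.
    Any matching Deny wins ("explicit-deny"); otherwise a matching Allow
    grants it ("allow"); an action matched by nothing is "implicit-deny"."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if action not in stmt["Action"]:
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def effective_permissions(policies, actions):
    """Map each action to its outcome under the given set of policies."""
    return {action: decide(policies, action) for action in actions}


if __name__ == "__main__":
    attached = [ADMIN_LIKE_POLICY, DENY_DELETE_POLICY]
    for policy in attached:
        assert not validate_policy(policy), validate_policy(policy)
    probe = ["lakeformation:table:create", "lakeformation:table:drop",
             "lakeformation:catalog:drop", "obs:bucket:CreateBucket"]
    for action, outcome in effective_permissions(attached, probe).items():
        print(f"{action:35} {outcome}")
```

Running the script shows the behaviour described in Example 2: with both policies attached, the create and describe actions are allowed while every drop action is denied, and an action from another service such as obs:bucket:CreateBucket that no statement mentions is not granted at all. The validator is a cheap pre-check for hand-written JSON; it catches a wrong Version, a misspelled Effect, or an action string that is not in service:resource:operation form before the policy is uploaded.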