Help Center/ DataArts Lake Formation/ User Guide/ Planning LakeFormation Metadata/ Configuring LakeFormation Metadata Permissions
Updated on 2025-07-31 GMT+08:00

Configuring LakeFormation Metadata Permissions

Overview

LakeFormation permissions can be configured in three dimensions: database, table, and function.

Cloud service administrators can configure permissions of different user groups for objects to centrally manage data lake resources.

For IAM users or user groups, you can associate them with fine-grained permission policies of LakeFormation to implement feature availability control. For details, see Creating a LakeFormation Custom Policy. If there are a large amount of data resources in a data lake, you are advised to use the LakeFormation console to centrally manage permissions for these resources.

The following table lists the main elements in LakeFormation permission configuration.

Table 1 LakeFormation permission elements

Element

Description

Authorization Entity

An entity to which permissions are granted. The entity can be a user group, role, IAM user, or agency.

The name of an authorization entity cannot contain hyphens (-).

Granted To

  • Resources managed in LakeFormation.
    • Catalogs
    • Databases
    • Tables
    • Columns
    • Functions
  • OBS paths.

Operation Type

Access permission on the authorization object that the authorization entity has. Different authorization objects support different operations. For details, see Table 2.

Grant Authorization Permission

Whether to grant the authorization permission. After the authorization permission is granted, the authorization entity can grant the permission to other authorization entities.

Table 2 Permissions of different authorization objects

Authorization Object

Operation Type

Permissions Description

Catalog

ALL

Perform all operations on catalogs.

ALTER

Modify catalogs.

CREATE_DATABASE

Create databases.

DROP

Delete catalogs.

DESCRIBE

Check the metadata of catalogs or switch catalogs.

LIST_DATABASE

View the resources in a catalog.

Database

ALL

Perform all operations on databases.

ALTER

Modify databases.

DROP

Delete databases.

DESCRIBE

Check the metadata of databases or switch databases.

LIST_TABLE

View the resources in a database.

LIST_FUNC

View functions in a database.

CREATE_TABLE

Create a table in a database.

CREATE_FUNC

Create a function in a database.

Table

ALL

Perform all operations on tables.

ALTER

Modify tables.

DROP

Delete tables.

DESCRIBE

Check the metadata of tables.

UPDATE

Update data of a table.

INSERT

Insert data into a table.

SELECT

Query data in a table.

DELETE

Delete data from a table.

Column

SELECT

Query column data in a table.

Function

ALL

Perform all operations on functions.

ALTER

Modify functions.

DROP

Delete functions.

DESCRIBE

Check the metadata of functions.

EXEC

Execute functions.

Path

READ

Read files stored in a path.

WRITE

Write data into the files stored in a path.

System permission administrators vs. Service permission administrators

They have different IAM permission requirements and scopes of permission management.

  • System permission administrators
    • IAM operation permissions required: lakeformation:policy:describe, lakeformation:policy:create, and lakeformation:policy:drop.
    • Permission management scope: They can assign metadata permissions to other authorization entities and revoke the assigned permissions as well.
  • Service permission administrators
    • IAM operation permissions required: lakeformation:policy:describe and lakeformation:policy:delegate.
    • Permission management scope: They are authorized to assign and revoke metadata permissions only after they have received the requisite permissions from the service permission administrators.

Assume that there are system permission administrator (User A), service permission administrator (User B), and common user (User C). After User A grants the ALL permissions on Catalog1 and authorization permissions to User B, User B can grant the DESC permission on Catalog1 to User C. However, User B cannot grant the permissions on other catalogs to User C.

Constraints

  • The name of an authorization entity cannot contain hyphens (-).
  • A maximum of 256 permission policies can be granted to a single table.

Prerequisites

Before authorization, ensure that the entity to be authorized exists. For example, the IAM user group has been created.

Adding an Authorization Policy

  1. Log in to the LakeFormation console.
  2. Select the target LakeFormation instance from the drop-down list box on the left and choose Data Permissions > Data Authorization.
  3. Click Authorize. In the displayed dialog box, set parameters by referring to the following table and click OK.

    Table 3 Data authorization parameters

    Parameter

    Description

    Entity Type

    Type of the entity to be authorized. Options:

    • User group
    • Role
    • IAM user
    • Agency

    Select User Group/Role/Select IAM user/Select Agency

    Name of the entity to be authorized. The name cannot contain hyphens (-). Otherwise, the operation may fail.

    • Select User Group: Select the user group to be authorized, for example, IAM user group. You can create one on the IAM console in advance.
    • Role: Select the role to be authorized. You can create roles in advance by following the instructions provided in Creating a Role and Granting Permissions.
    • Select IAM user: Select an IAM user to be authorized.
    • Select Agency: Select an agency to be authorized.

    Granted To

    • Resources: Indicates that the authorization objects are resources in LakeFormation instances.
    • Paths: Indicates that the authorization objects are OBS paths. This authorization type is used to grant permissions to foreign tables or functions.

    Resource Type

    Type of the resource to be authorized. This parameter is displayed when Granted To is set to Resources.

    Select the catalog, database, table, column, and function to be authorized based on site requirements.

    Row Filter Criterion

    Whether to set row filtering criteria for the permission policy. This parameter is displayed when Resource Type is set to Table or Column. After this parameter is set, Column Masking Type and Column Masking Parameters cannot be set.

    • The format is as follows: Column name Operator Column value

      The following operators are supported: =, <=, <, >, >=, and like.

      For example, if the row filter criterion is set to "department = financial", the row whose value is financial in the department column is selected.

    • After the row filter criteria are set, the operation type can only be SELECT.

    Column Masking Type

    Select the column masking type. This parameter is available when Resource Type is set to Column. After this parameter is set, Row Filter Condition cannot be set.

    • PARTIAL_MASK: Mask some data.
    • REDACT: Modify the data in the original column.
    • HASH: Use the hash algorithm for encryption.
    • NULLIFY: Replace the original value with the NULL value.
    • UNMASKED: Display the original information.
    • DATA_ONLY_SHOW_YEAR: Display only the year part of a date string.
    • CUSTOM: Use user-defined masking rules.
    NOTE:

    LakeFormation provides only the functions of managing and obtaining dynamic masking policies. LakeFormation does not handle conflicts involving dynamic masking policies.

    Column Masking Parameters

    An option of the column masking type. You can configure the parameters by referring to Table 4. This parameter is available when Resource Type is set to Column. After this parameter is set, Row Filter Condition cannot be set.

    Path

    This parameter is displayed when Granted To is set to Paths.

    Click and select the OBS path to be authorized. You can select a maximum of 10 paths.

    You cannot select a path that has been authorized by another LakeFormation instance to avoid permission conflicts.

    Operation Type

    Operation type to be authorized. Options vary depending on the value you selected for Granted To. For details, see Table 2.

    • When granting the SELECT permission to a table, you need to configure Column. For example, set it to *.
    • After Column Masking Type is set, the operation type can only be SELECT.

    Grant Authorization Permission

    Whether to grant the authorization permission.

    After authorization permission is granted, an authorization entity has the permission to authorize an object to other authorization entities.

    Table 4 Column masking parameters

    Column Masking Type

    Column Masking Parameter (example)

    Masking Description

    PARTIAL_MASK

    show last 4

    Display only the last four characters, for example, *******1234.

    show first 4

    Display only the first four characters, for example, 1234*******.

    REDACT

    #

    Use the number sign (#) to modify the data in the original column, for example, ###########.

    *

    Use asterisks (*) to modify the data in the original column, for example, ***********.

    HASH

    hash256

    Use the hash256 algorithm to encrypt data in a column.

    NULLIFY

    None

    Replace the original value with NULL.

    UNMASKED

    None

    Display the original information.

    DATA_ONLY_SHOW_YEAR

    None

    Display only the year part of a date string.

    CUSTOM

    Custom

    Use user-defined masking rules.

  4. Click Cancel Authorization in the Operation column and click OK to cancel the authorization.

    Cancelled authorizations cannot be recovered.

  5. To modify the row filter criteria, click More in the Operation column and click Edit Row Filter. This operation is supported only when row filter criteria are configured.
  6. To modify the column masking configuration, click More in the Operation column and click Edit Column Masking Parameter. This operation is supported only when column masking is configured.

Adding Permissions for a Specified Resource

You can add permissions for a specified resource (database or table).

  1. Log in to the LakeFormation console.
  2. Select the target LakeFormation instance from the drop-down list box on the left.
  3. Access the page for granting permissions to a specified resource.

    • Catalog: In the navigation pane, choose Metadata > Catalog. In the Operation column of the catalog to be authorized, choose More > Authorize.
    • Database: In the navigation pane on the left, choose Metadata > Database. In the upper right corner, select the name of the catalog to which the target database belongs from the Catalog drop-down list, and choose More > Authorize in the Operation column of the database.
    • Data Table: In the navigation pane, choose Metadata > Table. In the upper right corner, select the catalog to which the target data table belongs and the database name from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the data table.
    • Function: In the navigation pane on the left, choose Metadata > Function. In the upper right corner, select the catalog to which the target function belongs and the name of the database from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the function.

  4. Configure related information by referring to Table 3 and click OK.
  5. Choose Data Permissions > Data Authorization to view the authorization information.

    After the authorization is complete, users in the selected user group or users or user groups with the selected role can perform operations on the current resource.

Reference