Help Center/ DataArts Lake Formation/ User Guide/ Data Permission Management/ Granting permissions
Updated on 2025-01-10 GMT+08:00
View PDF
Share

Granting permissions

You can centrally manage permissions on resources in the data lake and grant permissions to different authorization entities on the LakeFormation console.

Before authorization, ensure that the entity to be authorized exists. For example, the IAM user group has been created.

You can centrally manage permissions on resources in the data lake on the LakeFormation console. IAM users and user groups can also be associated with fine-grained permission policies of LakeFormation for authorization. For details, see Creating a Custom Policy. If there are a large number of data resources in the data lake, you are advised to use the LakeFormation console to centrally manage permissions on resources in the data lake.

Adding an Authorization Policy

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. Select the target LakeFormation instance from the drop-down list box on the left and choose Data Permissions > Data Authorization.
  4. Click Authorize. In the displayed dialog box, set parameters by referring to the following table and click OK.

    • The name of an authorization entity cannot contain hyphens (-). Otherwise, the operation may fail.
    • A maximum of 256 permission policies can be granted to a single table.
    Table 1 Data authorization parameters

    Parameter

    Description

    Entity Type
    • User Group(s): Select the user group to be authorized, for example, IAM user group. You can create one on the IAM console in advance.
    • Role: Select the role to be authorized. You can create roles in advance by following the instructions provided in Creating a Role and Binding a User with It.
    • IAM User: Select an IAM user that you want to grant permissions to.
    • Agency: Select an agency.

    Granted To
    • Resources: authorizes the resources in LakeFormation instances.
    • Paths: authorizes the paths in the OBS service. This authorization type is used to grant permissions to foreign tables or functions.

    Resource Type

    Select the type of the resource to be authorized. This parameter is displayed when Granted To is set to Resources.

    Select the catalog, database, table, column, and function to be authorized based on site requirements.

    NOTE:

    When granting the SELECT permission to a table, you need to select columns at the same time. For example, set Column to * to select all columns.

    Row Filter Criterion

    Whether to set row filtering criteria for the permission policy. This parameter is displayed when Resource Type is set to Table or Column.

    • The format is as follows: Column name Operator Column value

      The following operators are supported: =, <=, <, >, >=, and like.

      For example, if the row filter criterion is set to "department = financial", the row whose value is financial in the department column is selected.

    • After the row filter criteria are set, the operation type can only be SELECT.

    Column Masking Type

    Select the column masking type. This parameter is available when Resource Type is set to Column.

    • PARTIAL_MASK: Mask some data.
    • REDACT: Modify the data in the original column.
    • HASH: Use the hash algorithm for encryption.
    • NULLIFY: Replace the original value with the NULL value.
    • UNMASKED: Display the original information.
    • DATA_ONLY_SHOW_YEAR: Display only the year part of a date string.
    • CUSTOM: Use user-defined masking rules.
    NOTE:
    • After a column masking rule is set, the operation type can only be SELECT.
    • LakeFormation provides only the functions of managing and obtaining dynamic masking policies. LakeFormation does not handle conflicts involving dynamic masking policies.

    Column Masking Parameters

    An option of the column masking type. You can configure the parameters by referring to Table 2. This parameter is available when Resource Type is set to Column.

    Path

    This parameter is displayed when Granted To is set to Paths.

    Click to select a path in the authorized OBS file system. You can select a maximum of 10 paths.

    Operation Type

    Select the operation type to be authorized. Different authorization types have different operation types. For details, see Table 2.

    Grant Authorization Permission

    Whether to grant the authorization permission.

    After authorization permission is granted, an authorization entity has the permission to authorize an object to other authorization entities.
    Table 2 Column masking parameters

    Column Masking Type

    Column Masking Parameter (example)

    Masking Description

    PARTIAL_MASK

    show last 4

    Display only the last four characters, for example, *******1234.

    show first 4

    Display only the first four characters, for example, 1234*******.

    REDACT

    #

    Use the number sign (#) to modify the data in the original column, for example, ###########.

    *

    Use asterisks (*) to modify the data in the original column, for example, ***********.

    HASH

    hash256

    Use the hash256 algorithm to encrypt data in a column.

    NULLIFY

    None

    Replace the original value with NULL.

    UNMASKED

    None

    Display the original information.

    DATA_ONLY_SHOW_YEAR

    None

    Display only the year part of a date string.

    CUSTOM

    Custom

    Use user-defined masking rules.

  5. Click Cancel Authorization in the Operation column and click OK to cancel the authorization.

    Revoked authorizations cannot be recovered.

    To modify the row filter criteria, click More in the Operation column and click Edit Row Filter. This operation is supported only when row filter criteria are configured.

    To modify the column masking configuration, click More in the Operation column and click Edit Column Masking Parameter. This operation is supported only when column masking is configured.

Adding Permissions for a Specified Resource

You can add permissions for a specified resource (database or table).

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. Select the target LakeFormation instance from the drop-down list box on the left.
  4. Access the page for granting permissions to a specified resource.

    • Catalog: In the navigation pane, choose Metadata > Catalog. In the Operation column of the catalog to be authorized, choose More > Authorize.
    • Database: In the navigation pane on the left, choose Metadata > Database. In the upper right corner, select the name of the catalog to which the target database belongs from the Catalog drop-down list, and choose More > Authorize in the Operation column of the database.
    • Data Table: In the navigation pane, choose Metadata > Table. In the upper right corner, select the catalog to which the target data table belongs and the database name from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the data table.
    • Function: In the navigation pane on the left, choose Metadata > Function. In the upper right corner, select the catalog to which the target function belongs and the name of the database from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the function.

  5. Configure related information by referring to Table 1 and click OK.
  6. Choose Data Permissions > Data Authorization to view the authorization information.

    After the authorization is complete, users in the selected user group or users or user groups with the selected role can perform operations on the current database.