Help Center/ DataArts Lake Formation/ User Guide/ Data Permission Management/ Granting permissions
Updated on 2024-07-22 GMT+08:00
View PDF
Share

Granting permissions

You can centrally manage permissions on resources in the data lake and grant permissions to different authorization entities on the LakeFormation console.

Before authorization, ensure that the entity to be authorized exists. For example, the IAM user group has been created.

You can centrally manage permissions on resources in the data lake on the LakeFormation console. IAM users and user groups can also be associated with fine-grained permission policies of LakeFormation for authorization. For details, see Creating a Custom Policy. If there are a large number of data resources in the data lake, you are advised to use the LakeFormation console to centrally manage permissions on resources in the data lake.

Adding an Authorization Policy

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. Select the target LakeFormation instance from the drop-down list box on the left and choose Data Permissions > Data Authorization.
  4. Click Authorize. In the displayed dialog box, set parameters by referring to the following table and click OK.

    The name of an authorization entity (including users, user groups, and roles) cannot contain hyphens (-). Otherwise, the operation may fail.

    Table 1 Data authorization parameters

    Parameter

    Description

    Entity Type

    User group

    Select User Group(s): Select the user group to be authorized, for example, IAM user group. You can create one on the IAM console in advance.

    Role

    Role: Select the role to be authorized. You can create roles in advance by following the instructions provided in Creating a Role and Binding a User with It.

    User

    Select User(s): Select the user to be authorized.

    Granted To
    • Resources: authorizes the resources in LakeFormation instances.
    • Paths: authorizes the paths in the OBS service. This authorization type is used to grant permissions to foreign tables or functions.

    Resource Type

    Catalog

    This parameter is displayed when Granted To is set to Resources.

    Select the type of the resource to be authorized.

    NOTE:

    When granting the SELECT permission to a table, you need to select columns at the same time. For example, set Column to * to select all columns.

    Database

    Table

    Column

    Function

    Row Filter Criterion

    Whether to set row filtering criteria for the permission policy.

    For example, set the row filtering condition to department = "financial".

    This parameter is displayed when Resource Type is set to Table or Column. After the row filter criteria are set, the operation type can only be SELECT.

    Paths

    This parameter is displayed when Granted To is set to Paths.

    Click to select a path in the authorized OBS file system. You can select a maximum of 10 paths.

    Operation Type

    Select the operation type to be authorized. Different authorization types have different operation types. For details, see Table 2.

    Grant Authorization Permission

    Whether to grant the authorization permission.

    After authorization permission is granted, an authorization entity has the permission to authorize an object to other authorization entities.

  5. Click Cancel Authorization in the Operation column and click OK to cancel the authorization of a user group or role.

    Revoked authorizations cannot be recovered.

Adding Permissions for a Specified Resource

You can add permissions for a specified resource (database or table).

  1. Log in to the LakeFormation console.
  2. In the upper left corner, click and choose Analytics > LakeFormation to access the LakeFormation console.
  3. Select the target LakeFormation instance from the drop-down list box on the left.
  4. Access the page for granting permissions to a specified resource.

    • Catalog: In the navigation pane, choose Metadata > Catalog. In the Operation column of the catalog to be authorized, choose More > Authorize.
    • Database: In the navigation pane on the left, choose Metadata > Database. In the upper right corner, select the name of the catalog to which the target database belongs from the Catalog drop-down list, and choose More > Authorize in the Operation column of the database.
    • Data Table: In the navigation pane, choose Metadata > Table. In the upper right corner, select the catalog to which the target data table belongs and the database name from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the data table.
    • Function: In the navigation pane on the left, choose Metadata > Function. In the upper right corner, select the catalog to which the target function belongs and the name of the database from the Catalog and Database drop-down lists. Click Authorize in the Operation column of the function.

  5. Configure related information by referring to Table 1 and click OK.
  6. Choose Data Permissions > Data Authorization to view the authorization information.

    After the authorization is complete, users in the selected user group or users or user groups with the selected role can perform operations on the current database.