Creating a User and Assigning Permissions
This chapter describes how to use What Is IAM? to implement fine-grained permissions control for your LakeFormation instances. With IAM, you can:
- Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing the resources.
- Assign users only the permissions required to perform a given task based on their job responsibilities.
- Entrust an account or a cloud service to perform professional and efficient O&M on your resources.
If your cloud account does not need individual IAM users, skip this section.
This section describes the procedure for granting permissions. See Figure 1 for details.
Prerequisites
Before assigning permissions to a user group, learn about LakeFormation permissions in LakeFormation Permissions and select them as needed.
If you need to assign permissions to other services, check all the policies supported by IAM in System-defined Permissions.
Procedure
- Creating a User Group and Assigning Permissions
Create a user group on the IAM console, and assign LakeFormation permissions to the group.
- Create an IAM user.
Create a user on the IAM console and add the user to the group created in 1.
- Log in and verify permissions.
Log in to the console as the user you created, and verify that the user has the assigned permissions.
You can perform the following operation to verify a permission:
Click the service list and choose LakeFormation. On the Overview page, click Buy Instance in the upper right corner. If the instance creation page is displayed, the lakeformation:role:create permission has already taken effect.
LakeFormation Permissions
By default, new IAM users lack permissions assigned. Add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.
You can grant permissions to a role or by creating a policy.
- Roles: A coarse-grained IAM authorization strategy to assign permissions based on user responsibilities. Only a limited number of service-level roles are available. Some roles depend other roles to take effect. When you assign such roles to users, remember to assign the roles they depend on. Roles are not an ideal choice for fine-grained authorization and secure access control.
- Read-only permission authorization using IAM: To assign the read-only permission of LakeFormation in an IAM project to a sub-user, create a user group for this user as a tenant administrator and add the LakeFormation ReadOnlyAccess system-defined policy to this user group.
- Enterprise project authorization: To assign all permission of LakeFormation in an enterprise project to a sub-user, create a user group for this user as a tenant administrator and add the LakeFormation CommonAccess permission to the user group and make this permission apply globally. Then, grant this permission to this enterprise project.
- Policies: A type of fine-grained authorization that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control. Most fine-grained policies split permissions by API. For details about how to customize IAM policies for LakeFormation, see Creating a Custom Policy.
|
Role/Policy Name |
Description |
Type |
Dependency |
|---|---|---|---|
|
LakeFormation FullAccess |
Administrator permissions for LakeFormation. Users granted these permissions can use all LakeFormation functions. |
System policy |
|
|
LakeFormation ReadOnlyAccess |
Read-only permissions for LakeFormation. Users granted these permissions can query LakeFormation data. |
System policy |
|
|
LakeFormation CommonOperations |
Basic permissions for LakeFormation, including viewing, authorizing, and canceling the LakeFormation service agreement and basic permissions for dependent services such as OBS and TMS. |
System policy |
|
|
Operation Type |
Policy |
Description |
|---|---|---|
|
Read-only |
lakeformation:access:describe |
Querying the access client |
|
lakeformation:agency:describe |
Querying an agency |
|
|
lakeformation:catalog:describe |
Querying catalog metadata |
|
|
lakeformation:configuration:describe |
Querying configurations |
|
|
lakeformation:credential:describe |
Obtaining authentication information |
|
|
lakeformation:database:describe |
Querying database metadata |
|
|
lakeformation:file:describe |
Querying files |
|
|
lakeformation:function:describe |
Query function metadata. |
|
|
lakeformation:group:describe |
Obtaining the relationship between a user group and associated roles |
|
|
lakeformation:instance:describe |
Querying an instance |
|
|
lakeformation:instance:listAuthorizedLocation |
Querying the OBS paths authorized to LakeFormation |
|
|
lakeformation:instanceJob:describe |
Querying an instance-level task |
|
|
lakeformation:job:describe |
Querying a task |
|
|
lakeformation:metadataEvent:describe |
Querying a metadata event |
|
|
lakeformation:obs:describe |
Querying the list of OBS buckets |
|
|
lakeformation:part:describe |
Querying a partition |
|
|
lakeformation:policy:describe |
Obtaining a permission policy |
|
|
lakeformation:policy:export |
Obtaining permission policies in batches |
|
|
lakeformation:role:describe |
Querying a role |
|
|
lakeformation:table:describe |
Querying table metadata |
|
|
lakeformation:tableFile:describe |
Querying a file |
|
|
lakeformation:tableFileGroup:describe |
Querying metadata of a table file group |
|
|
lakeformation:tag:describe |
Querying tags of a resource |
|
|
lakeformation:user:describe |
Obtaining relationship between user and associated roles |
|
|
Write |
lakeformation:access:create |
Creating a client for service access |
|
lakeformation:access:delete |
Deleting the client for service access |
|
|
lakeformation:agency:create |
Creating an agency |
|
|
lakeformation:agency:drop |
Deleting an agency |
|
|
lakeformation:catalog:alter |
Modifying catalog metadata |
|
|
lakeformation:catalog:create |
Creating catalog metadata |
|
|
lakeformation:catalog:drop |
Deleting catalog metadata |
|
|
lakeformation:database:alter |
Modifying database metadata |
|
|
lakeformation:database:create |
Creating database metadata |
|
|
lakeformation:database:drop |
Deleting database metadata |
|
|
lakeformation:dataset:create |
Creating dataset metadata |
|
|
lakeformation:file:create |
Creating a file |
|
|
lakeformation:file:drop |
Deleting a file |
|
|
lakeformation:file:alter |
Modifying a file |
|
|
lakeformation:function:alter |
Modifying function metadata |
|
|
lakeformation:function:create |
Creating function metadata |
|
|
lakeformation:function:drop |
Deleting function metadata |
|
|
lakeformation:group:alter |
Modifying the relationship between a user group and associated roles |
|
|
lakeformation:instance:access |
Applying for service access |
|
|
lakeformation:instance:alter |
Modifying an instance |
|
|
lakeformation:instance:create |
Creating an instance |
|
|
lakeformation:instance:drop |
Deleting an instance |
|
|
lakeformation:instanceJob:alter |
Modifying a task |
|
|
lakeformation:instanceJob:create |
Creating a task |
|
|
lakeformation:instanceJob:drop |
Deleting a task |
|
|
lakeformation:instanceJob:exec |
Executing an instance-level task |
|
|
lakeformation:instance:createSubscriber |
Creating a metadata event subscriber |
|
|
lakeformation:instance:deleteSubscriber |
Deleting a metadata event subscriber |
|
|
lakeformation:job:alter |
Modifying a task |
|
|
lakeformation:job:create |
Creating a task |
|
|
lakeformation:job:drop |
Deleting a task |
|
|
lakeformation:job:exec |
Executing a task |
|
|
lakeformation:model:create |
Creating model metadata |
|
|
lakeformation:metadata:restore |
Restoring metadata |
|
|
lakeformation:part:alter |
Modifying a partition |
|
|
lakeformation:part:drop |
Deleting a partition |
|
|
lakeformation:part:create |
Creating a partition |
|
|
lakeformation:policy:create |
Creating a permission policy |
|
|
lakeformation:policy:delegate |
Delegating a permission policy to another authorization entity |
|
|
lakeformation:policy:drop |
Deleting a permission policy |
|
|
lakeformation:role:alter |
Modifying the relationship between a role and associated user group |
|
|
lakeformation:role:create |
Creating a role |
|
|
lakeformation:role:drop |
Deleting a role |
|
|
lakeformation:table:alter |
Modifying table metadata |
|
|
lakeformation:table:create |
Creating table metadata |
|
|
lakeformation:table:drop |
Deleting table metadata |
|
|
lakeformation:tableFile:alter |
Modifying a table file |
|
|
lakeformation:tableFile:create |
Creating a table file |
|
|
lakeformation:tableFile:drop |
Deleting a table file |
|
|
lakeformation:tableFileGroup:alter |
Modifying the metadata of the table file group |
|
|
lakeformation:tableFileGroup:create |
Creating the metadata of the table file group |
|
|
lakeformation:tableFileGroup:drop |
Deleting the metadata of a table file group |
|
|
lakeformation:transaction:operate |
Operating transactions |
|
|
lakeformation:user:alter |
Modifying the relationship between a user and associated roles |
|
|
Permission management |
lakeformation:accessService:grant |
Authorizing an access service |
|
lakeformation:accessTenant:grant |
Authorizing an access tenant |
|
|
lakeformation:accessAgency:describe |
Querying agency information |
|
|
lakeformation:accessService:describe |
Viewing an access service |
|
|
lakeformation:agreement:describe |
Querying a service agreement authorization |
|
|
lakeformation:agreement:cancel |
Canceling a service agreement authorization |
|
|
lakeformation:agreement:grant |
Granting a service agreement authorization |
|
|
lakeformation:instance:authorizeLocation |
Authorize an OBS path to LakeFormation |
|
|
lakeformation:instance:cancelAuthorizeLocation |
Canceling the authorization of an OBS path |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
