LakeFormation Permissions
LakeFormation Permissions
On the Instances page of the LakeFormation console, you can grant fine-grained data access permissions to user groups for all data resources such as catalogs, databases, and tables in an instance.
After the preceding authorization operations, one or more permission policies are generated. A permission policy contains the authorization entity, authorization object, operation permission, and authorization permission.
Table 1 describes LakeFormation permissions for different metadata types.
|
Object |
Operation Type |
Description |
|---|---|---|
|
Catalog |
ALL |
Perform all operations on catalogs. |
|
ALTER |
Modify catalogs. |
|
|
CREATE_DATABASE |
Create databases. |
|
|
DROP |
Delete catalogs. |
|
|
DESCRIBE |
Check the metadata of catalogs or switch catalogs. |
|
|
LIST_DATABASE |
View the resource list in a catalog. |
|
|
Database |
ALL |
Perform all operations on databases. |
|
ALTER |
Modify databases. |
|
|
DROP |
Delete databases. |
|
|
DESCRIBE |
Check the metadata of databases or switch databases. |
|
|
LIST_TABLE |
View the resource list in a database. |
|
|
LIST_FUNC |
View functions in a database. |
|
|
CREATE_TABLE |
Create a table in a database. |
|
|
CREATE_FUNC |
Create a function in a database. |
|
|
Table |
ALL |
Perform all operations on tables. |
|
ALTER |
Modify tables. |
|
|
DROP |
Delete tables. |
|
|
DESCRIBE |
Check the metadata of tables. |
|
|
UPDATE |
Update table data. |
|
|
INSERT |
Insert table data. |
|
|
SELECT |
Query data in a table. |
|
|
DELETE |
Delete data from a table. |
|
|
Column |
SELECT |
Query column data in a table. |
|
Function |
ALL |
Perform all operations on functions. |
|
ALTER |
Modify functions. |
|
|
DROP |
Delete functions. |
|
|
DESCRIBE |
Check the metadata of functions. |
|
|
EXEC |
Execute functions. |
|
|
Path |
READ |
Read files stored in a path. |
|
WRITE |
Write data into the files stored in a path. |
Implicit LakeFormation permissions
There is no explicit authorization in LakeFormation. LakeFormation administrators, database creators, and table creators have implicit LakeFormation permissions.
- A LakeFormation administrator:
- Is a user who has the LakeFormation FullAccess permission.
- Has the read and write permissions on all metadata under the account.
- Can grant or revoke any metadata access permission to or from any user, user group, or role.
- A database creator has all permissions for the database created by it, has the permission to create tables in the database, and can grant the permission to create tables in the database to other users in the same IAM account. The database creator does not have implicit permissions on tables created by others in the database.
- A table creator:
- Has all permissions on the tables it creates.
- Can grant permissions on all tables it create to entities in the same IAM account.
- Can view the database where the table created by it is in.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
