Help Center/ DataArts Lake Formation/ User Guide/ Preparations/ Managing Permissions/ Creating a User and Assigning Permissions
Updated on 2024-02-02 GMT+08:00

Creating a User and Assigning Permissions

This chapter describes how to use What Is IAM? to implement fine-grained permissions control for your LakeFormation instances. With IAM, you can:

  • Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing the resources.
  • Assign users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust an account or a cloud service to perform professional and efficient O&M on your resources.

If your cloud account does not need individual IAM users, skip this section.

This section describes the procedure for granting permissions. See Figure 1 for details.

Prerequisites

Before assigning permissions to a user group, learn about LakeFormation permissions in LakeFormation Permissions and select them as needed.

If you need to assign permissions to other services, check all the policies supported by IAM in System-defined Permissions.

Procedure

Figure 1 Granting LakeFormation permissions
  1. Creating a User Group and Assigning Permissions

    Create a user group on the IAM console, and assign LakeFormation permissions to the group.

  2. Create an IAM user.

    Create a user on the IAM console and add the user to the group created in 1.

  3. Log in and verify permissions.

    Log in to the console as the user you created, and verify that the user has the assigned permissions.

    You can perform the following operation to verify a permission:

    Click the service list and choose LakeFormation. On the Overview page, click Buy Instance in the upper right corner. If the instance creation page is displayed, the lakeformation:role:create permission has already taken effect.

LakeFormation Permissions

By default, new IAM users lack permissions assigned. Add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services.

You can grant permissions to a role or by creating a policy.

  • Roles: A coarse-grained IAM authorization strategy to assign permissions based on user responsibilities. Only a limited number of service-level roles are available. Some roles depend other roles to take effect. When you assign such roles to users, remember to assign the roles they depend on. Roles are not an ideal choice for fine-grained authorization and secure access control.
    • Read-only permission authorization using IAM: To assign the read-only permission of LakeFormation in an IAM project to a sub-user, create a user group for this user as a tenant administrator and add the LakeFormation ReadOnlyAccess system-defined policy to this user group.
    • Enterprise project authorization: To assign all permission of LakeFormation in an enterprise project to a sub-user, create a user group for this user as a tenant administrator and add the LakeFormation CommonAccess permission to the user group and make this permission apply globally. Then, grant this permission to this enterprise project.
  • Policies: A type of fine-grained authorization that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and ideal for secure access control. Most fine-grained policies split permissions by API. For details about how to customize IAM policies for LakeFormation, see Creating a Custom Policy.
Table 1 LakeFormation system permissions

Role/Policy Name

Description

Type

Dependency

LakeFormation FullAccess

Administrator permissions for LakeFormation. Users granted these permissions can use all LakeFormation functions.

System policy

N/A

LakeFormation ReadOnlyAccess

Read-only permissions for LakeFormation. Users granted these permissions can query LakeFormation data.

System policy

N/A

LakeFormation CommonAccess

Basic permissions for LakeFormation, including viewing, authorizing, and canceling the LakeFormation service agreement and basic permissions for dependent services such as OBS and TMS.

System policy

N/A

Table 2 LakeFormation fine-grained permissions

Operation Type

Item

Description

Read-only

lakeformation:instance:describe

Permission to query LakeFormation instances.

lakeformation:catalog:describe

Permission to query the data catalogs of LakeFormation metadata.

lakeformation:database:describe

Permission to query the databases of LakeFormation metadata.

lakeformation:table:describe

Permission to query the data tables of LakeFormation metadata.

lakeformation:function:describe

Permission to query the functions of LakeFormation metadata.

lakeformation:policy:describe

Permission to query LakeFormation permission policies.

lakeformation:policy:export

Permission to query LakeFormation permission policies in batches.

lakeformation:agency:describe

Permission to query LakeFormation agencies.

lakeformation:credential:describe

Permission to obtain the authentication information for accessing LakeFormation.

lakeformation:group:describe

Permission to obtain the relationship between a LakeFormation user group and its associated roles.

lakeformation:user:describe

Permission to obtain the relationship between a LakeFormation user and its associated roles.

lakeformation:role:describe

Permission to query LakeFormation roles.

lakeformation:configuration:describe

Permission to query user configurations.

lakeformation:access:describe

Permission to query the client access permission.

lakeformation:job:describe

Permission to query LakeFormation tasks.

Write

lakeformation:instance:create

Permission to create LakeFormation instances.

lakeformation:role:create

Permission to create LakeFormation roles.

lakeformation:policy:create

Permission to create LakeFormation permission policies.

lakeformation:function:create

Permission to create the functions of LakeFormation metadata.

lakeformation:catalog:create

Permission to create the data catalogs of LakeFormation metadata.

lakeformation:database:create

Permission to create the databases of LakeFormation metadata.

lakeformation:table:create

Permission to create the tables of LakeFormation metadata.

lakeformation:access:create

Permission to create the client access permission.

lakeformation:agency:create

Permission to create LakeFormation agencies.

lakeformation:job:create

Permission to create LakeFormation tasks.

lakeformation:instance:alter

Permission to modify LakeFormation instances.

lakeformation:catalog:alter

Permission to modify the data catalogs of LakeFormation metadata.

lakeformation:database:alter

Permission to modify the databases of LakeFormation metadata.

lakeformation:table:alter

Permission to modify the tables of LakeFormation metadata.

lakeformation:function:alter

Permission to modify the functions of LakeFormation metadata.

lakeformation:role:alter

Permission to modify the relationship between a LakeFormation role and its associated user groups.

lakeformation:group:alter

Permission to modify the relationship between a LakeFormation user group and its associated roles.

lakeformation:user:alter

Permission to modify the relationship between a LakeFormation user and its associated roles.

lakeformation:job:alter

Permission to modify LakeFormation tasks.

lakeformation:instance:drop

Permission to delete LakeFormation instances.

lakeformation:role:drop

Permission to delete LakeFormation roles.

lakeformation:policy:drop

Permission to delete LakeFormation permission policies.

lakeformation:function:drop

Permission to delete the functions of LakeFormation metadata.

lakeformation:catalog:drop

Permission to delete the data catalogs of LakeFormation metadata.

lakeformation:database:drop

Permission to delete the databases of LakeFormation metadata.

lakeformation:table:drop

Permission to delete the tables of LakeFormation metadata.

lakeformation:access:delete

Permission to delete the client access permission.

lakeformation:agency:drop

Permission to delete LakeFormation agencies.

lakeformation:job:drop

Permission to delete LakeFormation tasks.

lakeformation:transaction:operate

Permission to operate LakeFormation transactions.

lakeformation:instance:access

Permission to query a LakeFormation instance or apply for the access to it.

lakeformation:job:exec

Permission to execute LakeFormation tasks.