Data Permission Overview

Data lake permissions can be configured in three dimensions: database, table, and function.

Cloud service administrators can configure permissions of different user groups for different managed objects to centrally manage data lake resources.

You can centrally manage permissions on resources in the data lake on the LakeFormation console. IAM users and user groups can also be associated with fine-grained permission policies of LakeFormation for authorization. For details, see Creating a Custom Policy. If there are a large number of data resources in the data lake, you are advised to use the LakeFormation console to centrally manage permissions on resources in the data lake.

The following table lists the main elements in LakeFormation permission configuration.

**Table 1** Permission configuration elements
Element	Description
Authorization Entity	You can specify any user, user group, or role to be the authorization entity. The name of an authorization entity cannot contain hyphens (-). Otherwise, the operation may fail.
Granted To	Resources Data catalogs Databases Tables Columns Functions Paths
Operation Type	Access permission on the authorization object that the authorization entity has. Different authorization objects support different operations. For details, see Table 2.
Grant Authorization Permission	Whether to grant the authorization permission. After the authorization permission is granted, the authorization entity can grant the permission to other authorization entities.

**Table 2** Operation rights of different authorization objects
Object	Operation Type	Description
Catalog	ALL	Perform all operations on catalogs.
	ALTER	Modify catalogs.
	CREATE_DATABASE	Create databases.
	DROP	Delete catalogs.
	DESCRIBE	Check the metadata of catalogs or switch catalogs.
	LIST_DATABASE	View the resource list in a catalog.
Database	ALL	Perform all operations on databases.
	ALTER	Modify databases.
	DROP	Delete databases.
	DESCRIBE	Check the metadata of databases or switch databases.
	LIST_TABLE	View the resource list in a database.
	LIST_FUNC	View functions in a database.
	CREATE_TABLE	Create a table in a database.
	CREATE_FUNC	Create a function in a database.
Table	ALL	Perform all operations on tables.
	ALTER	Modify tables.
	DROP	Delete tables.
	DESCRIBE	Check the metadata of tables.
	UPDATE	Update table data.
	INSERT	Insert table data.
	SELECT	Query data in a table.
	DELETE	Delete data from a table.
Column	SELECT	Query column data in a table.
Function	ALL	Perform all operations on functions.
	ALTER	Modify functions.
	DROP	Delete functions.
	DESCRIBE	Check the metadata of functions.
	EXEC	Execute functions.
Path	READ	Read files stored in a path.
Path	WRITE	Write data into the files stored in a path.

Permission administrators are categorized into two types: system permission administrators and service permission administrators, each with distinct IAM permission requirements and scopes of permission management.

System permission administrator
- System permission administrators need the following IAM operation permissions: lakeformation:policy:describe, lakeformation:policy:create, and lakeformation:policy:drop.
- System permission administrators can assign metadata permissions to other authorization entities and revoke the assigned permissions as well.
Service permission administrator
- Service permission administrators need the following IAM operation permissions: lakeformation:policy:describe and lakeformation:policy:delegate.
- Service permission administrators are authorized to assign and revoke metadata permissions only after they have received the requisite permissions from the service permission administrator.

Assume that there are system permission administrator (User A), service permission administrator (User B), and common user (User C). After User A has granted User B the ALL permissions for catalog1, along with authorization rights, User B is then able to grant permissions such as DESC for catalog1 to User C. However, User B does not have the authority to grant permissions for any other catalogs to User C.