
Data Lake Formation: RAM authorization action reference

Last Updated: Dec 18, 2025

This topic lists the Resource Access Management (RAM) permission actions for Data Lake Formation (DLF) REST APIs and management APIs. You can use this information to create fine-grained policies, manage permissions based on the principle of least privilege, and ensure security and flexibility.

Concepts

  • REST API: Data plane APIs that are based on Paimon and Iceberg REST APIs. These APIs are used for efficient data access and operations.

  • Management API: Management plane APIs that are based on Alibaba Cloud OpenAPI. These APIs are used for efficient resource management and O&M operations.

    Note

    To manage catalogs, databases, and tables in the DLF console, you need the appropriate management API permissions. If you do not need to access the console, do not grant these permissions. Grant Action permissions only for the specific operations that you need to perform in the DLF console.

Permission policies

You can attach permission policies to RAM users or RAM roles to grant specific access permissions.

| Policy Name | Description |
|---|---|
| AliyunDLFFullAccess | Grants permissions to call all DLF APIs. This policy is suitable for users who need to perform comprehensive data lake management. |
| AliyunDLFReadOnlyAccess | Grants read-only permissions to call all read-only DLF APIs, such as List and Get operations. This policy prohibits write or delete operations, such as Create and Delete. |

Procedure

  1. Log on to the Resource Access Management (RAM) console as a RAM administrator.

  2. In the navigation pane on the left, choose Identities > Users.

  3. On the Users page, click Add Permissions in the Actions column of the target RAM user.

  4. In the Grant Permissions panel, add permissions for the RAM user.

  5. Click OK.

RAM authorization policy example

You can create custom permission policies for fine-grained permission management. For more information, see Create a custom permission policy.

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
          "dlf:ListDatabases",
          "dlf:CreateDatabase",
          "dlf:GetDatabase",
          "dlf:AlterDatabase",
          "dlf:ListTables",
          "dlf:CreateTable",
          "dlf:GetTable",
          "dlf:AlterTable",
          "dlf:ListPartitions",
          "dlf:ListViews"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
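
The following review script is an added example, not part of the original documentation. It audits a policy document against the action tables in this topic before the policy is attached, using the example policy above as input. The names `audit_policy`, `READ_VERBS` and `PRIVILEGE_ACTIONS` are introduced here, and classifying actions by verb prefix is a heuristic assumed from this topic's description of List and Get operations as read-only.

```python
import json

# Heuristic (assumption): verbs this topic's tables use for non-mutating calls.
READ_VERBS = ("List", "Get", "Describe")
# Actions from the management API tables that change DLF roles or grants.
PRIVILEGE_ACTIONS = {"dlf:" + n for n in (
    "GrantPermission", "RevokePermission", "BatchGrantPermissions",
    "BatchRevokePermissions", "GrantRoleToUsers", "RevokeRoleFromUsers",
    "UpdateRoleUsers", "CreateRole", "UpdateRole", "DeleteRole")}

# The example policy from this topic, embedded so the script runs offline.
PAGE_POLICY = json.loads("""
{"Version": "1", "Statement": [{"Effect": "Allow", "Resource": "*",
 "Action": ["dlf:ListDatabases", "dlf:CreateDatabase", "dlf:GetDatabase",
            "dlf:AlterDatabase", "dlf:ListTables", "dlf:CreateTable",
            "dlf:GetTable", "dlf:AlterTable", "dlf:ListPartitions",
            "dlf:ListViews"]}]}
""")

def as_list(value):
    """Action and Resource may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def audit_policy(policy):
    """Bucket every allowed dlf action and flag wildcard grants."""
    report = {"read": [], "write": [], "privilege": [],
              "wildcard_actions": [], "wildcard_resource": False}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements do not widen access
        if "*" in as_list(stmt.get("Resource")):
            report["wildcard_resource"] = True
        for action in as_list(stmt.get("Action")):
            service, _, name = action.partition(":")
            if "*" in action:
                report["wildcard_actions"].append(action)
            elif service != "dlf":
                continue  # other services are out of scope here
            elif action in PRIVILEGE_ACTIONS:
                report["privilege"].append(action)
            elif name.startswith(READ_VERBS):
                report["read"].append(action)
            else:
                report["write"].append(action)
    return report

if __name__ == "__main__":
    print(json.dumps(audit_policy(PAGE_POLICY), indent=2))
```

For the example policy, the report shows six read actions, four write actions, and a wildcard resource, which is the item to narrow first when the policy is meant for a single catalog.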

Actions for REST APIs

Paimon REST

| Category | REST API | RAM Authorization Actions | Description |
|---|---|---|---|
| Config | GetConfig | dlf:GetConfig | Gets the configuration of a data catalog. |
| Database | ListDatabases | dlf:ListDatabases | Lists databases. |
| | CreateDatabase | dlf:CreateDatabase | Creates a database. |
| | GetDatabase | dlf:GetDatabase | Gets a database. |
| | DropDatabase | dlf:DropDatabase | Deletes a database. |
| | AlterDatabase | dlf:AlterDatabase | Alters a database. |
| Table | ListTables | dlf:ListTables | Lists tables. |
| | CreateTable | dlf:CreateTable | Creates a table. |
| | ListTableDetails | dlf:ListTableDetails | Lists table details. |
| | GetTable | dlf:GetTable | Gets a table. |
| | AlterTable | dlf:AlterTable | Alters a table. |
| | DropTable | dlf:DropTable | Deletes a table. |
| | RenameTable | dlf:RenameTable | Renames a table. |
| | CommitTable | dlf:CommitTable | Commits table changes. |
| | RollbackTable | dlf:RollbackTable | Rolls back a table. |
| | GetTableToken | dlf:GetTableToken | Gets the token to access table data. |
| | GetTableSnapshot | dlf:GetTableSnapshot | Gets a table snapshot. |
| Partition | ListPartitions | dlf:ListPartitions | Lists partitions. |
| | MarkDonePartitions | dlf:MarkDonePartitions | Marks partitions as complete. |
| Branch | ListBranches | dlf:ListBranches | Lists table branches. |
| | CreateBranch | dlf:CreateBranch | Creates a table branch. |
| | DropBranch | dlf:DropBranch | Deletes a table branch. |
| | ForwardBranch | dlf:ForwardBranch | Forwards a table branch. |
| View | ListViews | dlf:ListViews | Lists views. |
| | CreateView | dlf:CreateView | Creates a view. |
| | GetView | dlf:GetView | Gets a view. |
| | AlterView | dlf:AlterView | Alters a view. |
| | DropView | dlf:DropView | Deletes a view. |
| | RenameView | dlf:RenameView | Renames a view. |
| Function | ListFunctions | dlf:ListFunctions | Lists functions. |
| | CreateFunction | dlf:CreateFunction | Creates a function. |
| | GetFunction | dlf:GetFunction | Gets a function. |
| | AlterFunction | dlf:AlterFunction | Alters a function. |
| | DropFunction | dlf:DropFunction | Deletes a function. |

Iceberg REST

| Category | REST API | RAM Authorization Actions | Description |
|---|---|---|---|
| Config | GetConfig | dlf:GetConfig | Gets the configuration of a data catalog. |
| Namespace | ListNamespaces | dlf:ListDatabases | Lists namespaces. |
| | CreateNamespace | dlf:CreateDatabase | Creates a namespace. |
| | LoadNamespaceMetadata | dlf:GetDatabase | Gets a namespace. |
| | NamespaceExists | dlf:GetDatabase | Checks whether a namespace exists. |
| | UpdateProperties | dlf:AlterDatabase | Updates namespace properties. |
| | DropNamespace | dlf:DropDatabase | Deletes a namespace. |
| Table | ListTables | dlf:ListTables | Lists tables. |
| | CreateTable | dlf:CreateTable | Creates a table. |
| | LoadTable | dlf:GetTable | Gets a table. |
| | TableExists | dlf:GetTable | Checks whether a table exists. |
| | UpdateTable | dlf:AlterTable | Updates a table. |
| | DropTable | dlf:DropTable | Deletes a table. |

Actions for management APIs

| Category | Management API | RAM Authorization Actions | Description |
|---|---|---|---|
| Activation | DescribeRegions | dlf:DescribeRegions | Lists DLF regions. |
| | GetRegionStatus | dlf:GetRegionStatus | Gets the activation status. |
| | Subscribe | dlf:Subscribe | Activates DLF. |
| | CreateInstance | dlf:CreateInstance | Purchases compute resources. |
| User and role management | GetUser | dlf:GetUser | Gets a user. |
| | ListUsers | dlf:ListUsers | Lists DLF users. |
| | CreateRole | dlf:CreateRole | Creates a DLF role. |
| | UpdateRole | dlf:UpdateRole | Updates a DLF role. |
| | DeleteRole | dlf:DeleteRole | Deletes a DLF role. |
| | GetRole | dlf:GetRole | Gets a DLF role. |
| | ListRoles | dlf:ListRoles | Lists DLF roles. |
| | GrantRoleToUsers | dlf:GrantRoleToUsers | Grants a DLF role to multiple DLF users. |
| | RevokeRoleFromUsers | dlf:RevokeRoleFromUsers | Revokes a DLF role from multiple DLF users. |
| | UpdateRoleUsers | dlf:UpdateRoleUsers | Updates the DLF users within a role. |
| | ListRoleUsers | dlf:ListRoleUsers | Lists the users associated with a DLF role. |
| | ListUserRoles | dlf:ListUserRoles | Lists the DLF roles assigned to a user. |
| | RefreshUserSync | dlf:RefreshUserSync | Starts DLF user synchronization. |
| Data catalog | CreateCatalog | dlf:CreateCatalog | Creates a data catalog. |
| | GetCatalog | dlf:GetCatalog | Gets a data catalog. |
| | DropCatalog | dlf:DropCatalog | Deletes a data catalog. |
| | AlterCatalog | dlf:AlterCatalog | Updates a data catalog. |
| | ListCatalogs | dlf:ListCatalogs | Lists data catalogs. |
| | GetCatalogById | dlf:GetCatalogById | Gets a data catalog by its Catalog ID. |
| Database | AlterDatabase | dlf:AlterDatabase | Updates a database. |
| | GetDatabase | dlf:GetDatabase | Gets a database. |
| | DropDatabase | dlf:DropDatabase | Deletes a database. |
| | CreateDatabase | dlf:CreateDatabase | Creates a database. |
| | ListDatabaseDetails | dlf:ListDatabaseDetails | Lists database details. |
| | ListDatabases | dlf:ListDatabases | Lists databases. |
| Table | CreateTable | dlf:CreateTable | Creates a table. |
| | DropTable | dlf:DropTable | Deletes a table. |
| | ListTableDetails | dlf:ListTableDetails | Lists table details. |
| | GetTable | dlf:GetTable | Gets a table. |
| | ListTables | dlf:ListTables | Lists tables. |
| View | ListViews | dlf:ListViews | Lists views. |
| | ListViewDetails | dlf:ListViewDetails | Lists view details. |
| | CreateView | dlf:CreateView | Creates a view. |
| | GetView | dlf:GetView | Gets a view. |
| | AlterView | dlf:AlterView | Alters a view. |
| | DropView | dlf:DropView | Deletes a view. |
| Function | ListFunctions | dlf:ListFunctions | Lists functions. |
| | ListFunctionDetails | dlf:ListFunctionDetails | Lists function details. |
| | CreateFunction | dlf:CreateFunction | Creates a function. |
| | GetFunction | dlf:GetFunction | Gets a function. |
| | AlterFunction | dlf:AlterFunction | Alters a function. |
| | DropFunction | dlf:DropFunction | Deletes a function. |
| Permission management | GrantPermission | dlf:GrantPermission | Grants permissions on a resource. |
| | RevokePermission | dlf:RevokePermission | Revokes permissions on a resource. |
| | BatchGrantPermissions | dlf:BatchGrantPermissions | Grants permissions in a batch. |
| | BatchRevokePermissions | dlf:BatchRevokePermissions | Revokes permissions in a batch. |
| | ListPermissions | dlf:ListPermissions | Lists the permissions for a specified resource. |
| Iceberg table | GetIcebergTable | dlf:GetIcebergTable | Gets an Iceberg table. |
| | ListIcebergSnapshots | dlf:ListIcebergSnapshots | Lists Iceberg table snapshots. |