To manage Data Lake Formation (DLF) permissions in DataWorks, DataWorks must be authorized to access DLF resources. When you grant this authorization, the system automatically creates the AliyunServiceRoleForDataWorksAccessDLF service-linked role — so you don't have to manually create a role or configure its permissions.
Use cases
The AliyunServiceRoleForDataWorksAccessDLF role enables DataWorks to:
Access DLF resources, including catalogs, databases, tables, and fields.
Grant permissions on your DLF resources.
Revoke permissions on your DLF resources.
Role details
| Attribute | Value |
|---|---|
| Role name | AliyunServiceRoleForDataWorksAccessDLF |
| Policy name | AliyunServiceRolePolicyForDataWorksAccessDLF |
| Description | DataWorks uses this role by default to access your DLF resources. |
The role policy grants DataWorks the following permissions. Note that the first statement applies to Resource "*" with no condition, so the role can act on every DLF catalog, database, table and function in the account, and the dlf-dss actions include creating, altering and dropping databases, tables and functions, not only reading metadata and managing grants. The second statement lets DataWorks delete the service-linked role itself, but only for its own service name (dlf.dataworks.aliyuncs.com):
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dlf:GetCatalog",
        "dlf:GetDatabase",
        "dlf:GetFunction",
        "dlf:GetTable",
        "dlf:GetRole",
        "dlf:ListCatalogs",
        "dlf:ListDatabases",
        "dlf:ListFunctionNames",
        "dlf:ListFunctions",
        "dlf:ListTableNames",
        "dlf:ListTables",
        "dlf:ListRoles",
        "dlf:ListRoleUsers",
        "dlf:CheckPermissions",
        "dlf:BatchGrantPermissions",
        "dlf:BatchRevokePermissions",
        "dlf:GrantPermissions",
        "dlf:RevokePermissions",
        "dlf:UpdatePermissions",
        "dlf:ListPermissions",
        "dlf-dss:GetCatalog",
        "dlf-dss:GetDatabase",
        "dlf-dss:GetFunction",
        "dlf-dss:GetTable",
        "dlf-dss:ListCatalogs",
        "dlf-dss:ListDatabases",
        "dlf-dss:ListFunctionNames",
        "dlf-dss:ListFunctions",
        "dlf-dss:ListTableNames",
        "dlf-dss:ListTables",
        "dlf-dss:ListRoleUsers",
        "dlf-dss:ListRoles",
        "dlf-dss:CheckPermissions",
        "dlf-dss:GrantPermissions",
        "dlf-dss:RevokePermissions",
        "dlf-dss:UpdatePermissions",
        "dlf-dss:ListPermissions",
        "dlf-dss:BatchGrantPermissions",
        "dlf-dss:BatchRevokePermissions",
        "dlf-dss:CreateTable",
        "dlf-dss:AlterTable",
        "dlf-dss:DropTable",
        "dlf-dss:DescribeTable",
        "dlf-dss:SelectTable",
        "dlf-dss:UpdateTable",
        "dlf-dss:DescribeDatabase",
        "dlf-dss:CreateDatabase",
        "dlf-dss:AlterDatabase",
        "dlf-dss:DropDatabase",
        "dlf-dss:DescribeFunction",
        "dlf-dss:AlterFunction",
        "dlf-dss:CreateFunction",
        "dlf-dss:DropFunction",
        "dlf-dss:ExecuteFunction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:DeleteServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
```

Create the service-linked role
The role is created automatically. When you request access to DLF in access control, DataWorks prompts you to authorize access. After you confirm, the system creates the AliyunServiceRoleForDataWorksAccessDLF role in the Resource Access Management (RAM) console.
For step-by-step instructions, see DLF data access control.
Delete the service-linked role
Delete the role in the RAM console. For instructions, see Delete a RAM role.
After the role is deleted, DataWorks can no longer access DLF resources or manage DLF permissions on your behalf. Deleting the role does not revoke grants that were already applied to your DLF resources through it; review those separately in DLF if the deletion is meant to withdraw access.
Permissions required to create the role
To allow a RAM user to create the AliyunServiceRoleForDataWorksAccessDLF role, attach either of the following to that RAM user:
The AliyunDataWorksFullAccess policy, or
A custom policy with the following statements (the ram:CreateServiceLinkedRole permission is restricted by condition to the DLF service name, so the user cannot use it to create service-linked roles for other services):

```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "dataworks:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "dlf.dataworks.aliyuncs.com"
        }
      }
    }
  ]
}
```
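The following script is an added example, not code from Alibaba Cloud or from the DataWorks documentation. It serves two passages on this page: the service-linked role policy under "Role details", which it audits for non-read actions that apply to Resource "*" without a narrowing Condition, and the custom policy under "Permissions required to create the role", which it checks for the two statements the page requires (dataworks:* and ram:CreateServiceLinkedRole conditioned on the DLF service name). The embedded policies are constructed copies of the page's JSON (the role policy is abridged to a representative subset of actions), and the read/write/destructive classification by action-name prefix is this example's own heuristic, not a RAM feature.

```python
"""Audit RAM policy documents for the DataWorks-to-DLF service-linked role.

Added example, not Alibaba Cloud tooling. The prefix-based risk classes
below are an assumption of this script; RAM itself has no such classes.
"""
import json
from fnmatch import fnmatchcase

DLF_SERVICE_NAME = "dlf.dataworks.aliyuncs.com"

# Constructed, abridged copy of AliyunServiceRolePolicyForDataWorksAccessDLF
# (subset of the action list from the page, same structure).
SLR_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["dlf:GetTable", "dlf:ListTables", "dlf:CheckPermissions",
              "dlf:GrantPermissions", "dlf:RevokePermissions",
              "dlf-dss:SelectTable", "dlf-dss:CreateTable",
              "dlf-dss:DropTable", "dlf-dss:DropDatabase"],
   "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:DeleteServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}}}
]}""")

# Constructed copy of the custom policy from "Permissions required to create the role".
USER_POLICY = json.loads("""{"Version": "1", "Statement": [
  {"Action": "dataworks:*", "Resource": "*", "Effect": "Allow"},
  {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
   "Condition": {"StringEquals": {"ram:ServiceName": "dlf.dataworks.aliyuncs.com"}}}
]}""")

GRANT_ACTIONS = {"GrantPermissions", "RevokePermissions", "UpdatePermissions",
                 "BatchGrantPermissions", "BatchRevokePermissions"}


def _as_list(value):
    """RAM accepts a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def classify_action(action):
    """Heuristic risk class derived from the action name (this example's table)."""
    _, _, name = action.partition(":")
    if name in GRANT_ACTIONS:
        return "grant"            # changes who may access data
    if name.startswith(("Drop", "Delete")):
        return "destructive"
    if name.startswith(("Create", "Alter", "Update", "Execute")):
        return "write"
    if name.startswith(("Get", "List", "Check", "Describe", "Select")):
        return "read"
    return "other"


def audit_policy(policy):
    """Group Allow actions by class; flag non-read actions that apply to
    Resource "*" in a statement with no Condition narrowing them."""
    by_class, unscoped = {}, []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        narrowed = bool(stmt.get("Condition"))
        for action in _as_list(stmt["Action"]):
            cls = classify_action(action)
            by_class.setdefault(cls, []).append(action)
            if wildcard and not narrowed and cls != "read":
                unscoped.append(action)
    return {"by_class": by_class, "unscoped_non_read": unscoped}


def allows(policy, action, service_name=None):
    """True if an Allow statement's Action pattern matches `action`; a
    ram:ServiceName StringEquals condition must match `service_name`."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
        if required is not None and service_name not in _as_list(required):
            continue
        return True
    return False


def can_create_dlf_slr(user_policy):
    """The page's two requirements: all dataworks actions, plus
    ram:CreateServiceLinkedRole usable for the DLF service name."""
    has_dataworks = any(
        p in ("*", "dataworks:*")
        for s in user_policy["Statement"] if s.get("Effect") == "Allow"
        for p in _as_list(s["Action"]))
    has_slr = allows(user_policy, "ram:CreateServiceLinkedRole", DLF_SERVICE_NAME)
    return has_dataworks and has_slr


if __name__ == "__main__":
    report = audit_policy(SLR_POLICY)
    print("unscoped non-read actions:", report["unscoped_non_read"])
    print("RAM user policy sufficient:", can_create_dlf_slr(USER_POLICY))
```

Running the script against the full policy from this page (paste it in place of the abridged SLR_POLICY) lists every grant, write and destructive dlf/dlf-dss action as unscoped, while ram:DeleteServiceLinkedRole is not flagged because its StringEquals condition narrows it; that is the distinction a reviewer should be able to point to before approving the authorization.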