Managing data access across a shared data lake is error-prone when permissions are scattered across multiple systems. DataWorks provides a centralized interface to request, approve, and audit data access permissions for Data Lake Formation (DLF) and Data Lake Formation (DLF) - Legacy, with a built-in approval workflow to ensure permissions are granted only when appropriate.
How it works
Three roles participate in the permission workflow:
Role | Responsibility |
Requester | Submits permission requests on the Permission Application tab. Tracks request status on the Permission Application Records tab. |
Approver | Reviews and processes pending requests on the Permission Application Processing tab. Views processed records on the Permission Application Processing Record page. |
Auditor | Views all workspace members' table permissions on the Permission Audit page. Can revoke permissions from any member. |

DLF data source types
Data Access Control supports two DLF data source types, which differ in permission granularity and duration options:
Data source type | Description | Application duration |
Data Lake Formation (DLF) | Version 3.0 of DLF. Supports fine-grained access control at the metabase, table, and column levels. | Permanent only |
Data Lake Formation (DLF) - Legacy | Earlier version of DLF. Retains the original permission management model. | Custom duration (auto-revoked on expiration) |
Available permissions by granularity
The following table summarizes the permissions available at each granularity level for Data Lake Formation (DLF):
Granularity | Selectable permissions |
Metabase-level |
|
Table-level |
|
Column-level | Select columns in the Select column (only internal Paimon tables in DLF support column-level permission management) |
Navigate to Data Access Control
Log on to the DataWorks console. In the top navigation bar, select the target region. In the left-side navigation pane, choose Data Governance > Security Center, then click Go to Security Center. On the Security Center page, choose Data Platform Security > Data Access Control.
When you use DataWorks to manage DLF permissions for the first time, DataWorks prompts for authorization. After you grant it, the system automatically creates the service-linked role AliyunServiceRoleForDataWorksAccessDLF. For details, see Service-Linked Role for DataWorks to Access DLF.
Request permissions
In the left-side navigation pane, choose Data Platform Security > Data Access Control > Permission Application to open the Permission Application tab.
In the Application Content section, select an Engine Type.
Data Lake Formation (DLF): Version 3.0 of DLF.
Data Lake Formation (DLF) - Legacy: Earlier version of DLF.
The following steps use Data Lake Formation (DLF) as an example. The procedure for Data Lake Formation (DLF) - Legacy is similar, but the available permissions may differ.
Set Authorization Granularity and Catalog, then select the objects for which you want to request permissions.
Metabase-level permission: Select the target metabases, then select the required permissions in the Metabase permissions column.
Table-level permission: Select the target tables in the Tables to Be Added section. The table details appear on the right. Select the required permissions in the corresponding permission columns.
Column-level permission: In the Tables to Be Added section, select the target tables. The table and column details appear on the right. Click the expand icon next to a table name to view its columns, then select the required columns in the Select column. Note: Only internal Paimon tables in DLF support column-level permission management.
Configure the Application information:
Parameter | Description |
User | The account or role to grant permissions to. Options: Current login account (the account currently accessing the workspace), Apply on Behalf of Others (requires a Username), or DLF Role (select one or more DLF roles from the drop-down list; available only when the engine type is Data Lake Formation (DLF)). |
Application duration | The validity period. For Data Lake Formation (DLF), only Permanent is supported. For Data Lake Formation (DLF) - Legacy, specify a custom duration; permissions are automatically revoked on expiration. |
Reason for Application | The reason for the request. |
Click Apply for permission to submit the request. The Permission Application Records tab shows the approval status and request history.
Approve permission requests
A RAM user must have the Data Lake Administrator or Super Administrator role to approve permission requests.
Go to the Permission Application Processing tab. Select Data Lake Formation (DLF) or Data Lake Formation (DLF) - Legacy as the Engine Type, and use the filters to find requests pending your approval.
If a single request applies to multiple tables with different owners, the system automatically splits it into multiple requests based on the table owners.
Click Approval in the Operation column of the target request to open the Approval details dialog box. Review the Application Details and Approval record tabs.
Enter your comments in the Approval Comments field and click Agree or Reject. To process multiple requests at once, select them on the Permission Application Processing page, click Batch Approve or Batch Deny, then enter Approval Comments.
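The rules this page states for a request (Permanent-only duration for DLF, a custom duration for DLF - Legacy, column-level selection only on internal Paimon tables, and splitting by table owner) can be modelled as follows. This is an added example, not DataWorks code or its API; the record shape, function names, table names, owners and permission labels are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

DLF = "Data Lake Formation (DLF)"
DLF_LEGACY = "Data Lake Formation (DLF) - Legacy"

@dataclass
class TableItem:                   # hypothetical shape of one requested table
    name: str
    owner: str
    permissions: tuple             # placeholder labels, not DLF's permission names
    columns: tuple = ()            # non-empty means a column-level request
    internal_paimon: bool = False

def validate(engine, duration_days, items):
    """Return rule violations; duration_days=None stands for Permanent."""
    errors = []
    if engine == DLF and duration_days is not None:
        errors.append("DLF supports only Permanent duration")
    if engine == DLF_LEGACY and (duration_days is None or duration_days <= 0):
        errors.append("DLF - Legacy needs a custom duration")
    for t in items:
        if t.columns and not t.internal_paimon:
            errors.append(f"{t.name}: column-level needs an internal Paimon table")
    return errors

def split_by_owner(requester, engine, duration_days, items):
    """Split one submission into one sub-request per table owner."""
    errors = validate(engine, duration_days, items)
    if errors:
        raise ValueError("; ".join(errors))
    grouped = defaultdict(list)
    for t in items:
        grouped[t.owner].append(t)
    return [
        {"requester": requester, "engine": engine, "table_owner": owner,
         "duration_days": duration_days, "tables": [t.name for t in tables]}
        for owner, tables in sorted(grouped.items())
    ]

# Constructed sample: three tables, two owners, one column-level selection.
SAMPLE = [
    TableItem("sales.orders", "alice", ("read",)),
    TableItem("sales.refunds", "alice", ("read",), ("amount",), True),
    TableItem("hr.payroll", "bob", ("read",)),
]

if __name__ == "__main__":
    for sub in split_by_owner("carol", DLF, None, SAMPLE):
        print(sub)
```

Because a DLF grant in this model never expires, each sub-request it produces stays in force until an auditor revokes it, whereas a Legacy sub-request carries its own expiry.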
View approval records
On the Permission Application Processing Record page, filter by Requesting Account, Approval Results, or Workspace to find specific records. Click View details in the Operation column to see the full details of a request.
