Data Lake Formation (DLF) lets you control access to catalog metadata and data by toggling permission control on or off for each catalog. When permission control is enabled, all access is subject to authorization checks. When disabled, any user with menu access can read all data regardless of their data permissions.
Assess the impact on your users and workloads before enabling or disabling permission control.
Before you begin
Review the following before enabling permission control:
User access: Users without explicit grants lose access to DLF metadata management and data exploration as soon as you enable permission control. Identify which users need permissions granted before you switch.
Engine integration: Enabling DLF permission control does not automatically enforce permissions at the engine layer in E-MapReduce (EMR). You must enable DLF-AUTH separately for each engine (Hive, Spark, Presto, and Impala). For details, see DLF-Auth.
Rollback impact: Disabling permission control removes all authorization enforcement. Any user with menu permissions can then access all data, regardless of their data permissions.
Enable permission control
Log on to the Data Lake Formation console.
In the left-side navigation pane, click Data Permission > Permission Settings.
In the Catalog List, find the catalog whose permission control status is Disabled. In the Whether to Enable Permission Control column, click the toggle.
In the confirmation dialog, click OK.
Permission control is now active for the catalog.
Impact after enabling
| What changes | Who is affected |
|---|---|
| DLF metadata management and data exploration require explicit permissions | Users without a permission grant cannot access metadata or data |
| EMR engine access (Hive, Spark, Presto, and Impala) requires DLF-AUTH to be enabled | Users without grants are blocked at the engine layer when DLF-AUTH is active |
Disable permission control
In the left-side navigation pane, click Data Permission > Permission Settings.
In the Catalog List, find the catalog whose permission control status is Enabled. In the Whether to Enable Permission Control column, click the toggle.
In the confirmation dialog, click OK.
Permission control is now inactive for the catalog.
Impact after disabling
| What changes | Who is affected |
|---|---|
| DLF metadata management and data exploration no longer enforce access control | Any user with menu permissions can access all data, regardless of their data permissions |
| EMR engine layer permissions are not automatically removed | Disable DLF-AUTH separately for each engine — for example, run the disableHive operation in the DLF-AUTH component to disable Hive permissions |