Data Lake Formation (DLF) lets data lake administrators and authorized users grant, view, and revoke data permissions on catalog resources — data catalogs, databases, tables, columns, and functions — for RAM users, RAM roles, and DLF roles.
The following compute engines support DLF data authorization:
E-MapReduce (EMR) — EMR-3.40.0 and later, or EMR-5.6.0 and later, covering Spark, Hive, and Presto; Presto support is limited to EMR-3.40.0 and EMR-5.6.0
Databricks
Grant permissions
Who can do this: Data lake administrators and users with authorization permissions.
The Add Permission form has three sections:
| Section | What to configure |
|---|---|
| Principal | The RAM user, RAM role, or DLF role to grant permissions to |
| Resources | The catalog resource to authorize (data catalog, database, table, column, or function) |
| Permission | The specific data permissions to grant for the selected resource type |
To grant permissions:
Log in to the Data Lake Formation console.
In the left-side navigation pane, choose Data Permission > Data Permissions.
Click Add Permission.
Specify the Principal:
Principal Type: Select RAM User/Role or Role.
RAM User/Role: A RAM user or RAM role managed in the RAM console.
Role: A role defined in Data Lake Formation, managed in the DLF console.
Choose Principal: Select one or more RAM users, RAM roles, or DLF roles.
Specify the Resources:
Authorization Method: Resource-based authorization is the only supported method. It grants data permissions on specific resources such as data catalogs, databases, tables, columns, and functions.
Resource Type: Select the resource type — data catalog, database, table, column, or function.
Select the resource entity. Use fuzzy search to find the specific data catalog, database, table, column, or function to authorize.
Configure the Permission: Set the data permissions and granted permissions for the selected resource type, then click OK.
Available permission options differ by resource type. Refer to the console for the applicable options.
View permissions
Who can do this: Data lake administrators and users with authorization permissions.
Log in to the Data Lake Formation console.
In the left-side navigation pane, choose Data Permission > Data Permissions.
On the Data Permissions page, review the permission entries. The fields are described below:
| Field | Description |
|---|---|
| Principal | The ID and name of the authorized entity |
| Principal Type | The type of principal: RAM user, RAM role, or DLF role |
| Resource Type | The resource type: data catalog, database, table, column, or function |
| Resource Name | The name of the specific resource, such as the database name |
| Data Permission | The name of the granted permission. For descriptions of each permission, see Permissions |
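As an added example (not part of the DLF documentation or of the product itself), the following Python script audits the entries listed on the Data Permissions page against an approved baseline: it reports grants nobody approved (candidates for Revoke Permissions), approved grants that are no longer present, and grants at data catalog or database scope, which cover every object beneath them and deserve an explicit justification. The field names follow the table above; the permission names (SELECT, ALTER, INSERT), the principal and resource names, and the row format are assumptions made for illustration.

```python
"""Least-privilege audit of DLF data-permission entries (added example).

Rows mirror the columns of the Data Permissions page: Principal, Principal
Type, Resource Type, Resource Name, Data Permission. Permission names and
sample principals below are assumed placeholders, not values from DLF.
"""
from dataclasses import dataclass

# Resource types the page lists, in the two broadest scopes; a grant here
# applies to everything beneath the catalog or database.
BROAD_SCOPES = ("data catalog", "database")


@dataclass(frozen=True, order=True)
class Grant:
    """One row of the Data Permissions page."""
    principal: str       # ID or name of the RAM user, RAM role, or DLF role
    principal_type: str  # "RAM user", "RAM role", or "DLF role"
    resource_type: str   # data catalog, database, table, column, or function
    resource_name: str   # e.g. "sales" (database) or "sales.orders" (table)
    permission: str      # name shown in the Data Permission column (assumed)


def parse_entries(rows):
    """Normalise console rows (dicts keyed by column name) into Grant objects."""
    grants = set()
    for row in rows:
        grants.add(Grant(
            principal=row["Principal"].strip(),
            principal_type=row["Principal Type"].strip(),
            resource_type=row["Resource Type"].strip().lower(),
            resource_name=row["Resource Name"].strip(),
            permission=row["Data Permission"].strip().upper(),
        ))
    return grants


def audit(live, approved):
    """Compare live grants with the approved baseline.

    unexpected - live grants absent from the baseline (revoke or approve them)
    missing    - baseline grants absent from the console (revoked or never made)
    broad      - live grants at data catalog or database scope
    """
    live, approved = set(live), set(approved)
    return {
        "unexpected": sorted(live - approved),
        "missing": sorted(approved - live),
        "broad": sorted(g for g in live if g.resource_type in BROAD_SCOPES),
    }


def revoke_search_terms(report):
    """(principal, resource name, permission) triples to locate on the page."""
    return [(g.principal, g.resource_name, g.permission)
            for g in report["unexpected"]]


# Constructed sample data for illustration; not taken from any real account.
LIVE_ROWS = [
    {"Principal": "analyst01", "Principal Type": "RAM user",
     "Resource Type": "Table", "Resource Name": "sales.orders",
     "Data Permission": "SELECT"},
    {"Principal": "etl-role", "Principal Type": "RAM role",
     "Resource Type": "Database", "Resource Name": "sales",
     "Data Permission": "ALTER"},
    {"Principal": "analyst01", "Principal Type": "RAM user",
     "Resource Type": "Data Catalog", "Resource Name": "default",
     "Data Permission": "SELECT"},
]
APPROVED = {
    Grant("analyst01", "RAM user", "table", "sales.orders", "SELECT"),
    Grant("etl-role", "RAM role", "database", "sales", "ALTER"),
    Grant("etl-role", "RAM role", "table", "sales.orders", "INSERT"),
}

REPORT = audit(parse_entries(LIVE_ROWS), APPROVED)

if __name__ == "__main__":
    for key, grants in REPORT.items():
        print(key)
        for g in grants:
            print(f"  {g.principal} ({g.principal_type}) {g.permission} "
                  f"on {g.resource_type} {g.resource_name}")
```

In the sample data the analyst's SELECT on the whole data catalog is unapproved and also lands in the broad list, so it is the first entry to search for and revoke; the ETL role's INSERT on sales.orders shows up as missing, which is either an expected revocation or a pipeline about to fail.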
Revoke permissions
Who can do this: Data lake administrators and users with authorization permissions.
On the Data Permissions page (Data Permission > Data Permissions in the left-side navigation pane), search for the permission entry to revoke.
In the Actions column, click Revoke Permissions.
In the confirmation dialog, click Delete.