Data Lake Formation (DLF) uses a two-layer permission model to control access to its API operations and data resources. A Resource Access Management (RAM) user must pass both layers of permission verification to access DLF data resources.
Layer 1 — RAM permissions: control whether a RAM user can call DLF API operations or access DLF pages.
Layer 2 — DLF data permissions: control whether a RAM user can read, write, or manage DLF internal resources such as databases, tables, columns, functions, and data catalogs.
Layer 1: RAM permissions
Layer 1 determines whether a RAM user can call DLF API operations. Two built-in authorization policies are available in the RAM console:
AliyunDLFFullAccess: grants permission to call all DLF API operations, including write operations.
AliyunDLFReadOnlyAccess: grants permission to call read-only DLF API operations (List and Get). Does not include Create, Delete, or other write operations.
The SubmitQuery API operation is classified as a write operation. Attach AliyunDLFFullAccess to any RAM user who needs to call SubmitQuery.
For more granular control, create a custom RAM authorization policy to restrict access at the individual API operation level.
Layer 2: DLF data permissions
Layer 2 controls access to DLF internal resources: databases, tables, columns, functions, and data catalogs. It also governs permission management operations such as managing roles, users, and permissions.
Layer 2 has two sub-types with an OR relationship — a RAM user passes Layer 2 verification if they satisfy either sub-type:
| | DLF fine-grained data permissions | DLF-DSS coarse-grained data permissions for RAM users |
|---|---|---|
| Scope | Databases, tables, columns, functions, data catalogs; role, user, and permission management | Databases, tables, columns, functions, data catalogs; role, user, and permission management |
| Built-in policies | Managed through DLF roles (admin, super_administrator) and resource-level grants | AliyunDLFDSSFullAccess, AliyunDLFDSSReadOnlyAccess |
| Granularity | Fine-grained (database, table, column level) | Coarse-grained |
| Use when | Fine-grained data access control is required | Establishing quick service-to-service trust between Alibaba Cloud services |
| Recommended | Yes — use for most permission management scenarios | No — limited applicability; use only for service trust scenarios |
The data catalog permission control switch must be turned on for permission verification to apply to data resources (databases, tables, columns, functions, and data catalogs). Permission verification for role, user, and permission management is always enforced regardless of the switch state.
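To make the two-layer check concrete, here is an added Python model of the evaluation described above. It is not DLF's own code: Layer 1 evaluates RAM-style JSON policies (an explicit Deny wins, then any matching Allow, otherwise implicit deny), Layer 2 passes on a fine-grained grant or a DLF-DSS policy (the OR relationship), and the catalog switch suppresses the check for data resources only, never for permission management. It also shows the kind of custom Layer 1 policy mentioned earlier, which allows only List and Get calls. The custom policies, the resource names, the dlf:GetTable, dlf:CreateTable and dlf:BatchGrantPermissions action names and the "Select"/"Grant" privilege labels are assumptions for illustration; only SubmitQuery and the dlf-dss actions are taken from this page.

```python
"""Model of DLF's two-layer permission check as described on this page:
Layer 1 (RAM policy on the API action) AND Layer 2 (fine-grained grant OR
DLF-DSS policy). Added example, not DLF's implementation; action, resource
and privilege names not quoted on the page are assumed for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Constructed Layer 1 policy in RAM JSON shape: a custom read-only policy that
# exposes only List/Get calls and explicitly denies SubmitQuery.
METADATA_READONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["dlf:List*", "dlf:Get*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "dlf:SubmitQuery", "Resource": "*"},
    ],
}

# Constructed stand-in for AliyunDLFFullAccess (every dlf: action).
FULL_ACCESS_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "dlf:*", "Resource": "*"}],
}

# Constructed DSS policy using the action pair quoted in the FAQ on this page:
# enough to grant Select on tables to other users.
DSS_GRANTER_POLICY = {
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dlf-dss:BatchGrantPermissions", "dlf-dss:SelectTable"],
        "Resource": "*",
    }],
}


def policy_allows(policies, action):
    """RAM-style evaluation: an explicit Deny wins, then any matching Allow,
    otherwise the action is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if any(fnmatchcase(action, p) for p in patterns):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


@dataclass
class RamUser:
    ram_policies: list                                 # Layer 1 policies
    dlf_roles: set = field(default_factory=set)        # admin / super_administrator
    grants: dict = field(default_factory=dict)         # resource -> {privileges}
    dss_policies: list = field(default_factory=list)   # Layer 2, coarse-grained


@dataclass
class Request:
    api_action: str   # Layer 1 action, e.g. "dlf:GetTable" (assumed name)
    kind: str         # "data" (catalog/db/table/column/function) or "management"
    resource: str     # e.g. "sales/orders" (assumed naming)
    privilege: str    # fine-grained privilege needed, e.g. "Select"
    dss_action: str   # DSS action that would cover the same request


def layer1_passes(user, req):
    return policy_allows(user.ram_policies, req.api_action)


def layer2_passes(user, req, catalog_switch_on):
    # Data resources are verified only while the catalog switch is on;
    # role/user/permission management is verified regardless of the switch.
    if req.kind == "data" and not catalog_switch_on:
        return True
    if user.dlf_roles & {"admin", "super_administrator"}:
        return True
    fine_grained = req.privilege in user.grants.get(req.resource, set())
    coarse_grained = policy_allows(user.dss_policies, req.dss_action)
    return fine_grained or coarse_grained  # the two sub-types are OR'ed


def can_access(user, req, catalog_switch_on=True):
    """A request passes only if BOTH layers pass."""
    return layer1_passes(user, req) and layer2_passes(user, req, catalog_switch_on)


if __name__ == "__main__":
    analyst = RamUser([METADATA_READONLY_POLICY], grants={"sales/orders": {"Select"}})
    read = Request("dlf:GetTable", "data", "sales/orders", "Select", "dlf-dss:SelectTable")
    query = Request("dlf:SubmitQuery", "data", "sales/orders", "Select", "dlf-dss:SelectTable")
    print("analyst GetTable:", can_access(analyst, read))      # True
    print("analyst SubmitQuery:", can_access(analyst, query))  # False: Layer 1 denies
```

The two behaviours worth noticing: an admin DLF role never rescues a request that the RAM policy denies at Layer 1 (the layers are AND'ed), and turning the catalog switch off only skips verification of data resources, so a user without a role, grant, or DSS policy still cannot grant permissions to others.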
Built-in admin roles
DLF provides two built-in admin roles to simplify data permission management. Find and assign them in the DLF console under Data Permission > Role.
| Role | Permissions | Can modify admin users |
|---|---|---|
| admin (data lake administrator) | All data permissions and authorization permissions in DLF | No |
| super_administrator (super administrator) | All data permissions and authorization permissions in DLF | Yes |
For detailed fine-grained permission settings, see Overview.
DLF-DSS coarse-grained data permissions for RAM users
DLF-DSS coarse-grained data permissions are primarily used to quickly establish mutual trust between Alibaba Cloud services. Two built-in policies are available in the RAM console:
AliyunDLFDSSFullAccess: grants access to all DLF data resources (the same databases, tables, columns, functions, and data catalogs that fine-grained permissions cover), at coarse granularity.
AliyunDLFDSSReadOnlyAccess: grants read-only access to all DLF data resources (List, Get, Select, Execute).
If a RAM user is granted AdministratorAccess, that user has all DLF-DSS permissions, which is equivalent to AliyunDLFDSSFullAccess.
Currently, DLF-DSS coarse-grained data permissions are not applicable to many scenarios. Use DLF fine-grained data permissions for production data permission management. Reserve DLF-DSS coarse-grained permissions for service-to-service trust scenarios.
Common scenarios
Scenario 1: RAM user needs metadata query only
Grant Layer 1 API permissions by attaching AliyunDLFFullAccess or AliyunDLFReadOnlyAccess to the RAM user in the RAM console. For metadata query only, AliyunDLFReadOnlyAccess (List and Get operations) is sufficient and is the least-privilege choice.
No Layer 2 configuration is required for metadata query while the data catalog permission control switch is off. Once the switch is turned on, data resources are verified at Layer 2 as well, and the user needs a role, grant, or DLF-DSS policy as described in Scenario 2.
Scenario 2: RAM user needs to manage data permissions
Grant Layer 1 API permissions: attach AliyunDLFFullAccess or AliyunDLFReadOnlyAccess to the RAM user. AliyunDLFReadOnlyAccess covers only List and Get operations, so a user who will grant or revoke permissions needs AliyunDLFFullAccess.
Turn on the permission control switch for the target data catalog. For instructions, see Configure permissions.
(Optional) If you use E-MapReduce (EMR) to query or modify data, turn on the DLF-Auth permission switch in the EMR cluster.
Grant the RAM user data permissions using one of the following methods:
Grant the admin or super_administrator role to the RAM user using your Alibaba Cloud account. The user then has all data permissions and can perform authorization management. For instructions, see Role management.
Grant all permissions on a specific database to the RAM user. For instructions, see Add permissions.
Grant permissions on a specific table or column to the RAM user. For instructions, see Add permissions.
FAQ
A RAM user gets a "no permission to call the DLF API operation" error
The error message displays a permission like dlf:xxx, indicating the user has not been granted Layer 1 API permissions. Attach AliyunDLFFullAccess or AliyunDLFReadOnlyAccess to the user in the RAM console based on the level of access required.
The system shows "no resource permissions" when a RAM user tries to grant permissions
The RAM user passed Layer 1 verification but does not have the Layer 2 authorization permissions needed to grant access to others. Resolve this by doing one of the following:
Grant the user authorization permissions on the specific resources, or assign corresponding roles. See Add permissions.
Grant the user the admin or super_administrator role. See Role management.
Grant the user DLF-DSS permissions that cover the authorization action. For example, dlf-dss:BatchGrantPermissions combined with dlf-dss:SelectTable lets the user grant Select permissions on tables to other users.
A RAM user gets a NoPermission error when calling permission-related API operations
API operations such as ListPermissions and ListRoles require either a fine-grained admin role or DLF-DSS permissions at Layer 2, in addition to the Layer 1 API permission. Resolve this by doing one of the following:
Grant the user the admin or super_administrator role. See Role management.
Grant the user DLF-DSS permissions from the RAM console (AliyunDLFDSSFullAccess or AliyunDLFDSSReadOnlyAccess). For example:
dlf-dss:ListRoles lets the user view all roles in DLF.
dlf-dss:ListPermissions lets the user view all granted permissions in DLF.