RAM authorization - Data Lake Formation - Alibaba Cloud Documentation Center

Resource Access Management (RAM) is a service provided by Alibaba Cloud to manage user identities and resource access permissions. Using RAM helps you avoid sharing your Alibaba Cloud account keys with other users and allows you to grant users the least privilege access. RAM uses permission policies to define authorizations. This topic describes the general structure of a RAM policy, and the policy statement elements (Action, Resource, and Condition) defined by Data Lake Formation for RAM permission policies. The RAM code (RamCode) for Data Lake Formation is dlf , and the supported authorization granularity is OPERATION .

General structure of a policy

Permission policies support JSON format with the following general structure:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "<Effect>",
      "Action": "<Action>",
      "Resource": "<Resource>",
      "Condition": {
        "<Condition_operator>": {
          "<Condition_key>": [
            "<Condition_value>"
          ]
        }
      }
    }
  ]
}

The following list describes the fields in the policy:

Version: Specifies the policy version number. It is fixed at 1.
Statement:
- Effect: Specifies the authorization result. Valid values: Allow and Deny.
- Action: Specifies one or more operations that are allowed or denied.
- Resource: Specifies the specific objects affected by the operations. You can use Alibaba Cloud Resource Names (ARNs) to describe specific resources.
- Condition: Specifies the conditions for the authorization to take effect. This field is optional.
  - Condition operator: Specifies the conditional operators. Different types of conditions support different conditional operators.
  - Condition_key: Specifies the condition keys.
  - Condition_value: Specifies the condition values.

Action

The following table lists the actions defined by Data Lake Formation. The table's columns are detailed below:

Action: The actions can be used in the Action element of RAM permission policy statements to grant permissions to perform the operation.
API: The API that you can call to perform the action.
Access level: The predefined level of access granted for each API. Valid values: create, list, get, update, and delete.
Resource type: The type of the resource that support authorization to perform the action. It indicates if the action supports resource-level permission. The specified resource must be compatible with the action. Otherwise, the policy will be ineffective.
- For APIs with resource-level permissions, required resource types are marked with an asterisk (*). Specify the corresponding ARN in the Resource element of the policy.
- For APIs without resource-level permissions, it is shown as All Resources. Use an asterisk (*) in the Resource element of the policy.
Condition key: The condition keys defined by the service. The key allows for granular control, applying to either actions alone or actions associated with specific resources. In addition to service-specific condition keys, Alibaba Cloud provides a set of common condition keys that are applicable across all RAM-integrated services. For more information, see Common condition keys.
Dependent action: The dependent actions required to run the action. To complete the action, the RAM user or the RAM role must have the permissions to perform all dependent actions.

Action	API	Access level	Resource type	Condition key	Dependent action
dlf:GetIcebergNamespace	GetIcebergNamespace	get	All Resource ``	None	None
dlf:GetCatalogToken	GetCatalogToken	get	All Resource ``	None	None
dlf:DropShare	DropShare	delete	All Resource ``	None	None
dlf:BatchRevokePermissions	BatchRevokePermissions	create	All Resource ``	None	None
dlf:ListIcebergSnapshots	ListIcebergSnapshots	get	All Resource ``	None	None
dlf:ListIcebergTableDetails	ListIcebergTableDetails	get	All Resource ``	None	None
dlf:UpdateRoleUsers	UpdateRoleUsers	update	All Resource ``	None	None
dlf:DescribeRegions	DescribeRegions	get	All Resource ``	None	None
dlf:ListPartitions	ListPartitions	get	All Resource ``	None	None
dlf:RefreshUserSync	RefreshUserSync	create	All Resource ``	None	None
dlf:ListUserRoles	ListUserRoles	get	All Resource ``	None	None
dlf:CreateDatabase	CreateDatabase	create	All Resource ``	None	None
dlf:GetRegionStatus	GetRegionStatus	get	All Resource ``	None	None
dlf:AlterCatalog	AlterCatalog	none	All Resource ``	None	None
dlf:ListProvidedShares	ListProvidedShares	get	All Resource ``	None	None
dlf:DropDatabase	DropDatabase	delete	All Resource ``	None	None
dlf:RevokeRoleFromUsers	RevokeRoleFromUsers	none	All Resource ``	None	None
dlf:Subscribe	Subscribe	create	All Resource ``	None	None
dlf:ListSnapshots	ListSnapshots	get	All Resource ``	None	None
dlf:BatchGrantPermissions	BatchGrantPermissions	create	All Resource ``	None	None
dlf:GetTable	GetTable	get	All Resource ``	None	None
dlf:ListPermissions	ListPermissions	get	All Resource ``	None	None
dlf:GetDatabaseSummary	GetDatabaseSummary	get	All Resource ``	None	None
dlf:AlterShare	AlterShare	none	All Resource ``	None	None
dlf:DeleteRole	DeleteRole	delete	All Resource ``	None	None
dlf:GetIcebergTable	GetIcebergTable	get	All Resource ``	None	None
dlf:ListPartitionSummaries	ListPartitionSummaries	get	All Resource ``	None	None
dlf:GetCatalogSummaryTrend	GetCatalogSummaryTrend	get	All Resource ``	None	None
dlf:GrantRoleToUsers	GrantRoleToUsers	create	All Resource ``	None	None
dlf:GetTableSummary	GetTableSummary	get	All Resource ``	None	None
dlf:ListDatabases	ListDatabases	get	All Resource ``	None	None
dlf:ListIcebergNamespaceDetails	ListIcebergNamespaceDetails	get	All Resource ``	None	None
dlf:ListShareReceivers	ListShareReceivers	get	All Resource ``	None	None
dlf:GetUser	GetUser	get	All Resource ``	None	None
dlf:ListUsers	ListUsers	get	All Resource ``	None	None
dlf:AlterTable	AlterTable	none	All Resource ``	None	None
dlf:ListRoleUsers	ListRoleUsers	get	All Resource ``	None	None
dlf:ListShareResources	ListShareResources	get	All Resource ``	None	None
dlf:DropCatalog	DropCatalog	delete	All Resource ``	None	None
dlf:RollbackTable	RollbackTable	none	All Resource ``	None	None
dlf:AlterReceiver	AlterReceiver	none	All Resource ``	None	None
dlf:AlterShareReceivers	AlterShareReceivers	none	All Resource ``	None	None
dlf:GetCatalogSummary	GetCatalogSummary	get	All Resource ``	None	None
dlf:DropReceiver	DropReceiver	delete	All Resource ``	None	None
dlf:ListRoles	ListRoles	get	All Resource ``	None	None
dlf:GetTableSnapshot	GetTableSnapshot	get	All Resource ``	None	None
dlf:CreateReceiver	CreateReceiver	create	All Resource ``	None	None
dlf:GetDatabase	GetDatabase	get	All Resource ``	None	None
dlf:GetCatalog	GetCatalog	get	All Resource ``	None	None
dlf:ListTables	ListTables	get	All Resource ``	None	None
dlf:GetReceiver	GetReceiver	get	All Resource ``	None	None
dlf:GetShare	GetShare	get	All Resource ``	None	None
dlf:DropTable	DropTable	delete	All Resource ``	None	None
dlf:ListTableDetails	ListTableDetails	get	All Resource ``	None	None
dlf:ListDatabaseDetails	ListDatabaseDetails	get	All Resource ``	None	None
dlf:CreateShare	CreateShare	create	All Resource ``	None	None
dlf:GetCatalogById	GetCatalogById	get	All Resource ``	None	None
dlf:GetTableToken	GetTableToken	get	All Resource ``	None	None
dlf:ListCatalogs	ListCatalogs	get	All Resource ``	None	None
dlf:AlterShareResources	AlterShareResources	none	All Resource ``	None	None
dlf:CreateTable	CreateTable	create	All Resource ``	None	None
dlf:GetTableCompaction	GetTableCompaction	get	All Resource ``	None	None
dlf:ListReceivedShares	ListReceivedShares	get	All Resource ``	None	None
dlf:GetRole	GetRole	get	All Resource ``	None	None
dlf:ListReceivers	ListReceivers	get	All Resource ``	None	None
dlf:CreateCatalog	CreateCatalog	create	All Resource ``	None	None
dlf:CreateRole	CreateRole	create	All Resource ``	None	None
dlf:UpdateRole	UpdateRole	update	All Resource ``	None	None
dlf:AlterDatabase	AlterDatabase	none	All Resource ``	None	None

Resource

The following table lists the resources defined by Data Lake Formation. Specify them in the Resource element of RAM policy statements to grant permissions for specific operations. They are uniquely identified by ARNs. Format: acs:{#ramcode}:{#regionId}:{#accountId}:{#resourceType}:

acs: The initialism of Alibaba Cloud service, which indicates the public cloud of Alibaba Cloud.
{#ramcode}: The code used in RAM to indicate an Alibaba Cloud service.
{#regionId}: The region ID. If the resource covers all regions, set it to an asterisk (*).
{#accountId}: The ID of the Alibaba Cloud account. If the resource covers all Alibaba Cloud accounts, set it to an asterisk (*).
{#resourceType}: The service-defined resource identifier. It supports a hierarchical structure, which is similar to a file path. If the statement covers global resources, set it to an asterisk (*).

Resource type

ARN

Condition

Data Lake Formation does not define product-level condition keys. However, you can use Alibaba Cloud common condition keys for access control. For more information, see Common condition keys.

How to create custom RAM policies?

You can create custom policies and grant them to RAM users, RAM user groups, or RAM roles. For instructions, see: