Before users can use Data Lake Formation (DLF), you (administrators) must configure two types of permissions for them. This topic guides you through that task.
Configure API permissions
To interact with DLF through APIs or SDKs, a user must first be granted the appropriate permissions by the Alibaba Cloud account or a RAM administrator. These permissions control what API operations the user can call. DLF provides two predefined policies:
AliyunDLFFullAccess: Grants full API access.
AliyunDLFReadOnlyAccess: Grants read-only API access.
For more information, see DLF RAM authorization action reference.
Configure data permissions
After granting API permissions, configure proper data permissions for users so they can access specific data resources. DLF offers two system roles: super_administrator and admin.
super_administrator: Has all data permissions in DLF. This role can manage admin roles and has all abilities of the admin role.
admin: Has all data permissions in DLF, plus the ability to create custom DLF roles and catalogs and grant permissions.
The Alibaba Cloud account is a super_administrator of DLF in all regions by default.
A RAM user who activates DLF in a region automatically inherits the super_administrator privileges for all resources in that region.
The super_administrator or admin role can grant data permissions to a user in the following ways:
Add a DLF role to a user: The user will then have all the data permissions associated with that DLF role. For more information, see Manage DLF users and roles.
Grant specific permissions on a resource to a user. For more information, see Data authorization management.