
Data Lake Formation: Configure permissions

Last Updated: Mar 26, 2026

Before users can work with Data Lake Formation (DLF), you must configure two types of permissions for them: API permissions control which DLF API operations a user can call; data permissions control which data resources a user can access.

Prerequisites

Before you begin, make sure that you have:

  • An Alibaba Cloud account or RAM administrator privileges to grant RAM policies

  • The super_administrator or admin role in DLF to grant data permissions

The Alibaba Cloud account holder is a super_administrator in all regions by default. A RAM user who activates DLF in a region automatically inherits super_administrator privileges for all resources in that region.

Step 1: Grant API permissions

A RAM administrator or the Alibaba Cloud account holder must attach a RAM policy to the user before the user can call any DLF API. DLF provides two predefined policies:

Policy                     Access level
AliyunDLFFullAccess        Full API access
AliyunDLFReadOnlyAccess    Read-only API access

Attach the policy that matches the user's role. For a complete list of DLF API operations and the permissions required for each, see DLF RAM authorization action reference.

Step 2: Grant data permissions

After API permissions are in place, grant data permissions so the user can access specific DLF resources. Only a super_administrator or admin can perform this step.

System roles

DLF provides two built-in system roles:

Role                   Capabilities
super_administrator    All data permissions in DLF, including the ability to manage admin roles and all capabilities of the admin role
admin                  All data permissions in DLF, plus the ability to create custom DLF roles and catalogs, and grant permissions

super_administrator is the higher-privilege role — it includes all capabilities of admin.

Grant data permissions to a user

Use one of the following methods:

  • Assign a DLF role: Add a DLF role to the user. The user inherits all data permissions associated with that role. See Manage DLF users and roles for details.

  • Grant resource-specific permissions: Grant the user permissions on a specific resource directly. See Data authorization management for details.
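
Because Step 1 and Step 2 are granted separately, an access review should check both layers for each user. The following is an added example, not code from DLF or Alibaba Cloud: it audits a constructed inventory whose field names, users, custom role and resource names are hypothetical, and it assumes only the two predefined policies grant DLF API access (custom RAM policies are not modeled).

```python
# Added example: review both DLF permission layers (API and data) per user.
# Policy and system role names come from the page; everything else is assumed.
DLF_POLICIES = {"AliyunDLFFullAccess": "full", "AliyunDLFReadOnlyAccess": "read-only"}
PRIVILEGED_ROLES = {"super_administrator", "admin"}
INVENTORY = [  # constructed sample data, hypothetical field names
    {"user": "etl-writer", "ram_policies": ["AliyunDLFFullAccess"],
     "dlf_roles": ["etl_role"], "resource_grants": []},
    {"user": "analyst", "ram_policies": ["AliyunDLFReadOnlyAccess"],
     "dlf_roles": [], "resource_grants": []},
    {"user": "contractor", "ram_policies": [],
     "dlf_roles": [], "resource_grants": ["sales_db.orders"]},
    {"user": "platform-lead", "ram_policies": ["AliyunDLFReadOnlyAccess"],
     "dlf_roles": ["admin"], "resource_grants": []},
]


def api_level(entry):
    """Return 'full', 'read-only' or None from the predefined DLF policies."""
    levels = {DLF_POLICIES[p] for p in entry["ram_policies"] if p in DLF_POLICIES}
    if "full" in levels:
        return "full"
    return "read-only" if levels else None


def review(entry):
    """Return the findings for one user across the API and data layers."""
    findings = []
    level = api_level(entry)
    has_data = bool(entry["dlf_roles"] or entry["resource_grants"])
    privileged = sorted(PRIVILEGED_ROLES & set(entry["dlf_roles"]))
    if has_data and level is None:
        findings.append("data permissions granted but no DLF RAM policy attached")
    if level is not None and not has_data:
        findings.append("RAM policy attached but no DLF role or resource grant")
    if privileged:
        findings.append("holds privileged role(s): " + ", ".join(privileged))
    if privileged and level == "read-only":
        findings.append("privileged role paired with read-only API access")
    return findings


def audit(inventory):
    """Map each user that has at least one finding to its findings."""
    report = {e["user"]: review(e) for e in inventory}
    return {user: f for user, f in report.items() if f}


if __name__ == "__main__":
    print(audit(INVENTORY))
```

Users holding super_administrator or admin are always listed, since those roles can grant permissions to others and merit periodic review.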