Data Lake Formation: Data authorization management

Last Updated: Mar 26, 2026

Grant, view, and revoke data permissions on catalogs, databases, and tables in Data Lake Formation (DLF).

Prerequisites

Before you begin, ensure that you have:

  • A DLF account with the super_administrator or admin role, or explicit Grant permission on the target resource. To get admin permission, contact a super_administrator.

Permissions overview

DLF organizes data resources in a three-level hierarchy: catalog → database → table. Permissions are managed independently at each level — granting access to a catalog does not automatically grant access to its databases or tables.

The following tables list the available permissions for each resource type:

Resource | Available permissions
Catalog | Permissions selected in the Grant Permissions panel
Database | Permissions selected in the Grant Permissions panel
Table | ALL, Alter, Drop, Select, Update, Grant

Table permission descriptions:

Permission | What it allows
ALL | Grants all available permissions on the table
Alter | Modify the table schema
Drop | Delete the table
Select | Query data in the table
Update | Update data in the table
Grant | Grant permissions on this table to other users

Grant permissions

Grant catalog permissions

  1. Log on to the DLF console.

  2. In the left navigation menu, select Catalogs, and click your catalog name.

  3. On the Permissions tab, click Grant Permissions.

  4. In the Grant Permissions panel, configure the following parameters and click OK.

Parameter | Description
Principal | Select DLF User or DLF Role.
Select DLF User / Select DLF Role | Select a RAM identity (for a user) or a system or custom role (for a role) from the dropdown list. For more information, see Manage DLF users and roles.
Predefined Permission Type | Select a permission template: Custom (default, define individual permissions), Data Reader (read-only access), or Data Editor (read/write access).
Permissions | Select the permissions to grant.

Grant database permissions

  1. Log on to the DLF console.

  2. In the left navigation menu, select Catalogs, and click your catalog name.

  3. In the Database section, click your database name.

  4. On the Permissions tab, click Grant Permissions.

  5. In the Grant Permissions panel, configure the following parameters and click OK.

Parameter | Description
Principal | Select DLF User or DLF Role.
Select DLF User / Select DLF Role | Select a RAM identity (for a user) or a system or custom role (for a role) from the dropdown list. For more information, see Manage DLF users and roles.
Predefined Permission Type | Select a permission template: Custom (default), Data Reader (read-only access to this database), or Data Editor (read/write access to this database).
Permissions | Select the permissions to grant.

Grant table permissions

  1. Log on to the DLF console.

  2. In the left navigation menu, select Catalogs, and click your catalog name.

  3. In the Database section, click your database name.

  4. On the Tables subtab, click a table name.

  5. On the Permissions tab, click Grant Permissions.

  6. In the Grant Permissions panel, configure the following parameters and click OK.

Parameter | Description
Principal | Select DLF User or DLF Role.
Select DLF User / Select DLF Role | Select a RAM identity (for a user) or a system or custom role (for a role) from the dropdown list. For more information, see Manage DLF users and roles.
Predefined Permission Type | Select a permission template: Custom (default), Data Reader (read-only access), or Data Editor (read/write access).
Table | Select the table-level permissions to grant: ALL, Alter, Drop, Select, Update, or Grant. See the permission descriptions above.
Column | Applies only when Select is the sole table permission granted. Select All Columns (default) to apply permissions to all columns, or Selected Columns to restrict by column. When using Selected Columns, choose Include Selected Columns (grant access only to those columns) or Exclude Selected Columns (grant access to all columns except those listed).

Column-level permissions have the following constraints:

  • Scope: Column-level permission management applies only to internal Paimon tables.

  • Version requirement: Your compute engine must use Paimon 1.2 (1-ali-12.0) or later, for example Realtime Compute for Apache Flink Ververica Runtime (VVR) 11.1 or later. For assistance with other versions, join our DingTalk group (ID: 106575000021).

  • Permission intersection rule: If a user and their associated role both have column-level Select permission, DLF grants access to the intersection of their granted column sets.
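
The Column options and the permission intersection rule above, worked through as an added example (a local model written for this page, not DLF code and not a DLF API). ColumnGrant, effective_columns, explain, and the sample table and grants are hypothetical names and constructed data; the model covers only the case where both the user and the role hold a column-level Select grant.

```python
from dataclasses import dataclass

ALL, INCLUDE, EXCLUDE = "all", "include", "exclude"  # the three Column options

@dataclass(frozen=True)
class ColumnGrant:
    """Hypothetical model of one principal's column-level Select grant."""
    mode: str                          # ALL, INCLUDE or EXCLUDE
    columns: frozenset = frozenset()   # listed columns; ignored when mode is ALL

    def visible(self, table_columns):
        """Columns of the table that this grant alone exposes."""
        schema = set(table_columns)
        if self.mode == ALL:
            return schema
        if self.mode == INCLUDE:
            return schema & self.columns
        if self.mode == EXCLUDE:
            return schema - self.columns
        raise ValueError(f"unknown column mode: {self.mode!r}")

def effective_columns(table_columns, user_grant, role_grant):
    """Intersection rule: a column is readable only if both grants expose it."""
    return user_grant.visible(table_columns) & role_grant.visible(table_columns)

def explain(table_columns, user_grant, role_grant):
    """Map each column to 'allowed' or to the grant(s) that withhold it."""
    views = (("user", user_grant.visible(table_columns)),
             ("role", role_grant.visible(table_columns)))
    report = {}
    for col in table_columns:
        missing = [name for name, cols in views if col not in cols]
        report[col] = "withheld by " + " and ".join(missing) if missing else "allowed"
    return report

# Constructed sample table and grants (not taken from the page).
ORDERS = ["order_id", "customer_id", "email", "card_last4", "amount"]
USER = ColumnGrant(EXCLUDE, frozenset({"card_last4"}))
ROLE = ColumnGrant(INCLUDE, frozenset({"order_id", "email", "card_last4"}))

if __name__ == "__main__":
    print(sorted(effective_columns(ORDERS, USER, ROLE)))
    for column, verdict in explain(ORDERS, USER, ROLE).items():
        print(f"{column:12} {verdict}")
```

Because the result is an intersection, a role with a narrower column grant reduces what the user can read, so check both grants when a column is unexpectedly missing from query results.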

View permissions

View catalog permissions

  1. In the left navigation menu, select Catalogs, and click your catalog name.

  2. On the Permissions tab, view the list of principals and their granted permissions.

View database permissions

  1. In the left navigation menu, select Catalogs, and click your catalog name.

  2. In the Database section, click your database name.

  3. On the Permissions tab, view the list of principals and their granted permissions.

View table permissions

  1. In the left navigation menu, select Catalogs, and click your catalog name.

  2. In the Database section, click your database name.

  3. On the Tables subtab, click a table name.

  4. On the Permissions tab, view the list of principals and their granted permissions.

Revoke permissions

Revoke catalog permissions

  1. In the left navigation menu, select Catalogs, and click your catalog name.

  2. On the Permissions tab, select the permissions to revoke and click Revoke Permissions.

Revoke database permissions

  1. In the left navigation menu, select Catalogs, and click your catalog name.

  2. In the Database section, click your database name.

  3. On the Permissions tab, select the permissions to revoke and click Revoke Permissions.

Revoke table permissions

  1. In the left navigation menu, select Catalogs, and click your catalog name.

  2. In the Database section, click your database name.

  3. On the Tables subtab, click a table name.

  4. On the Permissions tab, select the permissions to revoke and click Revoke Permissions.