This topic describes how to authorize and manage Resource Access Management (RAM) users and roles in Data Lake Formation (DLF).
Users and roles
To access DLF, follow these steps:
Grant the required RAM API access policy to the RAM user or role.
Grant the necessary metadata permissions to the DLF user or DLF role.
Manage DLF users
View and sync users
Log on to the DLF console.
In the left menu, click System & Security.
On the Access Control tab, click the Users subtab and click Sync Users. This syncs all RAM users and roles under your Alibaba Cloud account to DLF.
Deleting a RAM user or role also deletes it from DLF.
Manage DLF roles
A DLF role is a collection of permissions. You can use it to assign the same set of permissions to multiple users.
System roles
Role name | Description | Permissions |
admin | Data lake administrator | Has full data access permissions, can grant permissions in DLF, and can create custom roles and catalogs. |
super_administrator | Super administrator | Has all permissions of the admin role and can modify the users assigned to the admin role. Note DLF automatically assigns the |
To implement granular data permissions and manage authorization efficiently, create a custom role and grant permissions to it. New users added to this role inherit its permissions, eliminating repetitive authorization and improving management efficiency.
Create a new role
Go to the role management page.
Log on to the DLF console.
In the left menu, click System & Security.
On the Access Control tab, click the Roles tab.
Click Create Role.
In the Create Role panel, enter a role name and click OK.
You can click Add to select existing users and assign the new DLF role to the users.
Assign a DLF role to a user
Assigning a system or custom DLF role to a user grants all permissions associated with that role.
Procedure:
On the Roles page, find the target role and click Modify in the Actions column.
In the Modify Role panel, click Add and select existing users.
Click OK.
Delete a role
On the Roles page, find the target role and click Delete in the Actions column.
In the dialog, click OK.
The system roles admin and super_administrator cannot be deleted.