
Data Lake Formation: Manage DLF users and roles

Last Updated: Mar 26, 2026

DLF uses a two-layer permission model. To give a RAM user or role access to DLF, you must configure both layers:

  1. RAM layer — Grant a RAM API access policy to the Resource Access Management (RAM) user or RAM role.

  2. DLF layer — Grant metadata permissions to the corresponding DLF user or DLF role. This controls which data lake resources the user can access.


Manage DLF users

Sync users

Run a manual sync to make all RAM users and RAM roles under your Alibaba Cloud account available in DLF.

  1. Log on to the DLF console.

  2. In the left menu, click System & Security.

  3. On the Access Control tab, click the Users subtab, then click Sync Users.

Deleting a RAM user or RAM role also deletes it from DLF.

Manage DLF roles

A DLF role is a collection of permissions. Assign a role to multiple users to grant them the same permissions at once, without configuring each user individually.

System roles

DLF includes two built-in system roles that cannot be deleted:

| Role | Description | Permissions |
| --- | --- | --- |
| admin | Data lake administrator | Full data access permissions; can grant permissions in DLF; can create custom roles and catalogs. |
| super_administrator | Super administrator | All permissions of admin; can also modify users assigned to the admin role. Automatically assigned to the RAM user who activates DLF for the current region. |

Custom roles

For granular data access control, create custom roles and grant permissions to them. Users added to a custom role inherit its permissions automatically, which eliminates repetitive per-user authorization.

Create a role

  1. Log on to the DLF console.

  2. In the left menu, click System & Security.

  3. On the Access Control tab, click the Roles tab.

  4. Click Create Role.

  5. In the Create Role panel, enter a role name and click OK. (Optional) Click Add to select existing users and assign this role to them immediately.

Assign a role to users

Assigning a DLF role to a user grants that user all permissions associated with the role.

  1. On the Roles page, find the target role and click Modify in the Actions column.

  2. In the Modify Role panel, click Add and select the users to assign.

  3. Click OK.

Delete a role

The system roles admin and super_administrator cannot be deleted.

  1. On the Roles page, find the target role and click Delete in the Actions column.

  2. In the dialog, click OK.
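
Added example (not part of the original documentation or of DLF itself): a review of the two-layer model and role assignments described on this page, run over constructed data. The record layout, the principal names and the placeholder policy name example-dlf-api-policy are assumptions; only role membership is modelled, not metadata permissions granted directly to a DLF user.

```python
# Added example: audit of DLF's two-layer model over constructed data.
# The record layout and the policy name are assumptions, not a DLF export format.
SYSTEM_ROLES = {"admin", "super_administrator"}  # built-in roles named on this page
DLF_API_POLICY = "example-dlf-api-policy"        # placeholder RAM policy name

# Constructed sample: RAM principals and the RAM policies attached to each.
RAM_PRINCIPALS = {
    "alice": {DLF_API_POLICY},
    "bob": {DLF_API_POLICY},
    "etl-role": set(),
    "carol": {DLF_API_POLICY},
}
# Constructed sample: DLF roles and their members, as listed on the Roles page.
DLF_ROLES = {
    "super_administrator": {"alice"},
    "admin": {"alice", "etl-role"},
    "analysts": {"bob", "dave"},
}

def audit(ram_principals, dlf_roles, api_policy=DLF_API_POLICY):
    """Classify each principal by which of the two layers is configured."""
    roles_of = {}
    for role, members in dlf_roles.items():
        for member in members:
            roles_of.setdefault(member, set()).add(role)
    report = {"effective": {}, "ram_only": [], "dlf_only": [],
              "not_in_ram": [], "privileged": {}}
    for name in sorted(set(ram_principals) | set(roles_of)):
        roles = roles_of.get(name, set())
        if name not in ram_principals:
            # Unexpected: deleting a RAM principal also deletes it from DLF.
            report["not_in_ram"].append(name)
            continue
        has_ram = api_policy in ram_principals[name]
        if has_ram and roles:
            report["effective"][name] = sorted(roles)  # both layers configured
        elif has_ram:
            report["ram_only"].append(name)   # API policy, but no DLF role
        elif roles:
            report["dlf_only"].append(name)   # DLF role, but no API policy
        if roles & SYSTEM_ROLES:
            # System-role members are listed even when the RAM layer is missing.
            report["privileged"][name] = sorted(roles & SYSTEM_ROLES)
    return report

if __name__ == "__main__":
    for key, value in audit(RAM_PRINCIPALS, DLF_ROLES).items():
        print(f"{key}: {value}")
```

Entries under dlf_only and privileged are the ones to review first: a system-role member without the RAM policy gains full DLF access as soon as that policy is attached.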
