This topic describes the permission model for Data Lake Formation (DLF) and explains how to grant permissions to a Resource Access Management (RAM) user to access DLF features.
The Data Lake Formation (DLF) permission model consists of two layers: API permissions and DLF data permissions. To access DLF pages or data, a user must pass permission verification at both layers.
API permissions: These permissions control access to all DLF APIs. They determine whether a Resource Access Management (RAM) user can access specific DLF APIs or pages.
DLF data permissions: These permissions manage granular access to data resources in the data lake, such as databases, tables, and data catalogs, and control data operations. This layer ensures that even with general RAM permissions, operations on specific data resources require detailed authorization, which provides precise, data-level protection.
Permission check flowchart
How permission checks work
Layer 1: RAM API permissions
This layer centrally controls access to all DLF APIs, ensuring that a Resource Access Management (RAM) user can only access their authorized features or pages. The RAM console provides two preset authorization policies to accommodate different access requirements.
| Policy name | Description |
| --- | --- |
| AliyunDLFFullAccess | Grants permissions to call all DLF APIs. This policy is suitable for users who need to perform comprehensive data lake management. |
| AliyunDLFReadOnlyAccess | Grants read-only permissions, that is, permissions to call all read-only DLF APIs such as List and Get operations. This policy prohibits any write or delete operations, such as Create and Delete. |
Layer 2: Granular DLF data permissions
This layer primarily controls access to and use of resources within DLF, such as data catalogs, databases, and tables. It also controls permissions for operations related to roles, users, and authorizations.
To help administrators manage data permissions centrally, DLF provides built-in data administrator roles. You can go to the page to view these two roles and add users to them. For more information about granular permission configuration, see User and Role Management.
| Role name | Role description | Permissions |
| --- | --- | --- |
| admin | Data lake administrator | Has all data permissions and authorization permissions in Data Lake Formation. This role can also add custom roles and create new catalogs. |
| super_administrator | Super administrator | Has all the permissions of the admin role and can also modify users assigned to the admin role. |
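The following example models the two-layer check described above: a request must first pass the RAM API permission layer (which of the two preset policies, if any, covers the API being called) and then the DLF data permission layer (a built-in administrator role or an explicit grant on the resource). It is an illustrative simulation written for this page, not DLF's own code: the policy and role names are the ones the page lists, while the API operation names, the catalog/table identifiers and the grant format are constructed placeholders. It also shows the point made above about layer 2, namely that AliyunDLFFullAccess alone does not grant access to any data.

```python
"""Simulation of DLF's two-layer permission model (hypothetical, written for this page).

Layer 1: RAM API permissions (preset policies AliyunDLFFullAccess / AliyunDLFReadOnlyAccess).
Layer 2: DLF data permissions (built-in admin roles or per-resource grants).
API names, resource identifiers and the grant format below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Per the page, read-only DLF APIs are the List and Get operations.
READ_ONLY_PREFIXES = ("List", "Get")

# Built-in data administrator roles that hold all data permissions.
DATA_ADMIN_ROLES = {"admin", "super_administrator"}


def api_allowed_by_policy(policy: str, api: str) -> bool:
    """Layer 1: does a single RAM preset policy permit calling this DLF API?"""
    if policy == "AliyunDLFFullAccess":
        return True
    if policy == "AliyunDLFReadOnlyAccess":
        return api.startswith(READ_ONLY_PREFIXES)
    return False  # no DLF policy attached: denied


@dataclass
class Principal:
    """A RAM user as seen by both layers (constructed model, not a DLF type)."""
    name: str
    ram_policies: set = field(default_factory=set)   # layer 1: attached RAM policies
    dlf_roles: set = field(default_factory=set)      # layer 2: DLF roles, e.g. {"admin"}
    # layer 2: resource id -> set of permitted data operations, e.g. {"sales.orders": {"SELECT"}}
    data_grants: dict = field(default_factory=dict)


def data_allowed(principal: Principal, resource: str, operation: str) -> bool:
    """Layer 2: admin roles bypass per-resource grants; everyone else needs an explicit grant."""
    if principal.dlf_roles & DATA_ADMIN_ROLES:
        return True
    return operation in principal.data_grants.get(resource, set())


def check_access(principal: Principal, api: str, resource: str, operation: str) -> tuple:
    """Evaluate layer 1 then layer 2; return (allowed, reason). Both must pass."""
    if not any(api_allowed_by_policy(p, api) for p in principal.ram_policies):
        return False, "denied at layer 1 (RAM API permission)"
    if not data_allowed(principal, resource, operation):
        return False, "denied at layer 2 (DLF data permission)"
    return True, "allowed"


# Constructed sample principals.
ANALYST = Principal("analyst", {"AliyunDLFReadOnlyAccess"}, set(),
                    {"sales_catalog.orders": {"SELECT"}})
OPERATOR = Principal("operator", {"AliyunDLFFullAccess"})            # no data grants at all
DATA_ADMIN = Principal("data_admin", {"AliyunDLFFullAccess"}, {"admin"})


def demo() -> dict:
    """Run representative requests through both layers and return the outcomes."""
    return {
        # read-only policy + explicit SELECT grant: passes both layers
        "analyst_get": check_access(ANALYST, "GetTable", "sales_catalog.orders", "SELECT"),
        # read-only policy stops a write API before data permissions are even consulted
        "analyst_create": check_access(ANALYST, "CreateTable", "sales_catalog.orders", "CREATE"),
        # full API access but no data grant: stopped at layer 2
        "operator_get": check_access(OPERATOR, "GetTable", "sales_catalog.orders", "SELECT"),
        # admin role carries all data permissions
        "admin_create": check_access(DATA_ADMIN, "CreateTable", "sales_catalog.orders", "CREATE"),
    }


if __name__ == "__main__":
    for request, (allowed, reason) in demo().items():
        print(f"{request:16s} -> {reason}")
```

The order of evaluation matters for troubleshooting: a denial at layer 1 means the RAM policy attached to the user does not cover the API, while a denial at layer 2 means the user reaches DLF but lacks a role or grant on that specific catalog, database or table.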