This topic describes the Data Lake Formation (DLF) permission model, including how to grant permissions to a Resource Access Management (RAM) user so that the user can access and use DLF features.
The permission model has two layers: API permissions and data permissions. To access the DLF console or data, a user must pass the permission checks at both layers.
API permissions: Govern access to all DLF APIs. This layer determines whether a RAM user can access specific DLF APIs or console pages.
Data permissions: Manage granular permissions for data assets within the data lake, such as a catalog, database, or table.
Permission check workflow
How permission checks work
Layer 1: API permissions
This layer centrally controls access to all DLF APIs, ensuring that a RAM user can access only the features or console pages they are authorized for. We offer two system policies in the RAM console to meet different access requirements:
Policy name | Description |
AliyunDLFFullAccess | Grants access to all DLF APIs. Use this policy for users who perform comprehensive data lake management. |
AliyunDLFReadOnlyAccess | Grants access to read-only DLF APIs (like |
Layer 2: Data permissions
This layer controls access to data assets within DLF. It also governs permissions for operations related to DLF principals.
To facilitate centralized data permission management, DLF provides built-in administrator roles. You can find these roles on and add users to them.
Role name | Role description | Details |
admin | Data lake administrator | Has all data permissions and authorization permissions in DLF. This role can also add custom roles and create new catalogs. |
super_administrator | Super administrator | Has all the permissions of the Note |
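The following Python model is an added illustration of the two-layer check described above; it is not DLF's own authorization engine. It assumes hypothetical API action names (GetTable, CreateTable, and so on), a hierarchical resource path of the form catalog/database/table, and that a data permission granted on a parent resource covers its children. The policy names and the admin and super_administrator roles are the ones named on this page; the sample users and grants are constructed.

```python
"""Toy two-layer permission check modelled on the DLF permission model.

Added illustration, not DLF's own implementation. Layer 1 checks the RAM
system policy attached to the user (which APIs may be called); layer 2
checks data permissions on the catalog/database/table being accessed.
"""
from dataclasses import dataclass

# Hypothetical read-only API names; the real list is defined by DLF.
READ_ONLY_ACTIONS = {"GetCatalog", "GetDatabase", "GetTable", "ListTables"}

# System policies named on the page, modelled as action predicates.
SYSTEM_POLICIES = {
    "AliyunDLFFullAccess": lambda action: True,
    "AliyunDLFReadOnlyAccess": lambda action: action in READ_ONLY_ACTIONS,
}

# Built-in roles that hold all data permissions (admin, super_administrator).
DATA_ADMIN_ROLES = {"admin", "super_administrator"}


@dataclass
class RamUser:
    name: str
    policies: set      # RAM system policies attached to the user
    roles: set         # DLF roles the user has been added to
    grants: dict       # resource path -> set of data permissions (constructed)


def api_allowed(user: RamUser, action: str) -> bool:
    """Layer 1: does any attached system policy permit this API action?"""
    return any(SYSTEM_POLICIES[p](action) for p in user.policies if p in SYSTEM_POLICIES)


def data_allowed(user: RamUser, resource: str, permission: str) -> bool:
    """Layer 2: administrator roles hold every data permission; otherwise look
    for an explicit grant on the resource or on one of its parents
    (assumption: a grant on catalog/database covers the tables beneath it)."""
    if user.roles & DATA_ADMIN_ROLES:
        return True
    parts = resource.split("/")
    for depth in range(len(parts), 0, -1):
        if permission in user.grants.get("/".join(parts[:depth]), set()):
            return True
    return False


def authorize(user: RamUser, action: str, resource: str, permission: str):
    """Evaluate both layers in order and report where a request is stopped."""
    if not api_allowed(user, action):
        return False, "denied at layer 1 (API permission)"
    if not data_allowed(user, resource, permission):
        return False, "denied at layer 2 (data permission)"
    return True, "allowed"


# Constructed sample principals.
ANALYST = RamUser("analyst", {"AliyunDLFReadOnlyAccess"}, set(),
                  {"lakehouse/sales": {"SELECT"}})
LAKE_ADMIN = RamUser("lake_admin", {"AliyunDLFFullAccess"}, {"admin"}, {})
ROLE_ONLY = RamUser("role_only", set(), {"admin"}, {})  # role but no RAM policy


if __name__ == "__main__":
    for user, action, res, perm in [
        (ANALYST, "GetTable", "lakehouse/sales/orders", "SELECT"),
        (ANALYST, "CreateTable", "lakehouse/sales", "CREATE_TABLE"),
        (ANALYST, "GetTable", "lakehouse/hr/payroll", "SELECT"),
        (LAKE_ADMIN, "CreateTable", "lakehouse/hr", "CREATE_TABLE"),
        (ROLE_ONLY, "GetTable", "lakehouse/sales/orders", "SELECT"),
    ]:
        print(user.name, action, res, perm, "->", authorize(user, action, res, perm))
```

The third sample user shows why both layers matter: membership in the admin role grants every data permission, but without a RAM system policy the request never gets past layer 1.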