This page lists the Resource Access Management (RAM) permission actions for Data Lake Formation (DLF) REST APIs and management APIs. Use these actions to build fine-grained permission policies based on the principle of least privilege.
Key concepts
REST API — Data plane APIs based on Paimon and Iceberg REST APIs, used for data access and operations.
Management API — Management plane APIs based on Alibaba Cloud OpenAPI, used for resource management and operations and maintenance (O&M).
Management API permissions are required to manage catalogs, databases, and tables in the DLF console. If you do not need console access, do not grant these permissions. Grant only the actions needed for the specific operations you perform.
Permission policies
Attach a permission policy to a RAM user or RAM role to grant access. DLF provides two managed policies:
| Policy name | Description |
|---|---|
| AliyunDLFFullAccess | Grants full access to all DLF APIs. Suitable for users who manage the entire data lake. |
| AliyunDLFReadOnlyAccess | Grants read-only access to all List and Get operations. Write and delete operations (Create, Delete) are not allowed. |
Grant a managed policy to a RAM user
- Log on to the Resource Access Management (RAM) console as a RAM administrator.
- In the left navigation pane, choose Identities > Users.
- On the Users page, click Add Permissions in the Actions column for the target RAM user.
- In the Grant Permissions panel, add the permissions.
- Click Confirm New Authorization.
Custom policy example
For fine-grained access control, create a custom permission policy. For more information, see Create a custom permission policy.
The following example grants a user permission to list and modify databases and tables:
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "dlf:ListDatabases",
        "dlf:CreateDatabase",
        "dlf:GetDatabase",
        "dlf:AlterDatabase",
        "dlf:ListTables",
        "dlf:CreateTable",
        "dlf:GetTable",
        "dlf:AlterTable",
        "dlf:ListPartitions",
        "dlf:ListViews"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
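As an added example (not Alibaba Cloud tooling), the following Python script reviews a custom policy such as the one above against the access levels catalogued in the tables on this page: it flags wildcard actions, action names that are not in the catalog, permissions-management actions, and Write actions when the policy is meant to be read-only. The `ACCESS_LEVEL` table is a hand-copied subset of the page's tables and `PAGE_POLICY` is the policy above embedded as sample input.

```python
import json

# Access levels for a subset of the dlf: actions catalogued on this page (copied from its tables).
ACCESS_LEVEL = {
    "dlf:GetConfig": "Read", "dlf:ListDatabases": "List", "dlf:GetDatabase": "Read",
    "dlf:CreateDatabase": "Write", "dlf:AlterDatabase": "Write", "dlf:DropDatabase": "Write",
    "dlf:ListTables": "List", "dlf:GetTable": "Read", "dlf:CreateTable": "Write",
    "dlf:AlterTable": "Write", "dlf:DropTable": "Write", "dlf:ListPartitions": "List",
    "dlf:ListViews": "List", "dlf:ListPermissions": "List",
    "dlf:GrantPermission": "Permissions management",
    "dlf:RevokePermission": "Permissions management",
}
READ_ONLY_LEVELS = {"Read", "List"}

# The custom policy from this page, embedded as sample input.
PAGE_POLICY = """{"Version": "1", "Statement": [{"Action": [
  "dlf:ListDatabases", "dlf:CreateDatabase", "dlf:GetDatabase", "dlf:AlterDatabase",
  "dlf:ListTables", "dlf:CreateTable", "dlf:GetTable", "dlf:AlterTable",
  "dlf:ListPartitions", "dlf:ListViews"], "Resource": "*", "Effect": "Allow"}]}"""


def audit_policy(policy_json, read_only=False):
    """Return (statement_index, action, reason) for every action in an Allow statement
    that a reviewer should question: wildcards, names missing from the catalog,
    permissions-management actions (they can widen access), and Write actions when
    the policy is meant to be read-only. Deny statements are skipped."""
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            level = ACCESS_LEVEL.get(action)
            if action.endswith("*"):
                findings.append((idx, action, "wildcard grants every action it matches"))
            elif level is None:
                findings.append((idx, action, "not in the action catalog; check the name"))
            elif level == "Permissions management":
                findings.append((idx, action, "can grant further access; limit to admins"))
            elif read_only and level not in READ_ONLY_LEVELS:
                findings.append((idx, action, f"{level} action in a read-only policy"))
    return findings


if __name__ == "__main__":
    for finding in audit_policy(PAGE_POLICY, read_only=True):
        print(finding)
```

Run with `read_only=True` against a policy intended for analysts to see which Create/Alter actions would exceed that intent.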
Choose actions by use case
Use the following table to find the right actions for your scenario without reading the full action reference.
| If you need to... | Grant these actions |
|---|---|
| Read data lake metadata (catalogs, databases, tables) | dlf:GetConfig, dlf:ListDatabases, dlf:GetDatabase, dlf:ListTables, dlf:GetTable, dlf:ListTableDetails, dlf:ListCatalogs, dlf:GetCatalog |
| Write and manage tables | All read actions above, plus dlf:CreateTable, dlf:AlterTable, dlf:DropTable, dlf:RenameTable, dlf:CommitTable, dlf:RollbackTable |
| Manage databases | dlf:CreateDatabase, dlf:AlterDatabase, dlf:DropDatabase |
| Manage roles and users | dlf:GetUser, dlf:ListUsers, dlf:CreateRole, dlf:UpdateRole, dlf:DeleteRole, dlf:GetRole, dlf:ListRoles, dlf:GrantRoleToUsers, dlf:RevokeRoleFromUsers |
| Grant or revoke permissions on resources | dlf:GrantPermission, dlf:RevokePermission, dlf:BatchGrantPermissions, dlf:BatchRevokePermissions, dlf:ListPermissions |
| Activate DLF | dlf:DescribeRegions, dlf:GetRegionStatus, dlf:Subscribe, dlf:CreateInstance |
Actions for REST APIs
Paimon REST
| Category | REST API | RAM action | Access level | Description |
|---|---|---|---|---|
| Config | GetConfig | dlf:GetConfig | Read | Gets the configuration of a data catalog. |
| Database | ListDatabases | dlf:ListDatabases | List | Lists databases. |
| Database | CreateDatabase | dlf:CreateDatabase | Write | Creates a database. |
| Database | GetDatabase | dlf:GetDatabase | Read | Gets a database. |
| Database | DropDatabase | dlf:DropDatabase | Write | Deletes a database. |
| Database | AlterDatabase | dlf:AlterDatabase | Write | Updates a database. |
| Table | ListTables | dlf:ListTables | List | Lists tables. |
| Table | CreateTable | dlf:CreateTable | Write | Creates a table. |
| Table | ListTableDetails | dlf:ListTableDetails | List | Lists table details. |
| Table | GetTable | dlf:GetTable | Read | Gets a table. |
| Table | AlterTable | dlf:AlterTable | Write | Updates a table. |
| Table | DropTable | dlf:DropTable | Write | Deletes a table. |
| Table | RenameTable | dlf:RenameTable | Write | Renames a table. |
| Table | CommitTable | dlf:CommitTable | Write | Commits table changes. |
| Table | RollbackTable | dlf:RollbackTable | Write | Rolls back table changes. |
| Table | GetTableToken | dlf:GetTableToken | Read | Gets the token used to access table data. |
| Table | GetTableSnapshot | dlf:GetTableSnapshot | Read | Gets a table snapshot. |
| Partition | ListPartitions | dlf:ListPartitions | List | Lists partitions. |
| Partition | MarkDonePartitions | dlf:MarkDonePartitions | Write | Marks partitions as complete. |
| Branch | ListBranches | dlf:ListBranches | List | Lists table branches. |
| Branch | CreateBranch | dlf:CreateBranch | Write | Creates a table branch. |
| Branch | DropBranch | dlf:DropBranch | Write | Deletes a table branch. |
| Branch | ForwardBranch | dlf:ForwardBranch | Write | Advances a table branch. |
| View | ListViews | dlf:ListViews | List | Lists views. |
| View | CreateView | dlf:CreateView | Write | Creates a view. |
| View | GetView | dlf:GetView | Read | Gets a view. |
| View | AlterView | dlf:AlterView | Write | Updates a view. |
| View | DropView | dlf:DropView | Write | Deletes a view. |
| View | RenameView | dlf:RenameView | Write | Renames a view. |
| Function | ListFunctions | dlf:ListFunctions | List | Lists functions. |
| Function | CreateFunction | dlf:CreateFunction | Write | Creates a function. |
| Function | GetFunction | dlf:GetFunction | Read | Gets a function. |
| Function | AlterFunction | dlf:AlterFunction | Write | Updates a function. |
| Function | DropFunction | dlf:DropFunction | Write | Deletes a function. |
Iceberg REST
Iceberg REST APIs use the same RAM actions as the equivalent Paimon REST operations. For example, ListNamespaces requires dlf:ListDatabases, and LoadNamespaceMetadata requires dlf:GetDatabase.
| Category | REST API | RAM action | Access level | Description |
|---|---|---|---|---|
| Config | GetConfig | dlf:GetConfig | Read | Gets the configuration of a data catalog. |
| Namespace | ListNamespaces | dlf:ListDatabases | List | Lists namespaces. |
| Namespace | CreateNamespace | dlf:CreateDatabase | Write | Creates a namespace. |
| Namespace | LoadNamespaceMetadata | dlf:GetDatabase | Read | Gets a namespace. |
| Namespace | NamespaceExists | dlf:GetDatabase | Read | Checks whether a namespace exists. |
| Namespace | UpdateProperties | dlf:AlterDatabase | Write | Updates namespace properties. |
| Namespace | DropNamespace | dlf:DropDatabase | Write | Deletes a namespace. |
| Table | ListTables | dlf:ListTables | List | Lists tables. |
| Table | CreateTable | dlf:CreateTable | Write | Creates a table. |
| Table | LoadTable | dlf:GetTable | Read | Gets a table. |
| Table | TableExists | dlf:GetTable | Read | Checks whether a table exists. |
| Table | UpdateTable | dlf:AlterTable | Write | Updates a table. |
| Table | DropTable | dlf:DropTable | Write | Deletes a table. |
Actions for management APIs
Management API permissions are required to manage resources in the DLF console. Grant only the actions needed for the specific console operations you perform.
| Category | Management API | RAM action | Access level | Description |
|---|---|---|---|---|
| Activation | DescribeRegions | dlf:DescribeRegions | List | Retrieves the domain list for the DLF service. |
| Activation | GetRegionStatus | dlf:GetRegionStatus | Read | Gets the activation status of a region. |
| Activation | Subscribe | dlf:Subscribe | Write | Activates DLF. |
| Activation | CreateInstance | dlf:CreateInstance | Write | Purchases compute resources. |
| User and role management | GetUser | dlf:GetUser | Read | Gets a user. |
| User and role management | ListUsers | dlf:ListUsers | List | Lists users. |
| User and role management | CreateRole | dlf:CreateRole | Write | Creates a role. |
| User and role management | UpdateRole | dlf:UpdateRole | Write | Updates a role. |
| User and role management | DeleteRole | dlf:DeleteRole | Write | Deletes a role. |
| User and role management | GetRole | dlf:GetRole | Read | Gets a role. |
| User and role management | ListRoles | dlf:ListRoles | List | Lists roles. |
| User and role management | GrantRoleToUsers | dlf:GrantRoleToUsers | Permissions management | Grants a role to multiple users in a batch. |
| User and role management | RevokeRoleFromUsers | dlf:RevokeRoleFromUsers | Permissions management | Revokes a role from multiple users in a batch. |
| User and role management | UpdateRoleUsers | dlf:UpdateRoleUsers | Write | Updates the users in a role. |
| User and role management | ListRoleUsers | dlf:ListRoleUsers | List | Lists users associated with a role. |
| User and role management | ListUserRoles | dlf:ListUserRoles | List | Lists roles associated with a user. |
| User and role management | RefreshUserSync | dlf:RefreshUserSync | Write | Starts user synchronization. |
| Data catalog | CreateCatalog | dlf:CreateCatalog | Write | Creates a data catalog. |
| Data catalog | GetCatalog | dlf:GetCatalog | Read | Gets a data catalog. |
| Data catalog | DropCatalog | dlf:DropCatalog | Write | Deletes a data catalog. |
| Data catalog | AlterCatalog | dlf:AlterCatalog | Write | Updates a data catalog. |
| Data catalog | ListCatalogs | dlf:ListCatalogs | List | Lists data catalogs. |
| Data catalog | GetCatalogById | dlf:GetCatalogById | Read | Gets a data catalog by catalog ID. |
| Database | AlterDatabase | dlf:AlterDatabase | Write | Updates a database. |
| Database | GetDatabase | dlf:GetDatabase | Read | Gets a database. |
| Database | DropDatabase | dlf:DropDatabase | Write | Deletes a database. |
| Database | CreateDatabase | dlf:CreateDatabase | Write | Creates a database. |
| Database | ListDatabaseDetails | dlf:ListDatabaseDetails | List | Lists database details. |
| Database | ListDatabases | dlf:ListDatabases | List | Lists databases. |
| Table | CreateTable | dlf:CreateTable | Write | Creates a table. |
| Table | DropTable | dlf:DropTable | Write | Deletes a table. |
| Table | ListTableDetails | dlf:ListTableDetails | List | Lists table details. |
| Table | GetTable | dlf:GetTable | Read | Gets a table. |
| Table | ListTables | dlf:ListTables | List | Lists tables. |
| View | ListViews | dlf:ListViews | List | Lists views. |
| View | ListViewDetails | dlf:ListViewDetails | List | Lists view details. |
| View | CreateView | dlf:CreateView | Write | Creates a view. |
| View | GetView | dlf:GetView | Read | Gets a view. |
| View | AlterView | dlf:AlterView | Write | Updates a view. |
| View | DropView | dlf:DropView | Write | Deletes a view. |
| Function | ListFunctions | dlf:ListFunctions | List | Lists functions. |
| Function | ListFunctionDetails | dlf:ListFunctionDetails | List | Lists function details. |
| Function | CreateFunction | dlf:CreateFunction | Write | Creates a function. |
| Function | GetFunction | dlf:GetFunction | Read | Gets a function. |
| Function | AlterFunction | dlf:AlterFunction | Write | Updates a function. |
| Function | DropFunction | dlf:DropFunction | Write | Deletes a function. |
| Permission management | GrantPermission | dlf:GrantPermission | Permissions management | Grants permissions on a resource. |
| Permission management | RevokePermission | dlf:RevokePermission | Permissions management | Revokes permissions on a resource. |
| Permission management | BatchGrantPermissions | dlf:BatchGrantPermissions | Permissions management | Grants permissions in a batch. |
| Permission management | BatchRevokePermissions | dlf:BatchRevokePermissions | Permissions management | Revokes permissions in a batch. |
| Permission management | ListPermissions | dlf:ListPermissions | List | Lists permissions for a specified resource. |
| Iceberg table | GetIcebergTable | dlf:GetIcebergTable | Read | Gets an Iceberg table. |
| Iceberg table | ListIcebergSnapshots | dlf:ListIcebergSnapshots | List | Lists snapshots of an Iceberg table. |