Before users can work with Data Lake Formation (DLF), you must configure two types of permissions for them: API permissions control which DLF API operations a user can call; data permissions control which data resources a user can access.
Prerequisites
Before you begin, make sure that you have:
An Alibaba Cloud account or RAM administrator privileges to grant RAM policies
The super_administrator or admin role in DLF to grant data permissions
The Alibaba Cloud account holder is a super_administrator in all regions by default. A RAM user who activates DLF in a region automatically inherits super_administrator privileges for all resources in that region.
Step 1: Grant API permissions
A RAM administrator or the Alibaba Cloud account holder must attach a RAM policy to the user before the user can call any DLF API. DLF provides two predefined policies:
| Policy | Access level |
| --- | --- |
| | Full API access |
| | Read-only API access |
Attach the policy that matches the user's role. For a complete list of DLF API operations and the permissions required for each, see Permission management.
Step 2: Grant data permissions
After API permissions are in place, grant data permissions so the user can access specific DLF resources. Only a super_administrator or admin can perform this step.
System roles
DLF provides two built-in system roles:
| Role | Capabilities |
| --- | --- |
| admin | All data permissions in DLF, including the ability to manage |
| super_administrator | All data permissions in DLF, plus the ability to create custom DLF roles and catalogs, and grant permissions |
super_administrator is the higher-privilege role — it includes all capabilities of admin.
Grant data permissions to a user
Use one of the following methods:
Assign a DLF role: Add a DLF role to the user. The user inherits all data permissions associated with that role. See Manage DLF users and roles for details.
Grant resource-specific permissions: Grant the user permissions on a specific resource directly. See Manage data permissions for details.