Manage data permissions


This topic describes how to grant permissions on data catalogs, databases, and tables in Data Lake Formation (DLF).

Limitations

Only users with the DLF super_administrator or DLF admin role, or users who have the Grant permission on a resource, can grant permissions to other users or roles. To obtain the admin permission, contact a DLF super_administrator.

Data catalog

Grant permissions

  1. Log on to the Data Lake Formation (DLF) console.

  2. On the Catalogs page, click the name of a data catalog to open its details page.

  3. Click the Permissions tab, and then click Grant Permissions.

  4. In the Grant Permissions panel, configure the following parameters and click OK.

    Principal: You can grant permissions to a user or a role.

    User to Assign, Roles:

    • User: Currently, only RAM users are supported.

    • Role: System-defined and custom roles are supported. For more information, see User and Role Management.

    Predefined Permission Type: Select one of the following permission types.

    • Custom (default): Defines custom permissions.

    • Data Reader: A predefined permission template that provides read-only permissions on resources in the data catalog.

    • Data Editor: A predefined permission template that provides read and write permissions on resources in the data catalog.

    Permissions: Select the permissions to grant on the data catalog and all resources within it.

View permissions

  1. On the Catalogs page, click the name of a data catalog to open its details page.

  2. Click the Permissions tab to view the existing permissions.

Revoke permissions

  1. On the Catalogs page, click the name of a data catalog to open its details page.

  2. On the Permissions tab, select the checkbox for the permission that you want to revoke, and then click Revoke Permissions.

Database

Grant permissions

  1. Log on to the Data Lake Formation (DLF) console.

  2. On the Catalogs page, click the name of a data catalog to open its details page.

  3. In the Database list, click the name of a database to open the tables page.

  4. Click the Permissions tab, and then click Grant Permissions.

  5. In the Grant Permissions panel, configure the following parameters.

    Principal: You can grant permissions to a user or a role.

    User to Assign, Roles:

    • User: Currently, only RAM users are supported.

    • Role: System-defined and custom roles are supported. For more information, see User and Role Management.

    Predefined Permission Type: Select one of the following permission types.

    • Custom (default): Defines custom permissions.

    • Data Reader: A predefined permission template that provides read-only permissions on the database and its resources.

    • Data Editor: A predefined permission template that provides read and write permissions on the database and its resources.

    Permissions: Select the permissions to grant on the database and all resources within it.

View permissions

  1. On the Database tab, click the name of a database to open the tables page.

  2. Click the Permissions tab to view the existing permissions.

Revoke permissions

  1. On the Database tab, click the name of a database to open the tables page.

  2. On the Permissions tab, select the checkbox for the permission that you want to revoke.

  3. Click Revoke Permissions.

Table

Grant permissions

  1. Log on to the Data Lake Formation (DLF) console.

  2. On the Catalogs page, click the name of a data catalog to open its details page.

  3. In the Database list, click the name of a database to open the tables page.

  4. In the Tables list, click the name of a table to open the columns page.

  5. Click the Permissions tab, and then click Grant Permissions.

  6. In the Grant Permissions panel, configure the following parameters and click OK.

    Principal: You can grant permissions to a user or a role.

    User to Assign, Roles:

    • User: Currently, only RAM users are supported.

    • Role: System-defined and custom roles are supported. For more information, see User and Role Management.

    Predefined Permission Type: Select one of the following permission types.

    • Custom (default): Defines custom permissions.

    • Data Reader: A predefined permission template that provides read-only permissions on the table.

    • Data Editor: A predefined permission template that provides read and write permissions on the table.

    Table: Select the operation permissions to grant on the table. Available permissions include:

    • ALL: Grants all permissions.

    • Alter: Lets you modify the table schema.

    • Drop: Lets you drop the table.

    • Select: Lets you query data in the table.

    • Update: Lets you update data in the table.

    • Grant: Lets you grant permissions to other users.

    Column: Permission configuration options:

    • All Columns (default): The permissions apply to all columns in the table.

    • Selected Columns: This option is available only if you grant the Select permission. It lets you define fine-grained access control for specific columns. The following options are available:

      • Include Columns: The permission applies only to the selected columns. Users can access only the columns that you explicitly specify.

      • Exclude Columns: The permission applies to all columns except the selected ones. Users cannot access the excluded columns but can access all other columns.

    Note

    • Version requirements: To use column-level permissions, the compute engine must be Paimon version 1.2 (1-ali-12.0) or later, such as Realtime Compute for Apache Flink VVR 11.1 or later.

      If you need to upgrade other engines, join the DingTalk group (106575000021) and contact the DLF R&D team.

    • Scope: Column-level permissions are supported only for internal Paimon tables.

    • Permission intersection rule: If both a user and a role they assume have the Select permission on columns, the user's effective permissions are the intersection of the columns granted to the user and the role.

    Row permissions:

    • All Rows (default): The permissions apply to all rows in the table.

    • Row-level permission: This option supports complex expressions. For more information, see Row filter specifications.
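The Include Columns / Exclude Columns options and the permission intersection rule above determine which columns a principal can actually read. The following added example (not DLF's own code) models those semantics so you can check an intended grant before applying it in the console; the table columns, principal names and grants are constructed, and it assumes that when only the user or only the role holds a Select grant, that grant applies on its own.

```python
# Added example: evaluate effective readable columns under DLF's
# All / Include / Exclude column options and the user-role intersection rule.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ColumnGrant:
    """A Select grant on one table. mode is 'all', 'include' or 'exclude'."""
    principal: str
    mode: str
    columns: frozenset = field(default_factory=frozenset)

    def effective(self, table_columns):
        """Columns this single grant lets the principal read."""
        table_columns = frozenset(table_columns)
        if self.mode == "all":          # All Columns
            return table_columns
        if self.mode == "include":      # Include Columns: only the listed ones
            return table_columns & self.columns
        if self.mode == "exclude":      # Exclude Columns: everything but the listed ones
            return table_columns - self.columns
        raise ValueError(f"unknown mode {self.mode!r}")


def effective_columns(user, role, grants, table_columns):
    """Columns `user` can read when assuming `role`.

    Page rule: if both user and role hold Select grants on columns, the result
    is the intersection. Assumption (not stated on the page): if only one of
    them holds a grant, that grant applies alone; with no grant, nothing is readable.
    """
    table_columns = frozenset(table_columns)
    per_principal = []
    for principal in (user, role):
        mine = [g.effective(table_columns) for g in grants if g.principal == principal]
        if mine:  # several grants to the same principal are unioned
            per_principal.append(frozenset().union(*mine))
    if not per_principal:
        return frozenset()
    result = per_principal[0]
    for s in per_principal[1:]:
        result &= s
    return result


# Constructed sample table and grants (not taken from the page).
TABLE_COLUMNS = ("id", "name", "email", "phone", "salary")
GRANTS = [
    ColumnGrant("user:alice", "exclude", frozenset({"salary"})),
    ColumnGrant("role:analyst", "include", frozenset({"id", "name", "salary"})),
    ColumnGrant("role:reader", "all"),
]

if __name__ == "__main__":
    print(sorted(effective_columns("user:alice", "role:analyst", GRANTS, TABLE_COLUMNS)))
```

Note that alice's own grant excludes only `salary`, yet assuming `role:analyst` narrows her to `id` and `name`: the role's Include list intersects with her grant rather than adding to it.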

View permissions

  1. In the Database list, click the name of a database to open the tables page.

  2. In the Tables list, click the name of a table to open the columns page.

  3. Click the Permissions tab to view the existing permissions.

Revoke permissions

  1. In the Database list, click the name of a database to open the tables page.

  2. In the Tables list, click the name of a table to open the columns page.

  3. On the Permissions tab, select the checkbox for the permission that you want to revoke.

  4. Click Revoke Permissions.