Permission management


Data Lake Formation (DLF) enforces a two-layer permission model — API permissions and data permissions — to control what RAM users can access.

A RAM user must pass both layers to access the DLF console or data:

  • API permissions: Determine whether a RAM user can call specific DLF APIs or access console pages.

  • Data permissions: Govern access to specific data lake assets, such as catalogs, databases, and tables.

Permission check workflow

[Figure: Permission check workflow]

How permission checks work

Layer 1: API permissions

API permissions govern access to all DLF APIs. The following system policies are available in the RAM console:

| Policy name             | Description                                                                                                   |
|-------------------------|---------------------------------------------------------------------------------------------------------------|
| AliyunDLFFullAccess     | Grants full access to all DLF APIs and console pages.                                                         |
| AliyunDLFReadOnlyAccess | Grants read-only access to DLF APIs (List, Get). Blocks write and delete operations (Create, Delete).         |

Layer 2: Data permissions

Data permissions govern access to data lake assets and principal-related operations in DLF.

DLF provides built-in administrator roles. Assign them from System & Security > Access Control > Roles. See Manage DLF users and roles for details.

| Role name           | Role description        | Details                                                                                     |
|---------------------|-------------------------|---------------------------------------------------------------------------------------------|
| admin               | Data lake administrator | Full data and authorization permissions in DLF. Can add custom roles and create catalogs.   |
| super_administrator | Super administrator     | Includes all admin permissions and can modify admin role membership.                        |

Note
  • The RAM user who activates DLF automatically becomes the super_administrator for the current region.

  • A RAM user with the AdministratorAccess system policy has permissions equivalent to the super_administrator role.
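The following Python model is an added illustration of the two-layer check described above; it is not Alibaba Cloud's or DLF's code. It emulates layer 1 with the two system policies and the AdministratorAccess policy named on this page, and layer 2 with the admin and super_administrator roles. The API action names (GetTable, CreateTable), the catalog/database/table path form, the per-asset "read"/"write" grants that inherit down the path, and the sample users are all assumptions constructed for the example. The point it makes is that a request is denied as soon as either layer fails, so a user with full API access but no data grant still gets nothing.

```python
"""Two-layer (API + data) permission check, modelled on the DLF description.

Added illustration, not DLF's own implementation. Action names, asset paths,
grant modes and users are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Layer 1: action-name prefixes each RAM system policy allows (assumed simplification:
# ReadOnlyAccess covers List/Get actions, FullAccess covers every DLF action).
SYSTEM_POLICIES: dict[str, tuple[str, ...]] = {
    "AliyunDLFFullAccess": ("*",),
    "AliyunDLFReadOnlyAccess": ("List", "Get"),
}

# Layer 2: DLF built-in roles that carry full data permissions.
DATA_ADMIN_ROLES = {"admin", "super_administrator"}


@dataclass
class RamUser:
    name: str
    policies: set[str] = field(default_factory=set)        # RAM system policies attached
    dlf_roles: set[str] = field(default_factory=set)       # DLF roles assigned in the console
    # Assumed explicit data grants: asset path -> {"read", "write"}; a grant on
    # "catalog" or "catalog/database" is inherited by the assets beneath it.
    data_grants: dict[str, set[str]] = field(default_factory=dict)


def api_allowed(user: RamUser, action: str) -> bool:
    """Layer 1: AdministratorAccess passes everything; otherwise some attached
    DLF policy must allow the action's prefix. Deny by default."""
    if "AdministratorAccess" in user.policies:
        return True
    for policy in user.policies:
        prefixes = SYSTEM_POLICIES.get(policy, ())
        if "*" in prefixes or action.startswith(prefixes):
            return True
    return False


def data_allowed(user: RamUser, asset: str, mode: str) -> bool:
    """Layer 2: AdministratorAccess and the admin roles have full data
    permissions; anyone else needs a grant on the asset or one of its parents."""
    if "AdministratorAccess" in user.policies or user.dlf_roles & DATA_ADMIN_ROLES:
        return True
    parts = asset.split("/")
    for depth in range(len(parts), 0, -1):          # most specific path first
        if mode in user.data_grants.get("/".join(parts[:depth]), set()):
            return True
    return False


def check(user: RamUser, action: str, asset: str, mode: str) -> tuple[bool, str]:
    """Apply both layers in order and stop at the first failure (fail closed)."""
    if not api_allowed(user, action):
        return False, "denied at layer 1 (API permission)"
    if not data_allowed(user, asset, mode):
        return False, "denied at layer 2 (data permission)"
    return True, "allowed"


# Constructed sample principals.
ANALYST = RamUser("analyst", {"AliyunDLFReadOnlyAccess"}, set(),
                  {"sales_catalog/orders": {"read"}})
LAKE_ADMIN = RamUser("lake_admin", {"AliyunDLFFullAccess"}, {"admin"})
NO_GRANTS = RamUser("no_grants", {"AliyunDLFFullAccess"})


def demo() -> dict[str, tuple[bool, str]]:
    """Run the sample requests and return the verdict for each."""
    return {
        "analyst reads granted table":
            check(ANALYST, "GetTable", "sales_catalog/orders/daily", "read"),
        "analyst creates table":
            check(ANALYST, "CreateTable", "sales_catalog/orders/daily", "write"),
        "analyst reads other catalog":
            check(ANALYST, "GetTable", "hr_catalog/payroll/salaries", "read"),
        "admin creates table":
            check(LAKE_ADMIN, "CreateTable", "hr_catalog/payroll/salaries", "write"),
        "full API access but no data grant":
            check(NO_GRANTS, "GetTable", "sales_catalog/orders/daily", "read"),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:40s} -> {ok} ({reason})")
```

The last sample is the case worth remembering when auditing access: AliyunDLFFullAccess alone satisfies the API layer, but without a DLF role or data grant the request is still refused at the data layer, which is exactly the behaviour the "must pass both layers" rule above describes.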