Granting Table Permissions Using the Lake Formation Console and the Named Resource Method - AWS Lake Formation

You can use the Lake Formation console and the named resource method to grant Lake Formation permissions on Data Catalog tables. You can grant permissions on individual tables, or with a single grant operation, you can grant permissions on all tables in a database. If you grant permissions on all tables in a database, you are implicitly granting the DESCRIBE permission on the database. The database then appears on the Databases page on the console, and is returned by the GetDatabases API operation.

The following steps explain how to grant table permissions by using the named resource method and the Grant Permissions page on the Lake Formation console. The page is divided into these sections:

  • Principals – The users, roles, AWS accounts, organizations, or organizational units to grant permissions to.

  • Policy tags or catalog resources – The databases, tables, or resource links to grant permissions on.

  • Permissions – The Lake Formation permissions to grant.

Note

To grant permissions on a table resource link, see Granting Resource Link Permissions.

Open the Grant Permissions Page

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a data lake administrator, the table creator, or a user who has been granted permissions on the table with the grant option.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions. Then choose Grant.

    • In the navigation pane, choose Tables. Then, on the Tables page, choose a table, and on the Actions menu, under Permissions, choose Grant.

    Note

    You can grant permissions on a table through its resource link. To do so, on the Tables page, choose a resource link, and on the Actions menu, choose Grant on target. For more information, see How Resource Links Work in Lake Formation.

Specify the Principals

In the Principals section, choose a principal type and specify principals to grant permissions to.


(Screenshot: The Principals section contains three tiles, named in the following text. Each tile contains an option button and text. The IAM users and roles tile is selected, and an IAM users and roles dropdown list is below the tiles.)

IAM users and roles

Choose one or more users or roles from the IAM users and roles list.

SAML users and groups

For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon QuickSight users or groups. Press Enter after each ARN.

For information about how to construct the ARNs, see Lake Formation Grant and Revoke AWS CLI Commands.

Note

Lake Formation integration with Amazon QuickSight is supported for Amazon QuickSight Enterprise Edition only.

External accounts

For AWS account or AWS organization, enter one or more valid AWS account IDs, organization IDs, or organizational unit IDs. Press Enter after each ID.

An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.

An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second hyphen ("-") and 8–32 additional lowercase letters or digits.
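The ID formats above are easy to get wrong when pasting a list of principals. The following validator is an added example, not AWS code: it transcribes the organization ID and organizational unit ID rules from the text into regular expressions, adds the standard 12-digit AWS account ID format, and sorts a pasted block (one ID per line, as entered with Enter in the console) into accepted and rejected entries. The sample input is constructed; the IDs in it are not real.

```python
import re

# Patterns transcribed from the ID formats described above. The 12-digit
# account ID is the standard AWS account ID format (not stated on this page).
_PATTERNS = {
    "account": re.compile(r"^\d{12}$"),
    # "o-" + 10-32 lowercase letters or digits
    "organization": re.compile(r"^o-[a-z0-9]{10,32}$"),
    # "ou-" + root ID part (4-32) + "-" + 8-32 lowercase letters or digits
    "organizational_unit": re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$"),
}


def classify_external_principal(value: str):
    """Return 'account', 'organization' or 'organizational_unit' for a valid
    external-account principal ID, or None if it matches no accepted format.
    Uppercase letters and wrong lengths are rejected, matching the rules."""
    value = value.strip()
    for kind, pattern in _PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def parse_external_principals(text: str):
    """Split a pasted block of IDs (one per line) into accepted (id, kind)
    pairs and a list of rejected lines, so a reviewer can see exactly which
    entries the console would not accept before granting anything."""
    accepted, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = classify_external_principal(line)
        if kind is None:
            rejected.append(line)
        else:
            accepted.append((line, kind))
    return accepted, rejected


# Constructed sample input: three valid IDs and one OU ID whose second part
# is only 7 characters long (the minimum is 8).
SAMPLE_INPUT = """123456789012
o-abcdefghij
ou-abcd-12345678
ou-abcd-1234567
"""

if __name__ == "__main__":
    ok, bad = parse_external_principals(SAMPLE_INPUT)
    for ident, kind in ok:
        print(f"accepted {ident} ({kind})")
    for ident in bad:
        print(f"rejected {ident}")
```

Run the script as-is to see the sample classified; in practice feed it the text you intend to paste into the External accounts field, and resolve every rejected line before choosing Grant.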

Specify the Tables

In the Policy tags or catalog resources section, choose a database. Then choose one or more tables, or All tables.


(Screenshot: The Policy tags or catalog resources section contains two tiles arranged horizontally, each with an option button and descriptive text. The options are Resources matched by LF-tags and Named data catalog resources; Named data catalog resources is selected. Below the tiles are two dropdown lists, Database and Table, each with a tile beneath it showing the selected database or table name.)

Specify the Permissions

In the Permissions section, select permissions and grantable permissions.

There are two types of permissions that you can grant:

  • Table permissions – Table permissions include Alter, Insert, Drop, Delete, Describe, Select, and Super. The Select permission grants read access to all columns in the table.

    (Screenshot: The Permissions section contains two tiles, each with an option button and text. The Table permissions tile is selected; the other tile is Column-based permissions. Below the tiles is a group of check boxes for table permissions to grant: Alter, Insert, Drop, Delete, Select, Describe, and Super. Below that group is another group of the same check boxes for grantable permissions.)

  • Column-based permissions – Column permissions grant access to only a subset of table columns ("column filtering"). You can specify the subset with an inclusion list or an exclusion list. If you include the grant option, the grant recipient can grant permissions only on the columns that you grant to them. The only permission that you can grant when granting column-based permissions is the Select permission.

    (Screenshot: The Permissions section contains two tiles, each with an option button and text. The Column-based permissions tile is selected; the other tile is Table permissions. Below the tiles is a group of option buttons, Include columns and Exclude columns, then a Select columns dropdown list, and below that a Grantable permissions subsection with a single check box labeled Select.)

The following are the rules for granting these permissions using the Lake Formation console:

  • To grant Select on all columns, or to grant other table permissions such as Insert, in the Permissions section, choose the Table permissions option. Then, do the following:

    1. Under Table permissions, select the permissions to grant.

    2. (Optional) Under Grantable permissions, select the permissions that the grant recipient can grant to other principals in their AWS account.

    3. Choose Grant.

    Note

    If you grant the Alter permission on a table that has its underlying data in a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see Granting Data Location Permissions.

  • To grant only Select with column filtering, in the Permissions section, choose Column-based permissions and specify the columns to include or exclude. Then choose Grant.

    Important

    If you grant column permissions, don't grant the Select permission under the Table permissions option. That permission grants access to all columns.
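The rules above (Table permissions versus Column-based permissions, inclusion or exclusion lists, and the Important note that a table-level Select exposes every column) are just as relevant when the same grants are made programmatically. The following is an added example, not AWS code: it builds GrantPermissions request dictionaries in the shape that boto3's lakeformation.grant_permissions(**request) accepts, maps the console check-box names to API permission names (Super is ALL in the API), and checks a set of planned grants for a column-filtered Select that a table-level Select or Super on the same table would override. Sending the requests is left to the caller so the code runs offline. The principal ARN, database and table names are constructed sample values, and the check that grantable permissions are a subset of the granted ones is this example's own choice, not a documented requirement.

```python
"""Build and sanity-check Lake Formation GrantPermissions requests.

Added example (not AWS code). Each returned dict is the keyword-argument set
for boto3.client("lakeformation").grant_permissions(**request).
"""
from typing import Iterable, List, Optional, Tuple

# Console check-box names -> API permission names. "Super" is ALL in the API.
CONSOLE_TO_API = {
    "Alter": "ALTER", "Insert": "INSERT", "Drop": "DROP", "Delete": "DELETE",
    "Describe": "DESCRIBE", "Select": "SELECT", "Super": "ALL",
}


def _to_api(perms: Iterable[str]) -> List[str]:
    out = []
    for p in perms:
        if p not in CONSOLE_TO_API:
            raise ValueError(f"unknown table permission: {p!r}")
        out.append(CONSOLE_TO_API[p])
    return out


def table_grant(principal: str, database: str, table: Optional[str],
                permissions: Iterable[str], grantable: Iterable[str] = ()) -> dict:
    """Table permissions tile. table=None means 'All tables' in the database
    (TableWildcard), which also implies DESCRIBE on the database."""
    perms, grant = _to_api(permissions), _to_api(grantable)
    # Example's own check: only grant the grant option on permissions granted.
    missing = sorted(set(grant) - set(perms))
    if missing:
        raise ValueError(f"grantable permissions not granted: {missing}")
    resource = {"DatabaseName": database}
    if table is None:
        resource["TableWildcard"] = {}
    else:
        resource["Name"] = table
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Table": resource},
        "Permissions": perms,
        "PermissionsWithGrantOption": grant,
    }


def column_grant(principal: str, database: str, table: str,
                 include: Optional[Iterable[str]] = None,
                 exclude: Optional[Iterable[str]] = None,
                 grantable: bool = False) -> dict:
    """Column-based permissions tile: Select only, with exactly one of an
    inclusion list (ColumnNames) or an exclusion list (ColumnWildcard)."""
    if (include is None) == (exclude is None):
        raise ValueError("give exactly one of include= or exclude=")
    resource = {"DatabaseName": database, "Name": table}
    if include is not None:
        resource["ColumnNames"] = list(include)
    else:
        resource["ColumnWildcard"] = {"ExcludedColumnNames": list(exclude)}
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"TableWithColumns": resource},
        "Permissions": ["SELECT"],
        "PermissionsWithGrantOption": ["SELECT"] if grantable else [],
    }


def column_filter_overridden(requests: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """Return (principal, database, table) triples where a column-filtered
    Select is paired with a table-level SELECT or ALL on the same table
    (directly or via 'All tables'); the table-level grant exposes every
    column, which is exactly what the Important note above warns against."""
    table_level, column_level = set(), set()
    for r in requests:
        principal = r["Principal"]["DataLakePrincipalIdentifier"]
        res = r["Resource"]
        if "TableWithColumns" in res:
            t = res["TableWithColumns"]
            column_level.add((principal, t["DatabaseName"], t["Name"]))
        elif "Table" in res and {"SELECT", "ALL"} & set(r["Permissions"]):
            t = res["Table"]
            table_level.add((principal, t["DatabaseName"], t.get("Name")))  # None = all tables
    return sorted(
        (p, db, name) for p, db, name in column_level
        if (p, db, name) in table_level or (p, db, None) in table_level
    )


# Constructed sample values.
ANALYST = "arn:aws:iam::123456789012:role/analyst"

if __name__ == "__main__":
    planned = [
        column_grant(ANALYST, "sales", "orders", exclude=["card_number"]),
        table_grant(ANALYST, "sales", "orders", ["Select"]),  # overrides the filter
    ]
    print("column filter overridden on:", column_filter_overridden(planned))
```

The sample in the main block deliberately pairs an exclusion-list grant with a table-level Select on the same table, so the check reports it; drop the table-level Select (or grant only Describe there) and the check returns an empty list.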