Granting table permissions using the Lake Formation console and the named resource method - AWS Lake Formation

You can use the Lake Formation console and the named resource method to grant Lake Formation permissions on Data Catalog tables. You can grant permissions on individual tables, or with a single grant operation, you can grant permissions on all tables in a database.

If you grant permissions on all tables in a database, you are implicitly granting the DESCRIBE permission on the database. The database then appears on the Databases page on the console, and is returned by the GetDatabases API operation.

When you choose SELECT as the permission to grant, you have the option to apply a column filter, row filter, or cell filter.

The following steps explain how to grant table permissions by using the named resource method and the Grant Permissions page on the Lake Formation console. The page is divided into these sections:

  • Principals – The users, roles, AWS accounts, organizations, or organizational units to grant permissions to.

  • LF-Tags or catalog resources – The databases, tables, or resource links to grant permissions on.

  • Permissions – The Lake Formation permissions to grant.

Note

To grant permissions on a table resource link, see Granting resource link permissions.

Open the Grant permissions page

  1. Open the AWS Lake Formation console at https://console.aws.amazon.com/lakeformation/, and sign in as a data lake administrator, the table creator, or a user who has been granted permissions on the table with the grant option.

  2. Do one of the following:

    • In the navigation pane, choose Data permissions. Then choose Grant.

    • In the navigation pane, choose Tables. Then, on the Tables page, choose a table, and on the Actions menu, under Permissions, choose Grant.

    Note

    You can grant permissions on a table through its resource link. To do so, on the Tables page, choose a resource link, and on the Actions menu, choose Grant on target. For more information, see How resource links work in Lake Formation.

Specify the principals

In the Principals section, choose a principal type and specify principals to grant permissions to.


Screenshot description: The Principals section contains three tiles that are named in the following text. Each tile contains an option button and text. The IAM users and roles tile is selected, and an IAM users and roles dropdown list is below the tiles.

IAM users and roles

Choose one or more users or roles from the IAM users and roles list.

SAML users and groups

For SAML and Amazon QuickSight users and groups, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon QuickSight users or groups. Press Enter after each ARN.

For information about how to construct the ARNs, see Lake Formation Grant and Revoke AWS CLI Commands.

Note

Lake Formation integration with Amazon QuickSight is supported for Amazon QuickSight Enterprise Edition only.

External accounts

For AWS account, AWS organization, or IAM principal, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or ARNs of IAM users or roles. Press Enter after each ID.

An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.

An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" character and 8 to 32 additional lowercase letters or digits.

Specify the tables

In the LF-Tags or catalog resources section, choose a database. Then choose one or more tables, or All tables.

Screenshot description: The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-tags, and Named data catalog resources. Named data catalog resources is selected. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name. The Table dropdown list has a tile beneath it containing the selected table name.

Specify the permissions

In the Permissions section, do one of the following to select permissions and grantable permissions:

Specify table permissions (no data filtering)

  1. Select the table permissions to grant, and optionally select grantable permissions.

    Screenshot description: The Table and column permissions section has two subsections: Table permissions and Grantable permissions. Each subsection has a check box for each possible Lake Formation permission: Alter, Insert, Drop, Delete, Select, Describe, and Super. The Super permission is set off to the right of the other permissions, and has a description: "This permission allows the principal to grant any of the permissions to the left, and supersedes those grantable permissions."

    If you grant Select, the Data permissions section appears beneath the Table and column permissions section, with the All data access option selected by default. Accept the default.

    Screenshot description: The Data permissions section contains three tiles, arranged horizontally, each with an option button and a description. The option buttons are: All data access (selected), Simple column-based access, and Advanced cell-level filters.

  2. Choose Grant.

Specify the Select permission with data filtering

  1. Select the Select permission. Don't select any other permissions.

    The Data permissions section appears beneath the Table and column permissions section.

  2. Do one of the following:

    • Apply simple column filtering only.

      1. Choose Simple column-based access.

        Screenshot description: The top section is the Table and column permissions section, described in the preceding screenshot. It contains check boxes for table permissions and grantable permissions. The bottom section, Data permissions, has three tiles arranged horizontally, where each tile has an option button and description. The options are All data access, Simple column-based access, and Advanced cell-level filters. The Simple column-based access option is selected. Beneath the tiles is an option button group with the label Choose permission filter. The options are Include columns and Exclude columns. Beneath the option group is a Select columns dropdown list, and beneath that is a Grantable permissions subsection, which contains a single check box labeled Select.

      2. Choose whether to include or exclude columns, and then choose the columns to include or exclude.

        Only include lists are supported when granting permissions to an external AWS account or organization.

      3. (Optional) Under Grantable permissions, turn on the grant option for the Select permission.

        If you include the grant option, the grant recipient can grant permissions only on the columns that you grant to them.

      Note

      You can also apply column filtering only by creating a data filter that specifies a column filter and specifies all rows as the row filter. However, this requires more steps.

    • Apply column, row, or cell filtering.

      1. Choose Advanced cell-level filters.

        Screenshot description: This section, titled Data permissions, is beneath the Table permissions section. It has three tiles arranged horizontally, where each tile has an option button and description. The options are All data access, Simple column-based access, and Advanced cell-level filters. The Advanced cell-level filters option is selected. Beneath the tiles is the label View existing permissions with an exposure triangle to the left. The existing permissions are not exposed. Below that is a section entitled Data filters to grant. To the right of the title are three buttons: Refresh, Manage filters, and Create new filter. Below the title and buttons is a text field with the placeholder text "Find filter". Below that is a table of existing filters. Each row has a check box at the left. The column headings are Filter name, Table, Database, and Table catalog ID. There are two rows. The filter name in the first row is restrict-pharma. The name in the second row is no-pharma.

      2. (Optional) Expand View existing permissions.

      3. (Optional) Choose Create new filter.

      4. (Optional) To view details for the listed filters, or to create new or delete existing filters, choose Manage filters.

        The Data filters page opens in a new browser window.

        When you are finished on the Data filters page, return to the Grant permissions page, and if necessary, refresh the page to view any new data filters that you created.

      5. Select one or more data filters to apply to the grant.

        Note

        If there are no data filters in the list, it means that no data filters were created for the selected table.

  3. Choose Grant.
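As an added example (not code from the AWS documentation), the following Python builds the `grant_permissions()` request that a boto3 Lake Formation client would send for each of the console choices described above: All data access, Simple column-based access with include or exclude lists, and Advanced cell-level filters by data filter name. The identifier checks follow the organization and OU formats stated under External accounts, and the builder refuses combinations the console does not offer (filtering alongside permissions other than Select, exclude lists for external accounts or organizations). The account, database, table and filter names are constructed; using the granting account as the filter's TableCatalogId is an assumption, and SAML or QuickSight ARNs are not handled.

```python
import re

# Page-stated formats: "o-" + 10-32 lowercase letters/digits; "ou-" + root ID (4-32) + "-" + 8-32.
ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
ACCOUNT_ID = re.compile(r"^\d{12}$")
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(?:user|role)/.+$")

def is_external_principal(principal: str, own_account: str) -> bool:
    """True for the console's External accounts tile: an org, an OU, another account,
    or an IAM user/role in another account. Malformed identifiers raise."""
    if ORG_ID.match(principal) or OU_ID.match(principal):
        return True
    if ACCOUNT_ID.match(principal):
        return principal != own_account
    arn = IAM_ARN.match(principal)
    if arn:
        return arn.group(1) != own_account
    raise ValueError(f"unrecognised principal identifier: {principal}")

def build_table_grant(principal, own_account, database, table, permissions=("SELECT",),
                      grantable=(), include=None, exclude=None, data_filter=None):
    """kwargs for lakeformation.grant_permissions() on one named table.
    No filter: All data access. include/exclude: Simple column-based access.
    data_filter: Advanced cell-level filters (an existing filter, by name)."""
    filters = [f for f in (include, exclude, data_filter) if f is not None]
    if len(filters) > 1:
        raise ValueError("choose at most one of include, exclude, data_filter")
    if filters and list(permissions) != ["SELECT"]:  # console: Select only, no other permissions
        raise ValueError("data filtering requires SELECT as the only permission")
    if exclude is not None and is_external_principal(principal, own_account):
        raise ValueError("only include lists are supported for external accounts/organizations")
    if data_filter is not None:  # TableCatalogId assumed to be the granting account
        resource = {"DataCellsFilter": {"TableCatalogId": own_account, "DatabaseName": database,
                                        "TableName": table, "Name": data_filter}}
    elif include is not None:
        resource = {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                         "ColumnNames": list(include)}}
    elif exclude is not None:
        resource = {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                         "ColumnWildcard": {"ExcludedColumnNames": list(exclude)}}}
    else:
        resource = {"Table": {"DatabaseName": database, "Name": table}}
    request = {"Principal": {"DataLakePrincipalIdentifier": principal},
               "Resource": resource, "Permissions": list(permissions)}
    if grantable:  # recipient may re-grant only what is granted here
        request["PermissionsWithGrantOption"] = list(grantable)
    return request
```

The returned dictionary is passed unchanged as `boto3.client("lakeformation").grant_permissions(**request)`; nothing in the block itself contacts AWS.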