Permissions example scenario

The following scenario helps demonstrate how you can set up permissions to secure access to data in AWS Lake Formation.

Shirley is a data administrator. She wants to set up a data lake for her company, AnyCompany. Currently, all data is stored in Amazon S3. John is a marketing manager and needs write access to customer purchasing information (contained in s3://customerPurchases). A marketing analyst, Diego, joins John this summer. John needs the ability to grant Diego access to perform queries on the data without involving Shirley.

To summarize:

• Shirley is the data lake administrator.

• John requires CREATE_DATABASE and CREATE_TABLE permission to create new databases and tables in the Data Catalog.

• John also requires SELECT, INSERT, and DELETE permissions on tables he creates.

• Diego requires SELECT permission on the table to run queries.

The employees of AnyCompany perform the following actions to set up permissions. The API operations shown in this scenario show a simplified syntax for clarity.

1. Shirley registers the Amazon S3 path containing customer purchasing information with Lake Formation.

   RegisterResource(ResourcePath("s3://customerPurchases"), false, Role_ARN )

2. Shirley grants John access to the Amazon S3 path containing customer purchasing information.

   GrantPermissions(John, S3Location("s3://customerPurchases"), [DATA_LOCATION_ACCESS]) )

3. Shirley grants John permission to create databases.

   GrantPermissions(John, catalog, [CREATE_DATABASE]) 

4. John creates the database John_DB. John automatically has CREATE_TABLE permission on that database because he created it.

   CreateDatabase(John_DB)

5. John creates the table John_Table pointing to s3://customerPurchases. Because he created the table, he has all permissions on it, and can grant permissions on it.

   CreateTable(John_DB, John_Table)

6. John allows his analyst, Diego, access to the table John_Table.

    GrantPermissions(Diego, John_Table, [SELECT])