Notes and restrictions for column-level filtering - Amazon Lake Formation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Notes and restrictions for column-level filtering

There are three ways to specify column filtering:

  • By using data filters, as described earlier.

  • By using simple column filtering or nested column filtering.

  • By using TAGs.

Simple column filtering just specifies a list of columns to include or exclude. Both the Lake Formation console, the API, and the Amazon CLI support simple column filtering. For an example, see Grant with Simple Column Filtering.

The following notes and restrictions apply to column filtering:

  • Amazon Glue ETL jobs support column filtering only by using data filters (cell-level security). The job fails if simple column filtering is applied to any table that the job references. If you want only column filtering, grant access to tables using data filters and enter true for the row filter expression in the console, or use AllRowsWildcard in your API calls.

  • To grant SELECT with the grant option and column filtering, you must use an include list, not an exclude list. Without the grant option, you can use either include or exclude lists.

  • To grant SELECT on a table with column filtering, you must have been granted SELECT on the table with the grant option and without any row restrictions. You must have access to all rows.

  • If you grant SELECT with the grant option and column filtering to a principal in your account, that principal must specify column filtering for the same columns or a subset of the granted columns when granting to another principal. If you grant SELECT with the grant option and column filtering to an external account, the data lake administrator in the external account can grant SELECT on all columns to another principal in their account. However, even with SELECT on all columns, that principal will have visibility only on the columns granted to the external account.

  • You can't apply column filtering on partition keys.

  • A principal with the SELECT permission on a subset of columns in a table can't be granted the ALTER, DROP, DELETE, or INSERT permission on that table. For a principal with the ALTER, DROP, DELETE, or INSERT permission on a table, if you grant the SELECT permission with column filtering, it has no effect.

The following notes and restrictions apply to nested column filtering:

  • You can include or exclude five-levels of nested fields in a data filter.

    Col1.Col1_1.Col1_1_1.Col1_1_1_1.Col1_1_1_1_1

  • You can't apply column filtering on nested fields within partition columns.

  • If your table schema contains a top-level column name ("customer"."address") that has the same pattern of a nested field representation within a data filter (a nested column with a top level column name customer and a nested field name address is specified as "customer"."address" in a data filter), you can't explicitly specify access to either top level column or nested field because both are represented using the same pattern in the inclusion/exclusion lists. This is ambiguous, and Lake Formation can't resolve if you're specifying the top level column or the nested field.

  • If a top level column or nested field contains a double quote within the name, you must include a second double quote when you specify access to a nested field within a data cells filter's include and exclude list.

    Example nested column name with double quotes – a.b.double"quote

    Example nested column representation within a data filter – "a"."b"."double""quote"