Notes and restrictions for column-level filtering
There are three ways to specify column filtering:
-
By using data filters, as described earlier.
-
By using simple column filtering or nested column filtering.
-
By using TAGs.
Simple column filtering just specifies a list of columns to include or exclude. Both the Lake Formation console, the API, and the Amazon CLI support simple column filtering. For an example, see Grant with Simple Column Filtering.
The following notes and restrictions apply to column filtering:
-
Amazon Glue ETL jobs support column filtering only by using data filters (cell-level security). The job fails if simple column filtering is applied to any table that the job references. If you want only column filtering, grant access to tables using data filters and enter
true
for the row filter expression in the console, or useAllRowsWildcard
in your API calls. -
To grant
SELECT
with the grant option and column filtering, you must use an include list, not an exclude list. Without the grant option, you can use either include or exclude lists. -
To grant
SELECT
on a table with column filtering, you must have been grantedSELECT
on the table with the grant option and without any row restrictions. You must have access to all rows. -
If you grant
SELECT
with the grant option and column filtering to a principal in your account, that principal must specify column filtering for the same columns or a subset of the granted columns when granting to another principal. If you grantSELECT
with the grant option and column filtering to an external account, the data lake administrator in the external account can grantSELECT
on all columns to another principal in their account. However, even withSELECT
on all columns, that principal will have visibility only on the columns granted to the external account. -
You can't apply column filtering on partition keys.
-
A principal with the
SELECT
permission on a subset of columns in a table can't be granted theALTER
,DROP
,DELETE
, orINSERT
permission on that table. For a principal with theALTER
,DROP
,DELETE
, orINSERT
permission on a table, if you grant theSELECT
permission with column filtering, it has no effect.
The following notes and restrictions apply to nested column filtering:
-
You can include or exclude five-levels of nested fields in a data filter.
Col1.Col1_1.Col1_1_1.Col1_1_1_1.Col1_1_1_1_1
-
You can't apply column filtering on nested fields within partition columns.
-
If your table schema contains a top-level column name ("customer"."address") that has the same pattern of a nested field representation within a data filter (a nested column with a top level column name
customer
and a nested field nameaddress
is specified as"customer"."address"
in a data filter), you can't explicitly specify access to either top level column or nested field because both are represented using the same pattern in the inclusion/exclusion lists. This is ambiguous, and Lake Formation can't resolve if you're specifying the top level column or the nested field. -
If a top level column or nested field contains a double quote within the name, you must include a second double quote when you specify access to a nested field within a data cells filter's include and exclude list.
Example nested column name with double quotes –
a.b.double"quote
Example nested column representation within a data filter –
"a"."b"."double""quote"