Step 3: Set up data filters and grant permissions - Amazon Lake Formation

Step 3: Set up data filters and grant permissions

This tutorial uses two data analysts: one responsible for the US marketplace and another for the Japanese marketplace. Each analyst uses Athena to analyze customer reviews for their specific marketplace only. Create two different data filters, one for the analyst responsible for the US marketplace, and another for the one responsible for the Japanese marketplace. Then, grant the analysts their respective permissions.

Create data filters and grant permissions
  1. Create a filter to restrict access to the US marketplace data.

    1. Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ in the US East (N. Virginia) Region as the DatalakeAdmin user.

    2. Choose Data filters.

    3. Choose Create new filter.

    4. For Data filter name, enter amazon_reviews_US.

    5. For Target database, choose the database lakeformation_tutorial_row_security.

    6. For Target table, choose the table amazon_reviews.

    7. For Column-level access, leave as the default.

    8. For Row filter expression, enter marketplace='US'.

    9. Choose Create filter.

  2. Create a filter to restrict access to the Japanese marketplace data.

    1. On the Data filters page, choose Create new filter.

    2. For Data filter name, enter amazon_reviews_JP.

    3. For Target database, choose the database lakeformation_tutorial_row_security.

    4. For Target table, choose the table amazon_reviews.

    5. For Column-level access, leave as the default.

    6. For Row filter expression, enter marketplace='JP'.

    7. Choose Create filter.

  3. Next, grant permissions to the data analysts using these data filters. Follow these steps to grant permissions to the US data analyst (DataAnalystUS):

    1. Under Permissions, choose Data lake permissions.

    2. Under Data permission, choose Grant.

    3. For Principals, choose IAM users and roles, and select the role DataAnalystUS.

    4. For LF tags or catalog resources, choose Named data catalog resources.

    5. For Database, choose lakeformation_tutorial_row_security.

    6. For Tables – optional, choose amazon_reviews.

    7. For Data filters – optional, select amazon_reviews_US.

    8. For Data filter permissions, select Select.

    9. Choose Grant.

  4. Follow these steps to grant permissions to the Japanese data analyst (DataAnalystJP):

    1. Under Permissions, choose Data lake permissions.

    2. Under Data permission, choose Grant.

    3. For Principals, choose IAM users and roles, and select the role DataAnalystJP.

    4. For LF tags or catalog resources, choose Named data catalog resources.

    5. For Database, choose lakeformation_tutorial_row_security.

    6. For Tables – optional, choose amazon_reviews.

    7. For Data filters – optional, select amazon_reviews_JP.

    8. For Data filter permissions, select Select.

    9. Choose Grant.
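
The following is an added example, not part of the original tutorial: it builds the Lake Formation API requests that correspond to the console steps above and checks a ListPermissions result for table-wide grants. Lake Formation grants are additive, so a principal that also holds SELECT or ALL on the whole table is not restricted by the row filter. The account ID `111122223333`, the helper names, and the `SAMPLE` entries are assumptions constructed for illustration.

```python
ACCOUNT = "111122223333"  # placeholder account ID (assumption)
DB, TABLE = "lakeformation_tutorial_row_security", "amazon_reviews"

def filter_request(market):
    """CreateDataCellsFilter input: every column, rows of one marketplace."""
    if market not in ("US", "JP"):  # fixed set, so the expression stays literal
        raise ValueError(f"unexpected marketplace: {market!r}")
    return {"TableData": {
        "TableCatalogId": ACCOUNT, "DatabaseName": DB, "TableName": TABLE,
        "Name": f"amazon_reviews_{market}",
        "RowFilter": {"FilterExpression": f"marketplace='{market}'"},
        "ColumnWildcard": {}}}  # column-level access left at the default

def grant_request(market):
    """GrantPermissions input: SELECT on the data filter, not on the table."""
    return {
        "Principal": {"DataLakePrincipalIdentifier":
                      f"arn:aws:iam::{ACCOUNT}:role/DataAnalyst{market}"},
        "Resource": {"DataCellsFilter": {
            "TableCatalogId": ACCOUNT, "DatabaseName": DB,
            "TableName": TABLE, "Name": f"amazon_reviews_{market}"}},
        "Permissions": ["SELECT"]}

def unfiltered_grants(entries):
    """Principals with SELECT/ALL on the whole table (ListPermissions entries)."""
    hits = set()
    for e in entries:
        res = e["Resource"]
        tbl = res.get("Table") or res.get("TableWithColumns") or {}
        on_table = tbl.get("DatabaseName") == DB and (
            tbl.get("Name") == TABLE or "TableWildcard" in tbl)
        if on_table and {"SELECT", "ALL"} & set(e["Permissions"]):
            hits.add(e["Principal"]["DataLakePrincipalIdentifier"])
    return sorted(hits)

# Constructed ListPermissions entries: one filter grant, one table-wide grant.
SAMPLE = [
    {"Principal": grant_request("US")["Principal"],
     "Resource": grant_request("US")["Resource"], "Permissions": ["SELECT"]},
    {"Principal": grant_request("JP")["Principal"], "Permissions": ["SELECT"],
     "Resource": {"Table": {"DatabaseName": DB, "Name": TABLE}}},
]

def apply(market):
    """Send both requests; needs boto3 and data lake administrator credentials."""
    import boto3
    lf = boto3.client("lakeformation", region_name="us-east-1")
    lf.create_data_cells_filter(**filter_request(market))
    lf.grant_permissions(**grant_request(market))
```

Running `unfiltered_grants(SAMPLE)` reports the DataAnalystJP role, because its constructed grant targets the table itself rather than the amazon_reviews_JP filter.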