Step 4: Grant table permissions
Grant permissions to data analysts for consumption of the database tag_database and the table col_tag_database using LF-tags Confidential and Sensitive.
- Follow these steps to grant permissions to the lf-data-analyst user on the objects associated with the LF-Tag Confidential=True (Database: tag_database) to have Describe permission on the database and Select permission on tables.
  - Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-engineer.
  - Under Permissions, select Data lake permissions.
  - Choose Grant.
  - Under Principals, select IAM users and roles.
  - For IAM users and roles, choose lf-data-analyst.
  - Under LF-Tags or catalog resources, select Resources matched by LF-Tags.
  - Choose Add LF-tag.
  - For Key, choose Confidential.
  - For Values, choose True.
  - For Database permissions, select Describe.
  - For Table permissions, choose Select and Describe.
  - Choose Grant.
- Next, repeat the steps to grant permissions to data analysts for the LF-Tag expression Confidential=False. This LF-tag is used for describing the col_tag_database and the table source_data_col_lvl when logged in as lf-data-analyst from Amazon Athena.
  - Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-engineer.
  - On the Databases page, select the database col_tag_database.
  - Choose Action and Grant.
  - Under Principals, select IAM users and roles.
  - For IAM users and roles, choose lf-data-analyst.
  - Select Resources matched by LF-Tags.
  - Choose Add LF-Tag.
  - For Key, choose Confidential.
  - For Values, choose False.
  - For Database permissions, select Describe.
  - For Table permissions, do not select anything.
  - Choose Grant.
- Next, repeat the steps to grant permissions to data analysts for the LF-Tag expression Confidential=False and Sensitive=True. This LF-tag is used for describing the col_tag_database and the table source_data_col_lvl (column-level) when logged in as lf-data-analyst from Amazon Athena.
  - Sign in to the Lake Formation console at https://console.amazonaws.cn/lakeformation/ as lf-data-engineer.
  - On the Databases page, select the database col_tag_database.
  - Choose Action and Grant.
  - Under Principals, select IAM users and roles.
  - For IAM users and roles, choose lf-data-analyst.
  - Select Resources matched by LF-Tags.
  - Choose Add LF-tag.
  - For Key, choose Confidential.
  - For Values, choose False.
  - Choose Add LF-tag.
  - For Key, choose Sensitive.
  - For Values, choose True.
  - For Database permissions, select Describe.
  - For Table permissions, select Select and Describe.
  - Choose Grant.
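
The three console grants above, written as Lake Formation grant_permissions requests so the analyst's access can be reviewed as data. This is an added example, not part of the original tutorial: the account ID in the ARN is a placeholder, the aws-cn partition is assumed from the console URL, and the helper names are hypothetical. An LFTagPolicy resource carries a single ResourceType, so database and table permissions become separate requests.

```python
"""Lake Formation grant_permissions requests mirroring the page's three console grants."""

# Assumptions: placeholder account ID; aws-cn partition inferred from the console URL.
ANALYST_ARN = "arn:aws-cn:iam::111122223333:user/lf-data-analyst"

# One entry per console grant: (LF-tag expression, database permissions, table permissions).
GRANTS = [
    ({"Confidential": ["True"]}, ["DESCRIBE"], ["SELECT", "DESCRIBE"]),
    ({"Confidential": ["False"]}, ["DESCRIBE"], []),
    ({"Confidential": ["False"], "Sensitive": ["True"]}, ["DESCRIBE"], ["SELECT", "DESCRIBE"]),
]


def build_requests(principal_arn, grants=GRANTS):
    """Return grant_permissions kwargs, one per resource type that has permissions."""
    requests = []
    for expression, db_perms, table_perms in grants:
        expr = [{"TagKey": k, "TagValues": v} for k, v in expression.items()]
        for resource_type, perms in (("DATABASE", db_perms), ("TABLE", table_perms)):
            if perms:  # an empty console box means no request for that resource type
                requests.append({
                    "Principal": {"DataLakePrincipalIdentifier": principal_arn},
                    "Resource": {"LFTagPolicy": {"ResourceType": resource_type, "Expression": expr}},
                    "Permissions": perms,
                })
    return requests


def select_expressions(requests):
    """Tag expressions under which the principal may SELECT from tables, for review."""
    return [
        {c["TagKey"]: c["TagValues"] for c in r["Resource"]["LFTagPolicy"]["Expression"]}
        for r in requests
        if r["Resource"]["LFTagPolicy"]["ResourceType"] == "TABLE" and "SELECT" in r["Permissions"]
    ]


def apply_requests(requests, client=None):
    """Send each request; the default client needs boto3 and lf-data-engineer credentials."""
    if client is None:
        import boto3
        client = boto3.client("lakeformation")
    for request in requests:
        client.grant_permissions(**request)
    return len(requests)


if __name__ == "__main__":
    print(select_expressions(build_requests(ANALYST_ARN)))
```

select_expressions makes the least-privilege point of the second grant visible: Confidential=False on its own never appears among the expressions that allow SELECT.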