If you want to manage Data Lake Formation (DLF) permissions in DataWorks, you must grant DataWorks the permissions to access DLF resources. After the permissions are granted to DataWorks, the system creates a service-linked role named AliyunServiceRoleForDataWorksAccessDLF. This topic describes the service-linked role that is created when you grant DataWorks the permissions to access DLF.
Scenarios
- Authorize DataWorks to access DLF resources such as catalogs, databases, tables, and fields.
- Allow DataWorks to grant the permissions on DLF resources to users.
- Allow DataWorks to revoke the permissions on DLF resources from users.
Description of the AliyunServiceRoleForDataWorksAccessDLF role
- Role name: AliyunServiceRoleForDataWorksAccessDLF
- Policy: AliyunServiceRolePolicyForDataWorksAccessDLF
- Policy description: In Security Center, this role is specified by default to access DLF resources.
{
"Version": "1",
"Statement": [
{
"Action": [
"dlf:GetCatalog",
"dlf:GetDatabase",
"dlf:GetFunction",
"dlf:GetTable",
"dlf:GetRole",
"dlf:ListCatalogs",
"dlf:ListDatabases",
"dlf:ListFunctionNames",
"dlf:ListFunctions",
"dlf:ListTableNames",
"dlf:ListTables",
"dlf:ListRoles",
"dlf:ListRoleUsers",
"dlf:CheckPermissions",
"dlf:BatchGrantPermissions",
"dlf:BatchRevokePermissions",
"dlf:GrantPermissions",
"dlf:RevokePermissions",
"dlf:UpdatePermissions",
"dlf:ListPermissions",
"dlf-dss:GetCatalog",
"dlf-dss:GetDatabase",
"dlf-dss:GetFunction",
"dlf-dss:GetTable",
"dlf-dss:ListCatalogs",
"dlf-dss:ListDatabases",
"dlf-dss:ListFunctionNames",
"dlf-dss:ListFunctions",
"dlf-dss:ListTableNames",
"dlf-dss:ListTables",
"dlf-dss:ListRoleUsers",
"dlf-dss:ListRoles",
"dlf-dss:CheckPermissions",
"dlf-dss:GrantPermissions",
"dlf-dss:RevokePermissions",
"dlf-dss:UpdatePermissions",
"dlf-dss:ListPermissions",
"dlf-dss:BatchGrantPermissions",
"dlf-dss:BatchRevokePermissions",
"dlf-dss:CreateTable",
"dlf-dss:AlterTable",
"dlf-dss:DropTable",
"dlf-dss:DescribeTable",
"dlf-dss:SelectTable",
"dlf-dss:UpdateTable",
"dlf-dss:DescribeDatabase",
"dlf-dss:CreateDatabase",
"dlf-dss:AlterDatabase",
"dlf-dss:DropDatabase",
"dlf-dss:DescribeFunction",
"dlf-dss:AlterFunction",
"dlf-dss:CreateFunction",
"dlf-dss:DropFunction",
"dlf-dss:ExecuteFunction"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:DeleteServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "dlf.dataworks.aliyuncs.com"
}
}
}
]
}
Create a service-linked role
In Security Center, if you set Engine Type to DLF in the Application Content section on the Permission Application tab of the Data Access Control page, the system prompts you to grant DataWorks the permissions to access DLF. After you grant the permissions to DataWorks, the system creates the AliyunServiceRoleForDataWorksAccessDLF service-linked role in the Resource Access Management (RAM) console.
Delete the service-linked role
You can delete the service-linked role in the RAM console. After the role is deleted, you cannot manage DLF permissions in DataWorks. For more information, see Delete a RAM role.
Permissions required by a RAM user to create the service-linked role
To allow a RAM user to create the AliyunServiceRoleForDataWorksAccessDLF service-linked role, you must attach the AliyunDataWorksFullAccess policy or the following policy to the RAM user:
{
"Version": "1",
"Statement": [
{
"Action": "dataworks:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:CreateServiceLinkedRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ram:ServiceName": "dlf.dataworks.aliyuncs.com"
}
}
}
]
}