

# Granting data permissions using the named resource method
<a name="granting-cat-perms-named-resource"></a>

The named Data Catalog resource method is a way of granting permissions to AWS Glue Data Catalog objects, such as catalogs, databases, tables, columns, and views, using a centralized approach. It allows you to define resource-based policies that control access to specific resources within your data lake.

When you use the named resource method to grant permissions, you specify the resource type and the permissions that you want to grant or revoke for that resource. You can revoke a permission later if needed, which removes it from the associated resources.

You can grant permissions by using the AWS Lake Formation console, APIs, or the AWS Command Line Interface (AWS CLI).

**Topics**
+ [Granting catalog permissions using the named resource method](granting-multi-catalog-permissions.md)
+ [Granting database permissions using the named resource method](granting-database-permissions.md)
+ [Granting table permissions using the named resource method](granting-table-permissions.md)
+ [Granting permissions on views using the named resource method](granting-view-permissions.md)

# Granting catalog permissions using the named resource method
<a name="granting-multi-catalog-permissions"></a>

The following steps explain how to grant catalog permissions by using the named resource method.

------
#### [ Console ]

Use the **Grant permissions** page on the Lake Formation console. The page is divided into the following sections:
+ **Principal type** – You can grant permissions to specific principals or use attribute tags.
  + **Principals** – The IAM users, roles, IAM Identity Center users and groups, SAML users and groups, AWS accounts, organizations, or organizational units to grant permissions to.
  + **Principals by attributes** – Add tag key-value pairs from IAM roles or IAM session tags. Principals with matching attributes receive access to the specified resource.
+ **LF-Tags or catalog resources** – The catalogs, databases, tables, views, or resource links to grant permissions on.
+ **Permissions** – The Lake Formation permissions to grant.

**Note**  
To grant permissions on a database resource link, see [Granting resource link permissions](granting-link-permissions.md).

1. Open the **Grant permissions** page.

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the catalog creator, or an IAM user who has **Grantable permissions** on the catalog.

   Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Catalogs** under **Data Catalog**. Then, on the **Catalogs** page, choose a catalog, and from the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a catalog through its resource link. To do so, on the **Catalogs** page, choose a catalog link container, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

1. Next, in the **Principal type** section, choose principals or specify attributes attached to the principals.  
![\[The principal type section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Principals and Principals by attributes. Below the tiles are the principals.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-catalog-principal-type.png)

**Specify principals**  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list. Select **Add** to add more users or groups.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported only for Quick Enterprise Edition.  
**External accounts**  
For **AWS account**, **AWS organization**, or **IAM Principal**, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or the ARN of the IAM user or role. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" and 8–32 additional lowercase letters or digits.

**Principals by attributes**  
**Attributes**  
Add the IAM tag key-value pairs from the IAM role.   
**Permission scope**  
Specify if you're granting permissions to principals with matching attributes in the same account or in another account.

1. In the **LF-Tags or catalog resources** section, choose **Named data catalog resources**.  
![\[The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags, and Named data catalog resources. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-resources-catalog.png)

1. Choose one or more catalogs from the **Catalogs** list. You can also choose one or more **Databases**, **Tables**, and/or **Data filters**.

1. In the **Catalog permissions** section, select permissions and grantable permissions. Under **Catalog permissions**, select one or more permissions to grant.  
![\[The Permissions section contains the catalog permissions tile. Below the tile is a group of check boxes for catalog permissions to grant. Check boxes include Super user, Create catalog, Create database, Alter, Drop, Describe, and Super. Below that group is another group of the same check boxes for grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-catalog-permissions-section.png)

   Choose **Super user** to grant unrestricted administrative privileges to perform any operation on all resources within the catalog (databases, tables, and views).
**Note**  
After granting `Create database` or `Alter` on a catalog that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account. This option is not supported when you are granting permissions to an IAM principal from an external account. 

1. Choose **Grant**.

   The **Data permissions** page shows the permission details. If you used the **Principals by attributes** option to grant permissions, the grant appears in the list as a grant to `ALLPrincipals`.

------
#### [ AWS CLI ]

To grant catalog permissions using the AWS CLI, see [Creating Amazon Redshift federated catalogs](create-ns-catalog.md).

------

# Granting database permissions using the named resource method
<a name="granting-database-permissions"></a>

The following steps explain how to grant database permissions by using the named resource method.

------
#### [ Console ]

Use the **Grant permissions** page on the Lake Formation console. The page is divided into the following sections:
+  **Principal type** – The **Principals** section includes the IAM users, roles, IAM Identity Center users and groups, SAML users and groups, AWS accounts, organizations, or organizational units to grant permissions to. In the **Principals by attributes** section, you specify the keys and values of the attributes attached to the IAM roles.
+  **LF-Tags or catalog resources** – The databases, tables, views, or resource links to grant permissions on.
+  **Permissions** – The Lake Formation permissions to grant.

**Note**  
To grant permissions on a database resource link, see [Granting resource link permissions](granting-link-permissions.md).

1. Open the **Grant permissions** page.

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the database creator, or an IAM user who has **Grantable permissions** on the database.

   Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Databases** under **Data Catalog**. Then, on the **Databases** page, choose a database, and from the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a database through its resource link. To do so, on the **Databases** page, choose a resource link, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

1. In the **Principal type** section, specify principals or grant permissions to principals using attributes.  
![\[The Principals section contains four tiles. Each tile contains an option button and text.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/identity-center-grant-perm.png)  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list. Select **Add** to add more users or groups.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported only for Quick Enterprise Edition.  
**External accounts**  
For **AWS account**, **AWS organization**, or **IAM Principal**, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or the ARN of the IAM user or role. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" and 8–32 additional lowercase letters or digits.  
**Principals by attributes**  
Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an OR operator. This means that if any of the attribute tag values assigned to an IAM role or user match, the role/user gains access permissions on the resource.  
Choose the permission scope by specifying if you're granting permissions to principals with matching attributes in the same account or in another account.

1. In the **LF-Tags or catalog resources** section, choose **Named data catalog resources**.  
![\[The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags, and Named data catalog resources. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-resources-section-2.png)

1. Choose one or more databases from the **Database** list. You can also choose one or more **Tables** and/or **Data filters**.

1. In the **Permissions** section, select permissions and grantable permissions. Under **Database permissions**, select one or more permissions to grant.  
![\[The Permissions section contains two tiles, arranged horizontally. Each tile contains an option button and text. The Database permissions tile is selected. The other tile, Column-based permissions, is disabled, because it relates to table permissions. Below the tiles is a group of check boxes for database permissions to grant. Check boxes include Create Table, Alter, Drop, Describe, and Super. Below that group is another group of the same check boxes for grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-db-permissions-section.png)
**Note**  
After granting `Create Table` or `Alter` on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account. This option is not supported when you are granting permissions to an IAM principal from an external account. 

1. Choose **Grant**.

------
#### [ AWS CLI ]

You can grant database permissions by using the named resource method and the AWS Command Line Interface (AWS CLI).

**To grant database permissions using the AWS CLI**
+ Run a `grant-permissions` command, and specify a database or the Data Catalog as the resource, depending on the permission being granted.

  In the following examples, replace *<account-id>* with a valid AWS account ID.  
**Example – Grant to create a database**  

  This example grants `CREATE_DATABASE` to user `datalake_user1`. Because the resource on which this permission is granted is the Data Catalog, the command specifies an empty `CatalogResource` structure as the `resource` parameter.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_DATABASE" --resource '{ "Catalog": {}}'
  ```  
**Example – Grant to create tables in a designated database**  

  The next example grants `CREATE_TABLE` on the database `retail` to user `datalake_user1`.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'
  ```  
**Example – Grant to an external AWS account with the Grant option**  

  The next example grants `CREATE_TABLE` with the grant option on the database `retail` to external account 1111-2222-3333.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "CREATE_TABLE" --permissions-with-grant-option "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'
  ```  
**Example – Grant to an organization**  

  The next example grants `ALTER` with the grant option on the database `issues` to the organization `o-abcdefghijkl`.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "Database": {"Name":"issues"}}'
  ```  
**Example – Grant to `ALLIAMPrincipals` in the same account**  

  The next example grants `CREATE_TABLE` permission on the database `retail` to all principals in the same account. This option enables every principal in the account to create a table in the database and to create a table resource link, which allows integrated query engines to access shared databases and tables. This option is especially useful when a principal receives a cross-account grant but does not have the permission to create resource links. In this scenario, the data lake administrator can create a placeholder database and grant `CREATE_TABLE` permission to the `ALLIAMPrincipals` group, enabling every IAM principal in the account to create resource links in the placeholder database.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"temp","CatalogId":"111122223333"}}'
  ```  
**Example – Grant to `ALLIAMPrincipals` in an external account**  

  The next example grants `CREATE_TABLE` on the database `retail` to all principals in an external account. This option enables every principal in the account to create a table in the database.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail","CatalogId":"123456789012"}}'
  ```

**Note**  
After granting `CREATE_TABLE` or `ALTER` on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

------

**See also**  
 [Lake Formation permissions reference](lf-permissions-reference.md) 
 [Granting permissions on a database or table shared with your account](regranting-shared-resources.md) 
 [Accessing and viewing shared Data Catalog tables and databases](viewing-shared-resources.md) 

# Granting table permissions using the named resource method
<a name="granting-table-permissions"></a>

You can use the Lake Formation console or AWS CLI to grant Lake Formation permissions on Data Catalog tables. You can grant permissions on individual tables, or with a single grant operation, you can grant permissions on all tables in a database. 

If you grant permissions on all tables in a database, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation. This automatic `DESCRIBE` permission grant doesn't apply when using attribute-based access control (ABAC). When granting permissions on all tables in a database using attributes, Lake Formation doesn't implicitly grant `DESCRIBE` permission to the database.

When you choose `SELECT` as the permission to grant, you have the option to apply a column filter, row filter, or cell filter.

------
#### [ Console ]

The following steps explain how to grant table permissions by using the named resource method and the **Grant data lake permissions** page on the Lake Formation console. The page is divided into these sections:
+  **Principal types** – The users, roles, AWS accounts, organizations, or organizational units to grant permissions to. You can also grant permissions to principals with matching attributes.
+  **LF-Tags or catalog resources** – The databases, tables, or resource links to grant permissions on.
+  **Permissions** – The Lake Formation permissions to grant.

**Note**  
To grant permissions on a table resource link, see [Granting resource link permissions](granting-link-permissions.md).

1. Open the Grant permissions page.

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the table creator, or a user who has been granted permissions on the table with the grant option.

   Do one of the following:
   + In the navigation pane, choose **Data permissions** under **Permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Tables**. Then, on the **Tables** page, choose a table, and on the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a table through its resource link. To do so, on the **Tables** page, choose a resource link, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

1. Next, in the **Principal types** section, specify principals, or principals with matching attributes, to grant permissions to.  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported for Quick Enterprise Edition only.  
**External accounts**  
For **AWS account**, **AWS organization**, or **IAM Principal**, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or the ARN of the IAM user or role. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" character and 8–32 additional lowercase letters or digits.  
**Principals by attributes**  
Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an OR operator. This means that if any of the attribute tag values assigned to an IAM role or user match, the role/user gains access permissions on the resource.  
Choose the permission scope by specifying if you're granting permissions to principals with matching attributes in the same account or in another account.

1. In the **LF-Tags or catalog resources** section, choose a database. Then choose one or more tables, or **All tables**.  
![\[The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags, and Named data catalog resources. Named data catalog resources is selected. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name. The Table dropdown list has a tile beneath it containing the selected table name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-resources-tables-section-2.png)

1. **Specify the permissions with no data filtering.**

   In the **Permissions** section, select the table permissions to grant, and optionally select grantable permissions.  
![\[The Table and column permissions section has two subsections: Table permissions and Grantable permissions. Each subsection has a check box for each possible Lake Formation permission: Alter, Insert, Drop, Delete, Select, Describe, and Super. The Super permission is set off to the right of the other permissions, and has a description: "This permission allows the principal to grant any of the permissions to the left, and supersedes those grantable permissions."\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-table-permissions-section-no-filter.png)

   If you grant **Select**, the **Data permissions** section appears beneath the **Table and column permissions** section, with the **All data access** option selected by default. Accept the default.  
![\[The section contains three tiles, arranged horizontally, each with an option button and a description. The option buttons are: All data access (selected), Simple column-based access, and Advanced cell-level filters.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-select-all-data-access.png)

1. Choose **Grant**.

1. **Specify the Select permission with data filtering.**

   Select the **Select** permission. Don't select any other permissions.

   The **Data permissions** section appears beneath the **Table and column permissions** section.

1. Do one of the following:
   + Apply simple column filtering only.

     1. Choose **Simple column-based access**.  
![\[The top section is the Table and column permissions section. It is described in the preceding screenshot. It contains check boxes for table permissions and grantable permissions. The bottom section, Data permissions, has three tiles arranged horizontally, where each tile has an option button and description. The options are All data access, Simple column-based access, and Advanced cell-level filters. The Simple column-based access option is selected. Beneath the tiles is an option button group with the label Choose permission filter. The options are Include columns and Exclude columns. Beneath the option group is a Select columns dropdown list, and beneath that is a Grantable permissions subsection, which contains a single check box labeled Select.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-table-permissions-section-column-filter.png)

     1. Choose whether to include or exclude columns, and then choose the columns to include or exclude.

        Only include lists are supported when granting permissions to an external AWS account or organization.

     1. (Optional) Under **Grantable permissions**, turn on the grant option for the **Select** permission.

         If you include the grant option, the grant recipient can grant permissions only on the columns that you grant to them.
**Note**  
You can also apply column filtering only by creating a data filter that specifies a column filter and specifies all rows as the row filter. However, this requires more steps.
   + Apply column, row, or cell filtering.

     1. Choose **Advanced cell-level filters**.  
![\[This section, titled Data permissions, is beneath the Table permissions section. It has three tiles arranged horizontally, where each tile has an option button and description. The options are All data access, Simple column-based access, and Advanced cell-level filters. The Advanced cell-level filters option is selected. Beneath the tiles is the label View existing permissions with an exposure triangle to the left. The existing permissions are not exposed. Below that is a section entitled Data filters to grant. To the right of the title are three buttons: Refresh, Manage filters, and Create new filter. Below the title and buttons is a text field with the placeholder text "Find filter". Below that is a table of existing filters. Each row has a check box at the left. The column headings are Filter name, Table, Database, and Table catalog ID. There are two rows. The filter name in the first row is restrict-pharma. The name in the second row is no-pharma.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-table-permissions-section-cell-filter.png)

     1. (Optional) Expand **View existing permissions**.

     1. (Optional) Choose **Create new filter**.

     1. (Optional) To view details for the listed filters, or to create new or delete existing filters, choose **Manage filters**.

        The **Data filters** page opens in a new browser window.

        When you are finished on the **Data filters** page, return to the **Grant permissions** page, and if necessary, refresh the page to view any new data filters that you created.

     1. Select one or more data filters to apply to the grant.
**Note**  
If there are no data filters in the list, it means that no data filters were created for the selected table.

1. Choose **Grant**.

------
#### [ AWS CLI ]

You can grant table permissions by using the named resource method and the AWS Command Line Interface (AWS CLI).

**To grant table permissions using the AWS CLI**
+ Run a `grant-permissions` command, and specify a table as the resource.

**Example – Grant on a single table - no filtering**  
The following example grants `SELECT` and `ALTER` to user `datalake_user1` in AWS account 1111-2222-3333 on the table `inventory` in the database `retail`.  

```
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" "ALTER" --resource '{ "Table": {"DatabaseName":"retail", "Name":"inventory"}}'
```
If you grant the `ALTER` permission on a table that has its underlying data in a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

**Example – Grant on All Tables with the Grant option - no filtering**  
The next example grants `SELECT` with the grant option on all tables in database `retail`.  

```
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --permissions-with-grant-option "SELECT" --resource '{ "Table": { "DatabaseName": "retail", "TableWildcard": {} } }'
```
<a name="simple-column-filter-example"></a>

**Example – Grant with simple column filtering**  
This next example grants `SELECT` on a subset of columns in the table `persons`. It uses simple column filtering.  

```
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --resource '{ "TableWithColumns": {"DatabaseName":"hr", "Name":"persons", "ColumnNames":["family_name", "given_name", "gender"]}}'
```

**Example – Grant with a data filter**  
This example grants `SELECT` on the `orders` table and applies the `restrict-pharma` data filter.  

```
aws lakeformation grant-permissions --cli-input-json file://grant-params.json
```
The following are the contents of file `grant-params.json`.  

```
{
    "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"},
    "Resource": {
        "DataCellsFilter": {
            "TableCatalogId": "111122223333",
            "DatabaseName": "sales",
            "TableName": "orders",
            "Name": "restrict-pharma"
        }
    },
    "Permissions": ["SELECT"],
    "PermissionsWithGrantOption": ["SELECT"]
}
```
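The following added example (not AWS code) ties together the database and table CLI examples on this page: it assembles the request body that `aws lakeformation grant-permissions --cli-input-json file://...` accepts from the named-resource shapes shown above (`Catalog`, `Database`, `Table` with `TableWildcard`, `TableWithColumns`, `DataCellsFilter`), validates the principal identifier formats the page describes, and rejects the two combinations the page says are unsupported: the grant option for an IAM principal from an external account, and exclude-column lists for an external account or organization. `GRANTOR_ACCOUNT`, the function names, and the `ColumnWildcard`/`ExcludedColumnNames` exclude form (a Lake Formation API field not shown on this page) are assumptions.

```python
"""Pre-flight builder for Lake Formation grant-permissions request bodies.

Added example, not AWS code. GRANTOR_ACCOUNT and the function names are constructed.
"""
import json
import re
from typing import Iterable, Optional

GRANTOR_ACCOUNT = "111122223333"  # constructed sample: the account issuing the grant

# Principal identifier shapes described on this page.
IAM_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(?:user|role)/.+$")
ACCOUNT_ID = re.compile(r"^(\d{12})$")
ALL_IAM_PRINCIPALS = re.compile(r"^(\d{12}):IAMPrincipals$")
ORG_ARN = re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$")
ORG_ID = re.compile(r"^o-[a-z0-9]{10,32}$")                # "o-" + 10-32 lowercase letters/digits
OU_ID = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")  # "ou-" + root id + "-" + 8-32 chars


def principal_account(principal: str) -> Optional[str]:
    """Account an IAM or account-scoped principal belongs to; None for org/OU identifiers."""
    for pattern in (IAM_ARN, ACCOUNT_ID, ALL_IAM_PRINCIPALS):
        match = pattern.match(principal)
        if match:
            return match.group(1)
    if ORG_ARN.match(principal) or ORG_ID.match(principal) or OU_ID.match(principal):
        return None
    raise ValueError(f"unrecognised principal identifier: {principal}")


def is_external(principal: str) -> bool:
    """True when the grant crosses the grantor's account boundary (org/OU grants always do)."""
    return principal_account(principal) != GRANTOR_ACCOUNT


# Named-resource structures, shaped as the CLI examples on this page show them.
def catalog_resource() -> dict:
    return {"Catalog": {}}  # the Data Catalog itself, e.g. for CREATE_DATABASE


def database_resource(name: str, catalog_id: Optional[str] = None) -> dict:
    db = {"Name": name}
    if catalog_id:
        db["CatalogId"] = catalog_id  # needed when the database lives in another account
    return {"Database": db}


def table_resource(database: str, table: Optional[str] = None) -> dict:
    """A single table, or all tables in the database when `table` is None."""
    if table is None:
        return {"Table": {"DatabaseName": database, "TableWildcard": {}}}
    return {"Table": {"DatabaseName": database, "Name": table}}


def columns_resource(database: str, table: str, include: Iterable[str] = (),
                     exclude: Iterable[str] = ()) -> dict:
    """Simple column filtering: an include list, or an exclude list via ColumnWildcard
    (the exclude form is the Lake Formation API field, not shown on this page)."""
    include, exclude = list(include), list(exclude)
    if bool(include) == bool(exclude):
        raise ValueError("specify exactly one of include or exclude")
    twc = {"DatabaseName": database, "Name": table}
    if include:
        twc["ColumnNames"] = include
    else:
        twc["ColumnWildcard"] = {"ExcludedColumnNames": exclude}
    return {"TableWithColumns": twc}


def data_cells_filter_resource(catalog_id: str, database: str, table: str, name: str) -> dict:
    return {"DataCellsFilter": {"TableCatalogId": catalog_id, "DatabaseName": database,
                                "TableName": table, "Name": name}}


def build_grant(principal: str, permissions: Iterable[str], resource: dict,
                grant_option: Iterable[str] = ()) -> dict:
    """Check the page's constraints and return the request body for --cli-input-json."""
    permissions, grant_option = list(permissions), list(grant_option)
    external = is_external(principal)
    # Page: grantable permissions are not supported for an IAM principal from another account.
    if external and grant_option and IAM_ARN.match(principal):
        raise ValueError("grant option is not supported for an external IAM principal")
    # Page: only include lists are supported for an external account or organization.
    if external and "ColumnWildcard" in resource.get("TableWithColumns", {}):
        raise ValueError("exclude-column lists are not supported for external grants")
    body = {"Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": resource, "Permissions": permissions}
    if grant_option:
        body["PermissionsWithGrantOption"] = grant_option
    return body


def grant_is_allowed(*args, **kwargs) -> bool:
    """Convenience predicate: does build_grant accept this combination?"""
    try:
        build_grant(*args, **kwargs)
        return True
    except ValueError:
        return False
```

Write the result with `json.dumps(build_grant(...), indent=4)` to a file and pass it as `--cli-input-json file://grant-params.json`; the body produced for the `restrict-pharma` case matches the `grant-params.json` shown above.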

------

**See also**  
[Overview of Lake Formation permissions](lf-permissions-overview.md)
[Data filtering and cell-level security in Lake Formation](data-filtering.md)
[Lake Formation personas and IAM permissions reference](permissions-reference.md)
 [Granting resource link permissions](granting-link-permissions.md)
 [Accessing and viewing shared Data Catalog tables and databases](viewing-shared-resources.md) 

# Granting permissions on views using the named resource method
<a name="granting-view-permissions"></a>

The following steps explain how to grant permissions on views by using the named resource method and the **Grant permissions** page. The page is divided into the following sections:
+  **Principal types** – The IAM users, roles, IAM Identity Center users and groups, AWS accounts, organizations, or organizational units to grant permissions. You can also grant permissions to principals with matching attributes.
+  **LF-Tags or catalog resources** – The databases, tables, views, or resource links to grant permissions on.
+  **Permissions** – The data lake permissions to grant.

## Open the **Grant permissions** page
<a name="view-start-grant"></a>

1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the database creator, or an IAM user who has **Grantable permissions** on the database.

1. Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Views** under **Data Catalog**. Then, on the **Views** page, choose a view, and from the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a view through its resource link. To do so, on the **Views** page, choose a resource link, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

## Specify the principal types
<a name="views-specify-principals"></a>

In the **Principal types** section, choose either **Principals** or **Principals by attributes**. If you choose **Principals**, the following options are available:

**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.

**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list.

**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported only for Quick Enterprise Edition.

**External accounts**  
For **AWS account**, **AWS organization**, or **IAM Principal**, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or ARNs of IAM users or roles. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lower-case letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.  
**See Also**  
+  [Accessing and viewing shared Data Catalog tables and databases](viewing-shared-resources.md) 

**Principals by attributes**  
Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an OR operator: if any of the attribute tag values assigned to an IAM role or user matches, that role or user gains the granted permissions on the resource.  
Choose the permission scope by specifying whether you are granting permissions to principals with matching attributes in the same account or in another account.

## Specify the views
<a name="view-specify-resources"></a>

In the **LF-Tags or catalog resources** section, choose one or more views to grant permissions on.

1. Choose **Named data catalog resources**.

1. Choose one or more views from the **Views** list. You can also choose one or more catalogs, databases, tables, and/or data filters.

   Granting data lake permissions on `All tables` within a database results in the grantee having permissions on all tables and views within that database.

## Specify the permissions
<a name="view-specify-permissions"></a>

In the **Permissions** section, select permissions and grantable permissions.

![\[The Permissions section has a group of check boxes for view permissions to grant. Check boxes include Select, Describe, Drop, and Super. Below that group is another group of the same check boxes for grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/view-permissions.png)


1. Under **View permissions**, select one or more permissions to grant.

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account. This option is not supported when you are granting permissions to an IAM principal from an external account. 

1. Choose **Grant**.
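
The console steps above map directly onto the `grant-permissions` API, and the same grant can be scripted. The following is an added example, not code from this guide or from AWS: it validates the identifiers the **External accounts** field accepts (12-digit account ID, `o-` organization ID, `ou-` organizational unit ID, or an IAM user/role ARN, using the formats described under **Specify the principal types**), rejects grantable permissions for an IAM principal from another account (the restriction stated under **Specify the permissions**), and builds the JSON you would pass to `aws lakeformation grant-permissions --cli-input-json`. It addresses the view as a `Table` resource, because a Data Catalog view is catalogued as a table; the view name `orders_summary`, the `analyst` role and the account `444455556666` are constructed for the example. If you pass a boto3 `lakeformation` client to `apply_grant`, it calls `grant_permissions`; with no client it only returns the JSON, so the block runs offline.

```python
"""Build and validate the input for `aws lakeformation grant-permissions`
when granting on a Data Catalog view by the named resource method.
Example code added to this page; not part of AWS documentation."""
import json
import re

# Permissions that apply to a view (the check boxes on the Grant page).
VIEW_PERMISSIONS = {"SELECT", "DESCRIBE", "DROP", "ALL"}

# Identifier shapes accepted in the "External accounts" field.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:user|role)/.+$")


def classify_principal(identifier):
    """Return 'account', 'organization', 'ou' or 'iam' for a well-formed
    principal identifier; raise ValueError for anything else."""
    if ACCOUNT_ID_RE.match(identifier):
        return "account"
    if ORG_ID_RE.match(identifier):
        return "organization"
    if OU_ID_RE.match(identifier):
        return "ou"
    if IAM_ARN_RE.match(identifier):
        return "iam"
    raise ValueError(f"not a valid Lake Formation principal: {identifier!r}")


def principal_account(identifier):
    """Account that owns an IAM principal ARN (None for non-ARN identifiers)."""
    m = IAM_ARN_RE.match(identifier)
    return m.group(1) if m else None


def build_view_grant(principal, catalog_id, database, view_name,
                     permissions, grantable=()):
    """Return the grant-permissions input for a view in `database`.

    Checks: permissions are valid for a view, grantable permissions are a
    subset of the granted ones, and no grant option is given to an IAM
    principal whose account differs from the catalog owner."""
    kind = classify_principal(principal)
    perms = {p.upper() for p in permissions}
    unknown = perms - VIEW_PERMISSIONS
    if unknown:
        raise ValueError(f"not view permissions: {sorted(unknown)}")
    grant = {p.upper() for p in grantable}
    if grant - perms:
        raise ValueError("grantable permissions must be a subset of permissions")
    if grant and kind == "iam" and principal_account(principal) != catalog_id:
        raise ValueError("grant option is not supported for an IAM principal "
                         "from an external account")
    params = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        # A Data Catalog view is a table in the catalog, so it is a Table resource.
        "Resource": {"Table": {"CatalogId": catalog_id,
                               "DatabaseName": database,
                               "Name": view_name}},
        "Permissions": sorted(perms),
    }
    if grant:
        params["PermissionsWithGrantOption"] = sorted(grant)
    return params


def to_cli_json(params):
    """Serialize for `--cli-input-json file://grant-params.json`."""
    return json.dumps(params, indent=4)


def apply_grant(params, client=None):
    """Call the API with a boto3 lakeformation client, or return the JSON
    when no client is given (dry run)."""
    if client is None:
        return to_cli_json(params)
    return client.grant_permissions(**params)  # boto3 LakeFormation.grant_permissions


if __name__ == "__main__":
    # Same-account user from the page's CLI example; view name is assumed.
    params = build_view_grant(
        "arn:aws:iam::111122223333:user/datalake_user1",
        "111122223333", "sales", "orders_summary",
        ["SELECT", "DESCRIBE"], grantable=["SELECT"])
    print(apply_grant(params))
```

Write the returned JSON to `grant-params.json` and run `aws lakeformation grant-permissions --cli-input-json file://grant-params.json`; to grant on a view shared from another account, pass the owning account as `catalog_id` and omit `grantable`, which the check above enforces.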

**See Also**  
[Lake Formation permissions reference](lf-permissions-reference.md)
[Granting permissions on a database or table shared with your account](regranting-shared-resources.md)