

# Granting permissions on Data Catalog resources
<a name="granting-catalog-permissions"></a>

You can grant **Data permissions** to principals in AWS Lake Formation so that the principals can create and manage Data Catalog resources, and can access underlying data. You can grant **Data lake permissions** on catalogs, databases, tables, and views. When you grant permissions on tables, you can limit access to specific table columns or rows for even more fine-grained access control.

You can grant permissions on individual catalogs, databases, tables, and views, or, with a single grant operation, you can grant permissions on all databases, tables, and views in a catalog or a database. If you grant permissions on all tables in a database to IAM principals, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation. The same principle applies at the catalog level: when you receive permissions on databases within a catalog, you also receive `DESCRIBE` permission on that catalog.

**Important**  
The implicit `DESCRIBE` permission applies only when granting permissions to IAM principals within the same AWS account. For cross-account resources, you must explicitly grant `DESCRIBE` permissions. The automatic `DESCRIBE` permission grant doesn't apply when using attribute-based access control (ABAC). When granting permissions on all tables in a database using attributes, Lake Formation doesn't implicitly grant `DESCRIBE` permission to the database.

You can grant permissions by using either the named resource method or the Lake Formation tag-based access control (LF-TBAC) method.

You can grant permissions to principals in the same AWS account or to external accounts or organizations. When you grant to external accounts or organizations, you are sharing Data Catalog objects that you own with those accounts or organizations. Principals in those accounts or organizations can then access Data Catalog objects that you own and the underlying data.

**Note**  
Currently, the LF-TBAC method supports granting cross-account permissions to IAM principals, AWS accounts, organizations, and organizational units (OUs).

When you grant permissions to external accounts or organizations, you must include the grant option. Only the data lake administrator in the external account can access the shared objects until the administrator grants permissions on the shared objects to other principals in the external account.

You can grant Data Catalog permissions by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

**Note**  
When you delete a Data Catalog object, all permissions that are associated with the object become invalid. Recreating a resource with the same name does not restore the Lake Formation permissions; users must set up new permissions again.

**See also:**  
 [Sharing Data Catalog tables and databases across AWS Accounts](sharing-catalog-resources.md) 
 [Metadata access control](access-control-metadata.md) 
 [Lake Formation permissions reference](lf-permissions-reference.md) 

# IAM permissions required to grant or revoke Lake Formation permissions
<a name="required-permissions-for-grant"></a>

All principals, including the data lake administrator, need the following AWS Identity and Access Management (IAM) permissions to grant or revoke AWS Lake Formation Data Catalog permissions or data location permissions with the Lake Formation API or the AWS CLI:
+ `lakeformation:GrantPermissions`
+ `lakeformation:BatchGrantPermissions`
+ `lakeformation:RevokePermissions`
+ `lakeformation:BatchRevokePermissions`
+ `glue:GetTable`, `glue:GetDatabase`, or `glue:GetCatalog` for the table, database, or catalog on which you're granting permissions using the named resource method.

**Note**  
Data lake administrators have implicit Lake Formation permissions to grant and revoke Lake Formation permissions. But they still need the IAM permissions on the Lake Formation grant and revoke API operations.  
IAM roles with the `AWSLakeFormationDataAdmin` AWS managed policy cannot add new data lake administrators, because this policy contains an explicit deny for the Lake Formation API operation `PutDataLakeSettings`. 

The following IAM policy is recommended for principals who are not data lake administrators and who want to grant or revoke permissions using the Lake Formation console.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:ListPermissions",
                "lakeformation:GrantPermissions",
                "lakeformation:BatchGrantPermissions",
                "lakeformation:RevokePermissions",
                "lakeformation:BatchRevokePermissions",
                "glue:GetCatalogs",
                "glue:GetDatabases",
                "glue:SearchTables",
                "glue:GetTables",
                "glue:GetCatalog",
                "glue:GetDatabase",
                "glue:GetTable",
                "iam:ListUsers",
                "iam:ListRoles",
                "sso-directory:DescribeUser",
                "sso-directory:DescribeGroup",
                "sso:DescribeInstance"
            ],
            "Resource": "*"
        }
    ]
}
```

------

All of the `glue:` and `iam:` permissions in this policy are available in the AWS managed policy `AWSGlueConsoleFullAccess`.

To grant permissions by using Lake Formation tag-based access control (LF-TBAC), principals need additional IAM permissions. For more information, see [Lake Formation tag-based access control best practices and considerations](lf-tag-considerations.md) and [Lake Formation personas and IAM permissions reference](permissions-reference.md).

**Cross-account permissions**  
Users who want to grant cross-account Lake Formation permissions by using the named resource method must also have the permissions in the `AWSLakeFormationCrossAccountManager` AWS managed policy.

Data lake administrators need those same permissions for granting cross-account permissions, plus the AWS Resource Access Manager (AWS RAM) permission to enable granting permissions to organizations. For more information, see [Data lake administrator permissions](permissions-reference.md#persona-dl-admin).

**The administrative user**  
A principal with administrative permissions—for example, with the `AdministratorAccess` AWS managed policy—has permissions to grant Lake Formation permissions and to create data lake administrators. To deny a user or role access to Lake Formation administrator operations, attach a policy to it, or add a statement to its existing policy, that contains a `Deny` for the administrator API operations.

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lakeformation:GetDataLakeSettings",
                "lakeformation:PutDataLakeSettings"
            ],
            "Effect": "Deny",
            "Resource": [
                "*"
            ]
        }
    ]
}
```

------

**Important**  
To prevent users from adding themselves as an administrator with an extract, transform, and load (ETL) script, make sure that all non-administrator users and roles are denied access to these API operations. The `AWSLakeFormationDataAdmin` AWS managed policy contains an explicit deny for the Lake Formation API operation `PutDataLakeSettings`, which prevents users from adding new data lake administrators.
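The deny statement above only protects a principal if it is actually present, unconditional, and covers the two administrator operations. The following is an added example (not part of this guide or of any AWS tool) that checks a set of IAM policy documents for exactly that: it treats `Action`/`NotAction` and `Resource`/`NotResource` with IAM's `*` and `?` wildcard matching, ignores denies that carry a `Condition` (those apply only when the condition holds, so they are not a guarantee), and reports, per administrator action, whether any supplied document explicitly denies it. The two policy documents are constructed copies of the policies shown on this page; `audit_admin_denies` and `explicitly_denies` are names chosen for this example.

```python
import fnmatch

# The administrator API operations this page says non-administrators should be denied.
ADMIN_ACTIONS = ("lakeformation:GetDataLakeSettings", "lakeformation:PutDataLakeSettings")

# Constructed copy of the page's recommended deny statement.
DENY_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["lakeformation:GetDataLakeSettings", "lakeformation:PutDataLakeSettings"],
            "Effect": "Deny",
            "Resource": ["*"],
        }
    ],
}

# Constructed: a policy that allows granting permissions but says nothing about the
# administrator operations, so an Allow attached elsewhere could still enable them.
GRANT_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["lakeformation:ListPermissions", "lakeformation:GrantPermissions"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action, NotAction, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    """IAM-style matching with '*' and '?' wildcards; actions compare case-insensitively."""
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def explicitly_denies(policy, action, resource="*"):
    """True if the policy document holds an unconditional Deny covering action on resource."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "Condition" in stmt:
            continue  # Allows never block; conditional denies give no guarantee
        if "NotAction" in stmt:
            action_hit = not _matches(_as_list(stmt["NotAction"]), action, fold_case=True)
        else:
            action_hit = _matches(_as_list(stmt.get("Action")), action, fold_case=True)
        if not action_hit:
            continue
        if "NotResource" in stmt:
            resource_hit = not _matches(_as_list(stmt["NotResource"]), resource)
        else:
            resource_hit = _matches(_as_list(stmt.get("Resource")), resource)
        if resource_hit:
            return True
    return False


def audit_admin_denies(policies):
    """Map each administrator action to whether at least one of the documents
    (for example, every policy attached to a role) explicitly denies it."""
    return {a: any(explicitly_denies(p, a) for p in policies) for a in ADMIN_ACTIONS}


if __name__ == "__main__":
    print(audit_admin_denies([GRANT_ONLY_POLICY]))                     # both False
    print(audit_admin_denies([GRANT_ONLY_POLICY, DENY_ADMIN_POLICY]))  # both True
```

Feed it every document attached to a role (inline and managed) to answer "is this role locked out of `PutDataLakeSettings`?"; a single document on its own says nothing about what other attached policies allow.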

# Granting data permissions using the named resource method
<a name="granting-cat-perms-named-resource"></a>

The named Data Catalog resource method is a way of granting permissions to AWS Glue Data Catalog objects, such as catalogs, databases, tables, columns, and views, using a centralized approach. It allows you to define resource-based policies that control access to specific resources within your data lake.

When you use the named resource method to grant permissions, you can specify the resource type and the permissions that you want to grant or revoke for that resource. You can also revoke the permission later if needed, thereby removing the permissions from the associated resources. 

You can grant permissions by using the AWS Lake Formation console, APIs, or the AWS Command Line Interface (AWS CLI).

**Topics**
+ [Granting catalog permissions using the named resource method](granting-multi-catalog-permissions.md)
+ [Granting database permissions using the named resource method](granting-database-permissions.md)
+ [Granting table permissions using the named resource method](granting-table-permissions.md)
+ [Granting permissions on views using the named resource method](granting-view-permissions.md)

# Granting catalog permissions using the named resource method
<a name="granting-multi-catalog-permissions"></a>

The following steps explain how to grant catalog permissions by using the named resource method.

------
#### [ Console ]

Use the **Grant permissions** page on the Lake Formation console. The page is divided into the following sections:
+ **Principal type** – You can grant permissions to specific principals or use attribute tags.
  + **Principals** – The IAM users, roles, IAM Identity Center users and groups, SAML users and groups, AWS accounts, organizations, or organizational units to grant permissions to.
  + **Principals by attributes** – Add tag key-value pairs from IAM roles or IAM session tags. Principals with matching attributes receive access to the specified resource.
+ **LF-Tags or catalog resources** – The catalogs, databases, tables, views, or resource links to grant permissions on.
+ **Permissions** – The Lake Formation permissions to grant.

**Note**  
To grant permissions on a database resource link, see [Granting resource link permissions](granting-link-permissions.md).

1. Open the **Grant permissions** page.

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the catalog creator, or an IAM user who has **Grantable permissions** on the catalog.

   Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Catalogs** under **Data Catalog**. Then, on the **Catalogs** page, choose a catalog, and from the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a catalog through its resource link. To do so, on the **Catalogs** page, choose a catalog link container, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

1. Next, in the **Principal type** section, choose principals or specify attributes attached to the principals.  
![\[The principal type section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Principals and Principals by attributes.Below the title are the principals.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-catalog-principal-type.png)

****Specify principals****  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list. Select **Add** to add more users or groups.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported only for Quick Enterprise Edition.  
**External accounts**  
For **AWS account, AWS organization**, or **IAM Principal** enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or ARN for the IAM user or role. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.

****Principals by attributes****  
**Attributes**  
Add the IAM tag key-value pairs from the IAM role.   
**Permission scope**  
Specify if you're granting permissions to principals with matching attributes in the same account or in another account.

1. In the **LF-Tags or catalog resources** section, choose **Named data catalog resources**.  
![\[The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags, and Named data catalog resources. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-resources-catalog.png)

1. Choose one or more catalogs from the **Catalogs** list. You can also choose one or more **Databases**, **Tables**, and/or **Data filters**.

1. In the **Catalog permissions** section, select permissions and grantable permissions. Under **Catalog permissions**, select one or more permissions to grant.  
![\[The Permissions section the catalog permissions tile. Below the tiles is a group of check boxes for catalog permissions to grant. Check boxes include Super user, Create catalog, Create database, Alter, Drop, Describe, and Super. Below that group is another group of the same check boxes for grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-catalog-permissions-section.png)

   Choose **Super user** to grant unrestricted administrative privileges to perform any operation on all resources within the catalog (databases, tables, and views).
**Note**  
After granting `Create database` or `Alter` on a catalog that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account. This option is not supported when you are granting permissions to an IAM principal from an external account. 

1. Choose **Grant**.

   The **Data permissions** page shows the permission details. If you used the **Principals by attributes** option to grant permissions, the grant appears in the list under `ALLPrincipals`.

------
#### [ AWS CLI ]

For granting catalog permissions using AWS CLI, see [Creating Amazon Redshift federated catalogs](create-ns-catalog.md).

------

# Granting database permissions using the named resource method
<a name="granting-database-permissions"></a>

The following steps explain how to grant database permissions by using the named resource method.

------
#### [ Console ]

Use the **Grant permissions** page on the Lake Formation console. The page is divided into the following sections:
+  **Principal type** – The **Principals** section includes the IAM users, roles, IAM Identity Center users and groups, SAML users and groups, AWS accounts, organizations, or organizational units to grant permissions to. In the **Principals by attributes** section, you can specify the key and values of the attributes attached to the IAM roles. 
+  **LF-Tags or catalog resources** – The databases, tables, views, or resource links to grant permissions on.
+  **Permissions** – The Lake Formation permissions to grant.

**Note**  
To grant permissions on a database resource link, see [Granting resource link permissions](granting-link-permissions.md).

1. Open the **Grant permissions** page.

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the database creator, or an IAM user who has **Grantable permissions** on the database.

   Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Databases** under **Data Catalog**. Then, on the **Databases** page, choose a database, and from the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a database through its resource link. To do so, on the **Databases** page, choose a resource link, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

1. In the **Principal type** section, specify principals or grant permissions to principals using attributes.  
![\[The Principals section contains four tiles. Each tile contains an option button and text.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/identity-center-grant-perm.png)  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list. Select **Add** to add more users or groups.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported only for Quick Enterprise Edition.  
**External accounts**  
For **AWS account, AWS organization**, or **IAM Principal** enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or ARN for the IAM user or role. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.  
**Principals by attributes**  
Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an OR operator. This means that if any of the attribute tag values assigned to an IAM role or user match, the role/user gains access permissions on the resource.  
Choose the permission scope by specifying if you're granting permissions to principals with matching attributes in the same account or in another account. 

1. In the **LF-Tags or catalog resources** section, choose **Named data catalog resources**.  
![\[The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags, and Named data catalog resources. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-resources-section-2.png)

1. Choose one or more databases from the **Database** list. You can also choose one or more **Tables** and/or **Data filters**.

1. In the **Permissions** section, select permissions and grantable permissions. Under **Database permissions**, select one or more permissions to grant.  
![\[The Permissions section contains two tiles, arranged horizontally. Each tile contains an option button and text. The Database permissions tile is selected. The other tile, Column-based permissions, is disabled, because it relates to table permissions. Below the tiles is a group of check boxes for database permissions to grant. Check boxes include Create Table, Alter, Drop, Describe, and Super. Below that group is another group of the same check boxes for grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-db-permissions-section.png)
**Note**  
After granting `Create Table` or `Alter` on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account. This option is not supported when you are granting permissions to an IAM principal from an external account. 

1. Choose **Grant**.

------
#### [ AWS CLI ]

You can grant database permissions by using the named resource method and the AWS Command Line Interface (AWS CLI).

**To grant database permissions using the AWS CLI**
+ Run a `grant-permissions` command, and specify a database or the Data Catalog as the resource, depending on the permission being granted.

  In the following examples, replace *<account-id>* with a valid AWS account ID.  
**Example – Grant to create a database**  

  This example grants `CREATE_DATABASE` to user `datalake_user1`. Because the resource on which this permission is granted is the Data Catalog, the command specifies an empty `CatalogResource` structure as the `resource` parameter.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_DATABASE" --resource '{ "Catalog": {}}'
  ```  
**Example – Grant to create tables in a designated database**  

  The next example grants `CREATE_TABLE` on the database `retail` to user `datalake_user1`.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::<account-id>:user/datalake_user1 --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'
  ```  
**Example – Grant to an external AWS account with the Grant option**  

  The next example grants `CREATE_TABLE` with the grant option on the database `retail` to external account 1111-2222-3333.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "CREATE_TABLE" --permissions-with-grant-option "CREATE_TABLE" --resource '{ "Database": {"Name":"retail"}}'
  ```  
**Example – Grant to an organization**  

  The next example grants `ALTER` with the grant option on the database `issues` to the organization `o-abcdefghijkl`.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:organizations::111122223333:organization/o-abcdefghijkl --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "Database": {"Name":"issues"}}'
  ```  
**Example - Grant to `ALLIAMPrincipals` in the same account**  

  The next example grants `CREATE_TABLE` permission on the database `retail` to all principals in the same account. This option enables every principal in the account to create a table in the database and to create a table resource link, which allows integrated query engines to access shared databases and tables. This option is especially useful when a principal receives a cross-account grant but does not have the permission to create resource links. In this scenario, the data lake administrator can create a placeholder database and grant `CREATE_TABLE` permission to the `ALLIAMPrincipals` group, enabling every IAM principal in the account to create resource links in the placeholder database.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"temp","CatalogId":"111122223333"}}'
  ```  
**Example - Grant to `ALLIAMPrincipals` in an external account**  

  The next example grants `CREATE_TABLE` on the database `retail` to all principals in an external account. This option enables every principal in the account to create a table in the database.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333:IAMPrincipals --permissions "CREATE_TABLE" --resource '{ "Database": {"Name":"retail","CatalogId":"123456789012"}}'
  ```

**Note**  
After granting `CREATE_TABLE` or `ALTER` on a database that has a location property that points to a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).
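The CLI examples above are easy to get subtly wrong in scripts: a cross-account grant to an account or organization without `--permissions-with-grant-option` leaves the receiving data lake administrator unable to re-grant (this page states that the grant option is required there), while grantable permissions to an IAM principal in an external account are not supported, and a malformed organization or OU ID fails only at call time. The following is an added example (not part of this guide or of the AWS CLI) that builds the `aws lakeformation grant-permissions` command line from these pieces and applies those two rules before anything is executed. The identifier regexes are written from the ID formats this page describes for the **External accounts** field; the function names `classify_principal`, `check_grant`, `build_grant_command` and `run_grant` and the account numbers are constructed for this example. `run_grant` only prints the command unless you pass `dry_run=False`, which requires the AWS CLI and credentials for the owning account.

```python
import json
import re
import shlex
import subprocess

# Identifier formats, as regexes written from the formats this page describes
# (constructed for this example; not taken from an AWS SDK).
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_ID_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:user|role)/.+$")
ORG_ARN_RE = re.compile(r"^arn:aws:organizations::\d{12}:organization/o-[a-z0-9]{10,32}$")
ALL_IAM_RE = re.compile(r"^(\d{12}):IAMPrincipals$")


def classify_principal(identifier):
    """Return (kind, account_id) for a DataLakePrincipalIdentifier value.

    account_id is the account the principal belongs to, or None for organizations
    and organizational units, which span accounts.
    """
    if ACCOUNT_ID_RE.match(identifier):
        return "account", identifier
    if ORG_ID_RE.match(identifier) or ORG_ARN_RE.match(identifier):
        return "organization", None
    if OU_ID_RE.match(identifier):
        return "organizational_unit", None
    m = IAM_ARN_RE.match(identifier)
    if m:
        return "iam", m.group(1)
    m = ALL_IAM_RE.match(identifier)
    if m:
        return "all_iam_principals", m.group(1)
    raise ValueError(f"unrecognized principal identifier: {identifier!r}")


def check_grant(local_account, principal, permissions, grant_option=()):
    """Return None if the grant follows the rules stated on this page,
    otherwise a string saying why it would be rejected."""
    if not permissions:
        return "at least one permission is required"
    kind, principal_account = classify_principal(principal)
    cross_account = principal_account is None or principal_account != local_account
    if not cross_account:
        return None
    if kind == "iam" and grant_option:
        return "grantable permissions are not supported for an IAM principal in an external account"
    if kind in ("account", "organization", "organizational_unit") and not grant_option:
        return "grants to external accounts or organizations must include the grant option"
    return None


def build_grant_command(local_account, principal, resource, permissions, grant_option=()):
    """Build the argv for `aws lakeformation grant-permissions` after checking the grant."""
    problem = check_grant(local_account, principal, permissions, grant_option)
    if problem:
        raise ValueError(problem)
    argv = [
        "aws", "lakeformation", "grant-permissions",
        "--principal", f"DataLakePrincipalIdentifier={principal}",
        "--permissions", *permissions,          # CLI list syntax: one token per value
        "--resource", json.dumps(resource),
    ]
    if grant_option:
        argv += ["--permissions-with-grant-option", *grant_option]
    return argv


def run_grant(argv, dry_run=True):
    """Print the command as a shell line; execute it only when dry_run is False."""
    line = shlex.join(argv)
    if dry_run:
        print("DRY RUN:", line)
        return line
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed sample: this page's "grant to an organization" example, owner 111122223333.
    cmd = build_grant_command(
        "111122223333",
        "arn:aws:organizations::111122223333:organization/o-abcdefghijkl",
        {"Database": {"Name": "issues"}},
        ["ALTER"],
        grant_option=["ALTER"],
    )
    run_grant(cmd)
```

`check_grant` deliberately leaves `ALLIAMPrincipals` in an external account alone, matching the last CLI example above, which carries no grant option; extend the rules only with behaviour you have confirmed against the permissions reference.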

------

**See also**  
 [Lake Formation permissions reference](lf-permissions-reference.md) 
 [Granting permissions on a database or table shared with your account](regranting-shared-resources.md) 
 [Accessing and viewing shared Data Catalog tables and databases](viewing-shared-resources.md) 

# Granting table permissions using the named resource method
<a name="granting-table-permissions"></a>

You can use the Lake Formation console or AWS CLI to grant Lake Formation permissions on Data Catalog tables. You can grant permissions on individual tables, or with a single grant operation, you can grant permissions on all tables in a database. 

If you grant permissions on all tables in a database, you are implicitly granting the `DESCRIBE` permission on the database. The database then appears on the **Databases** page on the console, and is returned by the `GetDatabases` API operation. This automatic `DESCRIBE` permission grant doesn't apply when using attribute-based access control (ABAC). When granting permissions on all tables in a database using attributes, Lake Formation doesn't implicitly grant `DESCRIBE` permission to the database.

When you choose `SELECT` as the permission to grant, you have the option to apply a column filter, row filter, or cell filter.

------
#### [ Console ]

The following steps explain how to grant table permissions by using the named resource method and the **Grant data lake permissions** page on the Lake Formation console. The page is divided into these sections:
+  **Principal types** – The users, roles, AWS accounts, organizations, or organizational units to grant permissions to. You can also grant permissions to principals with matching attributes.
+  **LF-Tags or catalog resources** – The databases, tables, or resource links to grant permissions on.
+  **Permissions** – The Lake Formation permissions to grant.

**Note**  
To grant permissions on a table resource link, see [Granting resource link permissions](granting-link-permissions.md).

1. Open the Grant permissions page.

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the table creator, or a user who has been granted permissions on the table with the grant option.

   Do one of the following:
   + In the navigation pane, choose **Data permissions** under **Permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Tables**. Then, on the **Tables** page, choose a table, and on the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a table through its resource link. To do so, on the **Tables** page, choose a resource link, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

1. Next, in the **Principal types** section, specify the principals, or the principals with matching attributes, to grant permissions to.  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported for Quick Enterprise Edition only.  
**External accounts**  
For **AWS account, AWS organization**, or **IAM Principal** enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or the ARN for the IAM user or role. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID starts with "ou-" followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" character and 8 to 32 additional lowercase letters or digits.  
**Principals by attributes**  
Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an OR operator. This means that if any of the attribute tag values assigned to an IAM role or user match, the role/user gains access permissions on the resource.  
Choose the permission scope by specifying if you're granting permissions to principals with matching attributes in the same account or in another account. 

1. In the **LF-Tags or catalog resources** section, choose a database. Then choose one or more tables, or **All tables**.  
![\[The LF-Tags or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags, and Named data catalog resources. Named data catalog resources is selected. Below the tiles are two dropdown lists: Database and Table. The Database dropdown list has a tile beneath it containing the selected database name. The Table dropdown list has a tile beneath it containing the selected table name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-target-resources-tables-section-2.png)

1. 

**Specify the permissions with no data filtering.**

   In the **Permissions** section, select the table permissions to grant, and optionally select grantable permissions.  
![\[The Table and column permissions section has two subsections: Table permissions and Grantable permissions. Each subsection has a check box for each possible Lake Formation permission: Alter, Insert, Drop, Delete, Select, Describe, and Super. The Super permission is set off to the right of the other permissions, and has a description: "This permission allows the principal to grant any of the permissions to the left, and supersedes those grantable permissions."\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-table-permissions-section-no-filter.png)

   If you grant **Select**, the **Data permissions** section appears beneath the **Table and column permissions** section, with the **All data access** option selected by default. Accept the default.  
![\[The section contains three tiles, arranged horizontally, each with an option button and a description. The option buttons are: All data access (selected), Simple column-based access, and Advanced cell-level filters.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-select-all-data-access.png)

1. Choose **Grant**.

1. 

**Specify the Select permission with data filtering**

   Select the **Select** permission. Don't select any other permissions.

   The **Data permissions** section appears beneath the **Table and column permissions** section.

1. Do one of the following:
   + Apply simple column filtering only.

     1. Choose **Simple column-based access**.  
![\[The top section is the Table and column permissions section. It is described in the preceding screenshot. It contains check boxes for table permissions and grantable permissions. The bottom section, Data permissions, has three tiles arranged horizontally, where each tile has an option button and description. The options are All data access, Simple column-based access, and Advanced cell-level filters. The Simple column-based access option is selected. Beneath the tiles is an option button group with the label Choose permission filter. The options are Include columns and Exclude columns. Beneath the option group is a Select columns dropdown list, and beneath that is a Grantable permissions subsection, which contains a single check box labeled Select.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-table-permissions-section-column-filter.png)

     1. Choose whether to include or exclude columns, and then choose the columns to include or exclude.

        Only include lists are supported when granting permissions to an external AWS account or organization.

     1. (Optional) Under **Grantable permissions**, turn on the grant option for the Select permission.

         If you include the grant option, the grant recipient can grant permissions only on the columns that you grant to them.
**Note**  
You can also apply column filtering only by creating a data filter that specifies a column filter and specifies all rows as the row filter. However, this requires more steps.
   + Apply column, row, or cell filtering.

     1. Choose **Advanced cell-level filters**.  
![\[This section, titled Data permissions, is beneath the Table permissions section. It has three tiles arranged horizontally, where each tile has an option button and description. The options are All data access, Simple column-based access, and Advanced cell-level filters. The Advanced cell-level filters option is selected. Beneath the tiles is the label View existing permissions with an exposure triangle to the left. The existing permissions are not exposed. Below that is a section entitled Data filters to grant. To the right of the title are three buttons: Refresh, Manage filters, and Create new filter. Below the title and buttons is a text field with the placeholder text "Find filter". Below that is a table of existing filters. Each row has a check box at the left. The column headings are Filter name, Table, Database, and Table catalog ID. There are two rows. The filter name in the first row is restrict-pharma. The name in the second row is no-pharma.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-table-permissions-section-cell-filter.png)

     1. (Optional) Expand **View existing permissions**.

     1. (Optional) Choose **Create new filter**.

     1. (Optional) To view details for the listed filters, or to create new or delete existing filters, choose **Manage filters**.

        The **Data filters** page opens in a new browser window.

        When you are finished on the **Data filters** page, return to the **Grant permissions** page, and if necessary, refresh the page to view any new data filters that you created.

     1. Select one or more data filters to apply to the grant.
**Note**  
If there are no data filters in the list, it means that no data filters were created for the selected table.

1. Choose **Grant**.

------
#### [ AWS CLI ]

You can grant table permissions by using the named resource method and the AWS Command Line Interface (AWS CLI).

**To grant table permissions using the AWS CLI**
+ Run a `grant-permissions` command, and specify a table as the resource.

**Example – Grant on a single table - no filtering**  
The following example grants `SELECT` and `ALTER` to user `datalake_user1` in AWS account 1111-2222-3333 on the table `inventory` in the database `retail`.  

```
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" "ALTER" --resource '{ "Table": {"DatabaseName":"retail", "Name":"inventory"}}'
```
If you grant the `ALTER` permission on a table that has its underlying data in a registered location, be sure to also grant data location permissions on the location to the principals. For more information, see [Granting data location permissions](granting-location-permissions.md).

**Example – Grant on All Tables with the Grant option - no filtering**  
The next example grants `SELECT` with the grant option on all tables in database `retail`.  

```
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --permissions-with-grant-option "SELECT" --resource '{ "Table": { "DatabaseName": "retail", "TableWildcard": {} } }'
```

<a name="simple-column-filter-example"></a>
**Example – Grant with simple column filtering**  
This next example grants `SELECT` on a subset of columns in the table `persons`. It uses simple column filtering.  

```
aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" --resource '{ "TableWithColumns": {"DatabaseName":"hr", "Name":"persons", "ColumnNames":["family_name", "given_name", "gender"]}}'
```

**Example – Grant with a data filter**  
This example grants `SELECT`, with the grant option, on the `orders` table in the database `sales`, and applies the `restrict-pharma` data filter. Because the grant references a data filter, the resource is a `DataCellsFilter` identified by catalog ID, database, table, and filter name rather than a plain `Table`.  

```
aws lakeformation grant-permissions --cli-input-json file://grant-params.json
```
The following are the contents of file `grant-params.json`.  

```
{
    "Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"},
    "Resource": {
        "DataCellsFilter": {
            "TableCatalogId": "111122223333",
            "DatabaseName": "sales",
            "TableName": "orders",
            "Name": "restrict-pharma"
        }
    },
    "Permissions": ["SELECT"],
    "PermissionsWithGrantOption": ["SELECT"]
}
```
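As an added example (not code from the AWS documentation or from the Lake Formation CLI), the following Python builds the `--cli-input-json` document for each of the resource shapes used in the commands above (`Table`, `TableWildcard`, `TableWithColumns`, `DataCellsFilter`) and refuses the combinations this page rules out: a column list or data filter granted with anything other than `SELECT`, and an exclude list for an external account or organization. The principal-identifier patterns are the example's own regular expressions, written from the identifier formats the console's **Grant permissions** page accepts (12-digit account ID, organization ID with an `o-` prefix, organizational unit ID with an `ou-` prefix, IAM user or role ARN). `build_grant`, `is_external`, `principal_kind` and `to_cli_input` are names this example introduces.

```python
"""Build and sanity-check Lake Formation grant-permissions request documents.

Added example, not AWS code. The constraints enforced here are the ones the
page states for the console and CLI; the regexes are this example's own.
"""
import json
import re

# Identifier shapes the Grant permissions page accepts (example's own regexes).
ACCOUNT_RE = re.compile(r"^\d{12}$")
ORG_RE = re.compile(r"^o-[a-z0-9]{10,32}$")
OU_RE = re.compile(r"^ou-[a-z0-9]{4,32}-[a-z0-9]{8,32}$")
IAM_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(?:user|role)/[\w+=,.@/-]+$")


def principal_kind(identifier):
    """Classify a DataLakePrincipalIdentifier; raise on an unknown shape."""
    if ACCOUNT_RE.match(identifier):
        return "account"
    if ORG_RE.match(identifier):
        return "organization"
    if OU_RE.match(identifier):
        return "organizational-unit"
    if IAM_ARN_RE.match(identifier):
        return "iam"
    raise ValueError(f"unrecognized principal identifier: {identifier!r}")


def is_external(identifier, owner_account):
    """True when the grant shares the resource outside the owning account."""
    kind = principal_kind(identifier)
    if kind == "iam":
        return IAM_ARN_RE.match(identifier).group(1) != owner_account
    if kind == "account":
        return identifier != owner_account
    return True  # organizations and OUs are always cross-account shares


def build_grant(principal, owner_account, database, permissions, table=None,
                columns=None, exclude_columns=False, data_filter=None,
                grant_option=()):
    """Return the request document for grant-permissions.

    Resource shape is chosen from the arguments: a data filter beats a
    column list, which beats a plain table, which beats the TableWildcard.
    """
    perms = set(permissions)
    external = is_external(principal, owner_account)
    if data_filter or columns:
        if table is None:
            raise ValueError("column and data-filter grants need a table name")
        if perms != {"SELECT"}:
            # The page: select Select and no other permission when filtering.
            raise ValueError("data filtering is granted with SELECT only")
    if data_filter:
        resource = {"DataCellsFilter": {
            "TableCatalogId": owner_account, "DatabaseName": database,
            "TableName": table, "Name": data_filter}}
    elif columns:
        if exclude_columns:
            if external:
                # The page: only include lists for external accounts/orgs.
                raise ValueError("exclude lists are not supported cross-account")
            cols = {"ColumnWildcard": {"ExcludedColumnNames": list(columns)}}
        else:
            cols = {"ColumnNames": list(columns)}
        resource = {"TableWithColumns": {"DatabaseName": database, "Name": table, **cols}}
    elif table:
        resource = {"Table": {"DatabaseName": database, "Name": table}}
    else:
        resource = {"Table": {"DatabaseName": database, "TableWildcard": {}}}
    doc = {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": resource,
        "Permissions": sorted(perms),
    }
    if grant_option:
        doc["PermissionsWithGrantOption"] = sorted(set(grant_option))
    return doc


def to_cli_input(doc):
    """Serialize for `aws lakeformation grant-permissions --cli-input-json file://...`."""
    return json.dumps(doc, indent=4)


if __name__ == "__main__":
    owner = "111122223333"
    user = f"arn:aws:iam::{owner}:user/datalake_user1"
    print(to_cli_input(build_grant(user, owner, "sales", ["SELECT"], table="orders",
                                   data_filter="restrict-pharma", grant_option=["SELECT"])))
```

Write the returned document to a file and pass it with `--cli-input-json`; the checks run before anything reaches the API, so a grant that the console would reject (an exclude list shared to another account, for instance) fails locally with a readable message.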

------

**See also**  
[Overview of Lake Formation permissions](lf-permissions-overview.md)
[Data filtering and cell-level security in Lake Formation](data-filtering.md)
[Lake Formation personas and IAM permissions reference](permissions-reference.md)
[Granting resource link permissions](granting-link-permissions.md)
[Accessing and viewing shared Data Catalog tables and databases](viewing-shared-resources.md)

# Granting permissions on views using the named resource method
<a name="granting-view-permissions"></a>

The following steps explain how to grant permissions on views by using the named resource method and the **Grant permissions** page. The page is divided into the following sections:
+  **Principal types** – The IAM users, roles, IAM Identity Center users and groups, AWS accounts, organizations, or organizational units to grant permissions. You can also grant permissions to principals with matching attributes.
+  **LF-Tags or catalog resources** – The databases, tables, views, or resource links to grant permissions on.
+  **Permissions** – The data lake permissions to grant.

## Open the **Grant permissions** page
<a name="view-start-grant"></a>

1. Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the database creator, or an IAM user who has **Grantable permissions** on the database.

1. Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Views** under **Data Catalog**. Then, on the **Views** page, choose a view, and from the **Actions** menu, under **Permissions**, choose **Grant**.
**Note**  
You can grant permissions on a view through its resource link. To do so, on the **Views** page, choose a resource link, and on the **Actions** menu, choose **Grant on target**. For more information, see [How resource links work in Lake Formation](resource-links-about.md).

## Specify the principal types
<a name="views-specify-principals"></a>

In the **Principal types** section, choose either **Principals** or **Principals by attributes**. If you choose **Principals**, the following options are available:

**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.

**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list.

**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Amazon Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported only for Quick Enterprise Edition.

**External accounts**  
For **AWS account, AWS organization**, or **IAM Principal**, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or ARNs of IAM users or roles. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10–32 lowercase letters or digits.  
An organizational unit ID consists of "ou-", followed by 4–32 lowercase letters or digits (the ID of the root that contains the OU), a second "-", and 8–32 additional lowercase letters or digits.  
**See Also**  
+  [Accessing and viewing shared Data Catalog tables and databases](viewing-shared-resources.md) 

**Principals by attributes**  
Specify the attribute key and value(s). If you choose more than one value, you create an attribute expression with an OR operator: if any of the attribute values assigned to an IAM role or user matches, that role or user gains the permissions on the resource.  
Choose the permission scope by specifying whether you're granting permissions to principals with matching attributes in the same account or in another account.

## Specify the views
<a name="view-specify-resources"></a>

In the **LF-Tags or catalog resources** section, choose one or more views to grant permissions on.

1. Choose **Named data catalog resources**.

1. Choose one or more views from the **Views** list. You can also choose one or more catalogs, databases, tables, and/or data filters.

   Granting data lake permissions to `All tables` within a database will result in the grantee having permissions on all tables and views within the database.

## Specify the permissions
<a name="view-specify-permissions"></a>

In the **Permissions** section, select permissions and grantable permissions.

![\[The Permissions section has a group of check boxes for view permissions to grant. Check boxes include Select, Describe, Drop, and Super. Below that group is another group of the same check boxes for grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/view-permissions.png)


1. Under **View permissions**, select one or more permissions to grant.

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account. This option is not supported when you are granting permissions to an IAM principal from an external account. 

1. Choose **Grant**.

**See Also**  
 [Lake Formation permissions reference](lf-permissions-reference.md) 
 [Granting permissions on a database or table shared with your account](regranting-shared-resources.md) 

# Lake Formation tag-based access control
<a name="tag-based-access-control"></a>

Lake Formation tag-based access control (LF-TBAC) is an authorization strategy that defines permissions based on attributes. In Lake Formation, these attributes are called *LF-Tags*. You can attach LF-Tags to Data Catalog resources, and grant permissions to Lake Formation principals on those resources using these LF-Tags. Lake Formation allows an operation on a resource when the principal has been granted access to an LF-Tag value that matches the value assigned to the resource.

LF-TBAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome. 

LF-TBAC is the recommended method to use to grant Lake Formation permissions when there is a large number of Data Catalog objects including federated catalogs, databases, tables, and views. Lake Formation supports tag-based access control for federated catalogs of Amazon S3 tables, Amazon Redshift data warehouses, and federated data sources such as Amazon DynamoDB, SQL Server, and Snowflake.

**Note**  
IAM tags are not the same as LF-Tags. These tags are not interchangeable. LF-Tags are used to grant Lake Formation permissions and IAM tags are used to define IAM policies.

## How Lake Formation tag-based access control works
<a name="how-TBAC-works"></a>

Each LF-Tag is a key-value pair, such as `department=sales` or `classification=restricted`. A key can have multiple defined values, such as `department=sales,marketing,engineering,finance`. 

To use the LF-TBAC method, data lake administrators and data engineers perform the following tasks.


| Task | Task details | 
| --- | --- | 
|  1. Define the properties and relationships of LF-Tags.  | - | 
|  2. Create the LF-Tag creators in Lake Formation.  | [Adding LF-Tag creators](TBAC-adding-tag-creator.md) | 
|  3. Create the LF-Tag in Lake Formation.  | [Creating LF-Tags](TBAC-creating-tags.md) | 
|  4. Assign LF-Tags to Data Catalog resources.  | [Assigning LF-Tags to Data Catalog resources](TBAC-assigning-tags.md) | 
|  5. Grant permissions to other principals to assign LF-Tags to resources, optionally with the grant option.  | [Managing LF-Tag value permissions](TBAC-granting-tags.md) | 
|  6. Grant LF-Tag expressions to principals, optionally with the grant option.  | [Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md) | 
|  7. (Recommended) After verifying that principals have access to the correct resources through the LF-TBAC method, revoke permissions that were granted by using the named resource method.  | - | 

Consider the case where you must grant permissions to three principals on three databases and seven tables. 

![\[Three figures of users are at the left, arranged vertically. At the right are three databases labeled A, B, and C, arranged vertically. Database A has two tables labeled A.1 and A.2, database B has tables labeled B.1 and B.2, and Database C has three tables labeled C.1, C.2, and C.3. Seventeen arrows connect the users to the databases and tables, indicating grants on the databases and tables to the users.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/TBAC_example_discreet.png)


To achieve the permissions indicated in the preceding diagram by using the named resource method, you would have to make 17 grants, as follows (in pseudo-code).

```
GRANT CREATE_TABLE ON Database A TO PRINCIPAL 1
GRANT SELECT, INSERT ON Table A.1 TO PRINCIPAL 1
GRANT SELECT, INSERT ON Table A.2 TO PRINCIPAL 1
GRANT SELECT, INSERT ON Table B.2 TO PRINCIPAL 1
...
GRANT SELECT, INSERT ON Table A.2 TO PRINCIPAL 2
GRANT CREATE_TABLE ON Database B TO PRINCIPAL 2
...
GRANT SELECT, INSERT ON Table C.3 TO PRINCIPAL 3
```

Now consider how you would grant permissions by using LF-TBAC. The following diagram indicates that you've assigned LF-Tags to databases and tables, and have granted permissions on LF-Tags to principals.

In this example, the LF-Tags represent areas of the data lake that contain analytics for different modules of an enterprise resource planning (ERP) application suite. You can use them to control access to the analytics data for the various modules. All LF-Tags have the key `module` and possible values `Sales`, `Orders`, and `Customers`. An example LF-Tag looks like this:

```
module=Sales
```

The diagram shows only the LF-Tag values.

![\[Like the previous diagram, three figures of users are at the left, arranged vertically, and at the right are three databases labeled A, B, and C, arranged vertically. Database A has two tables labeled A.1 and A.2, database B has tables labeled B.1 and B.2, and Database C has three tables labeled C.1, C.2, and C.3. There are no arrows between the users and the databases and tables. Instead, labeled "flags" next to the users indicate that user1 has been granted the LF-Tags Sales and Customers, user 2 has been granted the LF-Tag Orders, and user 3 has been granted the LF-Tag Customers. Flags next to the databases and tables indicate the following assignments of LF-Tags to databases and tables: Database A: Sales. Table A1: A dimmed flag indicates that Sales was inherited from Database A. Table A2: Orders, but a dimmed flag indicates that Sales was inherited from Database A. Database B: Orders. Table B.1 and B.2 inherit Orders, and Table B.2 has Customers. Database C has Customers, and Tables C.1, C.2, and C.3 inherit Customers. The C tables don't have any other assignments.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/TBAC_example_tags.png)


**Tag assignments to Data Catalog resources and inheritance**  
Tables inherit LF-Tags from databases and columns inherit LF-Tags from tables. Inherited values can be overridden. In the preceding diagram, dimmed LF-Tags are inherited.

Because of inheritance, the data lake administrator needs to make only the five following LF-Tag assignments to resources (in pseudo-code).

```
ASSIGN TAGS module=Sales TO database A
ASSIGN TAGS module=Orders TO table A.2
ASSIGN TAGS module=Orders TO database B
ASSIGN TAGS module=Customers TO table B.2
ASSIGN TAGS module=Customers TO database C
```

**Tag grants to principals**  
After assigning LF-Tags to the databases and tables, the data lake administrator must make only four grants of LF-Tags to principals, as follows (in pseudo-code).

```
GRANT TAGS module=Sales TO Principal 1
GRANT TAGS module=Customers TO Principal 1
GRANT TAGS module=Orders TO Principal 2
GRANT TAGS module=Customers TO Principal 3
```

Now, a principal with the `module=Sales` LF-Tag can access Data Catalog resources with the `module=Sales` LF-Tag (for example, database A), a principal with the `module=Customers` LF-Tag can access resources with the `module=Customers` LF-Tag, and so on.

The preceding grant commands are incomplete. This is because although they indicate through LF-Tags the Data Catalog resources that the principals have permissions on, they don't indicate exactly which Lake Formation permissions (such as `SELECT`, `ALTER`) the principals have on those resources. Therefore, the following pseudo-code commands are a more accurate representation of how Lake Formation permissions are granted on Data Catalog resources through LF-Tags.

```
GRANT (CREATE_TABLE ON DATABASES) ON TAGS module=Sales TO Principal 1
GRANT (SELECT, INSERT ON TABLES)  ON TAGS module=Sales TO Principal 1
GRANT (CREATE_TABLE ON DATABASES) ON TAGS module=Customers TO Principal 1
GRANT (SELECT, INSERT ON TABLES)  ON TAGS module=Customers TO Principal 1
GRANT (CREATE_TABLE ON DATABASES) ON TAGS module=Orders TO Principal 2
GRANT (SELECT, INSERT ON TABLES)  ON TAGS module=Orders TO Principal 2
GRANT (CREATE_TABLE ON DATABASES) ON TAGS module=Customers TO Principal 3
GRANT (SELECT, INSERT ON TABLES)  ON TAGS module=Customers TO Principal 3
```

**Putting it together - Resulting permissions on resources**  
Given the LF-Tags assigned to the databases and tables in the preceding diagram, and the LF-Tags granted to the principals in the diagram, the following table lists the Lake Formation permissions that the principals have on the databases and tables.


| Principal | Permissions Granted Through LF-Tags | 
| --- | --- | 
| Principal 1 |  Through `module=Sales`: `CREATE_TABLE` on database A; `SELECT`, `INSERT` on tables A.1 and A.2. Through `module=Customers`: `CREATE_TABLE` on database C; `SELECT`, `INSERT` on tables B.2, C.1, C.2, and C.3.  | 
| Principal 2 |  Through `module=Orders`: `CREATE_TABLE` on database B; `SELECT`, `INSERT` on tables A.2, B.1, and B.2.  | 
| Principal 3 |  Through `module=Customers`: `CREATE_TABLE` on database C; `SELECT`, `INSERT` on tables B.2, C.1, C.2, and C.3.  | 

**Bottom line**  
In this simple example, using five assignment operations and eight grant operations, the data lake administrator was able to specify 17 permissions. When there are tens of databases and hundreds of tables, the advantage of the LF-TBAC method over the named resource method becomes clear. In the hypothetical case of the need to grant every principal access to every resource, and where `n(P)` is the number of principals and `n(R)` is the number of resources:
+ With the named resource method, the number of grants required is `n(P)` ✕ `n(R)`.
+ With the LF-TBAC method, using a single LF-Tag, the total of the number of grants to principals and assignments to resources is `n(P)` + `n(R)`.
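To make the resolution concrete, here is an added Python model (example code, not part of the AWS documentation) of the walkthrough above: databases A, B and C, their tables, the five LF-Tag assignments, and the eight tag grants, with each table inheriting its database's LF-Tags. It offers two inheritance modes because the diagram and the text differ on what happens when a table carries a different value of a key its database already has: `accumulate` keeps the inherited and the explicit value side by side, as the diagram draws A.2 and B.2, and reproduces the 17 permissions; `override` applies "inherited values can be overridden" to the single `module` key, so the explicit assignment replaces the inherited one and Principal 1 loses A.2 while Principal 2 loses B.2. The function and constant names are this example's own.

```python
"""In-memory model of LF-TBAC resolution for the page's Sales/Orders/Customers example.

Added example, not AWS code. Data is constructed from the walkthrough above.
"""
from itertools import product

# Explicit LF-Tag assignments (key "module") from the page's five ASSIGN lines.
DATABASES = {"A": {"module": "Sales"}, "B": {"module": "Orders"},
             "C": {"module": "Customers"}}
TABLES = {  # table -> (parent database, explicit LF-Tags on the table)
    "A.1": ("A", {}), "A.2": ("A", {"module": "Orders"}),
    "B.1": ("B", {}), "B.2": ("B", {"module": "Customers"}),
    "C.1": ("C", {}), "C.2": ("C", {}), "C.3": ("C", {}),
}
# The eight tag grants: (principal, resource type, permissions, tag expression).
GRANTS = [(p, rtype, perms, {"module": v})
          for p, v in [(1, "Sales"), (1, "Customers"), (2, "Orders"), (3, "Customers")]
          for rtype, perms in [("DATABASE", {"CREATE_TABLE"}), ("TABLE", {"SELECT", "INSERT"})]]


def effective_tags(resource, mode="accumulate"):
    """Return {key: set(values)} for a database or table.

    mode="accumulate": inherited and explicit values coexist (the diagram).
    mode="override": one value per key; an explicit value replaces the
    inherited one ("inherited values can be overridden").
    """
    if resource in DATABASES:
        return {k: {v} for k, v in DATABASES[resource].items()}
    parent, own = TABLES[resource]
    tags = effective_tags(parent, mode)
    for k, v in own.items():
        if mode == "override":
            tags[k] = {v}
        else:
            tags.setdefault(k, set()).add(v)
    return tags


def matches(expression, tags):
    """Every key in the expression must hit one of the resource's values."""
    return all(v in tags.get(k, set()) for k, v in expression.items())


def resolve(mode="accumulate"):
    """Map (principal, resource) -> effective permission set."""
    effective = {}
    resources = [(d, "DATABASE") for d in DATABASES] + [(t, "TABLE") for t in TABLES]
    for (principal, rtype, perms, expr), (res, res_type) in product(GRANTS, resources):
        if rtype == res_type and matches(expr, effective_tags(res, mode)):
            effective.setdefault((principal, res), set()).update(perms)
    return effective


def named_resource_grant_count(mode="accumulate"):
    """How many per-resource grants the named resource method would need."""
    return len(resolve(mode))


def tbac_operation_count():
    """Explicit assignments plus LF-Tag grants that express the same policy."""
    assignments = len(DATABASES) + sum(1 for _, own in TABLES.values() if own)
    return assignments + len(GRANTS)


if __name__ == "__main__":
    for mode in ("accumulate", "override"):
        print(mode, named_resource_grant_count(mode), "named-resource grants vs",
              tbac_operation_count(), "LF-TBAC operations")
```

Run it with each mode and diff the two `resolve` results: the pairs that disappear under `override` are exactly the places where tagging a table with a new value for a key its database already carries would silently remove access a principal previously had through inheritance.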

**See also**  
[Managing LF-Tags for metadata access control](managing-tags.md)
[Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md)

**Topics**
+ [How Lake Formation tag-based access control works](#how-TBAC-works)
+ [Managing LF-Tags for metadata access control](managing-tags.md)
+ [Managing LF-Tag expressions for metadata access control](managing-tag-expressions.md)
+ [Managing LF-Tag value permissions](TBAC-granting-tags.md)

# Managing LF-Tags for metadata access control
<a name="managing-tags"></a>

To use the Lake Formation tag-based access control (LF-TBAC) method to secure Data Catalog objects such as catalogs, databases, tables, views, and columns, you create LF-Tags, assign them to resources, and grant LF-Tag permissions to principals.

Before you can assign LF-Tags to Data Catalog objects or grant permissions to principals, you need to define LF-Tags. Only a data lake administrator or a principal with LF-Tag creator permissions can create LF-Tags.

**LF-Tag creators**  
An LF-Tag creator is a non-admin principal who has permissions to create and manage LF-Tags. Data lake administrators can add LF-Tag creators using the Lake Formation console or CLI. LF-Tag creators have implicit Lake Formation permissions to update and delete the LF-Tags they create, to assign those LF-Tags to resources, and to grant LF-Tag permissions and LF-Tag value permissions on them to other principals.

With LF-Tag creator roles, data lake administrators can delegate tag management tasks such as creating and updating tag keys and values to non-admin principals. Data lake administrators can also grant LF-Tag creators grantable `Create LF-Tag` permissions. Then, the LF-Tag creator can grant the permission to create LF-Tags to other principals. 

 You can grant two types of permissions on LF-Tags:
+ LF-Tag permissions - `Create LF-Tag`, `Alter`, and `Drop`. These permissions are required to create, update, and delete LF-Tags.

  Data lake administrators and LF-Tag creators implicitly have these permissions on the LF-Tags they create and can grant these permissions explicitly to principals to manage tags in the data lake. 
+ LF-Tag key-value pair permissions - `Assign`, `Describe`, and `Grant with LF-Tag expressions`. These permissions are required to assign LF-Tags to Data Catalog objects, and to grant permissions on the resources to principals using Lake Formation tag-based access control. LF-Tag creators implicitly receive these permissions when creating LF-Tags.

After receiving the `Create LF-Tag` permission and successfully creating LF-Tags, the LF-Tag creator can assign LF-Tags to resources and grant LF-Tag permissions (`Create LF-Tag`, `Alter`, and `Drop`) to other non-administrative principals to manage tags in the data lake. You can manage LF-Tags by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

**Note**  
 Data lake administrators have implicit Lake Formation permissions to create, update, and delete LF-Tags, to assign LF-Tags to resources, and to grant LF-Tag permissions to principals. 

For best practices and considerations, see [Lake Formation tag-based access control best practices and considerations](lf-tag-considerations.md)

**Topics**
+ [Adding LF-Tag creators](TBAC-adding-tag-creator.md)
+ [Creating LF-Tags](TBAC-creating-tags.md)
+ [Updating LF-Tags](TBAC-updating-tags.md)
+ [Deleting LF-Tags](TBAC-deleting-tags.md)
+ [Listing LF-Tags](TBAC-listing-tags.md)
+ [Assigning LF-Tags to Data Catalog resources](TBAC-assigning-tags.md)
+ [Viewing LF-Tags assigned to a resource](TBAC-view-resource-tags.md)
+ [Viewing the resources that a LF-Tag is assigned to](TBAC-view-tag-resources.md)
+ [Life cycle of a LF-Tag](#lf-tag-life-cycle)
+ [Comparison of Lake Formation tag-based access control to IAM attribute-based access control](#TBAC-comparison-ABAC)

**See also**  
[Managing LF-Tag value permissions](TBAC-granting-tags.md)
[Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md)
[Lake Formation tag-based access control](tag-based-access-control.md)

# Adding LF-Tag creators
<a name="TBAC-adding-tag-creator"></a>

 By default, data lake administrators can create, update, and delete LF-Tags, assign tags to Data Catalog objects, and grant tag permissions to principals. If you wish to delegate the tag creation and management operations to non-admin principals, the data lake administrator can create LF-Tag creator roles and grant Lake Formation `Create LF-Tag` permission to the roles. With grantable `Create LF-Tag` permission, LF-Tag creators can delegate tag creation and maintenance tasks to other non-administrative principals.

To assign LF-Tags that they did not create to Data Catalog resources, data lake administrators must first grant themselves the `Associate` permission on those LF-Tags.

**Note**  
Cross-account permission grants can include only `Describe` and `Associate` permissions. You can't grant `Create LF-Tag`, `Drop`, `Alter`, or `Grant with LF-Tag expressions` permissions to principals in a different account. 

**Topics**
+ [IAM permissions required to create LF-Tags](#tag-creator-permissions)
+ [Add LF-Tag creators](#add-lf-tag-creator)

**See also**  
[Managing LF-Tag value permissions](TBAC-granting-tags.md)
[Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md)
[Lake Formation tag-based access control](tag-based-access-control.md)

## IAM permissions required to create LF-Tags
<a name="tag-creator-permissions"></a>

 You must configure permissions to allow a Lake Formation principal to create LF-Tags. Add the following statement to the permissions policy for the principal that needs to be a LF-Tag creator.

**Note**  
Although data lake administrators have implicit Lake Formation permissions to create, update, and delete LF-Tags, to assign LF-Tags to resources, and to grant LF-Tags to principals, data lake administrators also need the following IAM permissions.

For more information, see [Lake Formation personas and IAM permissions reference](permissions-reference.md).

```
{
    "Sid": "LFTagCreator",
    "Effect": "Allow",
    "Action": [
        "lakeformation:AddLFTagsToResource",
        "lakeformation:RemoveLFTagsFromResource",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListLFTags",
        "lakeformation:CreateLFTag",
        "lakeformation:GetLFTag",
        "lakeformation:UpdateLFTag",
        "lakeformation:DeleteLFTag",
        "lakeformation:SearchTablesByLFTags",
        "lakeformation:SearchDatabasesByLFTags"
    ],
    "Resource": "*"
}
```

Principals who assign LF-Tags to resources and grant LF-Tags to principals must have the same permissions, except for the `CreateLFTag`, `UpdateLFTag`, and `DeleteLFTag` permissions.

## Add LF-Tag creators
<a name="add-lf-tag-creator"></a>

An LF-Tag creator can create an LF-Tag, update its key and values, delete tags, associate tags with Data Catalog resources, and grant permissions on Data Catalog resources to principals using the LF-TBAC method. The LF-Tag creator can also grant these permissions to other principals.

You can create LF-Tag creator roles by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ console ]

**To add a LF-Tag creator**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

   On the **LF-Tags and permissions** page, in the **LF-Tag creators** section, choose **Add LF-Tag creators**.  
![\[LF-Tag creator details form with IAM user selection and permission options.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/add-lf-tag-creator.png)

1. On the **Add LF-Tag creators** page, choose an IAM role or user who has the required permissions to create LF-Tags.

1. Select the **Create LF-Tag** permission check box.

1. (Optional) To allow the selected principals to grant the `Create LF-Tag` permission to other principals, select **Grantable Create LF-Tag permission**.

1. Choose **Add**.

------
#### [ AWS CLI ]

```
aws lakeformation grant-permissions --cli-input-json file://grantCreate
{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/tag-manager"
    },
    "Resource": {
        "Catalog": {}
    },
    "Permissions": [
        "CreateLFTag"
    ],
    "PermissionsWithGrantOption": [
        "CreateLFTag"
    ]
}
```

------

The following are the permissions available for a LF-Tag creator role:


| Permission | Description | 
| --- | --- | 
| Drop | A principal with this permission on a LF-Tag can delete a LF-Tag from the data lake. The principal gets implicit Describe permission on all tag values of a LF-Tag resource. | 
| Alter | A principal with this permission on a LF-Tag can add or remove tag value from a LF-Tag. The principal gets implicit Alter permission on all tag values of a LF-Tag. | 
| Describe | A principal with this permission on a LF-Tag can view the LF-Tag and its values when they assign LF-Tags to resources or grant permissions on LF-Tags. You can grant Describe on all key values or on specific values. | 
| Associate | A principal with this permission on a LF-Tag can assign the LF-Tag to a Data Catalog resource. Granting Associate implicitly grants Describe. | 
| Grant with LF-Tag expression | A principal with this permission on a LF-Tag can grant permissions on a Data Catalog resources using the LF-Tag key and values. Granting Grant with LF-Tag expression implicitly grants Describe. | 

These permissions are grantable. A principal who has been granted these permissions with the grant option can grant them to other principals.

# Creating LF-Tags
<a name="TBAC-creating-tags"></a>

All LF-Tags must be defined in Lake Formation before they can be used. A LF-Tag consists of a key and one or more possible values for the key.

After the data lake administrator has set up the required IAM permissions and Lake Formation permissions for the LF-Tag creator role, the principal can create an LF-Tag. The LF-Tag creator gets implicit permission to update or remove any tag value from the LF-Tag and to delete the LF-Tag.

You can create LF-Tags by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To create a LF-Tag**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a principal with LF-Tag creator permissions or as data lake administrator.

1. In the navigation pane, under **Permissions**, **LF-Tags and permissions**, choose **LF-Tags**.

   The **LF-Tags** page appears.  
![\[The page has a 4-column table with column headings Key, Values, Owner account ID, and LF-Tag permissions. The table has 2 rows. Above the table are 4 buttons arranged horizontally: Delete (dimmed), Edit (dimmed), Grant permissions (dimmed) and Add tag. The page also has a search field with the placeholder text "Find tag". To the right of the search field is a page selector, showing the value "1" between left and right buttons, and a Settings icon.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/policy-tags-page-2.png)

1. Choose **Add LF-Tag**.

1. In the **Add LF-Tag** dialog box, enter a key and one or more values.

   Each key must have at least one value. To enter multiple values, either enter a comma-delimited list and then press **Enter**, or enter one value at a time and choose **Add** after each one. The maximum number of values permitted is 1000.

1. Choose **Add tag**.

------
#### [ AWS CLI ]

**To create a LF-Tag**
+ Enter a `create-lf-tag` command.

  The following example creates a LF-Tag with key `module` and values `Customers` and `Orders`.

  ```
  aws lakeformation create-lf-tag --tag-key module --tag-values Customers Orders
  ```

------

As tag creator, the principal gets `Alter` permission on this LF-Tag and can update or remove any tag value from it. The LF-Tag creator principal can also grant `Alter` permission to another principal so that it can update and remove tag values on this LF-Tag.

# Updating LF-Tags
<a name="TBAC-updating-tags"></a>

You update a LF-Tag that you have the `Alter` permission on by adding or deleting permitted key values. You can't change the LF-Tag key. To change the key, delete the LF-Tag and add one with the required key. In addition to `Alter` permission, you also need the `lakeformation:UpdateLFTag` IAM permission to update values.

When you delete a LF-Tag value, no check is performed for the presence of that LF-Tag value on any Data Catalog resource. If the deleted LF-Tag value is associated with a resource, it is no longer visible for the resource, and any principals that were granted permissions on that key-value pair no longer have the permissions.

Before deleting a LF-Tag value, you can optionally use the [`remove-lf-tags-from-resource`](TBAC-assigning-tags.md#remove-tag-command) command to remove the LF-Tag from Data Catalog resources that have the value that you want to delete, and then retag the resource with the values that you want to keep.

Only data lake administrators, the LF-Tag creator, and principals that have `Alter` permissions on the LF-Tag can update a LF-Tag.

You can update a LF-Tag by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To update a LF-Tag (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator, LF-Tag creator or a principal with `Alter` permission on the LF-Tag.

1. In the navigation pane, under **Permissions**, **LF-Tags and permissions**, choose **LF-Tags**.

1. On the **LF-Tags** page, select a LF-Tag, and then choose **Edit**.

1. In the **Edit LF-Tag** dialog box, add or remove LF-Tag values.

   To add multiple values, in the **Values** field, either enter a comma-delimited list and press **Enter**, or enter one value at a time and choose **Add** after each one.

1. Choose **Save**.

------
#### [ AWS CLI ]

**To update a LF-Tag (AWS CLI)**
+ Enter an `update-lf-tag` command. Provide one or both of the following arguments:
  + `--tag-values-to-add`
  + `--tag-values-to-delete`

**Example**  
The following example replaces the value `vp` with the value `vice-president` for the LF-Tag key `level`.  

```
aws lakeformation update-lf-tag --tag-key level --tag-values-to-add vice-president \
    --tag-values-to-delete vp
```

------

# Deleting LF-Tags
<a name="TBAC-deleting-tags"></a>

You can delete LF-Tags that are no longer in use. No check is performed for the presence of the LF-Tag on a Data Catalog resource. If the deleted LF-Tag is associated with a resource, it is no longer visible for the resource, and any principals that were granted permissions on that LF-Tag no longer have the permissions.

Before deleting a LF-Tag, you can optionally use the [`remove-lf-tags-from-resource`](TBAC-assigning-tags.md#remove-tag-command) command to remove the LF-Tag from all resources.

Only data lake administrators, the LF-Tag creator, or a principal that has `Drop` permission on the LF-Tag can delete a LF-Tag. In addition to the `Drop` permission, the principal also needs the `lakeformation:DeleteLFTag` IAM permission to delete a LF-Tag.

You can delete a LF-Tag by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To delete a LF-Tag (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator.

1. In the navigation pane, under **Permissions**, **LF-Tags and permissions**, choose **LF-Tags**.

1. On the **LF-Tags** page, select a LF-Tag, and then choose **Delete**.

1. In the **Delete tag environment?** dialog box, to confirm the deletion, enter the LF-Tag key value in the designated field and then choose **Delete**.

------
#### [ AWS CLI ]

**To delete a LF-Tag (AWS CLI)**
+ Enter a `delete-lf-tag` command. Provide the key of the LF-Tag to delete.  
**Example**  

  The following example deletes the LF-Tag with the key `region`.

  ```
  aws lakeformation delete-lf-tag --tag-key region
  ```

------

# Listing LF-Tags
<a name="TBAC-listing-tags"></a>

You can list the LF-Tags that you have the `Describe` or `Associate` permissions on. The values listed with each LF-Tag key are the values that you have permissions on.

The LF-Tag creator has implicit permissions to see the LF-Tags they have created.

Data lake administrators can see all LF-Tags that are defined in the local AWS account and all LF-Tags for which the `Describe` and `Associate` permissions have been granted to the local account from external accounts. The data lake administrator can see all values for all LF-Tags.

You can list LF-Tags by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To list LF-Tags (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag creator, as a data lake administrator, or as a principal that has been granted permissions on LF-Tags and that has the `lakeformation:ListLFTags` IAM permission.

1. In the navigation pane, under **Permissions**, **LF-Tags and permissions**, choose **LF-Tags**.

   The **LF-Tags** page appears.  
![\[The page has a 3-column table with column headings Key, Values, and Owner account ID. The table has 2 rows. Above the table are 4 buttons arranged horizontally: Reload page, Delete (dimmed), Edit (dimmed), and Add tag. The page also has a search field with the placeholder text "Find tag". To the right of the search field is a page selector, showing the value "1" between left and right buttons, and a Settings icon.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/policy-tags-page-2.png)

   Check the **Owner account ID** column to determine the LF-Tags that were shared with your account from an external account.

------
#### [ AWS CLI ]

**To list LF-Tags (AWS CLI)**
+ Run the following command as a data lake administrator or as a principal that has been granted permissions on LF-Tags and that has the `lakeformation:ListLFTags` IAM permission.

  ```
  aws lakeformation list-lf-tags
  ```

  The output is similar to the following.

  ```
  {
      "LFTags": [
          {
              "CatalogId": "111122223333",
              "TagKey": "level",
              "TagValues": [
                  "director",
                  "vp",
                  "c-level"
              ]
          },
          {
              "CatalogId": "111122223333",
              "TagKey": "module",
              "TagValues": [
                  "Orders",
                  "Sales",
                  "Customers"
              ]
          }
      ]
  }
  ```

  To also see LF-Tags that were granted from external accounts, include the command option `--resource-share-type ALL`.

  ```
  aws lakeformation list-lf-tags --resource-share-type ALL
  ```

  The output is similar to the following. Note the `NextToken` key, which indicates that there is more to list.

  ```
  {
      "LFTags": [
          {
              "CatalogId": "111122223333",
              "TagKey": "level",
              "TagValues": [
                  "director",
                  "vp",
                  "c-level"
              ]
          },
          {
              "CatalogId": "111122223333",
              "TagKey": "module",
              "TagValues": [
                  "Orders",
                  "Sales",
                  "Customers"
              ]
          }
      ],
      "NextToken": "eyJleHBpcmF0aW...ZXh0Ijp0cnVlfQ=="
  }
  ```

  Repeat the command, and add the `--next-token` argument to view any remaining local LF-Tags and LF-Tags that were granted from external accounts. LF-Tags from external accounts are always on a separate page.

  ```
  aws lakeformation list-lf-tags --resource-share-type ALL \
      --next-token eyJleHBpcmF0aW...ZXh0Ijp0cnVlfQ==
  ```

  ```
  {
      "LFTags": [
          {
              "CatalogId": "123456789012",
              "TagKey": "region",
              "TagValues": [
                  "central",
                  "south"
              ]
          }
      ]
  }
  ```

------
#### [ API ]

You can use the SDKs available for Lake Formation to list the tags that the requester has permission to view.

```
import boto3

client = boto3.client('lakeformation')
...

# Replace the 'string' placeholder with your catalog ID (AWS account ID).
# ResourceShareType='ALL' includes LF-Tags shared from external accounts.
response = client.list_lf_tags(
    CatalogId='string',
    ResourceShareType='ALL',
    MaxResults=50
)
```

This command returns a `dict` object with the following structure:

```
{
    'LFTags': [
        {
            'CatalogId': 'string',
            'TagKey': 'string',
            'TagValues': [
                'string',
            ]
        },
    ],
    'NextToken': 'string'
}
```

------
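The CLI walkthrough above pages through `list-lf-tags` by hand and tells you to check the owner account ID to spot tags shared from another account. The following added example (not code from the Lake Formation documentation or the AWS SDK) does both programmatically: it follows `NextToken` until the listing is exhausted and then splits the result by `CatalogId`. The paging loop accepts any object with a boto3-style `list_lf_tags(**kwargs)` method, so it runs unchanged against `boto3.client("lakeformation")`; the stub client and its two pages are constructed from the documentation's sample output so that the example runs offline.

```python
"""Page through list-lf-tags and separate local from externally shared LF-Tags.

Added example, not part of the Lake Formation documentation. The stub client
replays the two pages shown in the CLI walkthrough (local tags with a
NextToken, then the tags shared from account 123456789012).
"""

LOCAL_ACCOUNT = "111122223333"   # sample account ID taken from the documentation's output

# Constructed stub data: page 1 carries the local tags plus a NextToken,
# page 2 carries the tags shared from an external account.
_PAGES = [
    {
        "LFTags": [
            {"CatalogId": "111122223333", "TagKey": "level",
             "TagValues": ["director", "vp", "c-level"]},
            {"CatalogId": "111122223333", "TagKey": "module",
             "TagValues": ["Orders", "Sales", "Customers"]},
        ],
        "NextToken": "eyJleHBpcmF0aW...ZXh0Ijp0cnVlfQ==",   # truncated, as on the page
    },
    {
        "LFTags": [
            {"CatalogId": "123456789012", "TagKey": "region",
             "TagValues": ["central", "south"]},
        ],
    },
]


class StubLakeFormationClient:
    """Minimal stand-in for the boto3 client; honours ResourceShareType and NextToken."""

    def __init__(self, pages):
        self._pages = pages
        self.calls = []   # every kwargs dict received, so the paging loop can be checked

    def list_lf_tags(self, **kwargs):
        self.calls.append(kwargs)
        if kwargs.get("ResourceShareType") != "ALL":
            # Without ALL only local tags come back, and there is no second page.
            page = dict(self._pages[0])
            page.pop("NextToken", None)
            return page
        token = kwargs.get("NextToken")
        if token is None:
            return self._pages[0]
        if token == self._pages[0]["NextToken"]:
            return self._pages[1]
        raise ValueError("unknown NextToken")


def list_all_lf_tags(client, resource_share_type=None, max_results=50):
    """Follow NextToken until exhausted and return every LFTag entry.

    resource_share_type="ALL" also returns LF-Tags shared from external
    accounts, which the service delivers on a separate page.
    """
    tags = []
    kwargs = {"MaxResults": max_results}
    if resource_share_type:
        kwargs["ResourceShareType"] = resource_share_type
    while True:
        response = client.list_lf_tags(**kwargs)
        tags.extend(response.get("LFTags", []))
        token = response.get("NextToken")
        if not token:
            return tags
        kwargs["NextToken"] = token   # repeat the same call with the token added


def split_by_owner(tags, local_account=LOCAL_ACCOUNT):
    """Separate locally defined tags from those owned by another account.

    The owning account is the CatalogId of the tag, which is what the
    console's "Owner account ID" column shows.
    """
    local = [t for t in tags if t["CatalogId"] == local_account]
    external = [t for t in tags if t["CatalogId"] != local_account]
    return local, external


if __name__ == "__main__":
    client = StubLakeFormationClient(_PAGES)
    local, external = split_by_owner(list_all_lf_tags(client, "ALL"))
    for owner, group in (("local", local), ("external", external)):
        for tag in group:
            print(f"{owner:8} {tag['CatalogId']} {tag['TagKey']}={','.join(tag['TagValues'])}")
```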

For more information about the required permissions, see [Lake Formation personas and IAM permissions reference](permissions-reference.md).

# Assigning LF-Tags to Data Catalog resources
<a name="TBAC-assigning-tags"></a>

You can assign LF-Tags to Data Catalog resources (databases, tables, and columns) to control access to those resources. Only principals that are granted matching LF-Tags (and principals that are granted access with the named resource method) can access the resources.

If a table inherits a LF-Tag from a database or a column inherits a LF-Tag from a table, you can override the inherited value by assigning a new value to the LF-Tag key.

The maximum number of LF-Tags that you can assign to a resource is 50.

**Topics**
+ [Requirements for managing tags assigned to resources](#manage-tags-reqs)
+ [Assign LF-Tags to a table column](#assign-tag-column)
+ [Assign LF-Tags to a Data Catalog resource](#assign-tag-catalog-resource)
+ [Updating LF-Tags for a resource](#update-tags)
+ [Removing LF-Tag from a resource](#remove-tag)

## Requirements for managing tags assigned to resources
<a name="manage-tags-reqs"></a>

To assign a LF-Tag to a Data Catalog resource, you must:
+ Have the Lake Formation `ASSOCIATE` permission on the LF-Tag.
+ Have the IAM `lakeformation:AddLFTagsToResource` permission.
+ Have the IAM `glue:GetDatabase` permission on the AWS Glue database.
+ Be the resource owner (creator), have the `Super` Lake Formation permission on the resource with the `GRANT` option, or have the following permissions with the `GRANT` option:
  + For databases in the same AWS account: `DESCRIBE`, `CREATE_TABLE`, `ALTER`, and `DROP` 
  + For databases in an external account: `DESCRIBE`, `CREATE_TABLE` and `ALTER`
  + For tables (and columns): `DESCRIBE`, `ALTER`, `DROP`, `INSERT`, `SELECT`, and `DELETE`

In addition, the LF-Tag and the resource that it is being assigned to must be in the same AWS account.

To remove a LF-Tag from a Data Catalog resource, you must meet these requirements, and also have the `lakeformation:RemoveLFTagsFromResource` IAM permission.

## Assign LF-Tags to a table column
<a name="assign-tag-column"></a>

**To assign LF-Tags to a table column (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a user who meets the requirements listed above.

1. In the navigation pane, choose **Tables**.

1. Choose a table name (not the option button next to the table name).

1. On the table details page, in the **Schema** section, choose **Edit schema**.

1. On the **Edit schema** page, select one or more columns, and then choose **Edit LF-Tags**.
**Note**  
If you intend to add or delete columns and save a new version, do that first. Then edit the LF-Tags.

   The **Edit LF-Tags** dialog box appears, and displays any LF-Tags that are inherited from the table.  
![\[The image is a screenshot of the Edit LF-Tags dialog window. The top part of the windows shows two inherited keys. The first inherited key has the key "level" and the value "director (inherited)". The second inherited key has the key "module" and the value "Orders (inherited)". Below those fields is an "Assign new LF-Tag" button. Below and to the right are the Cancel and Save buttons.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/edit-policy-tags-for-columns-2a.png)

1. (Optional) For the **Values** list next to an **Inherited keys** field, choose a value to override the inherited value.

1. (Optional) Choose **Assign new LF-Tag**. Then for **Assigned keys**, choose a key, and for **Values**, choose a value for the key.  
![\[The image is a screenshot of the Edit LF-Tags dialog window. The top part of the windows shows two inherited keys. The first inherited key has the key "level" and the value "director (inherited)". The second inherited key has the key "module" and the value "Orders (inherited)". Below this section, aligned horizontally, are these fields and controls : "Assigned keys" field, "Values" field, and a Remove button. The Assigned keys field contains the text "environment". The Values field is a drop-down list, with the values "Production" (highlighted) and "Customers". An "Assign new LF-Tag" button appears below the Assigned keys field. In the bottom right of the window are the Cancel and Save buttons.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/edit-policy-tags-for-columns-2b.png)

1. (Optional) Choose **Assign new LF-Tag** again to add another LF-Tag.

1. Choose **Save**.

## Assign LF-Tags to a Data Catalog resource
<a name="assign-tag-catalog-resource"></a>

------
#### [ Console ]

**To assign LF-Tags to a Data Catalog database or table**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a user who meets the requirements listed earlier.

1. In the navigation pane, under **Data catalog**, do one of the following:
   + To assign LF-Tags to databases, choose **Databases**.
   + To assign LF-Tags to tables, choose **Tables**.

1. Choose a database or table, and on the **Actions** menu, choose **Edit LF-Tags**.

   The **Edit LF-Tags: *resource-name*** dialog box appears.

   If a table inherits LF-Tags from its containing database, the window displays the inherited LF-Tags. Otherwise, it displays the text "There are no inherited LF-Tags associated with the resource."  
![\[The image is a screenshot of the "Edit LF-Tags: inventory" dialog window. At the top are the fields "Inherited keys" (dimmed) and "Values". The Inherited keys field has the value "level" and the Values field has the value "director (inherited)". Below this section, aligned horizontally, are these fields and controls : "Assigned keys" field, "Values" field, and a Remove button. The Assigned keys field contains the text "module". The Values field is a drop-down list, with the values "Orders", "Sales", and "Customers" (highlighted). An "Assign new LF-Tag" button is below the Assigned keys field. In the bottom right of the window are Cancel and Save buttons.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/edit-policy-tags-for-tables-2.png)

1. (Optional) If a table has inherited LF-Tags, for the **Values** list next to an **Inherited keys** field, you can choose a value to override the inherited value.

1. To assign new LF-Tags, perform these steps:

   1. Choose **Assign new LF-Tag**.

   1. In the **Assigned keys** field, choose a LF-Tag key, and in the **Values** field, choose a value.

   1. (Optional) Choose **Assign new LF-Tag** again to assign an additional LF-Tag.

1. Choose **Save**.

------
#### [ AWS CLI ]

**To assign LF-Tags to a Data Catalog resource**
+ Run the `add-lf-tags-to-resource` command.

  The following example assigns the LF-Tag `module=orders` to the table `orders` in the database `erp`. It uses the shortcut syntax for the `--lf-tags` argument. The `CatalogId` property for `--lf-tags` is optional. If not provided, the catalog ID of the resource (in this case, the table) is assumed.

  ```
  aws lakeformation add-lf-tags-to-resource --resource '{ "Table": {"DatabaseName":"erp", "Name":"orders"}}' --lf-tags  CatalogId=111122223333,TagKey=module,TagValues=orders
  ```

  The following is the output if the command succeeds.

  ```
  {
      "Failures": []
  }
  ```

  This next example assigns two LF-Tags to the `sales` table, and uses the JSON syntax for the `--lf-tags` argument.

  ```
  aws lakeformation add-lf-tags-to-resource --resource '{ "Table": {"DatabaseName":"erp", "Name":"sales"}}' --lf-tags '[{"TagKey": "module","TagValues": ["sales"]},{"TagKey": "environment","TagValues": ["development"]}]'
  ```

  This next example assigns the LF-Tag `level=director` to the `total` column of the table `sales`.

  ```
  aws lakeformation add-lf-tags-to-resource --resource '{ "TableWithColumns": {"DatabaseName":"erp", "Name":"sales", "ColumnNames":["total"]}}' --lf-tags TagKey=level,TagValues=director
  ```

------

## Updating LF-Tags for a resource
<a name="update-tags"></a>

**To update a LF-Tag for a Data Catalog resource (AWS CLI)**
+ Use the `add-lf-tags-to-resource` command, as described in the previous procedure.

  Adding a LF-Tag with the same key as an existing LF-Tag, but with a different value, updates the existing value.

## Removing LF-Tag from a resource
<a name="remove-tag"></a><a name="remove-tag-command"></a>

**To remove a LF-Tag for a Data Catalog resource (AWS CLI)**
+ Run the `remove-lf-tags-from-resource` command. 

  If a table has a LF-Tag value that overrides the value that is inherited from the parent database, removing that LF-Tag from the table restores the inherited value. This behavior also applies to a column that overrides key values inherited from the table. 

  The following example removes the LF-Tag `level=director` from the `total` column of the `sales` table. The `CatalogId` property for `--lf-tags` is optional. If not provided, the catalog ID of the resource (in this case, the table) is assumed.

  ```
  aws lakeformation remove-lf-tags-from-resource \
      --resource '{ "TableWithColumns": { "DatabaseName": "erp", "Name": "sales", "ColumnNames": ["total"]}}' \
      --lf-tags CatalogId=111122223333,TagKey=level,TagValues=director
  ```

# Viewing LF-Tags assigned to a resource
<a name="TBAC-view-resource-tags"></a>

You can view the LF-Tags that are assigned to a Data Catalog resource. You must have the `DESCRIBE` or `ASSOCIATE` permission on a LF-Tag to view it.

------
#### [ Console ]

**To view the LF-Tags that are assigned to a resource (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the data lake administrator, the resource owner, or a user who has been granted Lake Formation permissions on the resource.

1. In the navigation pane, under the heading **Data catalog**, do one of the following:
   + To view LF-Tags assigned to a database, choose **Databases**.
   + To view LF-Tags assigned to a table, choose **Tables**.

1. On the **Tables** or **Databases** page, choose the name of the database or table. Then on the details page, scroll down to the **LF-Tags** section.

   The following screenshot shows the LF-Tags assigned to a `customers` table, which is contained in the `retail` database. The `module` LF-Tag is inherited from the database. The `credit_limit` column has the `level=vp` LF-Tag assigned.  
![\[The image is a screenshot of the LF-Tags section of the customers table detail page. The LF-Tags section contains a table with the following columns: Resource, Key, Value, and Inherited from. The table has 3 rows. Above the table is a text entry field with the "Find tags" placeholder text, and an Edit tags button. The paragraph that precedes the image describes the table values shown in the screenshot.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/tags-for-resource-2.png)

------
#### [ AWS CLI ]

**To view the LF-Tags that are assigned to a resource (AWS CLI)**
+ Enter a command similar to the following.

  ```
  aws lakeformation get-resource-lf-tags --show-assigned-lf-tags --resource '{ "Table": {"CatalogId":"111122223333", "DatabaseName":"erp", "Name":"sales"}}'
  ```

  The command returns the following output.

  ```
  {
      "TableTags": [
          {
              "CatalogId": "111122223333",
              "TagKey": "module",
              "TagValues": [
                  "sales"
              ]
          },
          {
              "CatalogId": "111122223333",
              "TagKey": "environment",
              "TagValues": [
                  "development"
              ]
          }
      ],
      "ColumnTags": [
          {
              "Name": "total",
              "Tags": [
                  {
                      "CatalogId": "111122223333",
                      "TagKey": "level",
                      "TagValues": [
                          "director"
                      ]
                  }
              ]
          }
      ]
  }
  ```

  This output shows only LF-Tags that are explicitly assigned, not inherited. If you want to see all LF-Tags on all columns, including inherited LF-Tags, omit the `--show-assigned-lf-tags` option.

------

# Viewing the resources that a LF-Tag is assigned to
<a name="TBAC-view-tag-resources"></a>

You can view all the Data Catalog resources that a particular LF-Tag key is assigned to. To do so, you need the following Lake Formation permissions:
+ `Describe` or `Associate` on the LF-Tag.
+ `Describe` or any other Lake Formation permission on the resource.

In addition, you need the following AWS Identity and Access Management (IAM) permissions:
+ `lakeformation:SearchDatabasesByLFTags`
+ `lakeformation:SearchTablesByLFTags`

------
#### [ Console ]

**To view the resources that a LF-Tag is assigned to (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator or as a user who meets the requirements listed earlier.

1. In the navigation pane, under **Permissions** and **LF-Tags and permissions**, choose **LF-Tags**.

1. Choose a LF-Tag key (not the option button next to the key name).

   The LF-Tag details page displays a list of resources that the LF-Tag has been assigned to.  
![\[The image is a screenshot of the LF-Tag detail page for the key "module". The LF-Tag detail page has two sections. The top section displays the LF-Tag key and values. The bottom section displays the resources associated with that LF-Tag in a table with the following columns: Key, Values, Resource type, and Resource. The table has 12 rows, but only 7 are shown in the screenshot. The table rows show that the LF-Tag is assigned to a database, two of the tables in the database, and by inheritance, the columns of those tables.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/resources-on-tags-2.png)

------
#### [ AWS CLI ]

**To view the resources that a LF-Tag is assigned to**
+ Run a `search-tables-by-lf-tags` or `search-databases-by-lf-tags` command.  
**Example**  

  The following example lists tables and columns that have the `level=vp` LF-Tag assigned. For each table and column listed, all assigned LF-Tags for the table or column are output, not just the search expression.

  ```
  aws lakeformation search-tables-by-lf-tags --expression TagKey=level,TagValues=vp
  ```

------

For more information about the required permissions, see [Lake Formation personas and IAM permissions reference](permissions-reference.md).

## Life cycle of a LF-Tag
<a name="lf-tag-life-cycle"></a>

1. The LF-Tag creator Michael creates a LF-Tag `module=Customers`.

1. Michael grants `Associate` on the LF-Tag to the data engineer Eduardo. Granting `Associate` implicitly grants `Describe`.

1. Michael grants `Super` on the table `Custs` to Eduardo with the grant option, so that Eduardo can assign LF-Tags to the table. For more information, see [Assigning LF-Tags to Data Catalog resources](TBAC-assigning-tags.md).

1. Eduardo assigns the LF-Tag `module=customers` to the table `Custs`.

1. Michael makes the following grant to data engineer Sandra (in pseudo-code).

   ```
   GRANT (SELECT, INSERT ON TABLES) ON TAGS module=customers TO Sandra WITH GRANT OPTION
   ```

1. Sandra makes the following grant to data analyst Maria.

   ```
   GRANT (SELECT ON TABLES) ON TAGS module=customers TO Maria
   ```

   Maria can now run queries on the `Custs` table.

**See also**  
[Metadata access control](access-control-metadata.md)

## Comparison of Lake Formation tag-based access control to IAM attribute-based access control
<a name="TBAC-comparison-ABAC"></a>

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called *tags*. You can attach tags to IAM resources, including IAM entities (users or roles) and to AWS resources. You can create a single ABAC policy or small set of policies for your IAM principals. These ABAC policies can be designed to allow operations when the principal's tag matches the resource tag. ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome.

Cloud security and governance teams use IAM to define access policies and security permissions for all resources including Amazon S3 buckets, Amazon EC2 instances and any resources you can reference with an ARN. The IAM policies define broad (coarse-grained) permissions to your data lake resources, for example, to allow or deny access at Amazon S3 bucket or prefix level or database level. For more information about IAM ABAC, see [What is ABAC for AWS?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) in the *IAM User Guide*.

For example, you can create three roles with the `project-access` tag key. Set the tag value of the first role to `Dev`, the second to `Marketing`, and the third to `Support`. Assign tags with the appropriate value to resources. You can then use a single policy that allows access when the role and the resource are tagged with the same value for `project-access`.

Data governance teams use Lake Formation to define fine-grained permissions to specific data lake resources. LF-Tags are assigned to Data Catalog resources (databases, tables, and columns) and are granted to principals. A principal with LF-Tags that match the LF-Tags of a resource can access that resource. Lake Formation permissions are secondary to IAM permissions. For example, if IAM permissions don't allow a user access to a data lake, Lake Formation doesn't grant access to any resource within that data lake to that user, even if the principal and resource have matching LF-Tags.

Lake Formation tag-based access control (LF-TBAC) works with IAM ABAC to provide additional levels of permissions for your Lake Formation data and resources. 
+ **Lake Formation TBAC permissions scale with innovation.** It's no longer necessary for an administrator to update existing policies to allow access to new resources. For example, assume that you use an IAM ABAC strategy with the `project-access` tag to provide access to specific databases within Lake Formation. Using LF-TBAC, the LF-Tag `Project=SuperApp` is assigned to specific tables or columns, and the same LF-Tag is granted to a developer for that project. Through IAM, the developer can access the database, and LF-TBAC permissions grant the developer further access to specific tables or columns within tables. If a new table is added to the project, the Lake Formation administrator only needs to assign the tag to the new table for the developer to be given access to the table.
+ **Lake Formation TBAC requires fewer IAM policies.** Because you use IAM policies to grant high level access to Lake Formation resources and Lake Formation TBAC for managing more precise data access, you create fewer IAM policies.
+ **Using Lake Formation TBAC, teams can change and grow quickly.** This is because permissions for new resources are automatically granted based on attributes. For example, if a new developer joins the project, it's easy to grant this developer access by associating the IAM role to the user and then assigning the required LF-Tags to the user. You don't have to change the IAM policy to support a new project or to create new LF-Tags. 
+ **Finer-grained permissions are possible using Lake Formation TBAC.** IAM policies grant access to the top-level resources, such as Data Catalog databases or tables. Using **Lake Formation TBAC**, you can grant access to specific tables or columns that contain specific data values.

**Note**  
IAM tags are not the same as LF-Tags. These tags are not interchangeable. LF-Tags are used to grant Lake Formation permissions and IAM tags are used to define IAM policies.

# Managing LF-Tag expressions for metadata access control
<a name="managing-tag-expressions"></a>

LF-Tag expressions are logical expressions composed of one or more LF-Tags (key-value pairs) used to grant permissions on AWS Glue Data Catalog resources. LF-Tag expressions allow you to define rules that govern access to your data resources based on their metadata tags. You can save these expressions and reuse them across multiple permission grants, ensuring consistency and making it straightforward to manage changes to the tag ontology over time.

Within a given LF-Tag expression, the tag keys are combined using the AND operation, while the values are combined using the OR operation. For example, the tag expression `content_type:Sales AND location:US` represents resources related to sales data in the US.

You can create up to 1000 LF-Tag expressions in an AWS account. These expressions provide a flexible and scalable way to manage permissions based on metadata tags, ensuring that only authorized users or applications can access specific data resources based on the defined tag rules.

LF-Tag expressions offer the following benefits: 
+ **Reusability** – By defining and saving LF-Tag expressions, you no longer need to manually replicate the same expressions when assigning permissions to other resources or principals.
+ **Consistency** – Reusing LF-Tag expressions across multiple permission grants ensures consistency in how permissions are granted and managed.
+ **Tag ontology management** – LF-Tag expressions help manage changes to the tag ontology over time, as you can update the saved expressions instead of modifying individual permission grants. 

For more information about tag-based access control, see [Lake Formation tag-based access control](tag-based-access-control.md). 

**LF-Tag expression creators**  
LF-Tag expression creator is a principal who has permissions to create and manage LF-Tag expressions. Data lake administrators can add LF-Tag expression creators using the Lake Formation console, CLI, API, or SDK. LF-Tag expression creators have implicit Lake Formation permissions to create, update, and delete LF-Tag expressions, and to grant LF-Tag expression permissions to other principals.

LF-Tag expression creators that are not data lake administrators receive implicit `Alter`, `Drop`, `Describe`, and `Grant with LF-Tag expression` permissions only for expressions they created. 

Data lake administrators can also grant LF-Tag expression creators grantable `Create LF-Tag expression` permissions. Then, the LF-Tag expression creator can grant the permission to create LF-Tag expressions to other principals.

**Topics**
+ [IAM permissions required to create LF-Tag expressions](#tag-expression-creator-permissions)
+ [Add LF-Tag expression creators](#add-lf-tag-expression-creator)
+ [Creating LF-Tag expressions](TBAC-creating-tag-expressions.md)
+ [Updating LF-Tag expressions](TBAC-updating-expressions.md)
+ [Deleting LF-Tag expressions](TBAC-deleting-expressions.md)
+ [Listing LF-Tag expressions](TBAC-listing-expressions.md)

**See also**  
[Managing LF-Tag value permissions](TBAC-granting-tags.md)
[Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md)
[Lake Formation tag-based access control](tag-based-access-control.md)

## IAM permissions required to create LF-Tag expressions
<a name="tag-expression-creator-permissions"></a>

 You must configure permissions to allow a Lake Formation principal to create LF-Tag expressions. Add the following statement to the permissions policy for the principal that needs to be an LF-Tag expression creator.

**Note**  
Although data lake administrators have implicit Lake Formation permissions to create, update, and delete LF-Tags and LF-Tag expressions, to assign LF-Tags to resources, and to grant LF-Tags and LF-Tag expression permission to principals, data lake administrators also need the following IAM permissions.

For more information, see [Lake Formation personas and IAM permissions reference](permissions-reference.md).

```
{
    "Sid": "Transformational",
    "Effect": "Allow",
    "Action": [
        "lakeformation:AddLFTagsToResource",
        "lakeformation:RemoveLFTagsFromResource",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListLFTags",
        "lakeformation:CreateLFTag",
        "lakeformation:GetLFTag",
        "lakeformation:UpdateLFTag",
        "lakeformation:DeleteLFTag",
        "lakeformation:SearchTablesByLFTags",
        "lakeformation:SearchDatabasesByLFTags",
        "lakeformation:CreateLFTagExpression",
        "lakeformation:DeleteLFTagExpression",
        "lakeformation:UpdateLFTagExpression",
        "lakeformation:GetLFTagExpression",
        "lakeformation:ListLFTagExpressions",
        "lakeformation:GrantPermissions",
        "lakeformation:RevokePermissions",
        "lakeformation:BatchGrantPermissions",
        "lakeformation:BatchRevokePermissions"
    ]
}
```

## Add LF-Tag expression creators
<a name="add-lf-tag-expression-creator"></a>

LF-Tag expression creators can create and save reusable LF-Tag expressions, update tag keys and values, delete expressions, and grant permissions on Data Catalog resources to principals using the LF-TBAC method. The LF-Tag expression creator can also grant these permissions to other principals.

You can create LF-Tag expression creator roles by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ console ]

**To add an LF-Tag expression creator**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose the **LF-Tag expressions** tab.

1. In the **LF-Tag expression creators** section, choose **Add LF-Tag expression creators**.  
![\[Form to add LF-Tag expression creators with IAM user selection and permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/add-lf-tag-expression-creator.png)

1. On the **Add LF-Tag expression creators** page, choose an IAM role or user who has the required permissions to create LF-Tag expressions.

1. Select the `Create LF-Tag expression` permission check box.

1. (Optional) To allow the selected principals to grant the `Create LF-Tag expression` permission to other principals, also select the grantable `Create LF-Tag expression` permission.

1. Choose **Add**.

------
#### [ AWS CLI ]

```
aws lakeformation grant-permissions --cli-input-json file://grantCreate

# Contents of the grantCreate file:
{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/tag-manager"
    },
    "Resource": {
        "Catalog": {}
    },
    "Permissions": [
        "CreateLFTagExpression"
    ],
    "PermissionsWithGrantOption": [
        "CreateLFTagExpression"
    ]
}
```

------

The LF-Tag expression creator role gets the ability to create, update, or delete LF-Tag expressions. 


| Permission | Description | 
| --- | --- | 
| Create | A principal with this permission can add LF-Tag expressions in the data lake. | 
| Drop | A principal with this permission on an LF-Tag expression can delete an LF-Tag expression from the data lake.  | 
| Alter | A principal with this permission on an LF-Tag expression can update the expression body of an LF-Tag expression. | 
| Describe | A principal with this permission on an LF-Tag expression can view the contents of an LF-Tag expression.  | 
| Grant with LF-Tag expression | This permission allows the recipient to use the tag expression as the resource when granting data or metadata access permissions. Granting Grant with LF-Tag expression implicitly grants Describe. | 
| Super | For LF-Tag expressions, the Super permission grants the ability to Describe, Alter, Drop, and grant permissions on the tag expression to other principals. | 

These permissions are grantable. A principal who has been granted these permissions with the grant option can grant them to other principals.

# Creating LF-Tag expressions
<a name="TBAC-creating-tag-expressions"></a>

You need to define all LF-Tags in Lake Formation and assign them to Data Catalog resources before they can be used to create expressions. An LF-Tag expression consists of one or more keys and one or more possible values for each key.

 After the data lake administrator has set up the required IAM permissions and Lake Formation permissions for the LF-Tag expression creator role, the principal can create reusable LF-Tag expressions. The LF-Tag expression creator gets implicit permissions to update the expression body, and delete the LF-Tag expression.

You can create LF-Tag expressions by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To create an LF-Tag expression**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a principal with LF-Tag expression creator permissions or as data lake administrator.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose **LF-Tag expressions**. The **Add LF-Tag expressions** page appears.  
![\[The page has fields to add a name, description, and a drop down to select expression body. Users can also have the option to grant permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/add-tag-expression.png)

1. Enter the following information:
   + Name – Enter a unique name for the expression. You can't update the expression name. 
   + Description – Provide an optional description for the expression with the details of the expression.
   + Expression – Create the expression by specifying tag keys and their associated values. You can add up to 50 keys per expression. You must have `Grant with LF-Tags` Lake Formation permission on all tags in expression body.

      Each key must have at least one value. To enter multiple values, either enter a comma-delimited list and then press **Enter**, or enter one value at a time and choose **Add** after each one. The maximum number of values permitted per key is 1000.

      Lake Formation uses the AND/OR logic to combine multiple keys and values in an expression. Within a single (key : list of values) pair, the values are combined using the logical OR operator. For example, if the pair is (Department : [Sales, Marketing]), it means the tag matches if the resource has the Department tag with value Sales OR Marketing. 

      When you specify multiple keys, the keys are joined by an AND logical operator. So if the full expression is (Department : [Sales, Marketing]) AND (Location : [US, Canada]), it matches resources that have the Department tag with value Sales OR Marketing, AND also have the Location tag with value US OR Canada. The following is another example with multiple keys and values:

     LF-Tag expression: (ContentType : [Video, Audio]) AND (Region : [Europe, Asia]) AND (Department : [Engineering, ProductManagement]).

     This expression would match resources that have:
     + The ContentType tag with value Video OR Audio, AND
     + The Region tag with value Europe OR Asia, AND
     + The Department tag with value Engineering OR ProductManagement.

    You can also save a tag expression when granting data lake permissions using LF-Tags. Choose the key and value pairs and choose the **Save as new expression** option. Enter a name that describes the expression.   
![\[The page has fields to select expression body and a filed to enter a name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/save-expression-grant.png)

1.  (Optional) Next, choose the users/roles, and the permissions on the expression that you want to grant to them in the account. You can also choose grantable permissions that allows the users to grant these permissions to other users in the account. You can't grant cross account permissions on the tag expressions.  
![\[The page shows the fields to select permission to grant to other principals.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-expression-permissions.png)

1. Choose **Add**.

------
#### [ AWS CLI ]

**To create an LF-Tag expression**
+ Enter a `create-lf-tag-expression` command.

  The following example creates an LF-Tag expression with the tag `Department` with values `Sales` and `Marketing`, AND the tag `Location` with the value `US`.

  ```
  aws lakeformation create-lf-tag-expression \
  --name "my-tag-expression" \
  --catalog-id "123456789012" \
  --expression '{"Expression":[{"TagKey":"Department","TagValues":["Sales","Marketing"]},{"TagKey":"Location","TagValues":["US"]}]}'
  ```

   This CLI command creates a new LF-Tag expression in the AWS Glue Data Catalog. The expression can be used to grant permissions on Data Catalog resources such as databases, tables, views, or columns based on their associated LF-Tags. In this example, the expression matches resources that have the `Department` key with value `Sales` or `Marketing`, and the `Location` key with value `US`. 

------

As the LF-Tag expression creator, the principal gets `Alter` permission on this LF-Tag expression and can update or remove it. The LF-Tag expression creator can also grant `Alter` permission to another principal so that principal can update or remove the expression. 
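As an added example (not from the Lake Formation documentation or AWS code), the following Python evaluates the `--expression` JSON body from the CLI example above against a set of constructed, hypothetically named resources, applying the rule this section and the expression overview describe: the values listed for one key are ORed, and the keys of the expression are ANDed. Resource names and tag assignments are constructed; the key and value limits it validates are the ones stated on this page.

```python
"""Evaluate an LF-Tag expression against tagged resources.

Added example, not AWS code. Implements the matching rule described on this
page: inside one key the listed values are ORed, and the keys of the
expression are ANDed. The expression format is the JSON body passed to
`create-lf-tag-expression --expression`; resources and their tag
assignments are constructed sample data (one value per key per resource,
which is how Lake Formation assigns LF-Tags to a resource).
"""
import json
from typing import Dict, List, Mapping

# Resource LF-Tags: tag key -> the single value assigned to that resource.
ResourceTags = Mapping[str, str]

# The expression from the CLI example above, exactly as passed to --expression.
EXPRESSION_JSON = (
    '{"Expression":[{"TagKey":"Department","TagValues":["Sales","Marketing"]},'
    '{"TagKey":"Location","TagValues":["US"]}]}'
)

# Constructed sample resources; the names are hypothetical.
RESOURCES: Dict[str, ResourceTags] = {
    "sales_db.us_orders": {"Department": "Sales", "Location": "US"},
    "marketing_db.us_leads": {"Department": "Marketing", "Location": "US"},
    "marketing_db.eu_campaigns": {"Department": "Marketing", "Location": "EU"},
    "hr_db.us_payroll": {"Department": "HR", "Location": "US"},
    "finance_db.ledger": {"Location": "US"},  # no Department tag at all
}


def parse_expression(expression_json: str) -> List[Dict[str, object]]:
    """Parse the --expression JSON and check the limits stated on this page:
    1 to 50 keys per expression, at least one and at most 1000 values per key."""
    clauses = json.loads(expression_json)["Expression"]
    if not 1 <= len(clauses) <= 50:
        raise ValueError("an expression needs between 1 and 50 keys")
    for clause in clauses:
        values = clause.get("TagValues") or []
        if not 1 <= len(values) <= 1000:
            raise ValueError(f"key {clause.get('TagKey')!r} needs 1 to 1000 values")
    return clauses


def expression_matches(clauses: List[Dict[str, object]], tags: ResourceTags) -> bool:
    """AND across keys, OR across the values listed for each key."""
    for clause in clauses:
        key, allowed = clause["TagKey"], clause["TagValues"]
        # A resource without the key cannot satisfy that clause, so the AND fails.
        if key not in tags:
            return False
        # Within one key, any of the listed values is enough (OR).
        if tags[key] not in allowed:
            return False
    return True


def matching_resources(expression_json: str,
                       resources: Mapping[str, ResourceTags]) -> List[str]:
    """Names of the resources that a grant on this expression would cover."""
    clauses = parse_expression(expression_json)
    return sorted(name for name, tags in resources.items()
                  if expression_matches(clauses, tags))


if __name__ == "__main__":
    for name in matching_resources(EXPRESSION_JSON, RESOURCES):
        print(name)  # prints marketing_db.us_leads and sales_db.us_orders
```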

# Updating LF-Tag expressions
<a name="TBAC-updating-expressions"></a>

Only data lake administrators, the LF-Tag expression creator, and principals that have `Alter` or `Super` permission on the LF-Tag expression can update an LF-Tag expression. In addition to `Alter` permission, you also need the `lakeformation:UpdateLFTagExpression` IAM permission and `Grant with LF-Tag` permission on all underlying keys-values on the new expression body to update expressions.

You update an LF-Tag expression by updating the description, expression body and permissions granted on the expression. You can't change the name of the LF-Tag expression. To change the name, delete the LF-Tag expression and add one with the required parameters. 

You can update an LF-Tag expression by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To update an LF-Tag expression**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator, the LF-Tag expression creator, or a principal with `Alter` permission on the LF-Tag expression.

1. In the navigation pane, under permissions, choose **LF-Tags and permissions**.

1. Choose the **LF-Tag expressions** tab.

1. On the **LF-Tag expressions** section, select an LF-Tag expression, and then choose **Edit**.

1. In the **Edit LF-Tag expression** dialog box, update the description and update the expression body by adding or removing keys and values.

   To add multiple values, in the **Values** field, choose the values from the drop down.

1. Choose **Save**.

------
#### [ AWS CLI ]

 The update-lf-tag-expression command in Lake Formation allows you to update an existing LF-Tag expression. 

```
aws lakeformation update-lf-tag-expression \
--name expression_name \
--description new_description \
--catalog-id catalog_id \
--expression '{"Expression": [{"TagKey": "tag_key", "TagValues": ["tag_value1", "tag_value2", ...]}]}'
```

Here's what the parameters in the command mean: 
+ `name` – The name of the existing LF-Tag expression that you want to update. 
+ `description` – A new description for the expression.
+ `catalog-id` – The ID of the Data Catalog where the LF-Tag expression resides. 
+ `expression` – The new expression body that replaces the existing one.

------

# Deleting LF-Tag expressions
<a name="TBAC-deleting-expressions"></a>

You can delete LF-Tag expressions that are no longer in use. If you have granted permissions to principals on Data Catalog resources using the LF-Tag expression, they will no longer have the permissions.

Only data lake administrators, the LF-Tag expression creator, or a principal with `Drop` permission on the LF-Tag expression can delete an LF-Tag expression. In addition to the `Drop` permission, the principal also needs `lakeformation:DeleteLFTagExpression` IAM permission to delete an LF-Tag expression.

You can delete an LF-Tag expression by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To delete an LF-Tag expression (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator, the LF-Tag expression creator, or a principal that has permissions to delete the expression.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose the **LF-Tag expressions** tab.

1. On the **LF-Tag expressions** section, select an LF-Tag expression, and then choose **Delete**.

1. In the **Delete LF-Tag expression?** dialog box, to confirm the deletion, enter the LF-Tag expression name in the designated field and then choose **Delete**.

------
#### [ AWS CLI ]

**To delete an LF-Tag expression (AWS CLI)**
+ Enter a `delete-lf-tag-expression` command. Provide the expression name and catalog ID to delete.  
**Example**  

  The following example deletes the LF-Tag expression with the name `my-tag-expression` from the Data Catalog with ID `123456789012`. The `catalog-id` parameter is optional if you're using the same account as your AWS CLI configuration. After deleting an LF-Tag expression, Lake Formation cleans up the associated permission records for that expression. This includes both individual permission records and aggregate permission records that contain the deleted expression.

  ```
  aws lakeformation delete-lf-tag-expression \
  --name "my-tag-expression" \
  --catalog-id "123456789012"
  ```

------

# Listing LF-Tag expressions
<a name="TBAC-listing-expressions"></a>

You can list the LF-Tag expressions that you have the `Describe` permission on. Data lake administrators, LF-Tag expression creators, and read-only administrators can implicitly see all LF-Tag expressions in their account. 

You can list LF-Tag expressions by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To list LF-Tag expressions (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag expression creator, as a data lake administrator, or as a principal that has been granted permissions on LF-Tag expressions and that has the `lakeformation:ListLFTagExpressions` IAM permission.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose the **LF-Tag expressions** tab to see the expressions. This section shows information about the existing LF-Tag expressions, including the expression name, the expression itself with links to the included LF-Tags, and options to create, edit, or delete expressions. 

------
#### [ AWS CLI ]

**To list LF-Tag expressions (AWS CLI)**
+ To list LF-Tag expressions using the AWS CLI, you can use the list-lf-tag-expressions command. The request syntax is: 

  ```
  aws lakeformation list-lf-tag-expressions \
  --catalog-id "123456789012" \
  --max-items "100" \
  --next-token "next-token"
  ```

   Where:
  + `catalog-id` is the AWS account ID of the Data Catalog you want to list tag expressions for.
  + `max-items` specifies the maximum number of tag expressions to return. If this parameter is not used, the default value is 100.
  + `next-token` is a continuation token if the results were truncated in a previous request.

  The response will include a list of LF-Tag expressions and a next token if applicable. 

------

# Managing LF-Tag value permissions
<a name="TBAC-granting-tags"></a>

You can grant the `Drop` and `Alter` permissions on LF-Tags to principals so that they can manage LF-Tag values. You can also grant `Describe`, `Associate`, and `Grant with LF-Tag expressions` permissions on LF-Tags to principals so that they can view the LF-Tags and assign them to Data Catalog resources (databases, tables, and columns). When LF-Tags are assigned to Data Catalog resources, you can use the Lake Formation tag-based access control (LF-TBAC) method to secure those resources. For more information, see [Lake Formation tag-based access control](tag-based-access-control.md).

You can grant these permissions with the grant option so that other principals can grant them. The `Grant with LF-Tag expressions`, `Describe`, and `Associate` permissions are explained in [Add LF-Tag creators](TBAC-adding-tag-creator.md#add-lf-tag-creator).

You can grant the `Describe` and `Associate` permissions on a LF-Tag to an external AWS account. A data lake administrator in that account can then grant those permissions to other principals in the account. Principals to whom the data lake administrator in the external account grants the `Associate` permission can then assign LF-Tags to Data Catalog resources that you shared with their account.

When granting to an external account, you must include the grant option.

You can grant permissions on LF-Tags by using the Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

**Topics**
+ [Listing LF-Tag permissions using the console](TBAC-listing-tag-perms-console.md)
+ [Granting LF-Tag permissions using the console](TBAC-granting-tags-console.md)
+ [Managing LF-Tag permissions using the AWS CLI](TBAC-granting-revoking-tags-cli.md)

For more information see [Managing LF-Tags for metadata access control](managing-tags.md) and [Lake Formation tag-based access control](tag-based-access-control.md).

# Listing LF-Tag permissions using the console
<a name="TBAC-listing-tag-perms-console"></a>

You can use the Lake Formation console to view the permissions granted on LF-Tags. You must be an LF-Tag creator, a data lake administrator, or have the `Describe` or `Associate` permission on an LF-Tag to see it.

**To list LF-Tag permissions (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag creator, a data lake administrator, or as a user to whom the `Drop`, `Alter`, `Associate`, or `Describe` permissions on LF-Tags have been granted.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**, and choose **LF-Tag permissions** section.

   The **LF-Tag permissions** section shows a table that contains principal, tag keys, values, and permissions.  
![\[The page includes a table of permissions with the following columns: Principal, Principal type, Keys, Values, Permissions, and Grantable. There are five rows. To the left of each row is a radio button. Above the table are a search field and these buttons: Refresh, View, Revoke, and Grant. Because no row is initially selected, the View and Revoke buttons are disabled. The values in the first row are: Principal=arn:aws:iam::111122223333:user/datalake_admin, Principal type=IAM user, Keys=environment, Values=All values, Permissions=DESCRIBE, Grantable=DESCRIBE.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/list-tag-permissions-page.png)

# Granting LF-Tag permissions using the console
<a name="TBAC-granting-tags-console"></a>

The following steps explain how to grant permissions on LF-Tags by using the **Grant LF-Tag permissions** page on the Lake Formation console. The page is divided into these sections:
+ **Permission types** – The type of permission to grant.
+ **Principals** – The IAM users or roles, or SAML users or roles to grant permissions to.
+ **LF-Tag key-value pair permissions** – The LF-Tag key-value pairs to grant permissions on.
+ **LF-Tag permissions** – The LF-Tags to grant permissions on.
+ **LF-Tag expression permissions** – The LF-Tag expressions to grant permissions on.
+ **Permissions** – The permissions to grant.

## Open the **Grant LF-Tag permissions** page
<a name="tag-start-grant"></a>

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag creator, a data lake administrator, or as a user to whom LF-Tag permissions or LF-Tag key-value pair permissions have been granted with the grant option.

1. In the navigation pane, choose **LF-Tags and permissions**, choose **LF-Tag permissions** section.

1. Choose **Grant permissions**.

## Specify the permissions type
<a name="grant-tag-permission-type"></a>

In the **Permissions type** section, choose a permissions type.

LF-Tag permissions  
Choose **LF-Tag permissions** to allow principals to update LF-Tag values or delete LF-Tags.

LF-Tag key-value pair permissions  
Choose **LF-Tag key-value pair permissions** to allow principals to assign LF-Tags to Data Catalog resources, view LF-Tags and their values, and grant LF-Tag-based permissions on Data Catalog resources to other principals.  
The options available in the following sections depend on the **Permissions type**.

LF-Tag expression permissions  
Choose **LF-Tag expression permissions** to allow principals to update or delete LF-Tag expressions.

## Specify the principals
<a name="grant-tags-principals"></a>

**Note**  
You can't grant LF-Tag permissions (`Alter` and `Drop`) to external accounts or principals in another account.

In the **Principals** section, choose a principal type and specify principals to grant permissions to.

![\[The principals section contains three tiles that are named in the following text. Each tile contains an option button and text. The IAM users and roles tile is selected, and an IAM users and roles dropdown list is below the tiles.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-tags-principals-section.png)


**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.

**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Quick users or groups. Press **Enter** after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported for Quick Enterprise Edition only.

**External accounts**  
For **AWS account**, enter one or more valid AWS account IDs. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10 to 32 lower-case letters or digits.  
An organizational unit ID starts with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.  
For IAM principal, enter the ARN for the IAM user or role.

## Specify the LF-Tags
<a name="grant-tags-tags"></a>

To grant permissions on LF-Tags, in the **LF-Tag permissions** section, specify the LF-Tags to grant permissions on.

![\[The LF-Tags section shows two rows of fields, where each row, going from left to right, has a Key field, a Value field, and a Remove button. The Value field is a drop-down list. Beneath the two rows of fields is an Add LF-Tag button. The first row shows "module" in the Key field, and beneath the Values field are two small tiles that contain Orders and Sales, respectively, indicating that the use has chosen Orders and Sales as the values for the key module. Each tile has an X that you can click (like a close box) to delete the tile. The second row if fields is empty.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-tags-tags-section-2.png)

+ Choose one or more LF-Tags using the drop-down.

## Specify the LF-Tag key-value pairs
<a name="w2aac15b9c27c19c21c15"></a>

1. To grant permissions on LF-Tag key-value pairs (first choose **LF-Tag key-value pair permissions** as the **Permission type**), choose **Add LF-Tag key-value pair** to reveal the first row of fields for specifying an LF-Tag key and values.  
![\[Interface for adding LF-Tag key-value pairs and setting associated permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/tag-key-value-pair.png)

1. Position the cursor in the **Key** field, optionally start typing to narrow down the selection list, and select a LF-Tag key.

1. In the **Values** list, select one or more values, and then press **Tab** or click or tap outside the field to save the selected values.
**Note**  
If one of the rows in the **Values** list has focus, pressing **Enter** selects or clears the check box.

   The selected values appear as tiles below the **Values** list. Choose the ✖ to remove a value. Choose **Remove** to remove the entire LF-Tag.

1. To add another LF-Tag, choose **Add LF-Tag** again, and repeat the previous two steps.

## Specify the LF-Tag expressions
<a name="w2aac15b9c27c19c21c17"></a>

1. To grant permissions on LF-Tag expressions, first choose **LF-Tag expression permissions** as the **Permission type**.  
![\[Permission type selection interface with LF-Tag expression permissions highlighted.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/tag-expression.png)

1. Choose a LF-Tag expression.

1. The selected expressions appear as tiles below the **LF-Tag expressions** list. Choose the ✖ to remove an expression.

1. To add another LF-Tag expression, choose another expression.

## Specify the permissions
<a name="grant-tags-permissions"></a>

This section shows the **LF-Tag permissions**, **LF-Tag key-value pair permissions**, or **LF-Tag expression permissions** options, based on the **Permission type** you chose in the previous step.

Depending on the **Permission type** you chose to grant, select the **LF-Tag permissions** or **LF-Tag key-value pair permissions**, and grantable permissions.

1. Under **LF-Tag permissions**, select the permissions to grant.

   Granting **Drop** and **Alter** implicitly grants **Describe**. 

   You need to grant **Alter** and **Drop** permissions on all tag values.

1. Under **LF-Tag key-value pair permissions**, select the permissions to grant.

   Granting **Associate** implicitly grants **Describe**. Choose **Grant with LF-Tag expression** to allow the grant recipient to grant or revoke access permissions on Data Catalog resources using LF-TBAC method.

1. Under **LF-Tag expression permissions**, select the permissions to grant.

   Granting **Drop** and **Alter** implicitly grants **Describe**. 

   Granting the **Super** permission grants all available permissions.

1. (Optional) Under **Grantable permissions**, select the permissions that the grant recipient can grant to other principals in their AWS account.

1. Choose **Grant**.

# Managing LF-Tag permissions using the AWS CLI
<a name="TBAC-granting-revoking-tags-cli"></a>

You can grant, revoke, and list permissions on LF-Tags by using the AWS Command Line Interface (AWS CLI).

**To list LF-Tag permissions (AWS CLI)**
+ Enter a `list-permissions` command. You must be the LF-Tag creator, a data lake administrator, or have the `Drop`, `Alter`, `Describe`, `Associate`, or `Grant with LF-Tag permissions` permission on an LF-Tag to see it.

  The following command requests all LF-Tags that you have permissions on.

  ```
  aws lakeformation list-permissions --resource-type LF_TAG
  ```

  The following is sample output for a data lake administrator, who sees all LF-Tags granted to all principals. Non-administrative users see only LF-Tags granted to them. LF-Tag permissions granted from an external account appear on a separate results page. To see them, repeat the command and supply the `--next-token` argument with the token returned from the previous command run.

  ```
  {
      "PrincipalResourcePermissions": [
          {
              "Principal": {
                  "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_admin"
              },
              "Resource": {
                  "LFTag": {
                      "CatalogId": "111122223333",
                      "TagKey": "environment",
                      "TagValues": [
                          "*"
                      ]
                  }
              },
              "Permissions": [
                  "ASSOCIATE"
              ],
              "PermissionsWithGrantOption": [
                  "ASSOCIATE"
              ]
          },
          {
              "Principal": {
                  "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"
              },
              "Resource": {
                  "LFTag": {
                      "CatalogId": "111122223333",
                      "TagKey": "module",
                      "TagValues": [
                          "Orders",
                          "Sales"
                      ]
                  }
              },
              "Permissions": [
                  "DESCRIBE"
              ],
              "PermissionsWithGrantOption": []
          },
  ...
      ],
      "NextToken": "eyJzaG91bGRRdWVy...Wlzc2lvbnMiOnRydWV9"
  }
  ```

  You can list all grants for a specific LF-Tag key. The following command returns all permissions granted on the LF-Tag `module`.

  ```
  aws lakeformation list-permissions --resource-type LF_TAG --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
  ```

  You can also list LF-Tag values granted to a specific principal for a specific LF-Tag. When supplying the `--principal` argument, you must supply the `--resource` argument. Therefore, the command can only effectively request the values granted to a specific principal for a specific LF-Tag key. The following command shows how to do this for the principal `datalake_user1` and the LF-Tag key `module`.

  ```
  aws lakeformation list-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --resource-type LF_TAG --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
  ```

  The following is sample output.

  ```
  {
      "PrincipalResourcePermissions": [
          {
              "Principal": {
                  "DataLakePrincipalIdentifier": "arn:aws:iam::111122223333:user/datalake_user1"
              },
              "Resource": {
                  "LFTag": {
                      "CatalogId": "111122223333",
                      "TagKey": "module",
                      "TagValues": [
                          "Orders",
                          "Sales"
                      ]
                  }
              },
              "Permissions": [
                  "ASSOCIATE"
              ],
              "PermissionsWithGrantOption": []
          }
      ]
  }
  ```

**To grant permissions on LF-Tags (AWS CLI)**

1. Enter a command similar to the following. This example grants to user `datalake_user1` the `Associate` permission on the LF-Tag with the key `module`. It grants permissions to view and assign all values for that key, as indicated by the asterisk (`*`).

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
   ```

   Granting the `Associate` permission implicitly grants the `Describe` permission.

   The next example grants `Associate` to the external AWS account 1234-5678-9012 on the LF-Tag with the key `module`, with the grant option. It grants permissions to view and assign only the values `sales` and `orders`.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=123456789012 --permissions "ASSOCIATE" --permissions-with-grant-option "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["sales", "orders"]}}'
   ```

1. Granting the `GrantWithLFTagExpression` permission implicitly grants the `Describe` permission.

   The next example grants `GrantWithLFTagExpression` to a user on the LF-Tag with the key `module`, with the grant option. It grants permissions to view and grant permissions on Data Catalog resources using only the values `sales` and `orders`.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "GrantWithLFTagExpression" --permissions-with-grant-option "GrantWithLFTagExpression" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["sales", "orders"]}}'
   ```

1. The next example grants `Drop` permissions to a user on the LF-Tag with the key `module`, with the grant option. It grants permissions to delete the LF-Tag. To delete a LF-Tag, you need permissions on all values for that key.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "DROP" --permissions-with-grant-option "DROP" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
   ```

1. The next example grants `Alter` permissions to the user on the LF-Tag with the key `module`, with the grant option. It grants permissions to update the LF-Tag. To update a LF-Tag, you need permissions on all values for that key.

   ```
   aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=111122223333 --permissions "ALTER" --permissions-with-grant-option "ALTER" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
   ```

**To revoke permissions on LF-Tags (AWS CLI)**
+ Enter a command similar to the following. This example revokes the `Associate` permission on the LF-Tag with the key `module` from user `datalake_user1`.

  ```
  aws lakeformation revoke-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "ASSOCIATE" --resource '{ "LFTag": {"CatalogId":"111122223333","TagKey":"module","TagValues":["*"]}}'
  ```

# Granting data lake permissions using the LF-TBAC method
<a name="granting-catalog-perms-TBAC"></a>

You can grant the `DESCRIBE` and `ASSOCIATE` Lake Formation permissions on LF-Tags to principals so that they can view the LF-Tags and assign them to Data Catalog resources (databases, tables, views, and columns). When LF-Tags are assigned to Data Catalog resources, you can use the Lake Formation tag-based access control (LF-TBAC) method to secure those resources. For more information, see [Lake Formation tag-based access control](tag-based-access-control.md).

At first, only the data lake administrator can grant these permissions. If the data lake administrator grants these permissions with the grant option, other principals can grant them. The `DESCRIBE` and `ASSOCIATE` permissions are explained in [Lake Formation tag-based access control best practices and considerations](lf-tag-considerations.md).

You can grant the `DESCRIBE` and `ASSOCIATE` permissions on a LF-Tag to an external AWS account. A data lake administrator in that account can then grant those permissions to other principals in the account. Principals to whom the data lake administrator in the external account grants the `ASSOCIATE` permission can then assign LF-Tags to Data Catalog resources that you shared with their account.

When granting to an external account, you must include the grant option.

You can grant permissions on LF-Tags by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

**Note**  
The following steps are not needed for S3 Tables catalogs. You can use LF-Tags to grant permissions on existing S3 Tables catalogs without deleting and recreating them.

**Enabling LF-Tags support for existing federated catalogs that use Lake Formation permissions**

Follow these steps if you have existing federated catalogs that use Lake Formation permissions, such as Amazon Redshift or Amazon DynamoDB catalogs that were created before LF-Tags support was available for federated catalogs.

1. Delete the existing catalog – Call the `deleteCatalog` API operation to remove the existing federated catalog that uses Lake Formation permissions.

1. Create a new federated catalog – Create a new catalog and point the new catalog to your existing namespace/datashare.

   Use a new name for the catalog – This process updates your pre-existing federated catalogs to support LF-Tag functionality. If you want to keep the same catalog name, contact the AWS Support team for assistance.

**Topics**
+ [Granting Data Catalog permissions](#granting-cat-perms-TBAC-console)

**See also**  
[Managing LF-Tag value permissions](TBAC-granting-tags.md)
[Managing LF-Tags for metadata access control](managing-tags.md)
[Lake Formation tag-based access control](tag-based-access-control.md)

## Granting Data Catalog permissions
<a name="granting-cat-perms-TBAC-console"></a>

Use the Lake Formation console or AWS CLI to grant Lake Formation permissions on Data Catalog databases, tables, views, and columns using the Lake Formation tag-based access control (LF-TBAC) method.

------
#### [ Console ]

The following steps explain how to grant permissions by using the Lake Formation tag-based access control (LF-TBAC) method and the **Grant data lake permissions** page on the Lake Formation console. The page is divided into the following sections:
+ **Principals** – The users, roles, and AWS accounts to grant permissions to.
+ **LF-Tags or catalog resources** – The databases, tables, or resource links to grant permissions on.
+ **Permissions** – The Lake Formation permissions to grant.

1. 

**Open the Grant data lake permissions page.**

   Open the AWS Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator or as a user who has been granted Lake Formation permissions on Data Catalog resources through LF-TBAC with the grant option.

   In the navigation pane, under **Permissions**, choose **Data lake permissions**. Then choose **Grant**.

1. 

**Specify the principals.**

    In the **Principals** section, choose a principal type and then specify principals to grant permissions to.  
![\[The Principals section contains four tiles that are named in the following text. Each tile contains a option button and text. The IAM Identity Center tile is selected, and users and groups dropdown list is below the tiles.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/identity-center-grant-perm.png)  
**IAM users and roles**  
Choose one or more users or roles from the **IAM users and roles** list.  
**IAM Identity Center**  
Choose one or more users or groups from the **Users and groups** list.  
**SAML users and groups**  
For **SAML and Quick users and groups**, enter one or more Amazon Resource Names (ARNs) for users or groups federated through SAML, or ARNs for Quick users or groups. Press Enter after each ARN.  
For information about how to construct the ARNs, see [Lake Formation grant and revoke AWS CLI commands](lf-permissions-reference.md#perm-command-format).  
Lake Formation integration with Quick is supported for Quick Enterprise Edition only.  
**External accounts**  
For **AWS accounts, AWS organization**, or **IAM principal**, enter one or more valid AWS account IDs, organization IDs, organizational unit IDs, or ARNs for IAM users or roles. Press **Enter** after each ID.  
An organization ID consists of "o-" followed by 10 to 32 lower-case letters or digits.  
An organizational unit ID starts with "ou-" followed by 4 to 32 lowercase letters or digits (the ID of the root that contains the OU). This string is followed by a second "-" dash and 8 to 32 additional lowercase letters or digits.

1. 

**Specify the LF-Tags.**

   Ensure that the **Resources matched by LF-Tags** option is chosen. Choose **LF-Tag key-value pairs** or **Saved LF-Tag expressions**.

   1. If you choose the **LF-Tag key-value pairs** option, choose the keys and values.

      If you choose more than one value, you are creating a LF-Tag expression with an `OR` operator. This means that if any of the LF-Tag values match a LF-Tag assigned to a Data Catalog resource, you are granted permissions on the resource.  
![\[The LF-Tag or catalog resources section contains two tiles arranged horizontally, where each tile contains an option button and descriptive text. The options are Resources matched by LF-Tags (recommended), and Named data catalog resources. Resources matched by LF-Tags is selected. Below the tiles are a Key field and a Values field arranged horizontally. The Key field contains "module" and the Values field is a dropdown list that contains three entries: Orders, Sales, and Customers. Each entry has a check box associated. The check box for Customers is selected. To the right of these two fields is a Remove button. At the bottom is an Add LF-Tag button, indicating that you can add another row containing the Key and Values fields and a Remove button.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-data-permissions-tags-2.png)

   1. (Optional) Choose **Add LF-Tag key-value pair** again to specify another LF-Tag.

      If you specify more than one LF-Tag, you are creating a LF-Tag expression with an `AND` operator. The principal is granted permissions on a Data Catalog resource only if the resource was assigned a matching LF-Tag for each LF-Tag in the LF-Tag expression.

   1. Choose the **Save as a new expression** option to reuse the expression.

      You need the `Create LF-Tag expression` permission to save expressions.

      For more information about LF-Tag expressions, see [Managing LF-Tag expressions for metadata access control](managing-tag-expressions.md).

1. 

**Specify the permissions.**

   Specify the permissions that you want to grant the principal on matching Data Catalog resources. Matching resources are those resources that were assigned LF-Tags that match one of the LF-Tag expressions granted to the principal. 

   You can specify the permissions to grant on matching databases, matching tables, and matching views.  
![\[Two sections of the page are shown. The Database permissions section contains check boxes for database permissions and grantable permissions. Beneath the Database section, the Table permissions section shows the check boxes for table permissions and grantable permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-TBAC-DB-table-permissions.png)

   Under **Database permissions**, select the database permissions to grant to the principal on matching databases.

   Under **Table permissions**, select the table or view permissions to grant to the principal on matching tables and views.

   You can also choose the `Select`, `Describe`, and `Drop` permissions in the **Table permissions** section to apply them to views.

1. Choose **Grant**.

------
#### [ AWS CLI ]

You can use the AWS Command Line Interface (AWS CLI) and the Lake Formation tag-based access control (LF-TBAC) method to grant Lake Formation permissions on Data Catalog databases, tables, and columns.

**Granting data lake permissions using the AWS CLI and the LF-TBAC method**
+ Use the `grant-permissions` command.  
**Example**  

  The following example grants the LF-Tag expression "`module=*`" (all values of the LF-Tag key `module`) to user `datalake_user1`. That user will have the `CREATE_TABLE` permission on all matching databases—databases that have been assigned the LF-Tag with the key `module`, with any value.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "CREATE_TABLE" --resource '{ "LFTagPolicy": {"CatalogId":"111122223333","ResourceType":"DATABASE","Expression":[{"TagKey":"module","TagValues":["*"]}]}}' 
  ```  
**Example**  

  The next example grants the LF-Tag expression "`(level=director) AND (region=west OR region=south)`" to user `datalake_user1`. That user will have the `SELECT`, `ALTER`, and `DROP` permissions with the grant option on matching tables—tables that have been assigned both `level=director` and (`region=west` or `region=south`).

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=arn:aws:iam::111122223333:user/datalake_user1 --permissions "SELECT" "ALTER" "DROP" --permissions-with-grant-option "SELECT" "ALTER" "DROP" --resource '{ "LFTagPolicy": {"CatalogId":"111122223333","ResourceType":"TABLE","Expression": [{"TagKey": "level","TagValues": ["director"]},{"TagKey": "region","TagValues": ["west", "south"]}]}}'
  ```  
**Example**  

  This next example grants the LF-Tag expression "`module=orders`" to the AWS account 1234-5678-9012. The data lake administrator in that account can then grant the "`module=orders`" expression to principals in their account. Those principals will then have the `CREATE_TABLE` permission on matching databases owned by account 1111-2222-3333 and shared with account 1234-5678-9012 by using either the named resource method or the LF-TBAC method.

  ```
  aws lakeformation grant-permissions --principal DataLakePrincipalIdentifier=123456789012 --permissions "CREATE_TABLE" --permissions-with-grant-option "CREATE_TABLE" --resource '{ "LFTagPolicy": {"CatalogId":"111122223333","ResourceType":"DATABASE","Expression":[{"TagKey":"module","TagValues":["orders"]}]}}'
  ```
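To see which tagged resources a grant like the ones above reaches, the following added Python example (not from the AWS documentation or any AWS SDK) applies the page's matching rules to a constructed inventory of tagged tables: keys in an expression are AND'ed, values of one key are OR'ed, and `*` accepts any value of that key. It also builds the `--resource` JSON value from the same `Expression` list; the `module=*` grant is applied here to the same table inventory for comparison.

```python
"""Added example, not from the AWS documentation: evaluate a LF-TBAC grant
expression against the LF-Tags assigned to Data Catalog resources."""
import json


def lf_tag_expression_matches(expression, resource_tags):
    """Return True when a resource's assigned LF-Tags satisfy the expression.

    expression: the "Expression" list from an LFTagPolicy, e.g.
        [{"TagKey": "level", "TagValues": ["director"]},
         {"TagKey": "region", "TagValues": ["west", "south"]}]
    resource_tags: {key: value} of LF-Tags assigned to one resource (a
        resource carries at most one value per LF-Tag key).

    Rules from the page: every key in the expression must be present on the
    resource (AND across keys); the assigned value must be one of the listed
    values (OR across values); "*" accepts any value of that key.
    """
    for term in expression:
        key = term["TagKey"]
        if key not in resource_tags:
            return False  # untagged for this key: never matches
        if "*" in term["TagValues"]:
            continue  # wildcard: any value of this key is accepted
        if resource_tags[key] not in term["TagValues"]:
            return False
    return True


def matching_resources(expression, inventory):
    """Names of the resources in inventory ({name: tags}) that the grant reaches."""
    return sorted(name for name, tags in inventory.items()
                  if lf_tag_expression_matches(expression, tags))


def lf_tag_policy_resource(catalog_id, resource_type, expression):
    """Build the --resource JSON value for `aws lakeformation grant-permissions`."""
    return json.dumps({"LFTagPolicy": {"CatalogId": catalog_id,
                                       "ResourceType": resource_type,
                                       "Expression": expression}})


# The second grant on the page: (level=director) AND (region=west OR region=south).
DIRECTOR_WEST_OR_SOUTH = [
    {"TagKey": "level", "TagValues": ["director"]},
    {"TagKey": "region", "TagValues": ["west", "south"]},
]

# The first grant on the page: module=* (any value of the key `module`).
ANY_MODULE = [{"TagKey": "module", "TagValues": ["*"]}]

# Constructed sample inventory: table name -> LF-Tags assigned to it.
SAMPLE_TABLES = {
    "sales.west_q1": {"level": "director", "region": "west", "module": "Sales"},
    "sales.south_q1": {"level": "director", "region": "south", "module": "Sales"},
    "sales.east_q1": {"level": "director", "region": "east", "module": "Sales"},
    "hr.payroll": {"level": "analyst", "region": "west"},
    "ops.untagged": {},
}

if __name__ == "__main__":
    print("director+west/south:", matching_resources(DIRECTOR_WEST_OR_SOUTH, SAMPLE_TABLES))
    print("module=*:", matching_resources(ANY_MODULE, SAMPLE_TABLES))
    print(lf_tag_policy_resource("111122223333", "TABLE", DIRECTOR_WEST_OR_SOUTH))
```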

------

# Attribute-based access control
<a name="attribute-based-access-control"></a>

In AWS Lake Formation, you can grant access on AWS Glue Data Catalog objects such as catalogs, databases, tables, and data filters using attributes that are IAM tags and session tags associated with IAM entities such as roles and users.

For more information about using session tags, see [assume-role](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html) in the AWS CLI user guide.

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. AWS calls these attributes *tags*. You can use ABAC to grant access to principals within the same account or in another account on the Data Catalog resources. Any IAM principal with matching IAM tag or session tag keys and values gains access to the resource. You must have grantable permissions on the resources to make these grants.

ABAC allows you to grant access to multiple users at the same time. When new users join the organization, their access to data can be automatically determined based on their attributes, such as their job function or department, without requiring administrators to manually assign specific roles or permissions. By using attributes instead of roles, ABAC provides a more streamlined and maintainable way to manage data access across diverse systems and environments, ultimately enhancing data governance and compliance.

For more information about defining attributes, see [Define permissions based on attributes with ABAC authorization](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html).

For information on limitations, considerations, and supported AWS Regions, see [Attribute-based access control considerations, limitations, and supported regions](abac-considerations.md).

**Topics**
+ [Prerequisites for granting permissions using attributes](abac-prerequisites.md)
+ [Granting permissions using attribute-based access control](abac-granting-permissions.md)

# Prerequisites for granting permissions using attributes
<a name="abac-prerequisites"></a>

To grant permissions using attribute-based access control (ABAC), you must complete the following prerequisites:
+ Update the **Data Catalog settings** to enable Lake Formation permissions for Data Catalog objects. For more information, see the [Change the default permission model or use hybrid access mode](https://docs.aws.amazon.com/lake-formation/latest/dg/initial-lf-config.html#setup-change-cat-settings) section.
+ Set the cross-account version setting to version 2 or higher.
+ [Attach attributes](https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) to the IAM entities that require access.
+ Only a data lake administrator or an IAM user with the required permissions can grant access on Data Catalog objects. For more information on required permissions, see [IAM permissions](https://docs.aws.amazon.com/lake-formation/latest/dg/required-permissions-for-grant.html).

# Granting permissions using attribute-based access control
<a name="abac-granting-permissions"></a>

This topic describes the steps you need to follow to grant attribute-based access permissions on Data Catalog resources. You can use the Lake Formation console or the AWS Command Line Interface (AWS CLI). 

## Granting permissions using ABAC (AWS Management Console)
<a name="w2aac15b9c31c19b5b1"></a>

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/), and sign in as a data lake administrator, the resource creator, or an IAM user who has **Grantable permissions** on the resource.

1. Do one of the following:
   + In the navigation pane, under **Permissions**, choose **Data lake permissions**. Then choose **Grant**.
   + In the navigation pane, choose **Catalogs** under **Data Catalog**. Then choose a catalog object (a catalog, database, table, or data filter), and from the **Actions** menu, under **Permissions**, choose **Grant**.

1. On the **Grant permissions** page, choose **Principals by attribute**.

1. Specify the attribute key and value(s). If you choose more than one value, you are creating an attribute expression with an `OR` operator. This means that if any of the attribute tag values assigned to an IAM role or user match, the role/user gains access permissions on the resource.

   If you specify more than one attribute tag, you are creating an attribute expression with an `AND` operator. The principal is granted permissions on a Data Catalog resource only if the IAM role/user was assigned a matching tag for each attribute tag in the attribute expression.

   Review the resulting Cedar policy expression shown in the console.  
![\[In the Grant permissions dialog box, an attribute expression is created.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/abac-grant-permissions.png)

1. Choose the permission scope. If the grantees belong to an external account, choose **External account** and enter the AWS account ID.

1. Next, choose whether the Data Catalog resources are in your account or in an external account. You must have corresponding grantable permissions on the resources to successfully complete the permission grants.

1. Specify which actions you want to allow principals (users or roles) with matching attributes to perform. Access is granted to IAM entities that have been assigned tags and values that match at least one of your specified attribute expressions. Review the Cedar policy expression in the console. For more information about Cedar, see [What is Cedar?](https://docs.cedarpolicy.com/) in the *Cedar Policy Language Reference Guide*.

1. Next, choose the Data Catalog resources to grant access on. You can define these permissions for various Data Catalog resources, including catalogs, databases, tables, and data filters.

1. Choose **Grant**.

   This approach allows you to control access based on attributes, ensuring that only users or roles with the appropriate tags can perform specific actions on the designated resources.

## Granting permissions using ABAC (AWS CLI)
<a name="abac-granting-permissions-cli"></a>

The following example shows an attribute expression that an IAM principal must satisfy to receive all available permissions on the resource. You can alternatively specify individual permissions such as `Select`, `Describe`, or `Drop`. The condition is written in the Cedar policy language. For more information about Cedar, see [What is Cedar?](https://docs.cedarpolicy.com/) in the *Cedar Policy Language Reference Guide*.

This condition checks that the IAM principal has a `department` tag and that its value equals `sales`.

```
aws lakeformation grant-permissions \
--principal '{"DataLakePrincipalIdentifier": "111122223333:IAMPrincipals"}' \
--resource '{"Database": {"CatalogId": "111122223333", "Name": "abac-db"}}' \
--permissions ALL \
--condition '{"Expression": "context.iam.principalTags.hasTag(\"department\") && context.iam.principalTags.getTag(\"department\") == \"sales\""}'
```
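The `--condition` value carries JSON inside a single-quoted shell argument, and the `hasTag` guard is there because Cedar's `getTag` on a missing tag is an evaluation error rather than `false`, so a condition that errors does not grant access. The following added Python example (not AWS or Cedar code) builds that argument with `json.dumps` and `shlex.quote`, and uses a deliberately small model of only the two Cedar operators on the page to show how constructed principals with and without the `department` tag are evaluated.

```python
"""Added example, not from the AWS documentation: build the ABAC --condition
argument safely and model how the page's Cedar condition is evaluated."""
import json
import re
import shlex

# The condition from the page's grant-permissions example.
CONDITION = (
    'context.iam.principalTags.hasTag("department") '
    '&& context.iam.principalTags.getTag("department") == "sales"'
)


def condition_argument(expression):
    """Return the shell-quoted --condition value.

    json.dumps escapes the double quotes inside the Cedar expression;
    shlex.quote wraps the JSON for a POSIX shell. Hand-written escaping is
    where these commands usually break."""
    return shlex.quote(json.dumps({"Expression": expression}))


def round_trip(argument):
    """Undo the shell quoting and JSON encoding to recover the expression."""
    return json.loads(shlex.split(argument)[0])["Expression"]


class CedarEvaluationError(Exception):
    """Models a Cedar evaluation error (e.g. getTag on a tag that is absent)."""


_HAS_TAG = re.compile(r'context\.iam\.principalTags\.hasTag\("([^"]+)"\)')
_GET_TAG_EQ = re.compile(
    r'context\.iam\.principalTags\.getTag\("([^"]+)"\)\s*==\s*"([^"]*)"')


def evaluate_condition(expression, principal_tags):
    """Evaluate a conjunction of hasTag() and getTag() == "value" terms.

    This is a small model of the two operators the page uses, not a Cedar
    parser. `&&` short-circuits left to right, so a hasTag guard ahead of
    getTag stops evaluation before getTag can raise on a missing tag.
    """
    for term in (t.strip() for t in expression.split("&&")):
        has = _HAS_TAG.fullmatch(term)
        get_eq = _GET_TAG_EQ.fullmatch(term)
        if has:
            if has.group(1) not in principal_tags:
                return False  # short-circuit: later terms are not evaluated
        elif get_eq:
            key, expected = get_eq.groups()
            if key not in principal_tags:
                raise CedarEvaluationError(f"getTag on missing tag {key!r}")
            if principal_tags[key] != expected:
                return False
        else:
            raise ValueError(f"unsupported term in this model: {term}")
    return True


def is_authorized(expression, principal_tags):
    """A permit condition that errors does not authorize; treat it as False."""
    try:
        return evaluate_condition(expression, principal_tags)
    except CedarEvaluationError:
        return False


# Constructed principal tag sets (IAM tags or session tags on the caller).
SALES_ANALYST = {"department": "sales", "team": "emea"}
MARKETING_USER = {"department": "marketing"}
UNTAGGED_ROLE = {}

# Same check without the hasTag guard: errors on an untagged principal.
UNGUARDED = 'context.iam.principalTags.getTag("department") == "sales"'

if __name__ == "__main__":
    print(condition_argument(CONDITION))
    for name, tags in [("sales", SALES_ANALYST), ("marketing", MARKETING_USER),
                       ("untagged", UNTAGGED_ROLE)]:
        print(name, "->", is_authorized(CONDITION, tags))
```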