

# Managing LF-Tag expressions for metadata access control
<a name="managing-tag-expressions"></a>

LF-Tag expressions are logical expressions composed of one or more LF-Tags (key-value pairs) that are used to grant permissions on AWS Glue Data Catalog resources. They let you define rules that govern access to your data resources based on their metadata tags. You can save these expressions and reuse them across multiple permission grants, which keeps grants consistent and makes it straightforward to manage changes to the tag ontology over time.

Within a given LF-Tag expression, the tag keys are combined using the AND operation, while the values are combined using the OR operation. For example, the tag expression `content_type:Sales AND location:US` represents resources related to sales data in the US.

You can create up to 1000 LF-Tag expressions in an AWS account. These expressions provide a flexible and scalable way to manage permissions based on metadata tags, ensuring that only authorized users or applications can access specific data resources based on the defined tag rules.

LF-Tag expressions offer the following benefits: 
+ **Reusability** – By defining and saving LF-Tag expressions, you no longer need to manually replicate the same expressions when assigning permissions to other resources or principals.
+ **Consistency** – Reusing LF-Tag expressions across multiple permission grants ensures consistency in how permissions are granted and managed.
+ **Tag ontology management** – LF-Tag expressions help manage changes to the tag ontology over time, as you can update the saved expressions instead of modifying individual permission grants. 

For more information about tag-based access control, see [Lake Formation tag-based access control](tag-based-access-control.md).

**LF-Tag expression creators**  
An LF-Tag expression creator is a principal who has permission to create and manage LF-Tag expressions. Data lake administrators can add LF-Tag expression creators using the Lake Formation console, CLI, API, or SDK. LF-Tag expression creators have implicit Lake Formation permissions to create, update, and delete LF-Tag expressions, and to grant LF-Tag expression permissions to other principals.

LF-Tag expression creators that are not data lake administrators receive implicit `Alter`, `Drop`, `Describe`, and `Grant with LF-Tag expression` permissions only for expressions they created. 

Data lake administrators can also grant LF-Tag expression creators grantable `Create LF-Tag expression` permissions. Then, the LF-Tag expression creator can grant the permission to create LF-Tag expressions to other principals.

**Topics**
+ [IAM permissions required to create LF-Tag expressions](#tag-expression-creator-permissions)
+ [Add LF-Tag expression creators](#add-lf-tag-expression-creator)
+ [Creating LF-Tag expressions](TBAC-creating-tag-expressions.md)
+ [Updating LF-Tag expressions](TBAC-updating-expressions.md)
+ [Deleting LF-Tag expressions](TBAC-deleting-expressions.md)
+ [Listing LF-Tag expressions](TBAC-listing-expressions.md)

**See also**  
[Managing LF-Tag value permissions](TBAC-granting-tags.md)
[Granting data lake permissions using the LF-TBAC method](granting-catalog-perms-TBAC.md)
[Lake Formation tag-based access control](tag-based-access-control.md)

## IAM permissions required to create LF-Tag expressions
<a name="tag-expression-creator-permissions"></a>

 You must configure permissions to allow a Lake Formation principal to create LF-Tag expressions. Add the following statement to the permissions policy for the principal that needs to be an LF-Tag expression creator.

**Note**  
Although data lake administrators have implicit Lake Formation permissions to create, update, and delete LF-Tags and LF-Tag expressions, to assign LF-Tags to resources, and to grant LF-Tag and LF-Tag expression permissions to principals, they also need the following IAM permissions.

For more information, see [Lake Formation personas and IAM permissions reference](permissions-reference.md).

```
{
    "Sid": "Transformational",
    "Effect": "Allow",
    "Action": [
        "lakeformation:AddLFTagsToResource",
        "lakeformation:RemoveLFTagsFromResource",
        "lakeformation:GetResourceLFTags",
        "lakeformation:ListLFTags",
        "lakeformation:CreateLFTag",
        "lakeformation:GetLFTag",
        "lakeformation:UpdateLFTag",
        "lakeformation:DeleteLFTag",
        "lakeformation:SearchTablesByLFTags",
        "lakeformation:SearchDatabasesByLFTags",
        "lakeformation:CreateLFTagExpression",
        "lakeformation:DeleteLFTagExpression",
        "lakeformation:UpdateLFTagExpression",
        "lakeformation:GetLFTagExpression",
        "lakeformation:ListLFTagExpressions",
        "lakeformation:GrantPermissions",
        "lakeformation:RevokePermissions",
        "lakeformation:BatchGrantPermissions",
        "lakeformation:BatchRevokePermissions"
    ],
    "Resource": "*"
}
```

An identity-based policy statement also needs a `Resource` element. Lake Formation API actions don't support resource-level permissions, so the statement uses `"Resource": "*"`.
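The statement above lists the actions by name; a common mistake is to assume that a wildcard such as `lakeformation:*LFTag*` covers them all, or to overlook an explicit `Deny` in another statement of the same policy. The following Python is an added example, not AWS code: a deliberately simplified IAM evaluator (it handles `Allow`/`Deny`, `Action`/`NotAction`, and the `*` and `?` wildcards, and ignores `Resource`, `Condition`, permissions boundaries and SCPs, which is acceptable here because Lake Formation actions are granted on `"Resource": "*"`) that reports which of the expression-creator actions a policy document fails to grant. The two sample policies, `PAGE_POLICY` and `DENY_DELETE_POLICY`, are constructed for the example.

```python
"""Check whether an IAM policy grants the Lake Formation actions an LF-Tag
expression creator needs.  Added example, not AWS code.  Simplified model of
IAM evaluation: an explicit Deny beats Allow, no matching statement is an
implicit deny, Action/NotAction patterns use * and ? wildcards and are
case-insensitive.  Resource and Condition are not evaluated."""
import fnmatch
import json

# Actions an LF-Tag expression creator uses (subset of the statement above).
CREATOR_ACTIONS = [
    "lakeformation:CreateLFTagExpression",
    "lakeformation:UpdateLFTagExpression",
    "lakeformation:DeleteLFTagExpression",
    "lakeformation:GetLFTagExpression",
    "lakeformation:ListLFTagExpressions",
    "lakeformation:GrantPermissions",
    "lakeformation:RevokePermissions",
]


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' spans any run, '?' one character.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def is_allowed(policy, action):
    """Return True if the policy allows `action` under the simplified model."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def missing_creator_actions(policy):
    """Creator actions the policy does not grant; an empty list means the policy is complete."""
    return [a for a in CREATOR_ACTIONS if not is_allowed(policy, a)]


# Constructed sample 1: the statement from this page, wrapped in a full policy document.
PAGE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Transformational",
    "Effect": "Allow",
    "Action": [
      "lakeformation:AddLFTagsToResource", "lakeformation:RemoveLFTagsFromResource",
      "lakeformation:GetResourceLFTags", "lakeformation:ListLFTags",
      "lakeformation:CreateLFTag", "lakeformation:GetLFTag",
      "lakeformation:UpdateLFTag", "lakeformation:DeleteLFTag",
      "lakeformation:SearchTablesByLFTags", "lakeformation:SearchDatabasesByLFTags",
      "lakeformation:CreateLFTagExpression", "lakeformation:DeleteLFTagExpression",
      "lakeformation:UpdateLFTagExpression", "lakeformation:GetLFTagExpression",
      "lakeformation:ListLFTagExpressions", "lakeformation:GrantPermissions",
      "lakeformation:RevokePermissions", "lakeformation:BatchGrantPermissions",
      "lakeformation:BatchRevokePermissions"
    ],
    "Resource": "*"
  }]
}""")

# Constructed sample 2: a wildcard Allow, undone for one action by an explicit Deny.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lakeformation:*LFTagExpression*", "lakeformation:*Permissions"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "lakeformation:DeleteLFTagExpression", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("page policy missing:", missing_creator_actions(PAGE_POLICY))        # []
    print("deny policy missing:", missing_creator_actions(DENY_DELETE_POLICY))  # delete only
```

Run it against the policy attached to the prospective creator before adding that principal in the console; a non-empty list from `missing_creator_actions` means the console or CLI grant will succeed but the creator's later API calls will be denied by IAM.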

## Add LF-Tag expression creators
<a name="add-lf-tag-expression-creator"></a>

LF-Tag expression creators can create and save reusable LF-Tag expressions, update the expression body (tag keys and values), delete expressions, and grant permissions on Data Catalog resources to principals using the LF-TBAC method. An LF-Tag expression creator can also grant these permissions to other principals.

You can create LF-Tag expression creator roles by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To add an LF-Tag expression creator**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose the **LF-Tag expressions** tab.

1. In the **LF-Tag expression creators** section, choose **Add LF-Tag expression creators**.  
![\[Form to add LF-Tag expression creators with IAM user selection and permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/add-lf-tag-expression-creator.png)

1. On the **Add LF-Tag expression creators** page, choose an IAM role or user who has the required permissions to create LF-Tag expressions.

1. Select the `Create LF-Tag expression` permission check box.

1. (Optional) To let the selected principals grant `Create LF-Tag expression` permission to other principals, also select the Grantable `Create LF-Tag expression` permission check box.

1. Choose **Add**.

------
#### [ AWS CLI ]

The following command grants the `Create LF-Tag expression` permission on the Data Catalog to the IAM user `tag-manager`. The `PermissionsWithGrantOption` element is optional; include it only if the creator should also be able to grant `Create LF-Tag expression` to other principals.

```
aws lakeformation grant-permissions --cli-input-json file://grantCreate
```

The `grantCreate` file contains the following:

```
{
    "Principal": {
        "DataLakePrincipalIdentifier": "arn:aws:iam::123456789012:user/tag-manager"
    },
    "Resource": {
        "Catalog": {}
    },
    "Permissions": [
        "CreateLFTagExpression"
    ],
    "PermissionsWithGrantOption": [
        "CreateLFTagExpression"
    ]
}
```

------

The LF-Tag expression creator role gets the ability to create, update, or delete LF-Tag expressions. 


| Permission | Description | 
| --- | --- | 
| Create | A principal with this permission can add LF-Tag expressions in the data lake. | 
| Drop | A principal with this permission on an LF-Tag expression can delete an LF-Tag expression from the data lake.  | 
| Alter | A principal with this permission on an LF-Tag expression can update the expression body of an LF-Tag expression. | 
| Describe | A principal with this permission on an LF-Tag expression can view the contents of an LF-Tag expression.  | 
| Grant with LF-Tag expression | This permission allows the recipient to use the tag expression as the resource when granting data or metadata access permissions. Granting Grant with LF-Tag expression implicitly grants Describe. | 
| Super | For LF-Tag expressions, the Super permission grants the ability to Describe, Alter, Drop, and grant permissions on the tag expression to other principals. | 

These permissions are grantable. A principal who has been granted these permissions with the grant option can grant them to other principals.

# Creating LF-Tag expressions
<a name="TBAC-creating-tag-expressions"></a>

You must define all LF-Tags in Lake Formation and assign them to Data Catalog resources before they can be used in expressions. An LF-Tag expression consists of one or more keys and one or more possible values for each key.

 After the data lake administrator has set up the required IAM permissions and Lake Formation permissions for the LF-Tag expression creator role, the principal can create reusable LF-Tag expressions. The LF-Tag expression creator gets implicit permissions to update the expression body, and delete the LF-Tag expression.

You can create LF-Tag expressions by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To create an LF-Tag expression**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a principal with LF-Tag expression creator permissions or as data lake administrator.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose **LF-Tag expressions**. The **Add LF-Tag expressions** page appears.  
![\[The page has fields to add a name, description, and a drop down to select expression body. Users can also have the option to grant permissions.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/add-tag-expression.png)

1. Enter the following information:
   + Name – Enter a unique name for the expression. You can't update the expression name. 
   + Description – Provide an optional description for the expression with the details of the expression.
   + Expression – Create the expression by specifying tag keys and their associated values. You can add up to 50 keys per expression. You must have the `Grant with LF-Tags` Lake Formation permission on every tag in the expression body.

      Each key must have at least one value. To enter multiple values, either enter a comma-delimited list and then press **Enter**, or enter one value at a time and choose **Add** after each one. The maximum number of values permitted per key is 1000.

      Lake Formation uses AND/OR logic to combine multiple keys and values in an expression. Within a single (key : list of values) pair, the values are combined with the logical OR operator. For example, the pair (Department : [Sales, Marketing]) matches a resource whose Department tag has the value Sales OR Marketing.

      When you specify multiple keys, the keys are joined with the logical AND operator. So the full expression (Department : [Sales, Marketing]) AND (Location : [US, Canada]) matches resources that have the Department tag with value Sales OR Marketing, AND also have the Location tag with value US OR Canada. A resource that lacks any of the keys in the expression does not match. The following is another example with multiple keys and values:

      LF-Tag expression: (ContentType : [Video, Audio]) AND (Region : [Europe, Asia]) AND (Department : [Engineering, ProductManagement]).

      This expression matches resources that have all of the following:
      + The ContentType tag with value Video OR Audio, AND
      + The Region tag with value Europe OR Asia, AND
      + The Department tag with value Engineering OR ProductManagement.

    You can also save a tag expression when granting data lake permissions using LF-Tags. Choose the key and value pairs and choose the **Save as new expression** option. Enter a name that describes the expression.   
![\[The page has fields to select the expression body and a field to enter a name.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/save-expression-grant.png)

1.  (Optional) Next, choose the users/roles, and the permissions on the expression that you want to grant to them in the account. You can also choose grantable permissions that allows the users to grant these permissions to other users in the account. You can't grant cross account permissions on the tag expressions.  
![\[The page shows the fields to select permission to grant to other principals.\]](http://docs.aws.amazon.com/lake-formation/latest/dg/images/grant-expression-permissions.png)

1. Choose **Add**.

------
#### [ AWS CLI ]

**To create an LF-Tag expression**
+ Enter a `create-lf-tag-expression` command.

  The following example creates an LF-Tag expression with the tag `Department` with values `Sales` and `Marketing`, AND the tag `Location` with the value `US`.

  ```
  aws lakeformation create-lf-tag-expression \
  --name "my-tag-expression" \
  --catalog-id "123456789012" \
  --expression '{"Expression":[{"TagKey":"Department","TagValues":["Sales","Marketing"]},{"TagKey":"Location","TagValues":["US"]}]}'
  ```

   This CLI command creates a new LF-Tag expression in the AWS Glue Data Catalog. The expression can be used to grant permissions on Data Catalog resources such as databases, tables, views, or columns based on their associated tags. In this example, the expression matches resources that have the `Department` key with the value `Sales` or `Marketing`, and the `Location` key with the value `US`.

------

As the creator of the expression, the principal gets implicit `Alter`, `Drop`, `Describe`, and `Grant with LF-Tag expression` permissions on this LF-Tag expression and can update or delete it. The creator can also grant `Alter` and `Drop` to another principal so that it can update or delete the expression.
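The AND/OR rules described in the console procedure above, and the expression body passed to `create-lf-tag-expression`, can be modeled locally to check which resources an expression would select before you grant on it. The following Python is an added example, not Lake Formation code: it parses the same JSON body the CLI takes, applies the limits this guide states (at least one value per key, at most 50 keys per expression and 1000 values per key), and evaluates the expression against a constructed catalog of tagged resources. It assumes exact string matching of tag values and does not model LF-Tag inheritance from databases to tables and columns; `CATALOG`, `PAGE_EXPRESSION_JSON` and `WIDER_EXPRESSION_JSON` are constructed inputs.

```python
"""Local model of LF-Tag expression matching: AND across keys, OR within the
values of one key.  Added example, not Lake Formation code.  Assumptions: tag
values are compared as exact strings; a resource carries at most one value
per tag key; inheritance of tags from parent resources is not modeled."""
import json

MAX_KEYS_PER_EXPRESSION = 50      # limits stated in this guide
MAX_VALUES_PER_KEY = 1000


def parse_expression(expression_json):
    """Turn the CLI --expression JSON into {tag_key: set(values)}, validating limits."""
    body = json.loads(expression_json)["Expression"]
    expression = {}
    for item in body:
        key, values = item["TagKey"], item["TagValues"]
        if not values:
            raise ValueError(f"key {key!r} must have at least one value")
        expression.setdefault(key, set()).update(values)
    if len(expression) > MAX_KEYS_PER_EXPRESSION:
        raise ValueError(f"more than {MAX_KEYS_PER_EXPRESSION} keys in expression")
    for key, values in expression.items():
        if len(values) > MAX_VALUES_PER_KEY:
            raise ValueError(f"key {key!r} has more than {MAX_VALUES_PER_KEY} values")
    return expression


def matches(expression, resource_tags):
    """True if the resource satisfies every key (AND) with one of its values (OR).
    A resource that lacks one of the keys does not match."""
    for key, allowed_values in expression.items():
        if resource_tags.get(key) not in allowed_values:
            return False
    return True


def matching_resources(expression, catalog):
    """Names of the catalog resources the expression selects, sorted for stable output."""
    return sorted(name for name, tags in catalog.items() if matches(expression, tags))


# The expression body from the create-lf-tag-expression example above.
PAGE_EXPRESSION_JSON = ('{"Expression":[{"TagKey":"Department","TagValues":["Sales","Marketing"]},'
                        '{"TagKey":"Location","TagValues":["US"]}]}')
# Same keys, with Canada added to the Location values.
WIDER_EXPRESSION_JSON = ('{"Expression":[{"TagKey":"Department","TagValues":["Sales","Marketing"]},'
                         '{"TagKey":"Location","TagValues":["US","Canada"]}]}')

# Constructed catalog: resource name -> its LF-Tags (one value per key).
CATALOG = {
    "sales_db.us_orders":  {"Department": "Sales",       "Location": "US"},
    "mkt_db.ca_campaigns": {"Department": "Marketing",   "Location": "Canada"},
    "eng_db.builds":       {"Department": "Engineering", "Location": "US"},
    "sales_db.legacy":     {"Department": "Sales"},  # no Location tag at all
}

if __name__ == "__main__":
    print(matching_resources(parse_expression(PAGE_EXPRESSION_JSON), CATALOG))
    print(matching_resources(parse_expression(WIDER_EXPRESSION_JSON), CATALOG))
```

The untagged `sales_db.legacy` table is the case worth noticing: it carries the right Department value but no Location tag, so it is excluded from both expressions. That is the safe direction (a missing tag never widens access), but it also means a table that was never tagged silently drops out of a grant.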

# Updating LF-Tag expressions
<a name="TBAC-updating-expressions"></a>

Only data lake administrators, the LF-Tag expression creator, and principals that have `Alter` or `Super` permission on the LF-Tag expression can update it. In addition to the `Alter` permission, the principal needs the `lakeformation:UpdateLFTagExpression` IAM permission and `Grant with LF-Tag` permission on every key-value pair in the new expression body.

You update an LF-Tag expression by updating the description, expression body and permissions granted on the expression. You can't change the name of the LF-Tag expression. To change the name, delete the LF-Tag expression and add one with the required parameters. 

You can update an LF-Tag expression by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To update an LF-Tag expression**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator, the LF-Tag expression creator, or a principal with `Alter` permission on the LF-Tag expression.

1. In the navigation pane, under permissions, choose **LF-Tags and permissions**.

1. Choose **LF-Tag expressions** tab.

1. On the **LF-Tag expressions** section, select an LF-Tag expression, and then choose **Edit**.

1. In the **Edit LF-Tag expression** dialog box, update the description and update the expression body by adding or removing keys and values.

   To add multiple values, in the **Values** field, choose the values from the drop down.

1. Choose **Save**.

------
#### [ AWS CLI ]

The `update-lf-tag-expression` command replaces the description and the expression body of an existing LF-Tag expression.

```
aws lakeformation update-lf-tag-expression \
--name expression_name \
--description new_description \
--catalog-id catalog_id \
--expression '{"Expression": [{"TagKey": "tag_key", "TagValues": ["tag_value1", "tag_value2", ...]}]}'
```

Here's what the parameters in the command mean:
+ `name` – The name of the existing LF-Tag expression that you want to update.
+ `description` – A new description for the expression.
+ `catalog-id` – The ID of the Data Catalog where the LF-Tag expression resides.
+ `expression` – The new expression body that replaces the current one.

------

# Deleting LF-Tag expressions
<a name="TBAC-deleting-expressions"></a>

You can delete LF-Tag expressions that are no longer in use. If you granted permissions on Data Catalog resources to principals using the LF-Tag expression, those grants are removed along with the expression and the principals lose that access.

Only data lake administrators, the LF-Tag expression creator, or a principal with `Drop` permission on the LF-Tag expression can delete an LF-Tag expression. In addition to the `Drop` permission, the principal also needs `lakeformation:DeleteLFTagExpression` IAM permission to delete an LF-Tag expression.

You can delete an LF-Tag expression by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To delete an LF-Tag expression (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as a data lake administrator, the LF-Tag expression creator, or a principal that has permissions to delete the expression.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose the **LF-Tag expressions** tab.

1. On the **LF-Tag expressions** section, select an LF-Tag expression, and then choose **Delete**.

1. In the **Delete LF-Tag expression?** dialog box, to confirm the deletion, enter the LF-Tag expression name in the designated field and then choose **Delete**.

------
#### [ AWS CLI ]

**To delete an LF-Tag expression (AWS CLI)**
+ Enter a `delete-lf-tag-expression` command. Provide the expression name and catalog ID to delete.  
**Example**  

  The following example deletes the LF-Tag expression with the name `my-tag-expression` from the Data Catalog with ID `123456789012`. The `catalog-id` parameter is optional if you're using the same account as your AWS CLI configuration. After deleting an LF-Tag expression, Lake Formation cleans up the associated permission records for that expression. This includes both individual permission records and aggregate permission records that contain the deleted expression.

  ```
  aws lakeformation delete-lf-tag-expression \
  --name "my-tag-expression" \
  --catalog-id "123456789012"
  ```

------

# Listing LF-Tag expressions
<a name="TBAC-listing-expressions"></a>

You can list the LF-Tag expressions that you have `Describe` permission on. Data lake administrators, LF-Tag expression creators, and read-only administrators can implicitly see all tag expressions in their account.

You can list LF-Tag expressions by using the AWS Lake Formation console, the API, or the AWS Command Line Interface (AWS CLI).

------
#### [ Console ]

**To list LF-Tag expressions (console)**

1. Open the Lake Formation console at [https://console.aws.amazon.com/lakeformation/](https://console.aws.amazon.com/lakeformation/).

   Sign in as the LF-Tag expression creator, as a data lake administrator, or as a principal that has been granted permissions on LF-Tag expressions and that has the `lakeformation:ListLFTagExpressions` IAM permission.

1. In the navigation pane, under **Permissions**, choose **LF-Tags and permissions**.

1. Choose **LF-Tag expressions** tab to see the expressions. This section shows the information about the existing LF-Tag expressions, including the expression name, the expression itself with links to the included tags, and options to create, edit, or delete expressions. 

------
#### [ AWS CLI ]

**To list LF-Tag expressions (AWS CLI)**
+ To list LF-Tag expressions using the AWS CLI, use the `list-lf-tag-expressions` command. The request syntax is:

  ```
  aws lakeformation list-lf-tag-expressions \
  --catalog-id "123456789012" \
  --max-results 100 \
  --next-token "next-token"
  ```

   Where:
  + `catalog-id` is the AWS account ID of the Data Catalog whose tag expressions you want to list.
  + `max-results` specifies the maximum number of tag expressions to return in one response. If this parameter is not used, the default value is 100.
  + `next-token` is the continuation token returned by a previous request whose results were truncated. Omit it on the first request.

  The response will include a list of LF-Tag expressions and a next token if applicable. 

------
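When a tag key is about to be renamed or retired, the practical question is which saved expressions still reference it, and answering it means walking every page of the listing above, because a truncated response is continued with its next token. The following Python is an added example, not AWS code. `list_page` is any callable that accepts `MaxResults`, `NextToken` and `CatalogId` keyword arguments and returns a response in the ListLFTagExpressions shape (an `LFTagExpressions` list and an optional `NextToken`); `fake_list_page` and `_SAVED_EXPRESSIONS` are a constructed in-memory stand-in so the example runs offline, and with boto3 you would pass `boto3.client("lakeformation").list_lf_tag_expressions` instead.

```python
"""Walk every page of ListLFTagExpressions and report the saved expressions that
reference a given tag key.  Added example, not AWS code.  Response shape assumed
from the API: {"LFTagExpressions": [...], "NextToken": "..."}, with NextToken
absent on the final page."""


def iter_lf_tag_expressions(list_page, catalog_id=None, max_results=100):
    """Yield every expression, following NextToken until the service omits it."""
    request = {"MaxResults": max_results}
    if catalog_id:
        request["CatalogId"] = catalog_id
    while True:
        page = list_page(**request)
        yield from page.get("LFTagExpressions", [])
        token = page.get("NextToken")
        if not token:            # last page: no continuation token
            return
        request["NextToken"] = token


def expressions_using_key(list_page, tag_key, **kwargs):
    """Names of saved expressions whose body references `tag_key`, sorted."""
    return sorted(
        expr["Name"]
        for expr in iter_lf_tag_expressions(list_page, **kwargs)
        if any(item["TagKey"] == tag_key for item in expr.get("Expression", []))
    )


# Constructed stand-in for the service: three saved expressions, served in pages.
_SAVED_EXPRESSIONS = [
    {"Name": "sales-marketing-us", "CatalogId": "123456789012",
     "Expression": [{"TagKey": "Department", "TagValues": ["Sales", "Marketing"]},
                    {"TagKey": "Location", "TagValues": ["US"]}]},
    {"Name": "media-eu-asia", "CatalogId": "123456789012",
     "Expression": [{"TagKey": "ContentType", "TagValues": ["Video", "Audio"]},
                    {"TagKey": "Region", "TagValues": ["Europe", "Asia"]}]},
    {"Name": "eng-pm", "CatalogId": "123456789012",
     "Expression": [{"TagKey": "Department",
                     "TagValues": ["Engineering", "ProductManagement"]}]},
]
PAGE_CALLS = []   # records each request so the pagination can be observed


def fake_list_page(MaxResults=100, NextToken=None, CatalogId=None):
    """Offline stand-in for the API call: NextToken is the next page offset as a string."""
    PAGE_CALLS.append({"MaxResults": MaxResults, "NextToken": NextToken})
    start = int(NextToken) if NextToken else 0
    end = start + MaxResults
    response = {"LFTagExpressions": _SAVED_EXPRESSIONS[start:end]}
    if end < len(_SAVED_EXPRESSIONS):
        response["NextToken"] = str(end)
    return response


if __name__ == "__main__":
    # A small page size forces two round trips for three expressions.
    print(expressions_using_key(fake_list_page, "Department", max_results=2))
```

Stopping after the first response is the usual bug here: with the default page size a catalog with more than 100 expressions would silently hide the later ones, so the walk must continue until a response carries no `NextToken`.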