Grant Permissions
As part of this exercise, we will treat emr-developer (the account you created in the Auth0/Okta account) as a developer who has access to only a few tables and columns. You can create additional users in Auth0/Okta and define different permissions for them in AWS Lake Formation.
To set permissions for this user, log in to the AWS console as the lf-admin user (default password: Password1!). You can get the console login URL from the CloudFormation template output, as shown below.
Follow these steps to update Lake Formation permissions for the IdP user.
- On the AWS Lake Formation console, click on the Data permissions section.

- Then click on the Grant button.

- On the window that pops up, fill out the SAML and Amazon QuickSight users and groups field based on your IdP provider:
  For Auth0
  arn:aws:iam::account-id:saml-provider/auth0SAMLProvider:user/emr-developer
  For Okta
  arn:aws:iam::account-id:saml-provider/oktaSAMLProvider:user/emr-developer
  For AD FS
  arn:aws:iam::account-id:saml-provider/ADFSSAMLProvider:user/emr-developer
  Note: Replace account-id with your AWS account id.
- Choose tpc for the database and select the following two tables, with Select as the only table permission:
- dl_tpc_web_page
- dl_tpc_web_sales
Ignore the tables whose names start with an underscore; those are temporary tables.
- Leave the Grantable permissions unselected and click on the Grant button.
- Repeat steps 1 and 2, but this time give the user SELECT permission on only the following four columns of the dl_tpc_customer table, as shown in the screenshot below.
- c_first_sales_date_sk
- c_first_name
- c_last_name
- c_first_shipto_date_sk

- Leave the Grantable permissions unselected and click on the Grant button.
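The same grants can be made through the Lake Formation API instead of the console, which is useful for repeating them for additional IdP users or reviewing them in code. The following is an added example, not part of the workshop: it builds the grant_permissions requests for the table-level and column-level grants above, with the grant option left empty so the developer cannot re-share access. The account id and the IdP provider name are placeholders you must replace.

```python
"""Build Lake Formation grants equivalent to the console steps above.

The account id below is a constructed placeholder; the provider name must
match the SAML provider you created (auth0SAMLProvider, oktaSAMLProvider or
ADFSSAMLProvider). boto3 is only needed when the grants are actually applied.
"""
from typing import Dict, List, Sequence


def saml_principal(account_id: str, provider: str, user: str) -> str:
    """Return the SAML principal ARN Lake Formation expects for an IdP user."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider}:user/{user}"


def table_grant(principal: str, database: str, table: str) -> Dict:
    """Table-level SELECT only; grantable permissions deliberately empty."""
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"Table": {"DatabaseName": database, "Name": table}},
        "Permissions": ["SELECT"],
        "PermissionsWithGrantOption": [],
    }


def column_grant(principal: str, database: str, table: str,
                 columns: Sequence[str]) -> Dict:
    """Column-level SELECT: the user sees only the listed columns."""
    resource = {"DatabaseName": database, "Name": table,
                "ColumnNames": list(columns)}
    return {
        "Principal": {"DataLakePrincipalIdentifier": principal},
        "Resource": {"TableWithColumns": resource},
        "Permissions": ["SELECT"],
        "PermissionsWithGrantOption": [],
    }


def developer_grants(account_id: str, provider: str) -> List[Dict]:
    """The three grants the console walkthrough makes for emr-developer."""
    principal = saml_principal(account_id, provider, "emr-developer")
    grants = [table_grant(principal, "tpc", t)
              for t in ("dl_tpc_web_page", "dl_tpc_web_sales")]
    grants.append(column_grant(principal, "tpc", "dl_tpc_customer", [
        "c_first_sales_date_sk", "c_first_name",
        "c_last_name", "c_first_shipto_date_sk"]))
    return grants


def least_privilege_ok(grants: List[Dict]) -> bool:
    """Check no grant hands out ALL or the ability to re-grant."""
    return all(g["PermissionsWithGrantOption"] == [] and
               "ALL" not in g["Permissions"] for g in grants)


def apply_grants(grants: List[Dict], client=None) -> None:
    """Submit each grant with a boto3 lakeformation client."""
    if client is None:
        import boto3  # imported lazily so the builders run without it
        client = boto3.client("lakeformation")
    for grant in grants:
        client.grant_permissions(**grant)
```

Run `apply_grants(developer_grants("123456789012", "auth0SAMLProvider"))` as the lf-admin identity to apply the grants; `least_privilege_ok` is a cheap check to run before submitting.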