Grant Permissions

As part of this exercise, we will treat emr-developer (the account you created in the Auth0/Okta account) as a developer, who has access to only a few tables and columns. You can create additional users in Auth0/Okta and define different permissions in AWS Lake Formation

To set permissions for this user, login into AWS console as the lf-admin user (default password: Password1!). You can get a console login URL from CloudFormation template output as shown below.
Follow these steps to update Lake Formation permissions for IdP user.
  1. On the AWS Lake Formation console, click on the Data permissions section.
  2. Then click on the Grant button.
  3. From the Target resources section, choose tpc for the database and select the following two tables:
    • dl_tpc_web_page
    • dl_tpc_web_sales
    Please ignore the tables that start with an underscore, those are temp tables.
  4. From the Principals section, select SAML users and groups. Enter the SAML user ARN in the SAML and Amazon QuickSight users and groups field based on your IdP provider. Replace account-id with your AWS account id.

    For Auth0
    arn:aws:iam::account-id:saml-provider/auth0SAMLProvider:user/emr-developer

    For Okta
    arn:aws:iam::account-id:saml-provider/oktaSAMLProvider:user/emr-developer

    For AD FS
    arn:aws:iam::account-id:saml-provider/ADFSSAMLProvider:user/emr-developer

    5. Replace account-id with your AWS account id..

  5. From the Permissions section, select Table permissions. From the list of permissions, check Select option and click on the Grant button.
  6. Repeat Step 1 and 2 and select dl_tpc_customer table this time. Enter SAML details and proceed to Permissions section. Select Column-based permissions and select Include columns from the permission filter. Now, from the column drop-down, select the following 4 columns:
    • c_first_sales_date_sk
    • c_first_name
    • c_last_name
    • c_first_shipto_date_sk
  7. Leave the Grantable permissions unselected and click on the Grant button.