Grant Permissions

As part of this exercise, we will treat emr-developer (the user you created in your Auth0/Okta account) as a developer who has access to only a few tables and columns. You can create additional users in Auth0/Okta and define different permissions for them in AWS Lake Formation.

To set permissions for this user, log in to the AWS console as the lf-admin user (default password: Password1!). You can get the console login URL from the CloudFormation template output as shown below.
Follow these steps to update Lake Formation permissions for the IdP user.
  1. On the AWS Lake Formation console, click on the Data permissions section.
  2. Then click on the Grant button.
  3. On the window that pops up, fill out the SAML and Amazon QuickSight users and groups field according to your IdP:

    For Auth0
    arn:aws:iam::account-id:saml-provider/auth0SAMLProvider:user/emr-developer

    For Okta
    arn:aws:iam::account-id:saml-provider/oktaSAMLProvider:user/emr-developer

    For AD FS
    arn:aws:iam::account-id:saml-provider/ADFSSAMLProvider:user/emr-developer

  4. Replace account-id with your AWS account id.

  5. Choose tpc for the database and select the following two tables, with Select as the only table permission:
    • dl_tpc_web_page
    • dl_tpc_web_sales

    Ignore the tables whose names start with an underscore; those are temporary tables.
  6. Leave the Grantable permissions unselected and click on the Grant button.
  7. Repeat Steps 1 and 2, but this time grant the user SELECT permission on only the following four columns of the dl_tpc_customer table, as shown in the screen below.
    • c_first_sales_date_sk
    • c_first_name
    • c_last_name
    • c_first_shipto_date_sk
  8. Leave the Grantable permissions unselected and click on the Grant button.
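The same grants can be scripted instead of clicked through. The following is an added example (not part of the workshop's own code) that builds the Lake Formation GrantPermissions requests for steps 5 to 8: the SAML user principal in the format shown above, SELECT on the two whole tables, SELECT on only four columns of dl_tpc_customer, and no grantable permissions. It assumes a placeholder account id, the Auth0 provider name by default (pass oktaSAMLProvider or ADFSSAMLProvider for the other IdPs), and boto3 with lf-admin credentials only if you actually call apply_grants.

```python
"""Scripted equivalent of the console grants above (added example, not workshop code)."""
import json
import re

# Principal format the Lake Formation console expects for SAML users (taken from the steps above).
SAML_USER_RE = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w.-]+:user/[\w.@-]+$")


def saml_user_principal(account_id: str, provider: str, user: str) -> str:
    """Build the SAML user principal identifier and reject malformed account ids / names."""
    arn = f"arn:aws:iam::{account_id}:saml-provider/{provider}:user/{user}"
    if not SAML_USER_RE.match(arn):
        raise ValueError(f"not a valid SAML user principal: {arn}")
    return arn


def select_grant(principal, database, table, columns=None):
    """One GrantPermissions request: SELECT only, with no grant option (least privilege).
    When `columns` is given the resource is TableWithColumns, so only those columns are readable."""
    if columns:
        resource = {"TableWithColumns": {"DatabaseName": database, "Name": table,
                                         "ColumnNames": list(columns)}}
    else:
        resource = {"Table": {"DatabaseName": database, "Name": table}}
    return {"Principal": {"DataLakePrincipalIdentifier": principal},
            "Resource": resource,
            "Permissions": ["SELECT"],
            "PermissionsWithGrantOption": []}  # "Grantable permissions" left unselected


def developer_grants(account_id, provider="auth0SAMLProvider", user="emr-developer"):
    """The exact grants from steps 5-8: two whole tables plus four columns of dl_tpc_customer."""
    p = saml_user_principal(account_id, provider, user)
    return [
        select_grant(p, "tpc", "dl_tpc_web_page"),
        select_grant(p, "tpc", "dl_tpc_web_sales"),
        select_grant(p, "tpc", "dl_tpc_customer",
                     ["c_first_sales_date_sk", "c_first_name", "c_last_name", "c_first_shipto_date_sk"]),
    ]


def apply_grants(grants, region=None):
    """Apply the requests with boto3 as lf-admin; imported lazily so the rest runs offline."""
    import boto3
    client = boto3.client("lakeformation", region_name=region)
    return [client.grant_permissions(**g) for g in grants]


if __name__ == "__main__":
    # Print the request bodies (usable with `aws lakeformation grant-permissions --cli-input-json`)
    # instead of applying them; "111111111111" is a constructed placeholder account id.
    for g in developer_grants("111111111111"):
        print(json.dumps(g, indent=2))
```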