Automatic Group Assignment when using IAM Identity Center

I’m interested to know if by using IAM Identity Center for identity management, I’m able to configure group assignments automatically. I know that this is not possible with IAM Identity Federation (this question talks about it, but I also tested it myself) but I was wondering if it would be possible when using Identity Center.

I read this article and it says that you can map an Identity Center group to a QuickSight ROLE (but not group), that is, you can only assign the user to one of the three default roles (READER, AUTHOR, ADMIN). Which doesn’t help much since the user would still have no access to shared folders since those are shared with groups instead. Is my understanding correct?

By reading other questions, the “best” solution I found was to use CloudTrail Events + Lambda trigger to then perform the group assignment. Is that what the QuickSight team recommends?

Also, is there anything on the roadmap to add this functionality (for both Identity Center and Identity Federation integrations)? This would be extremely helpful and other big players already do that.
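The post above mentions a CloudTrail event plus Lambda trigger as a fallback for group assignment. The following is an added example of what such a handler would look like, written for this page and not code from the original thread or from AWS. It assumes an EventBridge-wrapped CloudTrail event whose new user name sits at `detail.responseElements.user.userName` (assumed shape, check it against a real event in your account), a static allow-list `GROUPS_FOR_ALL_NEW_USERS` standing in for whatever lookup derives the desired groups, and the real boto3 QuickSight calls `list_user_groups`, `create_group` and `create_group_membership`. The `FakeQuickSight` class is a constructed in-memory stand-in so the sync logic can be run and checked offline; the `current_groups` helper doubles as the check you would run after an IdC-driven sync to confirm which QuickSight groups a user actually landed in.

```python
"""Idempotent QuickSight group membership sync for a newly registered user.

Added example for the forum thread above; not AWS code. Assumptions are
marked inline. Only memberships are added, never removed: leaving a group
is a deliberate, audited action and should not be driven by a login event.
"""
from __future__ import annotations

from typing import Iterable

ACCOUNT_ID = "123456789012"            # placeholder account id (assumption)
NAMESPACE = "default"                  # QuickSight namespace used throughout
GROUPS_FOR_ALL_NEW_USERS = ["Finance"]  # static allow-list; replace with a real lookup (assumption)


def quicksight_user_name(event: dict) -> str:
    """Extract the user name from an EventBridge-wrapped CloudTrail event (assumed shape)."""
    return event["detail"]["responseElements"]["user"]["userName"]


def current_groups(qs, account_id: str, namespace: str, user_name: str) -> set[str]:
    """Return the QuickSight groups a user is already a member of, following NextToken."""
    names, token = set(), None
    while True:
        kwargs = dict(UserName=user_name, AwsAccountId=account_id, Namespace=namespace)
        if token:
            kwargs["NextToken"] = token
        resp = qs.list_user_groups(**kwargs)
        names.update(g["GroupName"] for g in resp.get("GroupList", []))
        token = resp.get("NextToken")
        if not token:
            return names


def sync_user_groups(qs, account_id: str, namespace: str, user_name: str,
                     desired: Iterable[str]) -> list[str]:
    """Ensure `user_name` belongs to every group in `desired`; return groups newly added.

    Creating the group first and tolerating ResourceExistsException keeps the
    function safe to re-run (CloudTrail events can be delivered more than once).
    """
    have = current_groups(qs, account_id, namespace, user_name)
    added = []
    for group in sorted(set(desired) - have):
        try:
            qs.create_group(GroupName=group, AwsAccountId=account_id, Namespace=namespace)
        except qs.exceptions.ResourceExistsException:
            pass  # group already exists, which is the normal case
        qs.create_group_membership(MemberName=user_name, GroupName=group,
                                   AwsAccountId=account_id, Namespace=namespace)
        added.append(group)
    return added


def lambda_handler(event, context):
    """Entry point for the Lambda wired to the CloudTrail/EventBridge rule."""
    import boto3  # imported here so the sync logic stays testable without boto3 installed
    qs = boto3.client("quicksight")
    user = quicksight_user_name(event)
    added = sync_user_groups(qs, ACCOUNT_ID, NAMESPACE, user, GROUPS_FOR_ALL_NEW_USERS)
    return {"user": user, "added": added}


class FakeQuickSight:
    """Constructed in-memory stand-in for the boto3 quicksight client (offline demo only)."""

    class exceptions:
        class ResourceExistsException(Exception):
            pass

    def __init__(self, groups=None, memberships=None):
        self.groups = set(groups or [])
        self.memberships = {k: set(v) for k, v in (memberships or {}).items()}

    def list_user_groups(self, UserName, AwsAccountId, Namespace, NextToken=None):
        members = sorted(self.memberships.get(UserName, ()))
        return {"GroupList": [{"GroupName": g} for g in members]}

    def create_group(self, GroupName, AwsAccountId, Namespace, Description=""):
        if GroupName in self.groups:
            raise self.exceptions.ResourceExistsException(GroupName)
        self.groups.add(GroupName)
        return {"Group": {"GroupName": GroupName}}

    def create_group_membership(self, MemberName, GroupName, AwsAccountId, Namespace):
        self.memberships.setdefault(MemberName, set()).add(GroupName)
        return {"GroupMember": {"MemberName": MemberName}}


if __name__ == "__main__":
    # Constructed sample: alice is already in group A; A exists, B does not.
    fake = FakeQuickSight(groups={"A"}, memberships={"alice": {"A"}})
    print(sync_user_groups(fake, ACCOUNT_ID, NAMESPACE, "alice", ["A", "B"]))  # ['B']
    print(sync_user_groups(fake, ACCOUNT_ID, NAMESPACE, "alice", ["A", "B"]))  # []
    print(sorted(current_groups(fake, ACCOUNT_ID, NAMESPACE, "alice")))        # ['A', 'B']
```

The Lambda's execution role needs only `quicksight:ListUserGroups`, `quicksight:CreateGroup` and `quicksight:CreateGroupMembership` scoped to the namespace in use; do not grant it `DeleteGroupMembership`, so a replayed or malformed event can at worst add a user to an allow-listed group, never strip access.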

@Raphael_Franco ,

Yes, the group provisioning should happen automatically if you are just using IAM Identity Center as your IdP (Manage your identity source - AWS IAM Identity Center) (Manage identities in IAM Identity Center - AWS IAM Identity Center).

Groups and users are then managed in IAM Identity Center. You would have a group for Admin, Author and Reader. Add individual users to the respective groups based on the role required.

Kind regards,
Koushik

Hi @Raphael_Franco

I need to make a correction.

If you create the custom groups in IdC (not in QuickSight!) then the same groups will be recreated and synced in QuickSight. So, a new user who in Identity Center is assigned a QuickSight Role and added to a custom Group (again, in Identity Center) will automatically be authenticated in QuickSight with the assigned Role and belonging to the custom group (now created in QuickSight as well).

I am marking this as, “Solution,” but let us know if this is not resolved. Thanks for posting your questions on the QuickSight Community Q&A Forum!

GL

Hi @gillepa

Okay, but a user can be part of multiple Groups in Identity Center; how does that work in the end? Will all groups a user is part of in IdC be created in QuickSight? Also, does it work for existing groups as well?

So let’s say user is part of group A in IdC and then he gets access to QuickSight, which also has a group called A. Will the user be automatically assigned to this group?

Is there any AWS documentation on this? I only found one article about it: Simplify business intelligence identity management with Amazon QuickSight and AWS IAM Identity Center | AWS Business Intelligence Blog and it does not mention group mapping. Also, the official QuickSight documentation on Identity Center integration is pretty vague: Configure your Amazon QuickSight account with IAM Identity Center - Amazon QuickSight

Hi @Raphael_Franco

Yes, the user assigned to Group A in IdC will automatically be assigned to Group A in QuickSight as well.

Documentation is coming. Not sure there is one addressing this issue specifically.

Hope it helps,
GL