Best Practices of Row Level Security

Hello! Trying to determine the best way to implement RLS

The account does not have AD integration but uses something similar to OKTA for SSO.

According to "Using external identity federation and single sign-on with Amazon QuickSight - Amazon QuickSight", OKTA groups are not able to be used in order to enforce RLS.

There will be N number of users from 20 different entities, each having their own specific data ID.

  1. Is the only solution to recreate the OKTA group structure within QuickSight Groups?
  2. Is there any way to add AD to an already existing QuickSight account?
  3. Is there a way to add users to a Group upon user creation?
  4. Export/Import asset bundle does not seem to support the export of these RLS datasets; is this something that could be added as a feature?

Currently the idea is to implement row level security using an S3 file with QuickSight group names mapping to certain ID values.

Fairly new to QS user management and just want to get a feel for best practices on the matter.

Thank you

Hi Laconics,

  1. Is the only solution to recreate the OKTA group structure within QuickSight Groups?
    A.1> If your QuickSight account is integrated with IAM Identity Center (recommended), groups are not managed in the QuickSight application. Instead, groups are managed in IAM Identity Center or in the third-party identity provider (Okta) that you configured in IAM Identity Center. Groups are synced automatically between QuickSight and IAM Identity Center.
    Simplify business intelligence identity management with Amazon QuickSight and AWS IAM Identity Center | AWS Business Intelligence Blog

  2. Is there any way to add AD to an already existing QuickSight account?
    A.2> At the time of provisioning a QuickSight account you have to select an option for the authentication mechanism. If you have provisioned the QuickSight account using federated identity, you cannot change it to Active Directory based authentication without recreating the account.

  3. Is there a way to add users to a Group upon user creation?
    A.3> You can use the create-group-membership API call to add a user to a group, or do it through the QuickSight console.
    aws quicksight create-group-membership --namespace default --aws-account-id AWSACCOUNTID --group-name GROUPNAME --member-name USERNAME

  4. Export/Import asset bundle does not seem to support the export of these RLS datasets; is this something that could be added as a feature?
    A.4> You can use the create-data-set API call and pass the RLS permission dataset as the --row-level-permission-data-set parameter. Prior to creating the QuickSight RLS protected dataset, you can create the RLS permission dataset also through APIs. The RLS permission dataset can be S3 files or database tables, and you can use the list-data-sets or describe-data-set APIs to identify the definition of the dataset for porting. It is explained in this reference link: Porting Content :: QuickSight DevOps

Note: I have given responses to the questions with limited context information. But you should review overall requirement to decide what options may best work for your setup.

Regards,
Anwar Ali

2 Likes
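As an added example (not code from the original thread, AWS, or QuickSight), the S3-file approach the question describes can be built and sanity-checked before upload: the script renders a group-keyed RLS permissions file and simulates which data rows a user would see under it. The group names, the entity_id column name and the sample rows are constructed for illustration; the file layout (a GroupName column, comma-separated values inside one cell, blank cell = all values, unlisted principals see nothing) follows QuickSight's documented permissions-file format.

```python
import csv
import io

# Constructed sample: QuickSight group name -> entity IDs that group may see.
# An empty list stands for a blank cell, which QuickSight treats as "all values".
ENTITY_ACCESS = {
    "entity-alpha-analysts": ["1001"],
    "entity-beta-analysts": ["1002", "1003"],
    "central-audit": [],
}

# Constructed sample of the protected dataset; entity_id is a hypothetical column.
SAMPLE_ROWS = [
    {"entity_id": "1001", "metric": 10},
    {"entity_id": "1002", "metric": 20},
    {"entity_id": "1003", "metric": 30},
    {"entity_id": "1004", "metric": 40},
]


def build_rls_csv(entity_access, id_column="entity_id"):
    """Render a QuickSight RLS permissions file keyed on GroupName.

    One row per group; several allowed values go in one cell separated by
    commas (csv quotes the cell), and an empty cell grants every value.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["GroupName", id_column])
    for group, ids in sorted(entity_access.items()):
        writer.writerow([group, ",".join(ids)])
    return buf.getvalue()


def visible_rows(rls_csv, user_groups, rows, id_column="entity_id"):
    """Simulate the rows a user sees given their group memberships.

    A user matching no GroupName row sees nothing (the QuickSight default once
    RLS is attached); a blank cell on any of the user's groups grants all rows;
    otherwise the allowed values from all matching groups are unioned.
    """
    allowed, unrestricted = set(), False
    for rec in csv.DictReader(io.StringIO(rls_csv)):
        if rec["GroupName"] not in user_groups:
            continue
        if rec[id_column] == "":
            unrestricted = True
        else:
            allowed.update(v.strip() for v in rec[id_column].split(","))
    if unrestricted:
        return list(rows)
    return [r for r in rows if r[id_column] in allowed]
```

Regenerating the file from the identity provider's group list each time membership changes keeps the S3 file and the synced QuickSight groups from drifting apart.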

Thank you so much for the reply!

Appreciate the information given and will do a little more research on these topics.