Can you apply custom permissions profile to assets rather than users?

I created a dashboard that contains a table the users can export to a csv, alter values, and re-upload to S3. Then the dashboard refreshes every 15 minutes and includes their uploads.

My ETL requires them to upload CSVs not XLSX files. Because of this I created a custom permission that restricts users from exporting to excel, and applied it to my readers using the AWS CLI.

I am running into a couple issues now.

  1. We are working on creating more dashboards some where the same users will need the ability to export visuals excel. Currently they won’t be able to do that because I have the restriction applied to the user.

  2. As our user base grows we are working on setting up a way to get reader accounts set up without me manually creating them. If that happens the restrict excel permission wouldn’t be applied to the new users so they could potentially cause problems for my ETL on the dashboard that requires only CSV files.

The only solution I could think of to both problems off the top of my head would be to apply the “restrict-excel” custom permission to the individual dashboard, rather than to the user themself.
That way it would automatically apply to anyone accessing that specific dashboard, without preventing any users from having the ability to export to excel on other dashboards where they might need to.

Is there currently an option to apply custom permission profiles to assets (such as a dashboard) in quicksight rather than users? Also how about groups?

Thanks!
Ryane

This is not available now.

I can mark it as a feature request.

1 Like

That would be great, thanks Max!

1 Like

custom permission cannot apply to user group or assets now.
May I know how do you automate the user creation process? I am thinking whether you may use API to register new user and assign custom permission to those users

Register user API RegisterUser - Amazon QuickSight

Update user API UpdateUser - Amazon QuickSight

Hi Roy,

We don’t have it set up yet to automate user creation, but I have been made aware that is the direction the company would like to go.

I am happy to see custom permissions can be applied during the creation process with the API. Up to this point I have been creating users first in the console then applying the custom permissions after.

I did have one concern, I noticed in the documentation link you posted it mentions custom permissions only being used for 4 things.

"Customized permissions allows you to control a user’s access by restricting access the following operations:

Create and update data sources

Create and update datasets

Create and update email reports

Subscribe to email reports"

Since the custom permission I have created does not apply to any of those 4 things, will I still be able to apply it through the RegisterUser API?

Thanks.

The Update user API [UpdateUser - Amazon QuickSight ] is to assign Custom Permission to a user. It is same as the one you are using in CLI. Therefore, it can be applied to disable Excel export.
(UpdateUser - Amazon QuickSight)

2 Likes