Can't reconcile the permissions count

I’m having issues with a dashboard where I am getting the error: “You can only share with up to 100 identities”. However, I have tried to count the number of identities and it doesn’t seem to reach 100 in my count. I have counted:

  • 67 users who have had the dashboard directly shared with their user.
  • 25 users who have had the folder containing the dashboard shared with their user.
  • 5 users who have had the folder containing the folder containing the dashboard shared with their user.

This totals 97 identities. Our account doesn’t use groups (and never has) and I have verified the dashboard isn’t shared with any namespaces. Am I missing some identities? Does the identity count include users with permission to the analysis/dataset(s)/datasource(s)? Or is this a bug?

To note as well, my count is taking the largest count I can get. For instance, there are several users who have been counted multiple times because they have direct permissions for the dashboard and inherited permissions from the folder. My user, for instance, has permissions for the dashboard, folder, and parent folder, and therefore accounts for 3 of the 97 identities.

Any help would be greatly appreciated.

Hi @Sean_Middlehurst - Can you share the dashboard and see the number of users and groups that have the permission, like in the screenshot below?

To understand the complete dashboard usage and its permissions, you can also write custom Python code using QuickSight Boto3 (describe_dashboard_permissions - Boto3 1.26.117 documentation) and extract the details.

For the upper limit, I am also not finding any documentation around this, tagging @Karthik_Tharmarajan , @Max and @David_Wong for their feedback.

Regards - Sanjeeb

Hi @Sanjeeb2022,

Unfortunately, because we have multiple namespaces in our QuickSight account, a screenshot of the console isn’t particularly helpful, as this just shows the permissions in that specific namespace. If I go into my user’s namespace, I can only see myself among the users, but most of the permissions are within a different namespace:

Since we have about 30 namespaces, it would be tedious to go into each individual one and check 30 screenshots.

The numbers I got from my first comment were achieved similarly to how you described (custom PHP code connecting to the cmd and interacting with the CLI, terribly inefficient but it does the job):

  • The 67 were obtained from describe-dashboard-permissions.
  • The 25 were obtained from describe-folder-permissions on the folder directly containing the dashboard.
  • The 5 were obtained from describe-folder-permissions on the folder containing the folder containing the dashboard.

Thanks for your assistance

1 Like

Thanks @Sean_Middlehurst. The Boto3 API is very powerful; all we need is to develop Python code and extract the right details. Yes, it is an iterative process and a learning curve. Glad your issue is resolved; can you please mark the suggestion as the solution so that it will help other community members?

Have a great week ahead.

Regards - Sanjeeb

Hi @Sanjeeb2022,

Unfortunately, this doesn’t resolve my issue. I’m still getting a total identity count of 97, as described above, when the errors displayed still say “You can only share with up to 100 identities”. I have no idea where it’s counting these extra identities from to determine that the dashboard has been shared with 100 entities.

Hi @Sean_Middlehurst - No problem. Can you please provide the exact command you are trying to execute? When the number of entries is greater than 100, you can use the next token approach to get the next 100 records. The same discussion happened in the blog - How to to get all UserNames from aws quicksight list-users cli - #5 by igiraldo.

Please have a look, hope this will help you.

Regards - Sanjeeb

Hi @Sanjeeb2022

The commands I use are as follows:

aws quicksight describe-dashboard-permissions --aws-account-id XXXXXXXXXXXX --dashboard-id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

Naturally I have used our AWS Account ID and the correct Dashboard ID where appropriate. This first command yields 67 identities.

aws quicksight describe-folder-permissions --aws-account-id XXXXXXXXXXXX --folder-id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

For this, I have used the Folder ID for the only folder containing the dashboard. This command yields 25 identities.

aws quicksight describe-folder-permissions --aws-account-id XXXXXXXXXXXX --folder-id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

For this, I have used the Folder ID for the only folder containing the previous folder. This command yields 5 identities.

As you can see, these are the only commands I can think of which list any permissions for the dashboard in question. I’m confident that the dashboard is not contained within any other folders in our account. We do not have any groups if that’s any concern, nor have we used the Share All function for any namespace.

I don’t believe the commands I’ve described above require a next token, and if they did, I would expect the token to be required after 100 entries, and none of those commands get near 100 entries. I understand the list-users command requires 100 entries and also requires a namespace, but I have not used this command as it isn’t required to show the number of identities with permissions for a dashboard or folder.

I feel like there must be some identities I’m failing to count, or some way AWS is counting these identities differently than my method. Either way, I’m counting as many as I can think of and only getting 97.
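Added example, not part of the original thread: a Python script that reconciles the counts from the three commands above by comparing the raw sum with the number of distinct principal ARNs, broken down by principal type and namespace. It assumes each input is the parsed JSON output of a describe-*-permissions call (a "Permissions" list of "Principal" ARNs); the account ID, namespaces and user names are constructed sample values, and the thread does not state which of the two totals QuickSight enforces.

```python
from collections import Counter

def parse_principal(arn):
    """Split a QuickSight principal ARN into (kind, namespace, name)."""
    resource = arn.split(":", 5)[5]        # e.g. user/default/alice
    parts = resource.split("/", 2)         # federated names may contain "/"
    kind = parts[0]                        # user, group or namespace
    namespace = parts[1] if len(parts) > 1 else ""
    name = parts[2] if len(parts) > 2 else ""
    return kind, namespace, name

def reconcile(responses):
    """responses maps a label to one describe-*-permissions output dict."""
    per_source, sources = {}, {}
    for label, resp in responses.items():
        arns = [p["Principal"] for p in resp.get("Permissions", [])]
        per_source[label] = len(arns)
        for arn in arns:
            sources.setdefault(arn, []).append(label)
    return {
        "raw_total": sum(per_source.values()),   # counts repeats, like 67+25+5
        "distinct": len(sources),                # each principal counted once
        "per_source": per_source,
        "by_kind": dict(Counter(parse_principal(a)[0] for a in sources)),
        "by_namespace": dict(Counter(parse_principal(a)[1] for a in sources)),
        "duplicates": {a: s for a, s in sources.items() if len(s) > 1},
    }

# Constructed sample data standing in for the three CLI outputs.
BASE = "arn:aws:quicksight:us-east-1:111122223333:"

def _perm(resource):
    return {"Principal": BASE + resource, "Actions": []}

SAMPLE = {
    "dashboard": {"Permissions": [_perm("user/default/sean"),
                                  _perm("user/team-a/alice"),
                                  _perm("user/team-b/Reader-Role/bob")]},
    "folder": {"Permissions": [_perm("user/default/sean"),
                               _perm("user/team-a/carol")]},
    "parent_folder": {"Permissions": [_perm("user/default/sean")]},
}

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE).items():
        print(key, value)
```
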

Hi @Sean_Middlehurst - There are 2 additional permissions w.r.t. analyses and data sets in QuickSight. Sorry for my lack of understanding; what is your end goal or problem statement? Can you please provide more details so that we can see what other options we can use to find the right solution?

Regards - Sanjeeb

Hi @Sanjeeb2022

I have run two further commands on your recommendation:

aws quicksight describe-analysis-permissions --aws-account-id XXXXXXXXXXXX --analysis-id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

For this, I have used the Analysis ID for the analysis that the dashboard is published from. This command yields 3 identities.

aws quicksight describe-data-set-permissions --aws-account-id XXXXXXXXXXXX --data-set-id XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX

For this, I have used the Data Set ID for the only data set that the analysis uses. This command yields 1 identity.

If we’re also delving into the permissions for analyses and data sets, would we also need to consider the data source too? And perhaps the folders that contain the analysis and data set?

My ultimate issue is that I cannot share this dashboard with any more users because I’m getting the error that “You can only share with up to 100 identities”. Since these 100 identities are not obvious to pinpoint, my end goal is to understand where QuickSight is getting this value of 100 from.

Unfortunately, I won’t have any time to do any testing on adding/removing permissions to see how that affects the error until Tuesday, but I will make sure to put some time aside to see if removing analysis/data set/folder permissions will remove the error.

1 Like

Hi @Sean_Middlehurst - I do agree, can you please provide the exact requirement so that we can explore what is the easiest and quickest way to achieve that?

Tagging @Jesse @Max @David_Wong for their expert advice.

Regards - Sanjeeb

1 Like

Hi @Sean_Middlehurst - you only need to pay attention to the dashboard and folder level permissions. You do not need to inspect the analysis, dataset and data source permissions - they do not need to be explicitly shared with users who just need access to the dashboard. Permissions on the other objects would just be if you want them to be able to build their own analyses using those (for authors).

I don’t have an explanation of why it only adds to 97 - would need further inspection, but I think the overall goal of reducing the number of entities is what we should focus on. If this is indeed a bug and there are just 97 vs 100, I imagine someday you will need to share with more than 3 more users. I suggest you add your users to some groups to reduce the 100 entities into a fewer number of groups. You can create Groups in the QuickSight admin console or using the API/CLI, then share the dashboard with those groups instead.

2 Likes

Hi @Sanjeeb2022, I’m not sure what further explanation I can provide other than what I’ve already said. I thought my description of the problem has been pretty thorough.

Hi @Jesse, thanks for confirming that data source/dataset/analysis permissions don’t contribute to the identity count. That helps narrow down what the issue could be. Overall, I agree that the solution of moving users into groups would work well, since it’s almost certain we’d need more than 3 extra users to see that dashboard and others like it. I will make sure to look into that to avoid the 100 identity cap.

Functionally, I know the workaround for this issue would be to use groups, but the only thing I can’t get my head around is the 97 vs 100 issue. It would be great to know how the identity count is calculated, both for personal satisfaction and to identify if there is a bug with the count or not.

Thanks both for helping. This issue now has very low priority as we have found a solution to the main issue, but to know the cause of the count reconciliation being off would be very satisfying.

Thank you for letting us know. I would recommend filing a case with AWS Support where we can dive into the details so that we can help you further. Here are the steps to open a support case.
If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whoever manages your AWS account.
They should be able to open an AWS Support case on your behalf. Hope this helps!