Column-level security using Group is not working


User A in a group is unable to access the restricted column.
But if User A is granted without using group, it is working.
Is this QuickSight bug?

Hi @lbl

I did a small test where I restricted access to a column by providing access to a Group to which I don’t belong.

When I checked the analysis where this column was referenced I get the following error

I went back and modified the column-level access and provided access to the group to which I belong, then went back and checked the analysis; the visual worked and I could see the column.

It appears there is probably something more going on in your case. By any chance do you have any additional rules applied that may be conflicting with this?

Regards,
Giri

hi @Giridhar.Prabhu
I only have this 1 column-level security. User is not IAM user.
Does it work for you?

Thanks.

Hi @lbl

By default all users have access to all fields.

So, you set up a rule for the bonusamount column so that a specific user group can access it and all others should not have access to the column. The bonusViewer is a user group in your system and User A belongs to this user group. But with this setup you are saying that User A cannot access the column.

I would expect this to work as I tried with a simple case and it seems to work.

Can you share more details like the user, user group setup and your error in the dashboard?

Regards,
Giri

hi @Giridhar.Prabhu
I thought this was straightforward and do not understand why it is not working.
Group bonusViewer contains User A (non-IAM user) and the column is restricted to bonusViewer.
But User A is unable to view the column. The error is the same as yours, i.e. "You can’t access this visual because this field is restricted: xxxx."

Have you tried with a non-IAM user?

Thanks.

Hi @lbl,
Judging by the feedback provided by Giri that he tested this out and it worked in his case, there may be a bug with your scenario. As we are unable to access private account information to assist further, I would suggest creating a support ticket to get additional assistance from the AWS team.

@Brett
Can you / Giri confirm with me whether it is working for non-IAM users?
Thank you

Hi @lbl,
I have not tested this, so I am not able to confirm; @Giridhar.Prabhu, are you able to confirm?

Hi @lbl

I tried with a non-IAM user.

If I give access to the user group to which the user belongs, the visual renders without issues. So I don’t need to provide access at the individual user level.

However, thinking aloud, this column-level security implementation has a bug and I don’t think it is practically usable.

For example, I don’t want to show the Salary column in an Employee table to non-HR department users. So, I implement column-level security allowing access to the column only for HR Department (user group) users.

  1. HR User group users can see the table without issues
  2. All other users will get the error “You can’t access this visual because some of the information is restricted”

I would assume that you want the users to see the table but the Salary column and any other calculated field that references this field disappears from the table, while the rest of the columns should still be available to the users. It should not error out.

@Brett,
Do you agree with my point above? If Yes, can you provide this feedback to the product team?

@Giridhar.Prabhu
I am ok with an error when the user is not supposed to see the column in a chart/table.

My issue here is that even if non-IAM User A is included in a group which has access to the sensitive column, User A will still get the error for the chart/table. Do you mean you do not have this issue?

Thanks!

Hi @lbl

Yes. I don’t have that issue.

When the user is in the group to which I have given access, the user was able to see the visual without issues.

Regards,
Giri