I’ve enabled QuickSight with IAM Identity Center integration so I can manage the permissions directly from the QuickSight console.
But I don’t understand the following:
What happens if I grant permissions to the PermissionSet (for example, quicksight:*) but then to the same group I grant ReadOnly in Quicksight?
I’m a little confused about this behavior between the IAM policies in SSO and the permissions granted in Quicksight.
Hope you can help me.
Hi @mgaleano and welcome to the QuickSight community!
When you assign the permission in IAM, you’re essentially granting overall access to the QuickSight resource, but it does not set what they can access within QuickSight.
There are also different group types in QuickSight that determine what capabilities a user has within.
For example, ‘Read Only’ gives users the ability to only view QuickSight resources (that have been shared with them), not the ability to alter them. Author allows users to also edit those resources.
Here’s a clearer breakdown of the user roles for you to review.
Thanks @Brett for your answer!
I believe I understand what you are saying but it brings me another question:
When I see the available actions in IAM/IdentityCenter, they are very similar (or the same) to the actions I can perform within Quicksight. For example, I could belong to an Identity Center Group with this permission: ‘quicksight:CreateDataSource’ but then I also belong to the ‘Read Only’ group in quicksight. So what is the behavior in that scenario? I mean, will I be able to create data sources since I have the right permission in Identity Center or will I be denied since I have ‘Read Only’ permissions?
The Reader/Author/Admin are user licenses that have hardwired allowed/disallowed characteristics. You can restrict access to capabilities allowed by the license.
Hi @mgaleano,
Since we have not heard back, I’ll go ahead and close out this topic. However, if you have any additional questions, feel free to create a new post in the community and link this discussion for relevant information if needed.