Considerations in setting up a QuickSight Account

Credits

Camille, Mike - For bringing up the need for this article.
Kareem, Mayank, Camille, Mike - For review and feedback.

There are various considerations to be made while setting up a QuickSight account for your organization. In this article, we walk you through them so that you can make the configuration choices best aligned to your landscape. We have also provided a decision-making flow chart at the end of this article to tie all aspects together.

Prerequisites

As you would expect, elevated privileges are needed for the initial setup of a QuickSight account.
If you are the AWS account admin with full administrator rights, you don’t have to worry about this and can skip to the next section.
Otherwise, ensure that you have the minimum permissions as specified here before proceeding further.

Edition

QuickSight has two editions for you to consider - Enterprise and Enterprise+Q.

If Natural Language Query (letting users ask questions in plain English and having QuickSight generate visual responses) is of interest, choose Enterprise+Q edition. If that is not a priority right now, go with Enterprise edition. You can always add Q to your Enterprise edition later on as well.

Authentication scheme

QuickSight offers three authentication methods. The table below compares the features available with each method; more details on the features are provided further below. For the most part, this selection can’t be changed without recreating your account.

Feature | IAM federated identities and QuickSight-managed users | IAM federated identities only | Active Directory
--- | --- | --- | ---
Additional configuration needed for admin’s initial access | None | None | Select AD as part of account creation; pick groups to be granted admin rights
Configuration needed for other users’ initial access | Add permissions to IAM role/user | Add permissions to IAM role/user | Select and assign groups to be granted author and reader rights
Single sign-on | Available (for federated identities) | Available | Not available
QuickSight-managed users | Invite internal/external users by email; grant admin/author/reader rights as needed | Not available | Not available
Multitenancy / namespaces | Fully supported for federated identities; partial support for QuickSight identities | Fully supported for federated identities | Not available
Custom permissions | Available | Available | Not available
Identity provider groups | Not available | Not available | Available
QuickSight groups | Available | Available | Not available

Configuration needed for admin’s initial access

IAM federated identities (with/without QuickSight-managed users) - You are already authenticated to AWS with an admin/elevated-privilege role. If connected to AWS as a federated user, QuickSight will create your user as RoleName/SessionName (e.g. admin/JaneDoe) and bring you in as an admin user. If you are signed in as an IAM user, QuickSight will associate the internal identity with that user and you will be able to get into QuickSight via the AWS console or directly from the QuickSight sign-in page with your IAM user credentials.

Active Directory - As an AWS admin/elevated-privilege user, you can specify the Active Directory / AD Connector to be used and proceed with the account setup. Once the account is created, you will have access to a limited-capability admin screen where you can map AD groups to the Author, Admin and Reader personas. If you are a member of one of the AD groups mapped to the admin persona, you can then connect to QuickSight with your AD credentials and get access to the full admin panel.

Configuration needed for other user’s initial access

IAM federated identities - Other users with access to the AWS console will be able to launch QuickSight from there and will be brought in as admin, author or reader depending on whether their roles have the quicksight:CreateAdmin, quicksight:CreateUser or quicksight:CreateReader permission.
Likewise, other IAM users can come into QuickSight, via the AWS console or directly, and will be registered as admin, author or reader depending on their permissions (same as with federated users).
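Because the persona a self-registering user lands in is decided entirely by which of these three actions their IAM policy allows, it is worth checking policies before handing them out, especially broad grants such as quicksight:*. The following is an added example, not code from the article or from AWS: it evaluates an IAM policy document locally for the three registration actions and reports the persona the principal would get. It assumes that the highest allowed persona wins (admin over author over reader), ignores Resource and Condition elements (acceptable for these account-scoped actions) and does not handle NotAction; the sample policies are constructed for illustration.

```python
"""Work out which QuickSight persona an IAM principal would be registered as.

Added example, not code from the article or from AWS.  Assumptions: the
highest persona whose action is allowed wins; Resource/Condition elements
are ignored; NotAction is not handled.
"""
import fnmatch
import json

# Highest privilege first: the action that registers each persona.
PERSONA_ACTIONS = [
    ("admin", "quicksight:CreateAdmin"),
    ("author", "quicksight:CreateUser"),
    ("reader", "quicksight:CreateReader"),
]


def _as_list(value):
    """IAM allows either a single string or a list in Action/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_allowed(policy, action):
    """IAM-style decision for one action: an explicit Deny always wins,
    otherwise at least one Allow statement must match (wildcards included)."""
    allowed = False
    wanted = action.lower()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase(wanted, p) for p in patterns):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def registered_persona(policy_json):
    """Return 'admin', 'author', 'reader', or None when the principal cannot
    self-register and an admin would have to invite them instead."""
    policy = json.loads(policy_json)
    for persona, action in PERSONA_ACTIONS:
        if action_allowed(policy, action):
            return persona
    return None


def reader_policy():
    """Least-privilege document for a role whose members should only view
    dashboards: it grants CreateReader and nothing else."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "quicksight:CreateReader",
                       "Resource": "*"}],
    })


# Constructed sample policies (not from any real account).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"}],
})
FENCED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"},
        # An explicit Deny keeps a broad grant from minting admins.
        {"Effect": "Deny", "Action": "quicksight:CreateAdmin", "Resource": "*"},
    ],
})
NO_QS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": []})

if __name__ == "__main__":
    for name, doc in [("reader", reader_policy()), ("broad", BROAD_POLICY),
                      ("fenced", FENCED_POLICY), ("none", NO_QS_POLICY)]:
        print(f"{name:7} -> {registered_persona(doc)}")
```

The FENCED_POLICY case shows the pattern to reach for when a role already carries quicksight:* for other reasons: a targeted Deny on CreateAdmin turns what would be an admin registration into an author one without rewriting the rest of the grant.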

Active Directory - As mentioned earlier, the AWS admin can map the AD groups that should be allowed to access QuickSight as admin, author or reader. Once that configuration is done, users from these AD groups will be able to sign in to QuickSight with their AD credentials.

Single Sign on

(applicable only to IAM federated identities - with/without QuickSight-managed users - options)

If you have an IdP configured to work with the AWS console, you can provide those details in the QuickSight SSO configuration screen (in the Manage QuickSight page) and enable the service-provider-initiated flow. Users can then come directly to QuickSight and will be let into the QuickSight console if they are already logged in with the IdP. If not, they will be redirected to the IdP and brought back to the QuickSight console once their IdP login succeeds.

QuickSight-managed users

(applicable only to IAM federated identities with QuickSight-managed users option)

If you want to share dashboards with a set of (internal/external) users who don’t have access to the AWS console, you can invite them directly to QuickSight using their email addresses. You can specify whether to bring them in as admin, author or reader. They will get an invitation email and will be able to set their QuickSight credentials.

Multitenancy support

(applicable only to IAM federated identities - with/without QuickSight-managed users - options)

You will be set up with a default namespace and have the option to create multiple namespaces to onboard users who need to be isolated from other users. Use of secondary namespaces is fully supported for federated identities and IAM users only. QuickSight-managed users can be registered into secondary namespaces too; however, such users will be able to use QuickSight only in an embedded context and not directly via the console.

Custom permissions

(applicable only to IAM federated identities - with and without QuickSight-managed users - options)

QuickSight provides three user personas by default:
Reader - Can consume dashboards and topics (if Q is enabled) shared by an author or admin.
Author - Can create content (data source connections, datasets, analyses, dashboards, themes, topics, etc.).
Admin - Can create content like authors and can administer the QuickSight account.
Custom permissions let you tone down the access levels of the above personas as desired (for example, if you want authors to be able to create visuals but not be allowed to bring in new data).

Identity Provider groups

(Applicable only to Active directory option)

Active Directory groups are visible to QuickSight when the account is configured with the Active Directory authentication option, and they can be used for sharing assets or in specifying data security (row- and column-level) rules.

QuickSight groups

(applicable only to IAM federated identities - with and without QuickSight-managed users - options)

Groups can be defined within QuickSight, and these can be used for sharing assets or in specifying data security (row- and column-level) rules. If you have groups in your IdP and want to use them with a QuickSight account that uses the federated identities authentication option, you can create equivalent QuickSight groups and sync the state of your IdP groups into these internal groups. This sync is not automatic currently: you will need to create a program that runs on a schedule or on demand and does this using the group APIs provided. Where entitlements change very frequently, you can also sync at the user level right when the user is signing in (via a custom-built authorization flow).
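The following is an added example of such a sync program, not code from the article or from AWS. It splits the work into a pure planning step (compute which groups to create and which memberships to add or remove) and an apply step that calls the QuickSight group APIs through boto3. It assumes a single federated role named QuickSightFederatedRole, so that QuickSight user names take the RoleName/SessionName form described above, and that the client is created in the account’s identity region (us-east-1 is used as a stand-in); the IdP snapshot and current QuickSight state are constructed sample data. Groups present in QuickSight but absent from the IdP are deliberately left alone, and an empty IdP snapshot is refused so that a failed IdP fetch cannot strip every membership.

```python
"""Reconcile QuickSight groups with IdP group membership.

Added example, not code from the article or from AWS.  Assumptions: one
federated role (QuickSightFederatedRole) so QuickSight user names are
RoleName/SessionName; the boto3 client is built in the identity region.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    op: str          # "create_group", "add_member" or "remove_member"
    group: str
    member: str = ""


def qs_member_name(role_name, session_name):
    """Federated users are registered as RoleName/SessionName."""
    return f"{role_name}/{session_name}"


def plan_sync(idp_groups, qs_groups, role_name="QuickSightFederatedRole"):
    """idp_groups: {group: set of IdP session names} (the desired state).
    qs_groups:  {group: set of QuickSight user names} (the current state).
    Returns an ordered list of Actions; groups unknown to the IdP are kept."""
    if not idp_groups:
        # Guard: a broken IdP fetch must not turn into a mass removal.
        raise ValueError("refusing to sync from an empty IdP snapshot")
    plan = []
    for group in sorted(idp_groups):
        desired = {qs_member_name(role_name, s) for s in idp_groups[group]}
        current = qs_groups.get(group)
        if current is None:
            plan.append(Action("create_group", group))
            current = set()
        for member in sorted(desired - current):
            plan.append(Action("add_member", group, member))
        for member in sorted(current - desired):
            plan.append(Action("remove_member", group, member))
    return plan


def _paginate(call, key, **kwargs):
    """Follow NextToken for the QuickSight list APIs."""
    token = None
    while True:
        resp = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from resp.get(key, [])
        token = resp.get("NextToken")
        if not token:
            return


def fetch_qs_groups(client, account_id, namespace="default"):
    """Current QuickSight state as {group: set of member names}."""
    base = {"AwsAccountId": account_id, "Namespace": namespace}
    groups = {g["GroupName"]: set()
              for g in _paginate(client.list_groups, "GroupList", **base)}
    for name in groups:
        groups[name] = {m["MemberName"] for m in _paginate(
            client.list_group_memberships, "GroupMemberList",
            GroupName=name, **base)}
    return groups


def apply_plan(client, plan, account_id, namespace="default"):
    """Execute the plan against the QuickSight group APIs."""
    base = {"AwsAccountId": account_id, "Namespace": namespace}
    for a in plan:
        if a.op == "create_group":
            client.create_group(GroupName=a.group,
                                Description="synced from IdP", **base)
        elif a.op == "add_member":
            client.create_group_membership(MemberName=a.member,
                                           GroupName=a.group, **base)
        elif a.op == "remove_member":
            client.delete_group_membership(MemberName=a.member,
                                           GroupName=a.group, **base)


# Constructed sample data: what the IdP reports and what QuickSight holds now.
IDP_SNAPSHOT = {"finance-readers": {"JaneDoe", "JohnRoe"},
                "sales-authors": {"AlexPoe"}}
CURRENT_QS = {"finance-readers": {"QuickSightFederatedRole/JaneDoe",
                                  "QuickSightFederatedRole/OldHire"}}

if __name__ == "__main__":
    plan = plan_sync(IDP_SNAPSHOT, CURRENT_QS)
    for a in plan:
        print(a)
    # Real run (needs credentials): replace the placeholder account id and
    # use your account's identity region, not necessarily us-east-1.
    # import boto3
    # client = boto3.client("quicksight", region_name="us-east-1")
    # apply_plan(client, plan_sync(IDP_SNAPSHOT,
    #            fetch_qs_groups(client, "123456789012")), "123456789012")
```

Keeping plan_sync free of AWS calls means the diff can be logged or reviewed before anything is changed, which matters here because removing a membership silently revokes access to every asset shared with that group.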

Region selection

During account setup, you must select a region for your account. This selection persists for the entire life of your account and drives the following aspects of it.

Default region - When using the generic QuickSight URL ( https://quicksight.aws.amazon.com ), users will land in the region you selected during account creation.

SPICE capacity allocation - QuickSight has an internal data cache layer called SPICE. Each author you add to your QuickSight account comes with 10GB of free SPICE capacity that gets added to a common pool. This free SPICE capacity will be allocated to the region you selected during account creation, so be sure to select the region where all or most of your data workloads exist. You can of course purchase as much SPICE capacity as you want in any of the QuickSight regions. We still point out the free SPICE allocation so that you don’t end up having to purchase SPICE capacity while a large amount of SPICE sits unused in another region, simply because this wasn’t considered when selecting the region during account setup.

Identity region - QuickSight manages users and groups in special regions designated as identity regions. Based on your region selection, QuickSight will pick the appropriate identity region for your account. This has no direct impact on your setup; just keep in mind that when doing user/group management or editing security & permission settings, you will need to switch over to the identity region (you will be prompted to do so in the UI and in API responses).

Account name

Only one QuickSight account can be created within each AWS account. This QuickSight account will be able to cater to the BI needs of your entire organization. Pick an account name that aligns with your organization, business unit, department or team, based on how you intend to use the QuickSight account for the long term, rather than with the specific analytics use case at hand.

Note - Account name can’t be modified after setting up the account.

Setup access to other AWS services

QuickSight will set up the role(s) it needs for accessing other AWS services like S3, Redshift, RDS, etc.
You can manage this through the UI via the security & permissions section of the QuickSight management panel.
Alternatively, you can configure QuickSight to use a custom role to control QuickSight’s access at a finer grain, set permission boundaries, or have the same policies applied programmatically across several accounts. This selection can be changed at a later point as well.

In this article, we have touched upon the most important aspects you need to consider while setting up a QuickSight account. The following flowchart will help tie it all together (the configurations that can’t be changed after initial setup are marked in a darker shade of grey). We hope you find this article useful and are better prepared to proceed with your account creation.

Setup considerations flow chart

7 Likes