Hallo all,
I am trying to copy an analysis from one namespace into another. The analysis uses 4 datasets that are common between the two namespaces but they are RLS’d. Both namespaces have rows.
I copy the analysis with code below but then although it is successful the copied analysis shows no data. I think it has to do something with the RLS. The goal is that in the analysis everyone see its own data and only. Can anyone recommend how to solve this?
analysis_response = client.describe_analysis_definition(
AwsAccountId=account_id,
AnalysisId=source_analysis_id
)
# Debug print to see the response structure
print("Aanalysis Response Structure:")
# Create the dashboard in the target namespace
create_response = client.create_analysis(
AwsAccountId=account_id,
AnalysisId=f"{source_analysis_id}_copyTry",
Name=analysis_name,
Definition=analysis_response['Definition'],
Permissions=[
{
'Principal': f"arn:aws:quicksight:{AWS_REGION}:{AWS_ACCOUNT_ID}:user/{target_namespace}/{target_user}",
"Actions": [
"quicksight:RestoreAnalysis",
"quicksight:UpdateAnalysisPermissions",
"quicksight:DeleteAnalysis",
"quicksight:QueryAnalysis",
"quicksight:DescribeAnalysisPermissions",
"quicksight:DescribeAnalysis",
"quicksight:UpdateAnalysis"
]
},
]
)
Hello @Fotis_flex
Could you please verify a few things -
- The copied analysis may reference dataset IDs from the source namespace, which don’t exist in the target namespace.
- The RLS rules in the target namespace datasets must include the user or group accessing the copied analysis.
Thank you,
Shravya
@Fotis_flex
Thank you for confirming.
Since:
- The datasets exist in both namespaces, and
- The RLS rules include the target namespace and user correctly,
then the next thing to check is whether the RLS rules are filtering the data too restrictively.
Specifically:
- For the target user, e.g: the
value = 5 — does this actually allow them to see any rows in the dataset?
- If there are no matching rows for
value = 5 in the underlying dataset (after RLS is applied), the visuals will appear empty even though everything is correctly set up.
Quick test:
Try temporarily relaxing the RLS (or disabling it) for the target user and reloading the analysis — if you see data then, it confirms that the issue is with how the RLS filters are scoped.
If that’s the case, you’ll either need to:
- Broaden the RLS rule for that user, or
- Make sure there are matching data rows for the RLS value assigned to them.
Let me know what you find after that — we can troubleshoot further based on it.
Thank you,
Shravya
Hello @shravya ,
Ok I have already tried that. For e.g, I attempt to reproduce the same visuals from the “copied” analysis inside the target user’s namespace by using the same RLS’d dataset and I observe that data are displayed as expected. So yes, for the target user (value=5) RLS allows them to see rows in the dataset.
More important, I just tried to copy another analysis from another source namespace to the same target namespace and everything is displayed as expected!
So the problem lies on something else. Looks like when I copy the analysis from source namespace to the target one, QS “gets confused” on which data to show?
@Fotis_flex - Thank you for the information.
Could you please check this article to get some pointers on this if we may have missed any.- Understanding Namespaces, Groups, Users and Shared Folder in Amazon QuickSight
Thank you,
Shravya
@shravya Yes no pointers are missing here. As said, the first analysis I copied from one namespace to another is copied as expected. But some others do not display data… It’s very weird
@Fotis_flex - Okay that sounds weird for me too.
I would suggest raising a support ticket in this case so that the amazon support team can look internally what happened and could provide some resolution.
Thank you,
Shravya