Dashboard Embedding with disabled URL parameters

Hello,

I have a Dashboard that has data for many people. I generate the URL for this in a Java based backend and use the QuickSight embedding SDK to add it into my website.

The Dashboard exposes a parameter which defines the person that you want to see data for. The backend appends a URL parameter to set this when it generates the embedding link. The behavior we want is that each user should only see their own data.

(Just for completeness I’ve also tried supplying the parameter via the QuickSight embedding JS call and it results in the same issue)

Everything works really well, I can see the dashboard for the given person.

But what is less good, is that if I go and look in the browser developer tools → network graph then I can see the raw quicksight URL.

I can then use this URL in another tab and see the dashboard. This ‘raw’ view uses the default parameter value. I can also append URL parameters to change the person who I’m viewing data for.

For us this is a big security issue which I’ve so far failed to find a solution to.

What I’d really like to do is to either:

  • Disable URL parameters for the QuickSight embed URL
  • Encode my parameter in the QuickSight URL so that it cannot be changed

As I mentioned previously, setting the parameters via the JavaScript code gives the same result.

I don’t think we can really use RLS as we only register the ‘logged in user’ (who can see a group of people) in QuickSight, not the individual person. Well perhaps we could, but the effort would be non trivial.

Any thoughts much appreciated.

Thanks

John

Hi @John
Parameters are not supposed to be used to filter the data based on user role. You have to use the row level security features to enable this, so that users cannot access the data that they should not.
You are probably using anonymous embedding. For anonymous embedding, please use session tags . It does not require you to register users with QuickSight but rather pass the necessary values to the field to reduce the data. This happens at the server side and end user will not be able to change it.

Regards
Vetri

3 Likes

Thanks Vetri, I’ll give that a try

1 Like

Hey @JohnW Let us know if @n_vetri’s solution works for you. If it does, we would love it if you could help out the community by marking this answer as a “Solution.” Thanks!

@n_vetri - Thanks, RLS is a cool feature in QuickSight , however if one data set is implemented as RLS, then same data set can not be used as a child data set in other data sets. So in our case, we created views and created AD groups ( with SSO) and restrict access at folder level and giving access… Hopefully there will be some product enhancement on RLS in the quicksight roadmap.

Regards - San

Hi @JohnW,

I have a blog post that specifically addresses what you are trying to do here. It is on how to implement URL parameters in Quicksight. Hope it helps!

1 Like

Thanks everyone for the helpful hints. Sadly I’ve now realised that we need a capacity based subscription not the cheap and cheerful one we currently have :frowning:

I’ll mark the reply provided by @n_vetri as the solution as convincing people to give us that extra money is going to take some time :slight_smile:

Hi @JohnW
You can implement RLS for user-based embedding also, using groups rather than individual users. For user-based embedding, you can stay with user-based pricing.
https://docs.aws.amazon.com/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.html

3 Likes