I’m currently working to automate mapping of LDAP roles in my idP to Quicksight users. I’ve managed to do this via a Lambda wired to the CreateUser cloudtrail event for quicksight users.
The problem is that seems to be some kind of delay that varies between when my users get assigned permissions and when they can actually SEE the data assigned to the folder. It’s variable and usually after they click around for a good 10+ minutes it shows up. What can I do to avoid this delay? Seems like a caching bug from our perspective.
Thanks for sharing your challenge with the community. To be able to guide you further, it would be very helpful if you are able to share a concrete flow of actions (e.g., events, API calls executed, observed changes in the UI, etc.) + example timings that you observe across the flow.
If you are not able to provide this here, I would recommend filing a case with AWS Support where we can dive into the details so that we can help you further. Here are the steps to open a support case. If your company has someone who manages your AWS account, you might not have direct access to AWS Support and will need to raise an internal ticket to your IT team or whomever manages your AWS account. They should be able to open an AWS Support case on your behalf. Hope this helps!
Hi @msheiny,
I’m just checking in on this question, as we have not heard back from you. We’d still like to help. If we do not hear back in the next 3 days, we will archive the question.
Many Thanks,
Andrew
To be able to guide you further, it would be very helpful if you are able to share a concrete flow of actions (e.g., events, API calls executed, observed changes in the UI, etc.) + example timings that you observe across the flow.
So in Cloudformation I’m calling the following long-before the user actually signs in:
createGroup
createFolder
Then I have a lambda that is hooked onto the CreateUser cloudtrail event from eventbridge. This lambda uses the create_group_membership boto3 call to add the user to the relevant group based on what IAM role they are coming in from the idp.
Now the lambda call happens almost immediately after that createuser call - but obviously i can see how its not fast enough to catch the first time the user tries to call the APIs calls to list assets. The problem is the user will have to reload multiple times and have to wait anywhere from 5-10+ minutes for it to clear through. I’m thinking it’s being cached on the browser or on the API call on your end? So right now I just tell my customers to sign in once and then come back in 30 minutes to confirm they can see assets from the folder