Enable full object access for admin

There have been multiple customer requests for a script that lets an admin see all the objects in their account (data sources, data sets, analyses, dashboards, themes, etc.) from the UI.

The Python script below iterates through all the objects in the account and opens up full access for the admin user. It works on one region per run: the region you enter at the prompt. It doesn’t cover Q topics currently; I will update the script once the Q APIs are available. Folders are not included, since the admin who creates the top-level shared folder automatically has access to all child folders created in it.

With great power comes great responsibility - use this script carefully 🙂

import boto3, botocore

def UpdatePermissionsForAll(entityType, entityTypeCollection, ListFunc, UpdateFunc ):
    """Page through a QuickSight list call and update every entity it returns.

    entityType           -- prefix of the id key in each summary; 'DataSet'
                            selects entity['DataSetId'].
    entityTypeCollection -- response key holding the list of summaries.
    ListFunc             -- list operation, called with AwsAccountId and
                            MaxResults, plus NextToken after the first page.
    UpdateFunc           -- callable invoked once per entity id.

    Reads the module-level awsAccountId. Returns None.
    """
    pageToken = ''
    lastPageSeen = False
    while not lastPageSeen:
        listArgs = {'AwsAccountId': awsAccountId, 'MaxResults': 100}
        if pageToken:
            listArgs['NextToken'] = pageToken
        page = ListFunc(**listArgs)

        # A response without NextToken is the final page.
        lastPageSeen = 'NextToken' not in page
        pageToken = '' if lastPageSeen else page['NextToken']

        for summary in page[entityTypeCollection]:
            UpdateFunc(summary[entityType+'Id'])

def UpdateDataSourcePermissions(dataSourceId):
    """Grant userArn the actions listed below on one data source.

    Uses the module-level qs client, awsAccountId and userArn. The list
    includes DeleteDataSource and UpdateDataSourcePermissions, so the
    principal can delete the data source and change who else has access.
    Any exception is printed and not re-raised; the function returns None
    either way.
    """
    banner = '----------------------------------------------------'
    grantedActions = [
        "quicksight:UpdateDataSourcePermissions",
        "quicksight:DescribeDataSource",
        "quicksight:DescribeDataSourcePermissions",
        "quicksight:PassDataSource",
        "quicksight:UpdateDataSource",
        "quicksight:DeleteDataSource"
    ]
    try:
        qs.update_data_source_permissions(
            AwsAccountId = awsAccountId,
            DataSourceId = dataSourceId,
            GrantPermissions = [{"Principal": userArn, "Actions": grantedActions}]
        )
        print('Updated permissions for Data Source Id - ' + dataSourceId)
    except Exception as apiError:
        # Report and carry on; the id is printed so the failure can be retried.
        print(banner)
        print('Permissions could not be updated for Data Source Id - ' + dataSourceId)
        print(apiError)
        print(banner)

def UpdateDataSetPermissions(dataSetId):
    """Grant userArn the actions listed below on one data set.

    Uses the module-level qs client, awsAccountId and userArn. The list
    includes DeleteDataSet, UpdateDataSetPermissions and the ingestion
    create/cancel actions, so the principal can delete the data set, change
    its sharing and start or stop ingestions. Any exception is printed and
    not re-raised; the function returns None either way.
    """
    banner = '----------------------------------------------------'
    grantedActions = [
        "quicksight:UpdateDataSetPermissions",
        "quicksight:DescribeDataSet",
        "quicksight:DescribeDataSetPermissions",
        "quicksight:PassDataSet",
        "quicksight:DescribeIngestion",
        "quicksight:ListIngestions",
        "quicksight:UpdateDataSet",
        "quicksight:DeleteDataSet",
        "quicksight:CreateIngestion",
        "quicksight:CancelIngestion"
    ]
    try:
        qs.update_data_set_permissions(
            AwsAccountId = awsAccountId,
            DataSetId = dataSetId,
            GrantPermissions = [{"Principal": userArn, "Actions": grantedActions}]
        )
        print('Updated permissions for Data Set Id - ' + dataSetId)
    except Exception as apiError:
        # Report and carry on; the id is printed so the failure can be retried.
        print(banner)
        print('Permissions could not be updated for Data Set Id - ' + dataSetId)
        print(apiError)
        print(banner)

def UpdateAnalysisPermissions(analysisId):
    """Grant userArn the actions listed below on one analysis.

    Uses the module-level qs client, awsAccountId and userArn. The list
    includes DeleteAnalysis, RestoreAnalysis and UpdateAnalysisPermissions,
    so the principal can delete or restore the analysis and change its
    sharing. Any exception is printed and not re-raised; the function
    returns None either way.
    """
    banner = '----------------------------------------------------'
    grantedActions = [
        "quicksight:RestoreAnalysis",
        "quicksight:UpdateAnalysisPermissions",
        "quicksight:DeleteAnalysis",
        "quicksight:DescribeAnalysisPermissions",
        "quicksight:QueryAnalysis",
        "quicksight:DescribeAnalysis",
        "quicksight:UpdateAnalysis"
    ]
    try:
        qs.update_analysis_permissions(
            AwsAccountId = awsAccountId,
            AnalysisId = analysisId,
            GrantPermissions = [{"Principal": userArn, "Actions": grantedActions}]
        )
        print('Updated permissions for Analysis Id - ' + analysisId)
    except Exception as apiError:
        # Report and carry on; the id is printed so the failure can be retried.
        print(banner)
        print('Permissions could not be updated for Analysis Id - ' + analysisId)
        print(apiError)
        print(banner)

def UpdateDashboardPermissions(dashboardId):
    """Grant userArn the actions listed below on one dashboard.

    Uses the module-level qs client, awsAccountId and userArn. The list
    includes DeleteDashboard, UpdateDashboardPermissions and
    UpdateDashboardPublishedVersion, so the principal can delete the
    dashboard, change its sharing and change which version is published.
    Any exception is printed and not re-raised; the function returns None
    either way.
    """
    banner = '----------------------------------------------------'
    grantedActions = [
        "quicksight:DescribeDashboard",
        "quicksight:ListDashboardVersions",
        "quicksight:UpdateDashboardPermissions",
        "quicksight:QueryDashboard",
        "quicksight:UpdateDashboard",
        "quicksight:DeleteDashboard",
        "quicksight:DescribeDashboardPermissions",
        "quicksight:UpdateDashboardPublishedVersion"
    ]
    try:
        qs.update_dashboard_permissions(
            AwsAccountId = awsAccountId,
            DashboardId = dashboardId,
            GrantPermissions = [{"Principal": userArn, "Actions": grantedActions}]
        )
        print('Updated permissions for Dashboard Id - ' + dashboardId)
    except Exception as apiError:
        # Report and carry on; the id is printed so the failure can be retried.
        print(banner)
        print('Permissions could not be updated for Dashboard Id - ' + dashboardId)
        print(apiError)
        print(banner)

def UpdateThemePermissions(themeId):
    """Grant userArn the actions listed below on one theme.

    Uses the module-level qs client, awsAccountId and userArn. The list
    includes DeleteTheme, UpdateThemePermissions and the theme alias
    create/update/delete actions, so the principal can delete the theme,
    change its sharing and manage its aliases. Any exception is printed and
    not re-raised; the function returns None either way.
    """
    banner = '----------------------------------------------------'
    grantedActions = [
        "quicksight:UpdateThemeAlias",
        "quicksight:ListThemeVersions",
        "quicksight:DescribeThemeAlias",
        "quicksight:UpdateThemePermissions",
        "quicksight:DeleteThemeAlias",
        "quicksight:DeleteTheme",
        "quicksight:ListThemeAliases",
        "quicksight:DescribeTheme",
        "quicksight:CreateThemeAlias",
        "quicksight:UpdateTheme",
        "quicksight:DescribeThemePermissions"
    ]
    try:
        qs.update_theme_permissions(
            AwsAccountId = awsAccountId,
            ThemeId = themeId,
            GrantPermissions = [{"Principal": userArn, "Actions": grantedActions}]
        )
        print('Updated permissions for Theme Id - ' + themeId)
    except Exception as apiError:
        # Report and carry on; the id is printed so the failure can be retried.
        print(banner)
        print('Permissions could not be updated for Theme Id - ' + themeId)
        print(apiError)
        print(banner)

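print('----------------------------------------------------')
print(' This program will take a user Arn as input and open up full access to all objects for this user.')
print(' You can get the user arn by doing a describe-user / list-users api call')
print(' Or construct it by following the below format')
print(' arn:aws:quicksight:<identity region>:<aws account number>:user/<namespace>/<username>')
print(' Note - For federated users, role name is part of username. ie - <rolename>/<session name>')
print('----------------------------------------------------')

# NOTE(review): every grant made below includes the Delete* and
# Update*Permissions actions of the object type and stays in place until it
# is removed again (the same update_*_permissions calls accept
# RevokePermissions). Keep the printed object ids if the access is meant to
# be temporary.

userArnAvailable = False
# Collect the user ARN and target region. The loop only ends once the ARN has
# the user format shown above and the operator has typed "yes", so a
# mistyped or non-user ARN is rejected here instead of failing later with an
# IndexError or being parsed into the wrong namespace/user name.
while not(userArnAvailable):
    # Pasted values often carry stray whitespace; strip it before parsing.
    userArn = input('Please enter arn of user to be made super admin - ').strip()
    region = input('Please enter region where you want the script run (eg us-east-1) - ').strip()

    # maxsplit keeps the resource part intact even if it contains a colon.
    arnParts = userArn.split(':', 5)
    resourceParts = arnParts[5].split('/', 2) if len(arnParts) == 6 else []
    arnLooksValid = (
        len(resourceParts) == 3
        and arnParts[0] == 'arn'
        and arnParts[2] == 'quicksight'
        and arnParts[3] != ''
        and arnParts[4].isdigit()
        and len(arnParts[4]) == 12
        and resourceParts[0] == 'user'
        and resourceParts[1] != ''
        and resourceParts[2] != ''
    )
    if not arnLooksValid or not region:
        print('----------------------------------------------------')
        print('The arn or region entered is not usable. Expected arn format is')
        print(' arn:aws:quicksight:<identity region>:<aws account number>:user/<namespace>/<username>')
        continue

    print('----------------------------------------------------')
    print ('You entered user '+str(userArn))
    print ('and region '+str(region))
    userResponse = input('Please confirm if this is correct; No turning back once you enter yes [yes/no] - ')
    if userResponse.upper() == 'YES':
        userArnAvailable = True

identityRegion = arnParts[3]
awsAccountId = arnParts[4]
namespace = resourceParts[1]
# Everything after "user/<namespace>/"; for federated users this is
# "<rolename>/<session name>".
userName = resourceParts[2]

# Users are looked up in the identity region taken from the ARN; objects are
# listed and updated in the region the operator entered.
qsid = boto3.client('quicksight',region_name = identityRegion)
qs = boto3.client('quicksight',region_name = region)

# Check that the user exists before touching any object.
try:
    response = qsid.describe_user(AwsAccountId = awsAccountId, Namespace = namespace, UserName = userName)
except Exception as e:
    print('----------------------------------------------------')
    print('Could not look up user ' + userArn + '. No permissions were changed.')
    print(e)
    print('----------------------------------------------------')
    raise SystemExit(1)

# Only an existing ADMIN user receives the grants; any other role is reported
# instead of being skipped silently.
if response['User']['Role'] == 'ADMIN':
    UpdatePermissionsForAll('DataSource', 'DataSources', qs.list_data_sources, UpdateDataSourcePermissions )
    UpdatePermissionsForAll('DataSet', 'DataSetSummaries', qs.list_data_sets, UpdateDataSetPermissions )
    UpdatePermissionsForAll('Analysis', 'AnalysisSummaryList', qs.list_analyses, UpdateAnalysisPermissions )
    UpdatePermissionsForAll('Dashboard', 'DashboardSummaryList', qs.list_dashboards, UpdateDashboardPermissions )
    UpdatePermissionsForAll('Theme', 'ThemeSummaryList', qs.list_themes, UpdateThemePermissions )
else:
    print('----------------------------------------------------')
    print('User role is ' + str(response['User']['Role']) + ', not ADMIN. No permissions were changed.')
    print('----------------------------------------------------')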
