Enable full object access for admin

There have been multiple customer requests to provide a script that enables an admin to see all the objects in their account (data sources, data sets, analyses, dashboards, themes, etc.) from the UI.

The Python script below iterates through all the objects in the account and opens up full access for the admin user. This doesn’t cover Q topics currently. I will update this script once Q APIs are available. Folders are not included since the admin who creates the top-level shared folder automatically has access to all child folders created therein.

With great power comes great responsibility - Use this script carefully 🙂

import boto3, botocore

def UpdatePermissionsForAll(entityType, entityTypeCollection, ListFunc, UpdateFunc ):
    moreEntitiesExist = True
    nextToken = ''
    while moreEntitiesExist:
        if nextToken:
            response = ListFunc(AwsAccountId = awsAccountId, MaxResults = 100, NextToken = nextToken)
        else:
            response = ListFunc(AwsAccountId = awsAccountId, MaxResults = 100)

        if 'NextToken' in list(response.keys()):
            nextToken = response['NextToken']
        else:
            nextToken = ''
            moreEntitiesExist = False

        for entity in response[entityTypeCollection]:
            UpdateFunc(entity[entityType+'Id'])

def UpdateDataSourcePermissions(dataSourceId):
    try:
        qs.update_data_source_permissions(AwsAccountId = awsAccountId,
            DataSourceId = dataSourceId,
            GrantPermissions = [
                {
                    "Principal": userArn,
                    "Actions": [
                        "quicksight:UpdateDataSourcePermissions",
                        "quicksight:DescribeDataSource",
                        "quicksight:DescribeDataSourcePermissions",
                        "quicksight:PassDataSource",
                        "quicksight:UpdateDataSource",
                        "quicksight:DeleteDataSource"
                    ]
                }
            ]
        )
        print('Updated permissions for Data Source Id - ' + dataSourceId)
    except Exception as e:
        print('----------------------------------------------------')
        print('Permissions could not be updated for Data Source Id - ' + dataSourceId)
        print(e)
        print('----------------------------------------------------')

def UpdateDataSetPermissions(dataSetId):
    try:
        qs.update_data_set_permissions(AwsAccountId = awsAccountId,
            DataSetId = dataSetId,
            GrantPermissions = [
                {
                    "Principal": userArn,
                    "Actions": [
                        "quicksight:UpdateDataSetPermissions",
                        "quicksight:DescribeDataSet",
                        "quicksight:DescribeDataSetPermissions",
                        "quicksight:PassDataSet",
                        "quicksight:DescribeIngestion",
                        "quicksight:ListIngestions",
                        "quicksight:UpdateDataSet",
                        "quicksight:DeleteDataSet",
                        "quicksight:CreateIngestion",
                        "quicksight:CancelIngestion"
                    ]
                }
            ]
        )
        print('Updated permissions for Data Set Id - ' + dataSetId)
    except Exception as e:
        print('----------------------------------------------------')
        print('Permissions could not be updated for Data Set Id - ' + dataSetId)
        print(e)
        print('----------------------------------------------------')

def UpdateAnalysisPermissions(analysisId):
    try:
        qs.update_analysis_permissions(AwsAccountId = awsAccountId,
            AnalysisId = analysisId,
            GrantPermissions = [
                {
                    "Principal": userArn,
                    "Actions": [
                        "quicksight:RestoreAnalysis",
                        "quicksight:UpdateAnalysisPermissions",
                        "quicksight:DeleteAnalysis",
                        "quicksight:DescribeAnalysisPermissions",
                        "quicksight:QueryAnalysis",
                        "quicksight:DescribeAnalysis",
                        "quicksight:UpdateAnalysis"
                    ]
                }
            ]
        )
        print('Updated permissions for Analysis Id - ' + analysisId)
    except Exception as e:
        print('----------------------------------------------------')
        print('Permissions could not be updated for Analysis Id - ' + analysisId)
        print(e)
        print('----------------------------------------------------')

def UpdateDashboardPermissions(dashboardId):
    try:
        qs.update_dashboard_permissions(AwsAccountId = awsAccountId,
            DashboardId = dashboardId,
            GrantPermissions = [
                {
                    "Principal": userArn,
                    "Actions": [
                        "quicksight:DescribeDashboard",
                        "quicksight:ListDashboardVersions",
                        "quicksight:UpdateDashboardPermissions",
                        "quicksight:QueryDashboard",
                        "quicksight:UpdateDashboard",
                        "quicksight:DeleteDashboard",
                        "quicksight:DescribeDashboardPermissions",
                        "quicksight:UpdateDashboardPublishedVersion"
                    ]
                }
            ]
        )
        print('Updated permissions for Dashboard Id - ' + dashboardId)
    except Exception as e:
        print('----------------------------------------------------')
        print('Permissions could not be updated for Dashboard Id - ' + dashboardId)
        print(e)
        print('----------------------------------------------------')

def UpdateThemePermissions(themeId):
    try:
        qs.update_theme_permissions(AwsAccountId = awsAccountId,
            ThemeId = themeId,
            GrantPermissions = [
                {
                    "Principal": userArn,
                    "Actions": [
                        "quicksight:UpdateThemeAlias",
                        "quicksight:ListThemeVersions",
                        "quicksight:DescribeThemeAlias",
                        "quicksight:UpdateThemePermissions",
                        "quicksight:DeleteThemeAlias",
                        "quicksight:DeleteTheme",
                        "quicksight:ListThemeAliases",
                        "quicksight:DescribeTheme",
                        "quicksight:CreateThemeAlias",
                        "quicksight:UpdateTheme",
                        "quicksight:DescribeThemePermissions"
                    ]
                }
            ]
        )
        print('Updated permissions for Theme Id - ' + themeId)
    except Exception as e:
        print('----------------------------------------------------')
        print('Permissions could not be updated for Theme Id - ' + themeId)
        print(e)
        print('----------------------------------------------------')

print('----------------------------------------------------')
print(' This program will take a user Arn as input and open up full access to all objects for this user.')
print(' You can get the user arn by doing a describe-user / list-users api call')
print(' Or construct it by following the below format')
print(' arn:aws:quicksight:<identity region>:<aws account number>:user/<namespace>/<username>')
print(' Note - For federated users, role name is part of username. ie - <rolename>/<session name>')
print('----------------------------------------------------')

userArnAvailable = False
#Collect user Arn from user and get confirmation
while not(userArnAvailable):
    userArn = input('Please enter arn of user to be made super admin - ')
    region = input('Please enter region where you want the script run (eg us-east-1) - ')
    print('----------------------------------------------------')
    print ('You entered user '+str(userArn))
    print ('and region '+str(region))
    userResponse = input('Please confirm if this is correct; No turning back once you enter yes [yes/no] - ')
    if userResponse.upper() == 'YES':
        userArnAvailable = True

identityRegion = userArn.split(':')[3]
awsAccountId = userArn.split(':')[4]
namespace = userArn.split(':')[5].split('/')[1]
userName = userArn.split(':')[5][len(namespace)+6:]

qsid = boto3.client('quicksight',region_name = identityRegion)
qs = boto3.client('quicksight',region_name = region)

#Check if user arn is valid and belongs to an admin before changing any permissions
response = qsid.describe_user(AwsAccountId = awsAccountId, Namespace = namespace, UserName = userName)
if response['User']['Role'] == 'ADMIN':
    UpdatePermissionsForAll('DataSource', 'DataSources', qs.list_data_sources, UpdateDataSourcePermissions )
    UpdatePermissionsForAll('DataSet', 'DataSetSummaries', qs.list_data_sets, UpdateDataSetPermissions )
    UpdatePermissionsForAll('Analysis', 'AnalysisSummaryList', qs.list_analyses, UpdateAnalysisPermissions )
    UpdatePermissionsForAll('Dashboard', 'DashboardSummaryList', qs.list_dashboards, UpdateDashboardPermissions )
    UpdatePermissionsForAll('Theme', 'ThemeSummaryList', qs.list_themes, UpdateThemePermissions )
else:
    #Previously the script exited silently here; report that nothing was changed
    print('User role is ' + response['User']['Role'] + ', not ADMIN. No permissions were changed.')


Hi
Can you please write the updated script, to use for a specific user (not admin)? Including folders.
I want to be granted full permission (co-owner) to all QuickSight objects.
Thanks,
Arie

How do I run this Python script? Could someone help? Thanks

Hi Arie,

Only admins should have full object access. It wouldn’t be safe to allow this script to be run for authors as it will grant them full rights to even delete assets created by other authors.
That being said, you know your use case best, and if you feel it is justified & safe for your use case, feel free to tweak the script for your use. If you encounter any challenges with it, send me a private note with your specific questions.

Regards,
Arun
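
For anyone adapting the script from the first post, an added example (not part of the thread and not the original script): it compares an asset's current permissions with the grant the script makes, lists the delete rights that would be new, and builds a RevokePermissions entry covering only what was added. The ARNs and the permission list are constructed samples, `plan_grant` is a hypothetical helper, and whether the service accepts the action set left after such a revoke is an assumption not checked here.

```python
# Added example: preview what the script's grant changes on one asset and
# build the RevokePermissions entry that would undo only that change.

# Owner-level data set actions, copied from the script in the first post.
DATA_SET_ACTIONS = [
    "quicksight:UpdateDataSetPermissions", "quicksight:DescribeDataSet",
    "quicksight:DescribeDataSetPermissions", "quicksight:PassDataSet",
    "quicksight:DescribeIngestion", "quicksight:ListIngestions",
    "quicksight:UpdateDataSet", "quicksight:DeleteDataSet",
    "quicksight:CreateIngestion", "quicksight:CancelIngestion",
]

def plan_grant(existing_permissions, principal, desired_actions):
    """Compare the current permissions with the grant the script would make.

    existing_permissions is the 'Permissions' list of a
    describe_*_permissions response. Returns a dict with:
      added    - actions the principal does not hold yet
      deletes  - the subset of 'added' that allows deleting the asset
      rollback - RevokePermissions entry removing only 'added', or None
    """
    held = set()
    for entry in existing_permissions:
        if entry["Principal"] == principal:
            held.update(entry["Actions"])
    added = [a for a in desired_actions if a not in held]
    deletes = [a for a in added if a.split(":", 1)[1].startswith("Delete")]
    rollback = {"Principal": principal, "Actions": added} if added else None
    return {"added": added, "deletes": deletes, "rollback": rollback}

# Constructed sample, shaped like describe_data_set_permissions()['Permissions'].
# Account number, namespace and user names are placeholders.
ADMIN = "arn:aws:quicksight:us-east-1:111122223333:user/default/admin-user"
AUTHOR = "arn:aws:quicksight:us-east-1:111122223333:user/default/author-user"
SAMPLE_PERMISSIONS = [
    {"Principal": AUTHOR, "Actions": list(DATA_SET_ACTIONS)},
    {"Principal": ADMIN, "Actions": DATA_SET_ACTIONS[1:6]},  # read-only subset
]

if __name__ == "__main__":
    plan = plan_grant(SAMPLE_PERMISSIONS, ADMIN, DATA_SET_ACTIONS)
    print("newly granted:", plan["added"])
    print("delete rights added:", plan["deletes"])
    print("rollback entry:", plan["rollback"])
```

Saving the returned `rollback` entries per asset ID before running the update gives a record of exactly what the run changed.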

Hi Raul,

To run this script locally, you can save it in a file, say MakeSuperAdmin.py, and invoke it from the command line as an argument to python.

python MakeSuperAdmin.py

Note that you will need to have boto3 installed (Quickstart - Boto3 1.29.5 documentation) and should have AWS credentials set either via named profiles (Configuration and credential file settings - AWS Command Line Interface) or environment variables (Environment variables to configure the AWS CLI - AWS Command Line Interface).

Regards,
Arun Santhosh
