Enabling CLS via CLI

Hi,

I’m trying to apply Column Level Security (CLS) to a large number of datasets (over 200) using the CLI.

I’m facing a few challenges:

  1. Preparing update-data-set files:
    For each dataset, I need to create an update file that includes the CLS permissions. Generating this manually for 200+ datasets is very time-consuming.
  2. Handling grouped columns in analyses:
    If a column is used inside a group in an analysis, CLS cannot be applied. To fix this, I would need to manually move all such columns from “Groups” to “Values” — again, very tedious for so many datasets.

Is there any more efficient way to apply CLS across all datasets?
Maybe a script-based solution, or a way to bulk edit the datasets and analyses?

Any guidance or best practices would be greatly appreciated!

Hi @Karthika_G

Using QuickSight Boto3 API:

You can use list_data_sets to retrieve dataset Ids, describe_data_set to pull the schema (columns), and loop through each dataset to define and restrict columns automatically using update_data_set under the ColumnLevelPermissionRules section.

Using AWS CLI:

Similarly, you can use QuickSight CLI list-data-sets, describe-data-set, and update-data-set with the [--column-level-permission-rules <value>] option to apply CLS.

Please refer to the documentation below; this might be helpful for you.
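One way to script the list_data_sets / describe_data_set / update_data_set loop described in the reply above, as an added example that is not part of the original post and is not AWS's own code. The helper names, the group ARN, the account ID and the column names are assumptions; for real use, pass `boto3.client("quicksight")` as `client`.

```python
# Added example; build_update/apply_cls and all sample values are hypothetical.
# Fields returned by describe_data_set that update_data_set also accepts.
CARRY_OVER = ("Name", "PhysicalTableMap", "LogicalTableMap", "ImportMode",
              "ColumnGroups", "FieldFolders", "RowLevelPermissionDataSet",
              "RowLevelPermissionTagConfiguration",
              "DataSetUsageConfiguration", "DatasetParameters")

def build_update(account_id, dataset, restricted, principals):
    """Return update_data_set kwargs, or None when nothing needs to change."""
    present = {c["Name"] for c in dataset.get("OutputColumns", [])}
    cols = sorted(present & set(restricted))
    rule = {"Principals": sorted(principals), "ColumnNames": cols}
    rules = list(dataset.get("ColumnLevelPermissionRules") or [])
    if not cols or rule in rules:
        return None  # no sensitive column here, or the rule is already applied
    # The update call takes the whole definition, so carry existing fields
    # (including row-level security) forward rather than sending only CLS.
    kwargs = {k: dataset[k] for k in CARRY_OVER if dataset.get(k)}
    kwargs.update(AwsAccountId=account_id, DataSetId=dataset["DataSetId"],
                  ColumnLevelPermissionRules=rules + [rule])
    return kwargs

def apply_cls(client, account_id, restricted, principals, dry_run=True):
    """Walk all datasets; return {DataSetId: columns covered by the new rule}."""
    planned, token = {}, None
    while True:
        extra = {"NextToken": token} if token else {}
        page = client.list_data_sets(AwsAccountId=account_id, **extra)
        for summary in page.get("DataSetSummaries", []):
            ds = client.describe_data_set(
                AwsAccountId=account_id, DataSetId=summary["DataSetId"])["DataSet"]
            kwargs = build_update(account_id, ds, restricted, principals)
            if kwargs is None:
                continue
            planned[ds["DataSetId"]] = kwargs["ColumnLevelPermissionRules"][-1]["ColumnNames"]
            if not dry_run:
                client.update_data_set(**kwargs)
        token = page.get("NextToken")
        if not token:
            return planned

if __name__ == "__main__":
    # Constructed describe_data_set()["DataSet"] fragment, not real output.
    group = "arn:aws:quicksight:us-east-1:111122223333:group/default/pii-readers"
    sample = {"DataSetId": "ds-1", "Name": "visits", "ImportMode": "SPICE",
              "PhysicalTableMap": {"t1": {}},
              "OutputColumns": [{"Name": "email"}, {"Name": "visits"}]}
    print(build_update("111122223333", sample, {"email", "ssn"}, [group]))
```

Run it with `dry_run=True` first and review the returned plan before allowing it to call update_data_set.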

Yeah, thank you @Xclipse!
But how can I handle the analysis?
The dimensions shouldn’t be in the group, right? Moving them to the Values section requires a manual process, correct?
Also, if I have any calculated fields in the Values section, other text columns get aggregated as “Count.” I’m unable to change the format.
For example, I have a calculated field called # Visits. When I move the Name column to the Values section, it gets aggregated as Name (Count).
How can I tackle this problem?

Hi @Karthika_G

Apologies for the delayed response.

Could you please try the following approach? A practical way to infer whether a field is used as a dimension or a measure is by checking its data type.

  • Fields with type DECIMAL or INTEGER are typically used as measures

  • Fields with type STRING or DATETIME are typically used as dimensions

  • Cross-check the fields against their data types from describe_data_set.

  • Use describe_analysis to extract the FieldWells configuration for each visual.

  • Update the analysis using update_analysis, moving fields between GroupBy and Values as needed — for example, shifting text fields out of the Values section where they’re auto-aggregated as “Count”.

This method can help automate cleanup and ensure compatibility with Column Level Security rules.

Please refer to the QuickSight documentation and community post below; this might be helpful for you.