Granular permissions

Hi,

Is it possible to set up granular permissions for a dataset resource?

It seems like there are only viewer or author permission groups available.

We have some datasets that are fully managed through code, but authors keep messing with them. I want to disable that option, but still allow them to change refresh schedules and manually refresh the datasets.

Hello,

You can implement granular access control through IAM policies to restrict specific dataset actions.

Regards,

AWS Support said it was impossible.

So, want to confirm one last time, there’s really no way to prevent an author from modifying a dataset?

Seems like a glaring oversight.

Hello,

You can define the actions an author can perform on a dataset using resource permissions: Actions, resources, and condition keys for Amazon QuickSight - Service Authorization Reference

For example, the below defines what actions the author user ("Principal": "arn:aws:quicksight:us-east-1:xxxxxxxxxx:user/default/xxxxxxxx.xxxxxxx@gmail.com") can perform on the data set:

aws quicksight update-data-set-permissions \
--aws-account-id xxxxxxxxx \
--data-set-id xxxxxxxxxxx \
--grant-permissions '[{
"Principal": "arn:aws:quicksight:us-east-1:xxxxxxxxxx:user/default/xxxxxxxx.xxxxxxx@gmail.com",
"Actions": [
"quicksight:DescribeDataSet",
"quicksight:DescribeDataSetPermissions",
"quicksight:PassDataSet",
"quicksight:DescribeIngestion",
"quicksight:ListIngestions"
]
}]'

You need to review Actions, resources, and condition keys for Amazon QuickSight - Service Authorization Reference and come up with the combinations of actions that suit your use case.

But these permissions aren’t “granular”. The docs may lead you to believe they are, as each individual permission is separately listed. But, in fact, they are treated as a single group. When you add or remove any permissions from the group, CloudFormation will fail to deploy with a validation error saying that it’s not a valid set of permissions.

There are only two (known to me) valid sets of permissions that map directly to viewer and author.

So it's therefore not possible to allow, for example, viewer + refresh.

Also, there’s no way to restrict users from creating datasets using a specific naming convention, which could be possible with IAM. E.g. disallowing creation of datasets with a specific prefix.
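The update-data-set-permissions payload from the earlier answer and the fixed viewer/author bundles described in the last reply, as an added Python example that is not code from this thread or from AWS. The viewer action list is the one quoted in the answer; the owner list is my assumption of the documented dataset-owner bundle (the viewer actions plus UpdateDataSet, DeleteDataSet, CreateIngestion, CancelIngestion and UpdateDataSetPermissions) and should be checked against the Service Authorization Reference before use. The account ID, dataset ID and user name are placeholders, and the script only builds and checks payloads; it does not call AWS.

```python
"""Preflight check for QuickSight dataset permission payloads.

Added example (not from the thread). It builds the JSON that
`aws quicksight update-data-set-permissions --grant-permissions /
--revoke-permissions` expects and checks a requested action set against
the two bundles the thread says are accepted (viewer and owner/author).
"""
import json
import shlex

# Viewer bundle: the action list quoted in the answer above.
VIEWER_ACTIONS = frozenset({
    "quicksight:DescribeDataSet",
    "quicksight:DescribeDataSetPermissions",
    "quicksight:PassDataSet",
    "quicksight:DescribeIngestion",
    "quicksight:ListIngestions",
})

# Owner bundle: ASSUMPTION about the documented dataset-owner set;
# verify against the Service Authorization Reference.
OWNER_ACTIONS = VIEWER_ACTIONS | {
    "quicksight:UpdateDataSet",
    "quicksight:DeleteDataSet",
    "quicksight:CreateIngestion",
    "quicksight:CancelIngestion",
    "quicksight:UpdateDataSetPermissions",
}

KNOWN_BUNDLES = {"viewer": VIEWER_ACTIONS, "owner": OWNER_ACTIONS}


def classify(actions):
    """Return the bundle name an action set matches exactly, else None
    (None is the case the thread reports as a validation error)."""
    requested = frozenset(actions)
    for name, bundle in KNOWN_BUNDLES.items():
        if requested == bundle:
            return name
    return None


def explain_mismatch(actions):
    """Describe how a custom set differs from the nearest known bundle."""
    requested = frozenset(actions)
    name, bundle = min(KNOWN_BUNDLES.items(),
                       key=lambda kv: len(kv[1] ^ requested))
    return {
        "nearest": name,
        "extra": sorted(requested - bundle),
        "missing": sorted(bundle - requested),
    }


def user_arn(account_id, user_name, namespace="default", region="us-east-1"):
    """QuickSight user ARN in the shape used by the answer above."""
    return f"arn:aws:quicksight:{region}:{account_id}:user/{namespace}/{user_name}"


def permission_entry(principal, actions):
    """One element of the GrantPermissions / RevokePermissions list."""
    return {"Principal": principal, "Actions": sorted(actions)}


def downgrade_to_viewer(principal):
    """Grant/revoke pair that turns an owner (author) into a viewer:
    grant the viewer bundle, revoke the owner-only actions."""
    owner_only = OWNER_ACTIONS - VIEWER_ACTIONS
    return {
        "grant": [permission_entry(principal, VIEWER_ACTIONS)],
        "revoke": [permission_entry(principal, owner_only)],
    }


def cli_command(account_id, data_set_id, grant=None, revoke=None):
    """Argument vector for the CLI call; json.dumps avoids the trailing-comma
    and smart-quote problems of hand-written payloads."""
    parts = ["aws", "quicksight", "update-data-set-permissions",
             "--aws-account-id", account_id, "--data-set-id", data_set_id]
    if grant:
        parts += ["--grant-permissions", json.dumps(grant)]
    if revoke:
        parts += ["--revoke-permissions", json.dumps(revoke)]
    return parts


if __name__ == "__main__":
    principal = user_arn("111111111111", "alice")  # placeholder values
    wanted = VIEWER_ACTIONS | {"quicksight:CreateIngestion"}  # viewer + refresh
    print("viewer+refresh matches bundle:", classify(wanted))
    print("difference:", explain_mismatch(wanted))
    payload = downgrade_to_viewer(principal)
    print(shlex.join(cli_command("111111111111", "ds-placeholder",
                                 grant=payload["grant"], revoke=payload["revoke"])))
```

classify() on viewer + CreateIngestion returns None, which is the "viewer + refresh" combination the last reply says gets rejected; explain_mismatch() shows it is the viewer bundle plus one extra action. downgrade_to_viewer() builds the grant/revoke pair that takes an author back to the viewer bundle on a code-managed dataset, which removes edit access but, per the thread, also removes manual refresh.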