Is it possible to setup granular permissions for a dataset resource?
It seems like there’s only viewer or author permissions groups available.
We have some datasets that are fully managed thru code, but authors keep messing with them. I want disable that option, but still allow them to change refresh schedules and manually refresh the datasets.
For example, the below defines what actions the author user ( “Principal”: “arn:aws:quicksight:us-east-1:xxxxxxxxxx:user/default/xxxxxxxx.xxxxxxx@gmail.com”] can perform on the data set
But these permissions aren’t “granular”. The docs may lead you to believe they are, as each individual permission is separately listed. But, in fact, they are treated as a single group. When you add or remove any permissions from the group, CloudFormation will fail to deploy with a validation error saying that it’s not a valid set of permissions.
There are only two (known to me) valid sets of permissions that map directly to viewer and author.
So, thereby it’s not possible to allow, for example, viewer + refresh.
Also, there’s no way to restrict users from creating datasets using a specific naming convention, which could be possible with IAM. E.g. disallowing creation of datasets with a specific prefix.
If you’re getting following error when trying to update DataSet permissions:
> InvalidParameterValueException: Unable to map resultant actions to a dataset owner or viewer.
Then read following response from support regarding permissions:
QuickSight uses a role-based permission model where permissions must map to predefined roles (Owner or Viewer) and they must form a complete, valid role set.
Attached below are permission sets for both owners and viewers: