Group-Based Parameters with Cognito Users

I have a web application which uses Cognito as the IdP to authenticate internal users. We’re expanding the web application to allow clients to log in and view the status of their assigned work items. The clients’ users have properties on their accounts in Cognito linking them to their respective companies. Their reader accounts are automatically created in QuickSight and they are assigned to a group for their company. I would like them to view an existing dashboard embedded into the web application but take a parameter from their group to limit the data to only their company.

E.g., Sally and John are from Company A and Tim is from Company B. When Sally and John view the embedded dashboard, after logging into the web application with Cognito as the IdP, they are automatically authenticated in QuickSight and see the data relating to Company A. When Tim views the same embedded dashboard after logging in, he sees data relating to Company B. None of them should have the ability to change the company they are viewing.

Is this possible?

Hi @MrMcClean,
Welcome to the QuickSight Community. Thank you for posting your question!

Yes, it is possible with the Row Level Security feature in QuickSight.

One way is to create QuickSight groups for users, something like below (I have attached a clear workshop at the end; please refer to it if you are not able to follow the steps below):

Group A - Sally and John
Group B - Tim

Then create a CSV with 2 columns: one column for the GroupArn/GroupName and the other for the company they belong to.

| GroupArn | Company |
| --- | --- |
| Group A | Company A |
| Group B | Company B |
| Group C | Company C |

Save it and upload this CSV into QuickSight. Now apply this CSV to the original dataset.
Go to datasets → click on the 3 dots beside your original dataset → click row-level security → apply the RLS sheet that you have created above → click apply.

So here, since Sally and John belong to Group A, they will be able to see only Company A’s data.

If any user wants to see all the companies’ data, then add him/her to all the groups!

You can also do it by giving UserName and CompanyName in the CSV, something like below (refer to the documentation attached above for the headers that you can use in the CSV):

| UserName | Company |
| --- | --- |
| User A | Company A |
| User B | Company B |
| User C | Company C |

I am attaching a workshop which has clear step-by-step instructions on how to work with RLS. Please find the workshop details - RLS Workshop

Let me know if that helped!

Thank you,
Shravya
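
The group-to-company rules file described in the answer, as an added example that is not part of the original posts and is not QuickSight's own code: it writes the two-column CSV and then checks, with a simplified model of grant-style row filtering, that every client user resolves to exactly one company. The user "Eve", the `WorkItem` field, the sample rows and the function names are constructed for illustration; the second column header is assumed to match the dataset field name `Company`.

```python
import csv
import io

# Constructed sample data based on the names used in the thread.
GROUP_COMPANY = {"Group A": "Company A", "Group B": "Company B"}
USER_GROUPS = {"Sally": ["Group A"], "John": ["Group A"], "Tim": ["Group B"], "Eve": []}
ROWS = [
    {"WorkItem": "WI-1", "Company": "Company A"},
    {"WorkItem": "WI-2", "Company": "Company B"},
    {"WorkItem": "WI-3", "Company": "Company A"},
]


def build_rules_csv(group_company):
    """Render the rules file: a GroupName column plus one dataset field column."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["GroupName", "Company"])
    for group, company in sorted(group_company.items()):
        writer.writerow([group, company])
    return out.getvalue()


def visible_rows(user, rules_csv, user_groups, rows):
    """Simplified model: a user sees a row only if a rule for one of their
    groups names that row's company. No matching rule means no rows."""
    allowed = set()
    for rule in csv.DictReader(io.StringIO(rules_csv)):
        if rule["GroupName"] in user_groups.get(user, []):
            allowed.add(rule["Company"])
    return [r for r in rows if r["Company"] in allowed]


def audit(rules_csv, user_groups, rows):
    """Report users who see no company or more than one company."""
    findings = {}
    for user in user_groups:
        seen = visible_rows(user, rules_csv, user_groups, rows)
        companies = {r["Company"] for r in seen}
        if len(companies) != 1:
            findings[user] = sorted(companies)
    return findings


if __name__ == "__main__":
    rules = build_rules_csv(GROUP_COMPANY)
    print(rules)
    print(audit(rules, USER_GROUPS, ROWS))
```

Running the audit whenever group membership changes catches a client account that has ended up in a second company's group before it can view that company's rows.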