Hi everyone,
I’m currently working on expanding my QuickSight dashboard to serve a global audience, and I’m facing some challenges with implementing Column Level Security (CLS) and Row Level Security (RLS). The primary use case for CLS is to hide sensitive information, such as personal email IDs, from certain user groups. For example, I want to restrict access to personal email IDs in the regular table to specific permission groups. Additionally, I plan to use RLS to tailor the dashboard to different regions, starting with Canada.
Here’s the approach I’m trying to implement:
CLS: Hide personal email IDs from users not belonging to specific permission groups.
RLS: Create separate permission groups for different regions (e.g., Canada), and grant access only to data relevant to each region.
However, I’m encountering an issue with CLS where the entire table records get hidden instead of just the email ID field. This is preventing me from fine-tuning access to the dashboard as intended. I would appreciate any insights or guidance on how to properly implement CLS and RLS in QuickSight to achieve the desired outcome. If anyone has experience or suggestions regarding this matter, please share them here.
Thank you in advance for your help.
Hello @sankgand, welcome to the QuickSight community!
So, from what I understand, you will need to set up the CLS separately from RLS. Your RLS dataset can handle all of the row specific permissions you want to implement, then you can add CLS to certain columns for users and groups on the dataset level. I’ll link some documentation below that explains this a little better:
Thank you for sharing the document. I did review those; still, I haven’t been successful in implementing the same. The attached screenshot shows that only two fields were in CLS. However, I am still not able to see other fields in the dataset. I assume that I do not have access to the personal email ID and phone numbers, I should have been able to see the rest of the fields. I am not sure where I am going wrong.
Attached are screenshots:
CLS Dataset
Analysis Screenshot
Hello @sankgand, I see. So since your user is unable to view Phone Numbers or Emails, since those columns exist in the table, the whole visual is blocked from viewing. I don’t believe there is a work-around for an issue like this. QuickSight doesn’t have the ability to remove certain columns from the visual, so rather they don’t provide access to it. I would say your best opportunities for work-arounds to manage this issue would be to create 2 user groups that would determine if they have access to those fields or not, then publish 2 different dashboards for each group. Then you can exclude those fields from one and display them in the visuals for the other.
I believe that will be the best way to accomplish this task. You can even duplicate the analysis and remove the columns that cannot be accessed to avoid rebuilding all of the visuals.
I will also tag this as a feature request since the functionality you were hoping for does not work as expected. Let me know if you have any follow-up questions, otherwise I can archive this topic for our support team. Thank you for your feedback!
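A pre-publish check for the behaviour described in this thread (a visual is blocked as a whole when it uses a column the viewer's group cannot read), as an added example that is not part of any post above and not QuickSight's own code. The rule shape follows the `ColumnLevelPermissionRules` field of the QuickSight dataset API; the ARNs, group names, column names and visuals are constructed sample data, and the function names are hypothetical.

```python
# Added example: offline check, makes no AWS calls.
# Rule shape mirrors QuickSight's ColumnLevelPermissionRules
# (each rule has "Principals" and "ColumnNames").
# All ARNs, groups, columns and visuals below are constructed sample data.


def restricted_columns(rules, principal_arns):
    """Return the columns these principals cannot read.

    A column becomes restricted once it appears in any rule; it is then
    readable only by principals listed in a rule that names that column.
    """
    principals = set(principal_arns)
    restricted, granted = set(), set()
    for rule in rules:
        cols = set(rule["ColumnNames"])
        restricted |= cols
        if principals & set(rule["Principals"]):
            granted |= cols
    return restricted - granted


def blocked_visuals(visuals, rules, principal_arns):
    """Map each visual that uses a denied column to the offending columns."""
    denied = restricted_columns(rules, principal_arns)
    return {name: sorted(denied & set(cols))
            for name, cols in visuals.items() if denied & set(cols)}


ARN = "arn:aws:quicksight:us-east-1:111122223333:group/default/"  # constructed
CLS_RULES = [
    {"Principals": [ARN + "pii-readers"],
     "ColumnNames": ["personal_email", "phone_number"]},
]
VISUALS = {  # visual title -> dataset columns it uses (constructed)
    "Employee table": ["name", "region", "personal_email", "phone_number"],
    "Headcount by region": ["region", "employee_id"],
}

if __name__ == "__main__":
    for group in ("pii-readers", "canada-viewers"):
        print(group, blocked_visuals(VISUALS, CLS_RULES, [ARN + group]))
```

Any visual reported for a group is one to drop from, or rebuild in, the dashboard copy published to that group, which is the two-dashboard workaround suggested above.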