Hierarchical Permission File for RLS

Hello,

I am reading/following the blog, Implement row-level security using a complete LDAP hierarchical organization structure in Amazon QuickSight to gain more understanding about how this security can be implemented within QS. The guide is successful in achieving restricting data, but I was a bit confused on the permissions file. Would anyone be able to elaborate on how the permission file is structured and how/why it works?

Thank you

Hello @mitoo !

The permission file is structured so that you can apply access on the row level with a single value in the permission field. This acts as a dynamic filter on the dataset level, so that your data source is unchanged but you keep security. It's also scalable.

For example, if I have a director, manager, team lead, and direct report I could define their permissions by Region, subregion, team, and then book of business. Now, the director can see the book of business for the entire region with scaling granularity down to the direct report.

The reason this works is that when you join the datasets, QuickSight knows that, based on the user that logs in, they should only see data relating to the value in your permission field, acting as a sort of static filter.
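To make the structure of such a file concrete, here is an added example (not code from the post above or from the AWS blog it references) that simulates how QuickSight evaluates a user-based RLS permissions file against a dataset. The permissions file and the dataset rows are constructed for illustration; the user names (director, manager, teamlead, rep, auditor) and the column names (Region, Subregion, Team, BookOfBusiness) are assumptions chosen to mirror the hierarchy described in the answer. The evaluation rules assumed here are QuickSight's documented ones: a blank cell puts no restriction on that column, populated columns are combined with AND, a comma-separated cell lists several allowed values, several rows for the same user are combined with OR, and a user who does not appear in the file sees no rows at all.

```python
import csv
import io

# Constructed permissions file (assumption: mirrors the hierarchy in the answer above).
# One row per user, one column per dataset field the hierarchy scopes.
# A blank cell means "no restriction on this column", so the director row,
# populated only down to Region, is the broadest; each level below fills in one more column.
# The auditor row shows a comma-separated cell listing two allowed Region values.
PERMISSIONS_CSV = """UserName,Region,Subregion,Team,BookOfBusiness
director,EMEA,,,
manager,EMEA,West,,
teamlead,EMEA,West,Alpha,
rep,EMEA,West,Alpha,BoB-7
auditor,"EMEA,APAC",,,
"""

# Constructed dataset rows that the permissions file is joined against.
DATASET = [
    {"Region": "EMEA", "Subregion": "West",  "Team": "Alpha", "BookOfBusiness": "BoB-7", "Revenue": 100},
    {"Region": "EMEA", "Subregion": "West",  "Team": "Alpha", "BookOfBusiness": "BoB-8", "Revenue": 120},
    {"Region": "EMEA", "Subregion": "West",  "Team": "Beta",  "BookOfBusiness": "BoB-9", "Revenue": 90},
    {"Region": "EMEA", "Subregion": "East",  "Team": "Gamma", "BookOfBusiness": "BoB-1", "Revenue": 200},
    {"Region": "APAC", "Subregion": "North", "Team": "Delta", "BookOfBusiness": "BoB-2", "Revenue": 150},
]


def load_rules(csv_text):
    """Parse the permissions file into {user: [constraints, ...]}.

    Each constraints dict maps a column name to the set of values that row allows.
    Blank cells are dropped, which is what makes them act as "no restriction".
    """
    rules = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row.pop("UserName")
        constraints = {
            col: {v.strip() for v in val.split(",")}
            for col, val in row.items()
            if val and val.strip()
        }
        rules.setdefault(user, []).append(constraints)
    return rules


def row_allowed(row, constraints):
    """AND across columns: every populated column in the rule must match the row."""
    return all(row.get(col) in allowed for col, allowed in constraints.items())


def visible_rows(user, rules, dataset):
    """Rows the user may see. OR across the user's rows; no rows in the file means no data."""
    user_rules = rules.get(user, [])
    return [r for r in dataset if any(row_allowed(r, c) for c in user_rules)]


def visible_revenue(user, rules=None, dataset=DATASET):
    """Total revenue visible to the user, for a quick check of the scoping."""
    if rules is None:
        rules = load_rules(PERMISSIONS_CSV)
    return sum(r["Revenue"] for r in visible_rows(user, rules, dataset))


if __name__ == "__main__":
    rules = load_rules(PERMISSIONS_CSV)
    for who in ("director", "manager", "teamlead", "rep", "auditor", "nobody"):
        print(f"{who:9s} sees {len(visible_rows(who, rules, DATASET))} rows, revenue {visible_revenue(who, rules)}")
```

Running it shows the granularity the answer describes: the director sees every EMEA row, the manager only EMEA/West, the team lead only team Alpha, and the direct report only their own book of business, while a user missing from the file sees nothing. The important operational check this makes visible is that a single blank cell in the wrong row (for example a blank Team on a team lead's row) silently widens that user's access to the whole subregion, so the generated file should be reviewed for unintended blanks before it is applied.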