How do I assign IAM federated users Reader role in QuickSight?

I am new to QuickSight and I have configured QuickSight from AWS. If I understood correctly, current user access is using IAM federated access. Hence anyone in my org having an assumed IAM role user can access QuickSight.

Now I wish to assign Reader access in QuickSight, but when they log in for the first time they are assigned the Admin role in QuickSight, which I can change to Author subsequently.

In the drop down there I can see other roles such as Admin, Admin Pro, Author, and Author Pro.

Please help me understand how I can provide Reader access to the IAM users.

Hi @Utshab_Saha

Welcome to the community!

You cannot downgrade users from Admin to Reader. If the users have not created any assets in QuickSight, you can delete them and then recreate them as Readers.

Please refer to the QuickSight documentation and community post below; this might be helpful for you.

2 Likes

Hi @Utshab_Saha

There is a role and associated policy that determines the role the user is going to get assigned. I presume the role and policy assigned in your case is that of admin, and you should have three separate roles, one each for admin, author and reader, with associated policies to provide the required privileges.

While the blog below may not directly match your case, it has detailed steps showing what the AWS side of the setup looks like. I hope this helps.

2 Likes
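The per-role policy idea in the answer above, as an added example that is not part of any post in this thread: a small check that reports which QuickSight roles an IAM identity policy lets a federated user self-provision as, which is how an overly broad organization-level policy ends up handing out Admin. It assumes the QuickSight self-provisioning actions `quicksight:CreateReader`, `quicksight:CreateUser` (author) and `quicksight:CreateAdmin`; the function name, the sample policies and the account ID `111122223333` are constructed placeholders.

```python
import fnmatch

# QuickSight self-provisioning IAM actions and the QuickSight role each one grants.
PROVISIONING_ACTIONS = {
    "quicksight:CreateReader": "READER",
    "quicksight:CreateUser": "AUTHOR",
    "quicksight:CreateAdmin": "ADMIN",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def provisionable_roles(policy):
    """Roles an identity policy lets a federated user self-provision as.

    Simplified evaluation: Resource and NotAction are not evaluated, and a
    Deny that carries a Condition is skipped.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allowed, denied = set(), set()
    for stmt in statements:
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            continue
        if effect == "Deny" and stmt.get("Condition"):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action, role in PROVISIONING_ACTIONS.items():
            # IAM action names are case-insensitive and accept * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                (allowed if effect == "Allow" else denied).add(role)
    return allowed - denied  # an explicit Deny overrides any Allow

# Constructed sample policies (placeholder account ID).
READER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "quicksight:CreateReader",
    "Resource": "arn:aws:quicksight::111122223333:user/${aws:userid}"}]}
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"}]}
GUARDED_POLICY = {"Version": "2012-10-17", "Statement": BROAD_POLICY["Statement"] + [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["quicksight:CreateAdmin", "quicksight:CreateUser"]}]}

if __name__ == "__main__":
    for name in ("READER_POLICY", "BROAD_POLICY", "GUARDED_POLICY"):
        print(name, sorted(provisionable_roles(globals()[name])))
```

Run it against the JSON of the policy attached to the role your users federate with; any result that includes `ADMIN` or `AUTHOR` for a role meant for readers is the thing to fix.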

Thanks for pointing out the fact that I cannot downgrade to the Reader role from Admin. That helped me to reconcile the facts that I was missing. There is a limitation in my case: I cannot control IAM policies, since we are on a GCC environment and the standardisations are done at organization level. Hence any IAM user logging in to QuickSight from AWS was picking up the Admin role by default, as I suspect IAM policies are not properly set for QuickSight at organization level. So I reconfigured QuickSight with IAM federation and QuickSight user login as the authentication method, which allowed me to avoid this limitation when I choose IAM federation only as the authentication method.