How to add permissions to users in QuickSight?

I have a bucket with several folders; each folder corresponds to a different file. I want to allow users to create datasets, analyses, and reports, but only from specific file folders, not from all of them.

Hi @Pedrosa

Thank you for posting.

To restrict access to specific file folders in Amazon QuickSight, you can implement row-level security (RLS) with user-based rules. This feature is available in the Enterprise edition of Amazon QuickSight and allows you to control which users can access specific data.

You can create dataset rules for row-level security by creating a permissions file or query that contains columns for UserName or GroupName (or UserARN/GroupARN) along with columns representing the folders or data segments you want to restrict.

For each user or group, you specify which folders they can access.

After creating these rules, you need to apply them to your dataset by:

  1. Going to the Datasets page and selecting your dataset
  2. Choosing “Set up” for Row-level security
  3. Selecting “User-based rules”
  4. Choosing your permissions dataset
  5. Setting the Permissions policy to “Grant access to dataset”

This approach ensures that when users access the dataset, they can only see and work with data from the specific folders you’ve granted them permission to access.

Users without specific permissions won’t be able to see any of the data.

Remember that row-level security works only for fields containing textual data (string, char, varchar, etc.) and doesn’t currently work for dates or numeric fields.

You can find documentation here

Regards,
Demola
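
An added illustration of the permissions file described in the answer above (not code from the original post or from AWS): it builds a user-based rules CSV and models locally which rows each user would see under “Grant access to dataset”. The user names, the `folder` column and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample: which S3 folder names each QuickSight user may see.
# User names and the "folder" column name are assumptions for illustration.
GRANTS = {
    "analyst-a": ["sales"],
    "analyst-b": ["sales", "marketing"],
}

# Constructed sample rows of the main dataset; "folder" must be a text field.
DATA = [
    {"folder": "sales", "amount": "100"},
    {"folder": "marketing", "amount": "250"},
    {"folder": "finance", "amount": "900"},
]


def build_permissions_csv(grants):
    """Return the permissions file text: one rule row per user."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["UserName", "folder"])
    for user, folders in sorted(grants.items()):
        cleaned = [f.strip() for f in folders if f.strip()]
        if not cleaned:
            # An empty cell puts no filter on that field, i.e. all folders.
            raise ValueError(f"{user}: empty folder list would grant everything")
        # Several allowed values go comma-delimited into a single cell.
        writer.writerow([user, ",".join(cleaned)])
    return out.getvalue()


def visible_rows(permissions_csv, user, rows):
    """Local model of 'Grant access to dataset': no matching rule, no rows."""
    allowed = set()
    for rule in csv.DictReader(io.StringIO(permissions_csv)):
        if rule["UserName"] == user:
            allowed.update(rule["folder"].split(","))
    return [r for r in rows if r["folder"] in allowed]


if __name__ == "__main__":
    perms = build_permissions_csv(GRANTS)
    print(perms)
    for name in ("analyst-a", "analyst-b", "analyst-c"):
        print(name, [r["folder"] for r in visible_rows(perms, name, DATA)])
```

Running the same check against the real permissions file before uploading it catches blank cells and users with no rule at all.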

If I create a dataset and assign permissions using RLS, users won’t be able to access my data. But what if the user is an author—will they be able to create a new dataset from the source file and bypass my dataset?

The author can create a new dataset if they have access to the data source and bypass the RLS restrictions. It is important to note that QuickSight RLS operates at the dataset level with different permissions, as described below:

  • Dataset owners: All data can be seen when RLS is applied

  • Readers: They can only see data restricted by the permission dataset rules

  • Authors: They have broader permissions that can allow them to access the source directly.

You can prevent RLS bypass using Lake Formation.

Regards,
Demola