How do I define a permission that allows ADMIN roles to interact with the data source?
Docs indicate: AWS::QuickSight::DataSource ResourcePermission - AWS CloudFormation
The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)
However, there is no way to identify ADMIN users by ARN alone.
Hi @m0ltar -
I think the best way to do this would be to have all your ADMIN users in a group. Then grant permissions to that group when creating DataSource/updating permissions.
Alternatively, you could grab all your ADMIN Arns and use them for your permissions. This would not stay current which is why a group would work better.
aws quicksight list-users \
The problem with that approach is that:
- Group management is only available thru the AWS CLI, there is no UI, which makes it not user-friendly.
- Users need to be added to the group manually.
So essentially this requires a system administrator’s time to do a simple task of adding a user.
Given current limitations (no UI groups, no permission rules). I would automate adding admin users to the group. For example, lambda function that lists all the users with admin roles and adds them to the admin group. You could use something like EventBridge for the trigger.
There are also custom solutions like Build a centralized granular access control to manage assets and data access in Amazon QuickSight | AWS Big Data Blog that do this and then some.
Not sure i understand the ask clearly. Groups UI is now available. For more information please visit here: Amazon QuickSight launches Groups Management UI
Right, I wrote the post before the announcement
My post is from March 11th.
The announcement is from March 23rd.
However, it is still not a perfect answer, since the solution requires workarounds, and is especially cumbersome in the multi-tenant environment. Because now I need to create separate groups in each namespace, and then grant the said group permission for each dataset. There is no declarative way to do this, so this can be error prone.
My apologies. I am still unclear on the problem and ask here. Do you want to assign permissions by role (admin, author, readers)? What is the use case?
Yes, that’s right. I want the admin role to be able to have access to a data source and all derived data sets by default.
While we plan to add a concept of a ‘super admin’ to the product, this article will grant those permissions to a given user/group: Enable full object access for admin