How to allow users with role ADMIN to access the data source

How do I define a permission that allows ADMIN roles to interact with the data source?

Docs indicate: AWS::QuickSight::DataSource ResourcePermission - AWS CloudFormation

The ARN of an Amazon QuickSight user or group associated with a data source or dataset. (This is common.)

However, there is no way to identify ADMIN users by ARN alone.

Thanks.

Hi @m0ltar -

I think the best way to do this would be to have all your ADMIN users in a group. Then grant permissions to that group when creating DataSource/updating permissions.

Alternatively, you could grab all your ADMIN ARNs and use them for your permissions. This would not stay current, which is why a group would work better.

# List the ARNs of every user in the namespace whose QuickSight role is ADMIN
# (account IDs are 12 digits; the JMESPath literal needs the backticks)
aws quicksight list-users \
--aws-account-id=111111111111 \
--namespace=default \
--query 'UserList[?Role==`ADMIN`].Arn'

The problem with that approach is that:

  1. Group management is only available through the AWS CLI; there is no UI, which makes it not user-friendly.
  2. Users need to be added to the group manually.

So essentially this requires a system administrator’s time to do a simple task of adding a user.

Given current limitations (no UI groups, no permission rules), I would automate adding admin users to the group. For example, a Lambda function that lists all the users with admin roles and adds them to the admin group. You could use something like EventBridge for the trigger.

There are also custom solutions like Build a centralized granular access control to manage assets and data access in Amazon QuickSight | AWS Big Data Blog that do this and then some.

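The two suggestions above (put ADMIN users in a group, and have a scheduled Lambda keep that group in step with the users whose role is ADMIN) in working form, as an added example that is not code from the original posts or from AWS. It assumes a group named "quicksight-admins" already exists in the namespace, that the Lambda role may call quicksight:ListUsers, ListGroupMemberships, CreateGroupMembership and DeleteGroupMembership, and that EventBridge invokes lambda_handler on a schedule. FakeQuickSight is a constructed stand-in for the boto3 client so the sync logic can be exercised offline. It goes one step beyond the post: with remove_stale=True it also removes members whose role is no longer ADMIN, since otherwise a demoted user keeps admin-level data access through the group.

```python
"""Keep a QuickSight group in step with the users whose role is ADMIN.

Added example for this thread (not code from the original posts or from AWS).
Assumed: the group "quicksight-admins" already exists, the Lambda role has the
four QuickSight membership/list permissions, and EventBridge triggers
lambda_handler on a schedule. FakeQuickSight is a constructed stand-in.
"""

ACCOUNT_ID = "111111111111"        # placeholder 12-digit account id (assumption)
NAMESPACE = "default"
ADMIN_GROUP = "quicksight-admins"  # assumed group name


def _paginate(call, key, **kwargs):
    """Follow NextToken until exhausted: the QuickSight list APIs are paginated,
    and a sync that reads only the first page silently misses users."""
    token = None
    while True:
        page = call(**kwargs, **({"NextToken": token} if token else {}))
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return


def admin_user_names(qs, account_id, namespace):
    """User names with Role == ADMIN (the same filter as the CLI --query above)."""
    users = _paginate(qs.list_users, "UserList",
                      AwsAccountId=account_id, Namespace=namespace)
    return {u["UserName"] for u in users if u.get("Role") == "ADMIN"}


def group_member_names(qs, account_id, namespace, group):
    members = _paginate(qs.list_group_memberships, "GroupMemberList",
                        AwsAccountId=account_id, Namespace=namespace, GroupName=group)
    return {m["MemberName"] for m in members}


def sync_admin_group(qs, account_id, namespace, group, remove_stale=True):
    """Add every ADMIN to the group; with remove_stale, also drop members whose
    role was lowered, otherwise they keep admin data access through the group."""
    desired = admin_user_names(qs, account_id, namespace)
    current = group_member_names(qs, account_id, namespace, group)
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired) if remove_stale else []
    for name in to_add:
        qs.create_group_membership(MemberName=name, GroupName=group,
                                   AwsAccountId=account_id, Namespace=namespace)
    for name in to_remove:
        qs.delete_group_membership(MemberName=name, GroupName=group,
                                   AwsAccountId=account_id, Namespace=namespace)
    return {"added": to_add, "removed": to_remove}


def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; the offline demo below does not use it
    return sync_admin_group(boto3.client("quicksight"), ACCOUNT_ID, NAMESPACE, ADMIN_GROUP)


class FakeQuickSight:
    """Constructed stand-in: five users served two per page, and a group that
    still contains carol, who has since been demoted to READER."""

    def __init__(self):
        self.users = [{"UserName": n, "Role": r} for n, r in
                      [("alice", "ADMIN"), ("bob", "AUTHOR"), ("carol", "READER"),
                       ("dave", "READER"), ("erin", "ADMIN")]]
        self.members = {"carol"}

    def list_users(self, AwsAccountId, Namespace, NextToken=None, MaxResults=None):
        start = int(NextToken or 0)
        resp = {"UserList": self.users[start:start + 2]}
        if start + 2 < len(self.users):
            resp["NextToken"] = str(start + 2)
        return resp

    def list_group_memberships(self, AwsAccountId, Namespace, GroupName,
                               NextToken=None, MaxResults=None):
        return {"GroupMemberList": [{"MemberName": m} for m in sorted(self.members)]}

    def create_group_membership(self, MemberName, GroupName, AwsAccountId, Namespace):
        self.members.add(MemberName)
        return {"GroupMember": {"MemberName": MemberName}}

    def delete_group_membership(self, MemberName, GroupName, AwsAccountId, Namespace):
        self.members.discard(MemberName)
        return {}


def demo():
    fake = FakeQuickSight()
    result = sync_admin_group(fake, ACCOUNT_ID, NAMESPACE, ADMIN_GROUP)
    return result, sorted(fake.members)


if __name__ == "__main__":
    print(demo())
```

The diff-then-apply shape makes the function idempotent, so a scheduled run that finds nothing changed issues no API calls; run with remove_stale=False if demotions are handled elsewhere.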

Hi Everyone,

Not sure I understand the ask clearly. Groups UI is now available. For more information please visit here: Amazon QuickSight launches Groups Management UI

Right, I wrote the post before the announcement :wink:

My post is from March 11th.

The announcement is from March 23rd.

However, it is still not a perfect answer, since the solution requires workarounds, and is especially cumbersome in the multi-tenant environment. Because now I need to create separate groups in each namespace, and then grant the said group permission for each dataset. There is no declarative way to do this, so this can be error prone.
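The grant step from the group-based suggestion, written out for the multi-tenant case described in the post above: one group per namespace, each granted owner access to every dataset. This is an added example, not code from the thread or from AWS. The region, account id, group name and dataset inventory are constructed; the action list is the dataset owner set as documented for QuickSight dataset permissions (check it against the current docs before relying on it). FakeQuickSight stands in for the boto3 client so it runs offline.

```python
"""Grant a per-namespace admin group owner access to every dataset in the account.

Added example for this thread (not code from the original posts or from AWS).
Group name, region, account id and datasets are constructed placeholders.
"""

# Dataset owner actions as listed in the QuickSight permissions documentation.
DATASET_OWNER_ACTIONS = [
    "quicksight:DescribeDataSet", "quicksight:DescribeDataSetPermissions",
    "quicksight:PassDataSet", "quicksight:DescribeIngestion",
    "quicksight:ListIngestions", "quicksight:UpdateDataSet",
    "quicksight:DeleteDataSet", "quicksight:CreateIngestion",
    "quicksight:CancelIngestion", "quicksight:UpdateDataSetPermissions",
]


def group_arn(region, account_id, namespace, group):
    # Group principals are scoped to a namespace, which is why a multi-tenant
    # account ends up with one ARN (and one grant) per namespace.
    return f"arn:aws:quicksight:{region}:{account_id}:group/{namespace}/{group}"


def list_dataset_ids(qs, account_id):
    """ListDataSets is paginated; follow NextToken so no dataset is skipped."""
    ids, token = [], None
    while True:
        kwargs = {"AwsAccountId": account_id}
        if token:
            kwargs["NextToken"] = token
        page = qs.list_data_sets(**kwargs)
        ids.extend(d["DataSetId"] for d in page.get("DataSetSummaries", []))
        token = page.get("NextToken")
        if not token:
            return ids


def missing_actions(qs, account_id, dataset_id, principal):
    """Owner actions the principal does not yet hold, so re-runs are no-ops."""
    perms = qs.describe_data_set_permissions(AwsAccountId=account_id, DataSetId=dataset_id)
    held = set()
    for p in perms.get("Permissions", []):
        if p["Principal"] == principal:
            held.update(p["Actions"])
    return [a for a in DATASET_OWNER_ACTIONS if a not in held]


def grant_admin_group(qs, region, account_id, namespaces, group):
    """Return {namespace: [dataset ids that received a new grant]}."""
    granted = {}
    dataset_ids = list_dataset_ids(qs, account_id)
    for ns in namespaces:
        principal = group_arn(region, account_id, ns, group)
        for ds in dataset_ids:
            if not missing_actions(qs, account_id, ds, principal):
                continue
            qs.update_data_set_permissions(
                AwsAccountId=account_id, DataSetId=ds,
                GrantPermissions=[{"Principal": principal, "Actions": DATASET_OWNER_ACTIONS}])
            granted.setdefault(ns, []).append(ds)
    return granted


class FakeQuickSight:
    """Constructed stand-in: two datasets served one per page; tenant-a's group
    already owns "sales", nothing else has been granted yet."""

    def __init__(self, region, account_id, group):
        self.datasets = ["sales", "hr"]
        pre = group_arn(region, account_id, "tenant-a", group)
        self.perms = {"sales": {pre: set(DATASET_OWNER_ACTIONS)}, "hr": {}}

    def list_data_sets(self, AwsAccountId, NextToken=None, MaxResults=None):
        i = int(NextToken or 0)
        resp = {"DataSetSummaries": [{"DataSetId": self.datasets[i]}]}
        if i + 1 < len(self.datasets):
            resp["NextToken"] = str(i + 1)
        return resp

    def describe_data_set_permissions(self, AwsAccountId, DataSetId):
        return {"Permissions": [{"Principal": p, "Actions": sorted(a)}
                                for p, a in self.perms[DataSetId].items()]}

    def update_data_set_permissions(self, AwsAccountId, DataSetId,
                                    GrantPermissions=None, RevokePermissions=None):
        for g in GrantPermissions or []:
            self.perms[DataSetId].setdefault(g["Principal"], set()).update(g["Actions"])
        return {}


def demo():
    region, account, group = "us-east-1", "111111111111", "quicksight-admins"
    fake = FakeQuickSight(region, account, group)
    tenants = ["tenant-a", "tenant-b"]
    first = grant_admin_group(fake, region, account, tenants, group)
    second = grant_admin_group(fake, region, account, tenants, group)  # nothing left to grant
    return first, second


if __name__ == "__main__":
    print(demo())
```

Because grants are computed from the dataset's current permissions rather than assumed, the same function can run after every dataset creation (or on a schedule) without piling up duplicate permission entries; the same pattern applies to update_data_source_permissions with the data-source action set.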

Hi,

My apologies. I am still unclear on the problem and ask here. Do you want to assign permissions by role (admin, author, readers)? What is the use case?

Yes, that’s right. I want the admin role to be able to have access to a data source and all derived data sets by default.

While we plan to add a concept of a ‘super admin’ to the product, this article will grant those permissions to a given user/group: Enable full object access for admin