If Quick Sight was set up using AD authentication where each of the Quick Sight roles are assigned to an AD group when a user is assigned to for example the reader’s AD group as well as the author’s AD group, will they be charged as both a reader and author in Quick Sight?
Thank you for posting.
You will only be charged with the role with the highest level of access. In this case, you will be charged just as an author.
Regards,
Demola
Thanks for that Demola.
Going on from my previous question, if a user was assigned to two AD groups say for example reader and author, and we remove them from the author’s AD group (after moving assets that they are the owner of to the Admin group in Quick Sight). Will the user when they log in again now be charged as a reader?
Hello Glenvill,
Answer is Yes/No and i think depends on below,
With IAM Identity Center integrated into your Quick Sight account or Active Directory users, you can change a user’s role type by moving them to a group that is associated with a different Quick Sight role. If a user is in multiple groups that are mapped to different Quick Sight role types, the user is able to access Quick Sight with the role that offers the broadest level of access.
Accounts that use other identity types can’t upgrade or downgrade a user by transferring them between groups. For more information, see Changing a user’s role.
Quick Sight may still charge for author until the month passes and the following month it will be charge as reader.
you may check the user role via cli to confirm what role it has post changes
refer - list-users — AWS CLI 2.31.10 Command Reference
Hope this clears your doubt.
Cheers,
Deep
1 Like
Hi Deep,
We did some testing and noticed the following in our Quick Sight which is setup with Active Directory.
We did the following experiment with a user who was assigned the Admin role and was not assigned to any other role. The user had logged in to Quick Sight using this user account which created a user in Quick Sight with that role.
-
The user was removed from the Admin role AD group and was added to the Reader role AD group and the user logged in as a reader creating another Quick Sight user account. Now the user had an Admin role user account and a Reader role user account in Quick Sight.
-
I changed the reader user’s role to Admin via the “Manage Quick Sight” → “Manage Users” console.
-
The user logged in again and after some time the user was now able to see the “Manage Quick Sight” menu and had the Admin role, but was using the reader the user created earlier.
Will the user now be charged for both Admin user accounts in Quick Sight (the original one and the reader that I changed to have the Admin role)?