QuickSight cost for multiple roles

If QuickSight was set up using AD authentication, where each of the QuickSight roles is assigned to an AD group, when a user is assigned to, for example, the reader’s AD group as well as the author’s AD group, will they be charged as both a reader and an author in QuickSight?

Hi @Glenvill_Abeywickrem,

Thank you for posting.

You will only be charged with the role with the highest level of access. In this case, you will be charged just as an author.

Regards,
Demola

Thanks for that Demola.

Going on from my previous question, if a user was assigned to two AD groups, say for example reader and author, and we remove them from the author’s AD group (after moving assets that they are the owner of to the Admin group in QuickSight), will the user, when they log in again, now be charged as a reader?

Hello Glenvill,

The answer is Yes/No, and I think it depends on the below:

With IAM Identity Center integrated into your QuickSight account or Active Directory users, you can change a user’s role type by moving them to a group that is associated with a different QuickSight role. If a user is in multiple groups that are mapped to different QuickSight role types, the user is able to access QuickSight with the role that offers the broadest level of access.

Accounts that use other identity types can’t upgrade or downgrade a user by transferring them between groups. For more information, see Changing a user’s role.

QuickSight may still charge for author until the month passes, and the following month it will be charged as reader.

You may check the user role via the CLI to confirm what role it has post changes.

Refer: list-users — AWS CLI 1.38.8 Command Reference

Hope this clears your doubt.

Cheers,
Deep


Hi Deep,

We did some testing and noticed the following in our QuickSight, which is set up with Active Directory.

We did the following experiment with a user who was assigned the Admin role and was not assigned to any other role. The user had logged in to QuickSight using this user account which created a user in QuickSight with that role.

  1. The user was removed from the Admin role AD group and was added to the Reader role AD group and the user logged in as a reader creating another QuickSight user account. Now the user had an Admin role user account and a Reader role user account in QuickSight.

  2. I changed the reader user’s role to Admin via the “Manage QuickSight” → “Manage Users” console.

  3. The user logged in again and after some time the user was now able to see the “Manage QuickSight” menu and had the Admin role, but was using the reader the user created earlier.

Will the user now be charged for both Admin user accounts in QuickSight (the original one and the reader that I changed to have the Admin role)?
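
An added example, not part of any post in this thread: one way to review the output of the `list-users` check suggested above for the duplicate-entry situation described in the last post. It assumes the two QuickSight entries for one person share an e-mail address; the sample JSON, user names and addresses are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the JSON printed by
# `aws quicksight list-users --aws-account-id <ACCOUNT_ID> --namespace default`.
# All user names, e-mail addresses and roles below are made up for illustration.
SAMPLE_LIST_USERS = """
{"UserList": [
  {"UserName": "jdoe-admin", "Email": "jdoe@example.com", "Role": "ADMIN", "Active": true},
  {"UserName": "jdoe-reader", "Email": "JDoe@example.com", "Role": "ADMIN", "Active": true},
  {"UserName": "asmith", "Email": "asmith@example.com", "Role": "READER", "Active": true},
  {"UserName": "bchan", "Email": "bchan@example.com", "Role": "AUTHOR", "Active": false}
]}
"""

# Roles ordered from narrowest to broadest access.
ROLE_RANK = {"READER": 0, "AUTHOR": 1, "ADMIN": 2}


def users_by_email(list_users_json):
    """Group QuickSight user entries by e-mail address (case-insensitive)."""
    grouped = defaultdict(list)
    for user in json.loads(list_users_json).get("UserList", []):
        grouped[user.get("Email", "").lower()].append(user)
    return dict(grouped)


def duplicate_entries(list_users_json):
    """Return {email: [(user_name, role), ...]} for people with more than one entry."""
    return {
        email: sorted((u["UserName"], u["Role"]) for u in users)
        for email, users in users_by_email(list_users_json).items()
        if email and len(users) > 1
    }


def broadest_role(list_users_json):
    """Return {email: broadest role seen across that person's entries}."""
    return {
        email: max((u["Role"] for u in users), key=lambda r: ROLE_RANK.get(r, -1))
        for email, users in users_by_email(list_users_json).items()
        if email
    }


if __name__ == "__main__":
    for email, entries in duplicate_entries(SAMPLE_LIST_USERS).items():
        print(email, entries)
```

The script only reports which people have more than one entry and with which roles; how those entries are billed is the question the thread leaves open.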