Right now in Quick Sight, if we give someone Author access, they can update all datasets they have access to, and also create new SPICE datasets.
What we’d like is the ability to be more specific. For example:
Allow an Author to update only a few assigned SPICE datasets.
Prevent them from creating new datasets or updating others outside their scope.
This would help a lot with governance and avoid situations where users accidentally spin up or change datasets they shouldn’t be touching.
We have different business units working in Quick Sight, and each BU only needs to update their own SPICE datasets. Right now the only option is to either give them broad dataset access (too much) or restrict them completely (too little). Having more fine-grained control would strike the right balance.
I agree this type of setup for asset access would be a nice feature to have built in to the Quick Sight system so that it’s easier to maintain, so I’ll mark this as a feature request to promote visibility to the support team.
One thing to add though: have you checked out the options available for customizing access? I’m not sure if it assists with limiting specific datasets to a given user, but I’ll include documentation below for the permissions that can be customized.
Additionally, you could explore the use of namespaces or groups as those allow you to grant access to assets for a defined group of users.
As @Brett pointed out, you can apply custom permissions to users to restrict some of the permissions that are available to them as part of the Author license.
You could use user groups as a way to organize these authors by BU, and in the Dataset permissions provide access to these specific BU user groups; other BU authors then don’t see datasets they don’t have access to.
In the Custom Permissions (Manage Quick Sight > Manage Users > Manage Permissions) you may have some general restrictions possible.
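An added example, not code from this thread or from AWS: one way to audit the group-per-BU setup suggested above is to compare each dataset's permissions with an ownership map and flag any principal that holds write or SPICE-refresh actions without being the owning BU group. The account ID, group names, dataset IDs and the `OWNERS` map are constructed assumptions; the action names and the `describe_data_set_permissions` call are the real Quick Sight API.

```python
"""Audit dataset permissions against a per-BU ownership map (added example)."""
# Dataset actions that allow changing a dataset or refreshing SPICE.
WRITE_ACTIONS = {
    "quicksight:UpdateDataSet",
    "quicksight:DeleteDataSet",
    "quicksight:CreateIngestion",
    "quicksight:CancelIngestion",
    "quicksight:UpdateDataSetPermissions",
}

# Constructed placeholders: account ID, group names and dataset IDs.
GROUP = "arn:aws:quicksight:us-east-1:111122223333:group/default/"
# Assumed governance map: dataset ID -> the only group allowed to write to it.
OWNERS = {"sales-spice": GROUP + "bu-sales-authors",
          "finance-spice": GROUP + "bu-finance-authors"}

# Constructed data shaped like describe_data_set_permissions responses.
SAMPLE = [
    {"DataSetId": "sales-spice", "Permissions": [
        {"Principal": GROUP + "bu-sales-authors",
         "Actions": ["quicksight:UpdateDataSet", "quicksight:CreateIngestion"]}]},
    {"DataSetId": "finance-spice", "Permissions": [
        {"Principal": GROUP + "bu-finance-authors",
         "Actions": ["quicksight:UpdateDataSet", "quicksight:CreateIngestion"]},
        {"Principal": GROUP + "bu-sales-authors",
         "Actions": ["quicksight:DescribeDataSet", "quicksight:CreateIngestion"]}]},
    {"DataSetId": "adhoc-upload", "Permissions": [
        {"Principal": GROUP + "bu-sales-authors",
         "Actions": ["quicksight:UpdateDataSet", "quicksight:CreateIngestion"]}]},
]

def audit(responses, owners):
    """Return (dataset, principal, write_actions, reason) for each violation."""
    findings = []
    for resp in responses:
        owner = owners.get(resp["DataSetId"])
        reason = "dataset not in ownership map" if owner is None else "not the owning group"
        for perm in resp.get("Permissions", []):
            held = sorted(WRITE_ACTIONS.intersection(perm["Actions"]))
            if held and perm["Principal"] != owner:
                findings.append((resp["DataSetId"], perm["Principal"], held, reason))
    return findings

def fetch(account_id, dataset_ids):
    """Pull live permissions; needs boto3 and credentials (not used by SAMPLE)."""
    import boto3
    qs = boto3.client("quicksight")
    return [qs.describe_data_set_permissions(AwsAccountId=account_id, DataSetId=d)
            for d in dataset_ids]
```

`audit(SAMPLE, OWNERS)` reports the sales group's refresh right on the finance dataset and the dataset that no BU owns; against a live account, pass the output of `fetch` instead of `SAMPLE`.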
Since we have not heard back, I’ll go ahead and close out this topic. However, if you have any additional questions, feel free to create a new post in the community.
I would say this will not serve our use case.
For example, I can have users who have access to both sensitive and nonsensitive data on Quick Sight.
For such users, the user may want to use nonsensitive data with SPICE and sensitive data without it (if it contains PII, etc.).
Custom policy puts a blanket permission on users, when it should be a combination of dataset + users.
In fact, if we can even put a deny policy to an IAM action on a datasource level that we can apply via API/CLI to not allow any data from its datasets to be ingested to SPICE, that would work too.
Hi @Aishwarya_K01,
Thank you for the additional notes; as I’ve marked this as a feature request, I will close this topic for the current timeframe. Feel free to keep an eye on the ‘What’s New’ section in the Community for all updates that are made.
If you have any additional questions, feel free to create a new post in the community.