Namespace clarifications

I’ve been trying to get a custom namespace working, and the experience I’m having isn’t lining up with what I expected from reading various articles online. My understanding is that namespaces exist to isolate groups of users in QuickSight so they aren’t able to share assets with or view users in other namespaces. However, when I created a user and logged in through IAM into the custom namespace, they were able to share assets and see users that belonged to the default namespace. I did some more googling, and found that because the user logged in through IAM, they would always be able to see every user on the account.

Is that true? Is there another way to isolate users from seeing the default namespace? I also saw that every SSO would use IAM, so it doesn’t seem like there’s a way to truly isolate users if they always have to use IAM to log in. Please correct me if I have anything wrong, and let me know how I should approach this issue.

Hi @ineedqshelp,

I believe you are correct and this behavior is how it is intended, as I think IAM takes precedence over federated SSO due to it being at the Amazon organizational level (which does not take into account any additional federated SSO).

However, I would definitely recommend looking into this namespace documentation, as through the Quick API, there might be some specific calls you can make to modify this precedence and achieve your desired behavior.

Hope this helps!

If I wanted to have users use a federated SSO instead of IAM, would I have to set up a new AWS account and do it differently so IAM doesn’t take precedence?

Hi @ineedqshelp,

As this is an account-based matter and I am not too sure of the specifics of how your federated SSO and IAM are set up, I would definitely create a support ticket with AWS Support, as they will be able to look further in-depth into your namespace issue.