QuickSight Account Provisioning Pattern for external clients

Hi all,

As a bit of a newbie in QuickSight, I’d like to get recommendations on how to set up and manage QuickSight accounts for our external clients in this scenario:

  • We provision individual QS accounts for internal users for ADMIN, AUTHOR, READER roles and allow them to log in via QS login
  • We have multiple organizations for which we’d like to provision accounts as follows: one QS READER account per organization (or more if multiple organizational users)
  • We want to provision accounts via a custom back office using RegisterUser
  • We do not want them to log in via QuickSight, only via a portal we provide them
  • We do not want the external users to receive emails/notifications from QuickSight
  • QS dashboards will be embedded within the portal using GetDashboardEmbedUrl
  • We want to use their organizational account as reference for RLS to provide data boundaries between organizations

I am a little confused on the best way to proceed because RegisterUser requires an email, and we do not want to provide the external organization’s email here. We also DO NOT want to use ANONYMOUS identity type for GetDashboardEmbedUrl.

We intend to use Cognito as the IdP for our client portal.

I’d greatly appreciate any info/advice on this. Thank you!

Oooof, I think I figured this out.

Apparently, I should be using GenerateEmbedUrlForRegisteredUser instead of GetDashboardEmbedUrl.
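
A sketch of the registered-user flow the thread arrives at, added here as an example and not taken from the original posts: the back office calls RegisterUser once per organization, and the portal backend calls GenerateEmbedUrlForRegisteredUser for the organization found in the already-validated Cognito token. Assumptions: the IAM identity type, a `custom:org_id` Cognito attribute, an embedding role ARN, and a back-office `{org_id: user_arn}` store; which address to pass as `email` is left to the caller.

```python
# Added example (not from the thread). `qs` is a boto3 QuickSight client,
# e.g. boto3.client("quicksight", region_name=...). Names marked "assumed"
# are placeholders, not values from the original post.

ORG_CLAIM = "custom:org_id"   # assumed Cognito custom attribute holding the org


def register_org_reader(qs, account_id, org_id, embed_role_arn, email,
                        namespace="default"):
    """Back office: create one READER per organization via RegisterUser.

    IdentityType=IAM ties the user to a role + session name instead of a
    QuickSight password. Returns (user ARN, UserName); the UserName is the
    value an RLS rules dataset row can reference for this organization."""
    resp = qs.register_user(
        AwsAccountId=account_id,
        Namespace=namespace,
        IdentityType="IAM",
        IamArn=embed_role_arn,      # assumed role the portal backend uses
        SessionName=org_id,         # one QuickSight user per organization
        UserRole="READER",
        Email=email,                # required by the API; caller decides which
    )
    return resp["User"]["Arn"], resp["User"]["UserName"]


def embed_url_for_claims(qs, account_id, verified_claims, org_users,
                         dashboard_id, portal_origin):
    """Portal backend: map *verified* Cognito claims to the org's reader.

    org_users is the back office's {org_id: user_arn} store. The org comes
    only from the validated token, never from a request parameter, so one
    tenant cannot ask for another tenant's QuickSight user."""
    org_id = verified_claims.get(ORG_CLAIM)
    user_arn = org_users.get(org_id)
    if user_arn is None:
        raise PermissionError("no QuickSight reader registered for this org")
    resp = qs.generate_embed_url_for_registered_user(
        AwsAccountId=account_id,
        UserArn=user_arn,
        SessionLifetimeInMinutes=60,
        AllowedDomains=[portal_origin],
        ExperienceConfiguration={
            "Dashboard": {"InitialDashboardId": dashboard_id}},
    )
    return resp["EmbedUrl"]
```

Token signature, issuer and audience checks must already have passed before `verified_claims` reaches `embed_url_for_claims`; the function does not validate the JWT itself.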