I am looking into QS usage via AWS IAM Identity center where I can manage users via AD groups defined at the company level. I have a few questions about the solution for which I was unable to find answers.
If I have one AD group for readers and another for authors and a user is in both will I presume that he will have writer access. What is the situation with billing, will I be paying for one or two users?
If I add an AD group with hundreds of users will I be paying for all of them from the start or when they first login into the app?
Can the permissions for QS be managed on a group level for a specific subset of users or are the custom permission policies for resources only?
If I have one AD group for readers and another for authors and a user is in both will I presume that he will have writer access. What is the situation with billing, will I be paying for one or two users?
In IAM IDC it is just one user. The user role will change to Author and you will be charged accordingly.
If I add an AD group with hundreds of users will I be paying for all of them from the start or when they first login into the app?
First, thanks for your feedback, it’s been informative. Regarding my third question I mean if you can also manage users’ QS permissions via Security & permissions/Resource access for individual users and groups configuration option (image below). I have tried assigning some custom QS policy permissions to readers for example and they did not apply. What exactly can be assigned this way, through IAM Policies?
I have tried assigning some custom QS policy permissions to readers for example and they did not apply.
Readers only consume dashboards and you handle permissions in QuickSight on which dashboards they have access to, row level security for data.
For Authors you can apply custom permissions. An example below is a policy which restricts them from viewing Athena workgroups. This would restrict them from creating an Athena data source connection.
Thanks for you answer. I have a few additional questions regarding AWS IAM identity-based policies for QuickSight.
You have mentioned that for Readers I can limit their access to QuickSight assets within the app. If I do that will they by extension get the rights to underlying resources that those assets (analyses, dashboards, etc.) use? For example if a dashboard is sourcing some Athena tables I don’t have to grant the Readers permission to that table as well, only the base Dashboard asset will be enuogh?
I have written a custom AWS IAM Policy for QuickSight Authors but I can’t seem to deploy is as IaC. Is this possible for these types of policies? How can I apply these types of policies in my account? I am able to do it manually via the AWS Console but it is messy work and prone to errors and no audit trail.
