Quicksight embedded reports filtering users

Hi

We are exploring the option of embedding Quicksight reports into our user interface. Potentially we would have up to 50000 users that would log in to our console. We are trying to explore the best option to achieve this without every user having to have their own Quicksight login. We are exploring the anonymous option, but we would also like to be able to filter the reports based on which users are logged in by passing the agentname back to Quicksight. We are a little concerned that a user could potentially hijack the URL and use it to see other agents' information.

I would be grateful for any support on the best option to securely achieve the above.

Regards
Damien

Hi @murray_dj
You can achieve this in anonymous embedding using two features.
1. Authorized Resource ARNs: This will prevent access to any dashboard other than those that you explicitly give access to for that session (the generated URL).

2. sessionTags: To filter/reduce the data for the given agent in a session.

The above steps will happen on the server-side of your application and hence users cannot manipulate the url generation and hence the session content.

If you have more questions, we can discuss it offline based on your use case. Please let us know.

Regards
Vetri

Thank you, Vetri, that was very helpful.

When we make the call to get the embedded URL can that call pass in parameters to filter the dashboard? We’re concerned with the parameter option on the frontend of our react site that the end user could use F12 and modify a parameter before passing it on.

Hi @murray_dj
Parameters are not meant to implement Row Level Security (reducing data based on logged in user).

For row level security in anonymous embedding, you must use SessionTags to pass the agent name so that data is reduced for the entire session and even if the user changes the parameter, no data will be exposed.

Please refer to the documentation below for reference.

Please let us know if you need further discussion on this. A better understanding of your use case could help us point you in the right direction.

Regards
Vetri
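
The server-side call described in the two answers above, as an added example that is not part of the original thread: the backend builds the `GenerateEmbedUrlForAnonymousUser` request from its own authenticated session, so the browser never supplies the agent name. The account id, region, dashboard id, the `agent_name` session field, the tag key, and the match-all and delimiter values are assumptions and must mirror the dataset's tag-based row-level security rule.

```python
# Constructed placeholders (not from the thread): account, region, dashboard id.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
DASHBOARD_ID = "example-dashboard-id"
DASHBOARD_ARN = f"arn:aws:quicksight:{REGION}:{ACCOUNT_ID}:dashboard/{DASHBOARD_ID}"

# Assumed to mirror the dataset's tag-based RLS rule for the agent column.
RLS_TAG_KEY = "agentname"
MATCH_ALL_VALUE = "*"         # assumed MatchAllValue on that rule
MULTI_VALUE_DELIMITER = ","   # assumed TagMultiValueDelimiter on that rule


def build_embed_request(server_session: dict) -> dict:
    """Arguments for GenerateEmbedUrlForAnonymousUser, derived only from
    the server-side session, never from browser-supplied parameters."""
    agent = server_session.get("agent_name")
    if not isinstance(agent, str) or not agent.strip():
        raise PermissionError("no authenticated agent in the server-side session")
    # A value equal to the match-all token, or containing the delimiter,
    # would widen the row filter beyond this one agent.
    if agent == MATCH_ALL_VALUE or MULTI_VALUE_DELIMITER in agent:
        raise PermissionError("agent name collides with RLS tag syntax")
    return {
        "AwsAccountId": ACCOUNT_ID,
        "Namespace": "default",
        "SessionLifetimeInMinutes": 60,
        # The session can open only the dashboards listed here.
        "AuthorizedResourceArns": [DASHBOARD_ARN],
        "ExperienceConfiguration": {
            "Dashboard": {"InitialDashboardId": DASHBOARD_ID}
        },
        # Row-level filter applied to the whole session.
        "SessionTags": [{"Key": RLS_TAG_KEY, "Value": agent}],
    }


def get_embed_url(server_session: dict) -> str:
    """Call QuickSight from the backend and return the URL for the browser."""
    import boto3  # imported here so build_embed_request runs without AWS access
    client = boto3.client("quicksight", region_name=REGION)
    response = client.generate_embed_url_for_anonymous_user(
        **build_embed_request(server_session)
    )
    return response["EmbedUrl"]
```
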

Thanks Vetri

This has really helped.
