QuickSight RLS: Apply group specific permission for same user part of multiple groups in embedding API generateEmbedUrlForRegisteredUser

Hi,

I have a dashboard URL generated using the API generateEmbedUrlForRegisteredUser, which I’m embedding in an application. The logged-in user assumes a certain specific role while accessing the solution. The specific role selected by the user has a specific permission. As shown in the example, when user A logs in as Manager-Asia, he should only have access to those specific countries’ data, while when the user logs in as Manager-Europe, he should only have access to those specific countries’ data.

How do I achieve this for registered user? I tried using groups and permissions but if a user is part of multiple groups then all the permissions are applied from all the groups. Can the API generateEmbedUrlForRegisteredUser take some additional context (like group name) to apply only that specific permission? Or like the API generateEmbedUrlForAnonymousUser takes session tags, can registered user also accept session tags?

Or please let me know any other option. My application constraints are that I have to use generate embed URL for registered user and not anonymous user and that one user would have different role context at a time for which the data needs to be shared.

Thanks,


Hello @Sushant_Kumar_Mishra, welcome to the QuickSight community!

First thing is that session tags are only applicable for anonymous users and not registered users. As for RLS, permissions are either linked in QuickSight at the User level or the Group level. Once you create the RLS dataset, you will attach it to the datasets linked to your dashboards. Here is documentation on setting that up:

Alternatively, you could put a parameter on the analysis, use it to filter the countries that each user role would have access to, then pass in the required parameter value in the URL based on the user that is accessing them.

Those are the 2 most likely ways that you will be able to achieve this! I will mark my response as the solution, but if you have further questions, please let me know!
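
The behaviour described in the question (a user in several groups receives every group's RLS grants at once), as an added example that is not part of the original thread and is not QuickSight code: a small Python model of group-level rule evaluation, plus a check that lists users whose combined access is wider than any single role they hold. The user names, country values and data rows are constructed, and the union-of-groups evaluation is an assumption taken from what the poster reports.

```python
import csv
import io

# Constructed RLS rules dataset: one row per (group, country) grant.
RULES_CSV = """GroupName,Country
Manager-Asia,India
Manager-Asia,Japan
Manager-Europe,France
Manager-Europe,Germany
"""

# Constructed group memberships and dashboard rows (country, sales).
MEMBERSHIPS = {"userA": {"Manager-Asia", "Manager-Europe"},
               "userB": {"Manager-Asia"}}
SALES = [("India", 120), ("Japan", 90), ("France", 75),
         ("Germany", 60), ("Brazil", 40)]


def load_rules(text):
    """Parse the rules CSV into {group: {allowed countries}}."""
    rules = {}
    for row in csv.DictReader(io.StringIO(text)):
        rules.setdefault(row["GroupName"], set()).add(row["Country"])
    return rules


def allowed_countries(user, rules, memberships):
    """Union of grants over every group the user belongs to.
    The role picked in the application is not an input here."""
    allowed = set()
    for group in memberships.get(user, ()):
        allowed |= rules.get(group, set())
    return allowed


def visible_rows(user, rules, memberships, rows):
    """Rows the user sees; anything not granted is filtered out."""
    allowed = allowed_countries(user, rules, memberships)
    return [r for r in rows if r[0] in allowed]


def users_exceeding_single_role(rules, memberships):
    """Users for whom no single group covers their effective access."""
    flagged = {}
    for user, groups in memberships.items():
        effective = allowed_countries(user, rules, memberships)
        if all(effective - rules.get(g, set()) for g in groups):
            flagged[user] = sorted(effective)
    return flagged
```

Running `users_exceeding_single_role` over an export of the rules dataset and group memberships shows which registered users would see more than one role's data in a single embedded session.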