Quick Sight RLS Behavior Change: IAM Groups vs Individual User Access

Hi AWS Community,

I’m experiencing some unexpected behavior with Row-Level Security (RLS) implementation in Quick Sight and would appreciate any insights.

Scenario:

  • Implementing category-based RLS where different users should have access to different sets of categories
  • Example: User1 should access all 10 categories, User2 should access 8 categories, etc.

Previous Behavior (Test Environment):

  • Users could only access the dashboard if they were part of specific IAM groups
  • Individual user access to the dashboard wouldn’t work if the user wasn’t in these groups, even if explicitly added to dashboard sharing

Current Behavior (Production Dashboard):

  • Users can access the dashboard if they’re either:
    • Part of the IAM groups OR
    • Added as individual users in dashboard sharing

Has anyone experienced similar changes in RLS behavior? Could this be related to a recent Quick Sight update? Any suggestions on how to ensure consistent RLS implementation across different dashboards would be greatly appreciated.

Thanks in advance!


Hello @hprem

RLS should not affect whether a user has general access to a dashboard. RLS only means that when a user accesses a dashboard they will only see rows that correlate to what was set in the rules dataset.

Did you change anything about your groups or how you manage permissions in Quick Sight with IAM?

Hi @duncan,

Thank you for your input. I’d like to clarify the situation and the reason for my confusion:

  1. Test Environment Dashboard:
     • Created two ANT groups for dashboard access
     • Implemented different row-level access for each group in the rules dataset
     • Observed: When RLS was enabled, individual users (including myself as dashboard owner) lost data on dashboard visuals, even though I was part of one of the ANT groups.
     • Solution found: Adding the same ANT groups to dashboard access restored visibility
  2. Production Environment Behavior:
     • Same two ANT groups specified in the rules dataset
     • Different outcome: Users added individually to dashboard access can see data this time as long as they’re part of the ANT groups, even without adding ANT groups to dashboard access.

This discrepancy between test and production dashboard is the core of my confusion. I’m seeking to understand why the RLS behavior differs, particularly why individual user access works in production without requiring ANT group inclusion in dashboard access.

Could you provide insights on:

  1. Why this difference in behavior might occur?
  2. Best practices for consistent RLS implementation?
  3. How to properly manage individual vs. group-based access in conjunction with RLS?

Your expertise on these points would be greatly appreciated.

Hey @hprem

Are you only using groups for your rules dataset or are you also using usernames? I think that the groups need to be added to the dashboard because your rules dataset includes them.

I’m not sure why that’s not working between environments. Are your Test/Dev and Prod environments in the same Quick Sight account?
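To make the two mechanisms under discussion concrete, here is an added example (not code from the thread participants or from QuickSight itself) that simulates how a user-based RLS rules dataset is evaluated. It follows the documented shape of a rules dataset: optional `UserName` and `GroupName` columns plus one column per restricted field, comma-separated values in a cell for several permitted values, an empty cell meaning all values, and a principal that matches no rule at all seeing no rows. The rules CSV, the group memberships, the user names and the category data are all constructed for illustration; `visible_categories` is a helper written for this example.

```python
"""
Simulation of user-based RLS evaluation in the style of a QuickSight rules dataset.
Added example only: the rules, users, groups and data below are constructed.
"""
import csv
import io

# Constructed rules dataset. Columns other than UserName/GroupName are the
# restricted fields of the dashboard dataset (here just "Category").
# Empty field cell = all values; several values in one cell are comma-separated.
RULES_CSV = """UserName,GroupName,Category
,analysts-all,
,analysts-limited,"Books,Games,Music,Movies,Toys,Garden,Sports,Tools"
user2,,"Books,Games"
"""

# Constructed fact rows standing in for the dashboard's dataset.
CATEGORIES = ["Books", "Games", "Music", "Movies", "Toys",
              "Garden", "Sports", "Tools", "Office", "Pets"]
DATA = [{"Category": c, "Sales": i * 10} for i, c in enumerate(CATEGORIES, 1)]

# Constructed principal -> group memberships (what QuickSight groups would hold).
# "owner" is in no group and has no UserName rule: sharing the dashboard with
# this principal grants access, but RLS still yields no rows.
MEMBERSHIP = {
    "user1": {"analysts-all"},
    "user2": set(),
    "user3": {"analysts-limited"},
    "owner": set(),
}


def parse_rules(text):
    """Turn the rules CSV into a list of {user, group, fields} dicts."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        fields = {}
        for col, cell in row.items():
            if col in ("UserName", "GroupName"):
                continue
            # None means "no restriction on this field" (empty cell).
            fields[col] = None if cell.strip() == "" else {v.strip() for v in cell.split(",")}
        rules.append({"user": row["UserName"].strip(),
                      "group": row["GroupName"].strip(),
                      "fields": fields})
    return rules


def matching_rules(principal, groups, rules):
    """A rule applies if its UserName is the principal or its GroupName is one of their groups."""
    return [r for r in rules
            if (r["user"] and r["user"] == principal)
            or (r["group"] and r["group"] in groups)]


def row_allowed(row, rule):
    """Within one rule, every restricted field must match (AND across columns)."""
    return all(allowed is None or row.get(field) in allowed
               for field, allowed in rule["fields"].items())


def visible_rows(principal, rules, data, membership):
    """Rows a principal sees: none if no rule matches, else the union of matched rules."""
    matched = matching_rules(principal, membership.get(principal, set()), rules)
    if not matched:
        return []
    return [row for row in data if any(row_allowed(row, r) for r in matched)]


def visible_categories(principal, membership=None):
    """Sorted categories visible to `principal`; `membership` overrides MEMBERSHIP."""
    rules = parse_rules(RULES_CSV)
    rows = visible_rows(principal, rules, DATA, membership or MEMBERSHIP)
    return sorted({r["Category"] for r in rows})


if __name__ == "__main__":
    for who in MEMBERSHIP:
        print(who, visible_categories(who))
    # Putting "owner" into a group named in the rules dataset restores data.
    print("owner (in analysts-all)", visible_categories("owner", {"owner": {"analysts-all"}}))
```

The last call shows the distinction the thread circles around: whether a principal can open the dashboard is decided by dashboard sharing, while which rows they see is decided solely by whether a `UserName` or `GroupName` rule matches them. A principal with dashboard access but no matching rule gets visuals with no data, which is consistent with the test-environment observation; a principal that is a member of a rule's group sees that group's rows regardless of whether the group itself was added to dashboard sharing.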

Hello @hprem

Are you still working on this or were you able to find a solution?

Hey @hprem

It has been a while since we have heard from you. Were you able to find a solution, or are you still working on this?

This topic will be archived in 2 business days if we do not hear back from you.