RLS and 999 rules-per-user limit

We have an RLS permissions dataset that we apply to other datasets. It supports a multi-tenant model where we can limit a user’s access to a segment of our data.

Our main dataset has 2 columns in it: Account and Building. We create a GroupName that matches the Account and put all the users in the Account in that GroupName. Our RLS permissions dataset then has one row like:

GroupName,UserName,Account,Building
abc,,abc,

That works as we expect: all users in Account ‘abc’ can see all Buildings in the Account.

If a user should have access to only a subset of Buildings in the Account, we create a second RLS row:

GroupName,UserName,Account,Building
abc,,abc,
,the-role-name/userX,,"123,456"

which formerly worked as we expected. The userX user in Account abc could see only buildings 123 and 456.

The QS docs state there is a limit of 999 rules per user, so in this example the userX user would have 2 rules (rows) that apply to them, if I am reading the docs correctly.

Our RLS permissions dataset has a total of 1400+ rows in it now, a combination of GroupName and UserName rows, and the Building + UserName rows seem to be getting ignored. In this example userX can see all the Building rows in the abc Account.

The FAQ docs suggest that this behavior might be because we have exceeded the 999 rule limit.

My question is: how is the 999 rule counting applied? I assume it’s not the total number of rows in the RLS permissions dataset, but the number of rows that apply to a user. So not 1400 but 2 (in this example, one row for the GroupName match and one row for the UserName match).

Am I reading the docs correctly?
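To make the distinction in the question concrete, here is an added example (my own code, not the poster's dataset or anything from the QuickSight documentation) that parses an RLS permissions dataset in the four-column layout shown above and counts how many rows apply to one user. It assumes, as the post does, that a row applies to a user when its GroupName is one of the user's groups or its UserName matches the user's name, and that an empty cell means "no restriction" on that column. The `effective_scope` function models the additive/AND behavior described in the thread (group row first, then the user-specific row narrows it); that is the poster's description, not a statement of QuickSight's documented semantics. The sample CSV is constructed for the example.

```python
"""Count RLS rules that apply to one user, and model the AND'd scope described in the thread.

Assumptions (not from QuickSight docs): a row applies to a user when its GroupName
is one of the user's groups or its UserName equals the user's name; an empty cell
means no restriction on that column. Sample data below is constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

RULE_LIMIT = 999  # per-user limit quoted from the QuickSight docs in the thread

# Constructed sample dataset: the two rows from the post for account abc, plus
# unrelated rows to show that total row count differs from per-user rule count.
SAMPLE_RLS_CSV = """GroupName,UserName,Account,Building
abc,,abc,
,the-role-name/userX,,"123,456"
def,,def,
,the-role-name/userY,,789
"""


@dataclass(frozen=True)
class Rule:
    group_name: str            # "" = not a group rule
    user_name: str             # "" = not a user rule
    account: frozenset[str]    # empty = no restriction on Account
    building: frozenset[str]   # empty = no restriction on Building


def _split_values(cell: str) -> frozenset[str]:
    """'123,456' -> {'123', '456'}; '' -> empty set (no restriction)."""
    return frozenset(v.strip() for v in cell.split(",") if v.strip())


def parse_rules(csv_text: str) -> list[Rule]:
    """Parse the GroupName,UserName,Account,Building layout used in the thread."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Rule(
            group_name=row["GroupName"].strip(),
            user_name=row["UserName"].strip(),
            account=_split_values(row["Account"]),
            building=_split_values(row["Building"]),
        )
        for row in reader
    ]


def rules_for_user(rules: list[Rule], user_name: str, groups: list[str]) -> list[Rule]:
    """Rows that apply to this user: a matching group row or a matching user row."""
    group_set = set(groups)
    return [
        r for r in rules
        if (r.group_name and r.group_name in group_set)
        or (r.user_name and r.user_name == user_name)
    ]


def check_rule_limit(rules: list[Rule], user_name: str, groups: list[str],
                     limit: int = RULE_LIMIT) -> dict:
    """Report total rows vs. rows applying to the user, and whether the user is under the limit."""
    matched = rules_for_user(rules, user_name, groups)
    return {
        "total_rows": len(rules),
        "rules_for_user": len(matched),
        "within_limit": len(matched) <= limit,
    }


def effective_scope(matched: list[Rule]) -> tuple[frozenset[str] | None, frozenset[str] | None]:
    """Scope under the AND model the poster describes: each non-empty column narrows
    the result; None means that dimension was never restricted by any matching row."""
    account: frozenset[str] | None = None
    building: frozenset[str] | None = None
    for r in matched:
        if r.account:
            account = r.account if account is None else account & r.account
        if r.building:
            building = r.building if building is None else building & r.building
    return account, building


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RLS_CSV)
    user = "the-role-name/userX"
    report = check_rule_limit(rules, user, ["abc"])
    print(report)  # total_rows 4, rules_for_user 2, within_limit True
    print(effective_scope(rules_for_user(rules, user, ["abc"])))  # abc / {123, 456}
    print(effective_scope(rules_for_user(rules, "the-role-name/userZ", ["abc"])))  # abc / None
```

Run against the real dataset by replacing `SAMPLE_RLS_CSV` with the file contents; the number worth watching is `rules_for_user`, not `total_rows`.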

Hi @PeterKarman

I ran into this some time back. Per my tests, the user-level permission you have set up does not work. If the user x belongs to Group abc, then that will take priority.

You may need to approach this by creating exceptional cases in their own groups.

Regards,
Giri


Hi @PeterKarman,
It’s been a while since we last heard from you. Did you have any additional questions regarding your initial post?

If we do not hear back within the next 3 business days, I’ll go ahead and close out this topic.

Thank you!

Hi @PeterKarman,

The 999 limit is per user. When I exceeded it in the past, I got an error when refreshing my dataset. You’ll know when you hit the limit. QuickSight won’t just skip some of your rules.

What happens when you remove the first rule in the above example? Does the 2nd rule work?

Alas, I cannot remove the first rule because that would break authz for all the other users in that group that do not have per-building permissions. The rules were, at some point, additive: first the GroupName rule would apply, then if there was another rule specific to the UserName it would also be applied. They were AND’d together. Somehow that has stopped working.

Instead I just finished switching over to tag-based RLS and that is working much better, and has the added benefit of allowing us to avoid needing to sync all our group/user permissions ahead of time. So it’s a net win for us.