I am the QuickSight account owner and dataset owner on two datasets that have RLS enabled. Per AWS documentation, dataset owners should bypass RLS automatically, but I am still being blocked in the published dashboard.
What I’ve tried:
Confirmed owner status on both datasets — still blocked
Upgraded to Admin Pro — still blocked
Deleted a ghost duplicate account sharing my email — still blocked
Added my username directly to the RLS mapping table — hit the 999-row limit (I have 2,000+ rows needed)
How do I grant my admin account full unrestricted access without hitting the 999-row RLS mapping limit?
I actually wasn’t aware dataset owners should bypass RLS, so I have always added it.
Considering the number of people, I think the only way to manage this will be to add users to a user group and permission the dataset that way instead of individual permissions. Are there a ton of different/unique permission types for the users, or do you think they can be batched?
Thanks Dylan! The permission types are simple — each user only sees data filtered to their specific ID. The problem is I have 4 admin accounts that need to see ALL IDs (2,000+), which blows past the 999-row RLS limit when I try to add them to the mapping table.
Can I use a QuickSight Group for the admin accounts and exclude that group from RLS entirely? Or is there another way to give certain users unrestricted access while keeping RLS active for everyone else?
Hello @Coleman_Walker, you can definitely make a group for admin users! In order to ensure the admins can view all of the data, you will want to add their group name inside of the RLS file, but then leave all of the other field values on the row blank/NULL. This will ensure that they have unrestricted access to the data but also not exclude them. Once the group name is added, there shouldn’t be any further issues!
Hi Dylan, we tried adding the group name ‘Admins’ with a NULL value in the filter column but admins are still being blocked. Just want to confirm — our RLS table has two columns: username (STRING) and most_recent_trainer_id (INT). We added the row ('Admins', NULL). The RLS dataset is a view that joins this table to get a trainer_name column, which is the actual filter field on the datasets. Should the NULL be in the trainer_name column or the most_recent_trainer_id column? And does the group name need any special prefix like group/Admins?
Hello @Coleman_Walker, a couple things to check. sorry if some of these questions seem obvious, I just want to make sure we are on the same page.
Did all of the admin users get added to the admin group?
Did you generate a new RLS file to handle the user group? If you had previously built the RLS to check for user names or user arns, you will want to update that column name value.
How are you building the RLS file? Is it a CSV from Excel/Google Sheets? Or are you building it with a SQL query? If you are using a SQL query, I would return NULL. If it is a CSV file, you can just leave the field value empty instead of actually typing NULL in as the value.
Hi @Coleman_Walker, Checking in. We have not heard back from you regarding your question. We’d still like to help. If we do not hear back in the next 3 days, we will archive the question.
Since we haven’t received any further updates from you, I’ll treat this inquiry as complete for now. If you have any additional questions, feel free to create a new post in the community and link this discussion for context.