RLS: Empty (NULL) UserName and GroupName

In the docs (Using row-level security (RLS) in Amazon QuickSight - Amazon QuickSight), it states:

If you don’t add a rule for a user or group, that user or group can’t see any of the data.

Maybe I am misunderstanding this, but I think I see a different type of behaviour.

Here’s the actual SQL that is generated by QuickSight:

SELECT *
FROM "public"."rls"
WHERE ("UserName" IN ('user@example.com', '') OR "UserName" IS NULL)
AND ("GroupName" IN ('rls', 'SNAdmins', 'SNUsers', '') OR "GroupName" IS NULL)
ORDER BY "GroupName" NULLS FIRST
LIMIT 1000

So, if the rls table (dataset) is:

id   UserName  GroupName
123  NULL      NULL

That query will result in a match and will return this row, resulting in access being granted to records in the restricted dataset with id=123.
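To make the behaviour above reproducible offline, here is an added example (not code from the original post or from QuickSight) that replays the generated predicate against a constructed copy of the rules table in SQLite. SQLite stands in for the real datasource, and the ORDER BY is written as "GroupName" IS NOT NULL, "GroupName" because NULLS FIRST is not available on older SQLite builds; the WHERE clause is the one QuickSight emitted. The rows, user names and group names are constructed for the demonstration. It also includes a simple audit query that flags rule rows whose UserName and GroupName are both NULL or empty, since those rows match every user.

```python
import sqlite3

# Constructed sample of the "public"."rls" rules dataset from the post.
# id=123 has NULL UserName and NULL GroupName (the row the post describes),
# id=456 has empty strings in both columns, and id=789 is a normal per-user rule.
RULE_ROWS = [
    (123, None, None),
    (456, "", ""),
    (789, "alice@example.com", "SNUsers"),
]


def build_rules_db(rows=RULE_ROWS):
    """Create an in-memory SQLite table shaped like the rls dataset."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE rls (id INTEGER, "UserName" TEXT, "GroupName" TEXT)')
    conn.executemany("INSERT INTO rls VALUES (?, ?, ?)", rows)
    return conn


def quicksight_rls_match(conn, user_name, groups):
    """Run the predicate QuickSight generated (per the post) for one user.

    QuickSight appends '' to both IN lists and ORs in IS NULL, so a rule row
    whose UserName/GroupName are NULL or '' matches regardless of who asks.
    Returns the ids of the matching rule rows.
    """
    user_list = "?, ?"                                    # the user plus the '' QuickSight appends
    group_list = ", ".join("?" for _ in range(len(groups) + 1))
    sql = f"""
        SELECT id FROM rls
        WHERE ("UserName" IN ({user_list}) OR "UserName" IS NULL)
          AND ("GroupName" IN ({group_list}) OR "GroupName" IS NULL)
        ORDER BY "GroupName" IS NOT NULL, "GroupName"   -- portable form of NULLS FIRST
    """
    params = [user_name, ""] + list(groups) + [""]
    return [row[0] for row in conn.execute(sql, params)]


def find_wildcard_rules(conn):
    """Audit check: rule rows with no user AND no group match every principal.

    A NULL UserName with a real GroupName (a group rule) or a real UserName
    with a NULL GroupName (a user rule) is fine; only both-empty rows are flagged.
    """
    sql = """
        SELECT id FROM rls
        WHERE COALESCE("UserName", '') = '' AND COALESCE("GroupName", '') = ''
    """
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = build_rules_db()
    # A user who appears in no rule still matches the NULL and '' rows.
    print(quicksight_rls_match(db, "stranger@example.com", ["Marketing"]))  # [123, 456]
    # alice matches her own rule plus the two wildcard rows.
    print(quicksight_rls_match(db, "alice@example.com", ["SNUsers"]))       # [123, 456, 789]
    print(find_wildcard_rules(db))                                          # [123, 456]
```

Running the audit query against a rules dataset before attaching it to a restricted dataset is the practical check here: any id it returns is visible to every QuickSight user, whether or not that user has a rule.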

Hi,

This is what it means: “If you don’t add a rule for a user or group, that user or group can’t see any of the data.”

My user : Default-Reader1 is not part of the RLS dataset, hence cannot see any data in the dashboard.

In your dataset there is a row which has the value of 123 in the id field but the username and groupname are empty?

In your dataset there is a row which has the value of 123 in the id field but the username and groupname are empty?

Yes, that is what I am talking about.

I don’t have this in my dataset right now. But I can see someone making this mistake easily, and I don’t see this being documented as a feature. Unless I missed it. So it can lead to a security issue.

Thanks for the details. Could you please provide feedback directly on the documentation page?

[Screenshot attached: Screenshot 2022-07-27 at 12.52.20]

Regards,
Koushik