If you don’t add a rule for a user or group, that user or group can’t see any of the data.
Maybe I am misunderstanding this, but I think I see a different type of behaviour.
Here’s the actual SQL that is generated by QuickSight:
SELECT *
FROM "public"."rls"
WHERE ("UserName" IN ('user@example.com', '') OR "UserName" IS NULL)
AND ("GroupName" IN ('rls', 'SNAdmins', 'SNUsers', '') OR "GroupName" IS NULL)
ORDER BY "GroupName" NULLS FIRST
LIMIT 1000
So, if the rls table (dataset) is:
id   UserName  GroupName
123  NULL      NULL
That query will result in a match and will return this row, resulting in access being granted to records in the restricted dataset with id=123.
In your dataset there is a row which has the value of 123 in the id field, but the username and groupname are empty?
Yes, that is what I am talking about.
I don’t have this in my dataset right now. But I can see someone making this mistake easily, and I don’t see this being documented as a feature. Unless I missed it. So it can lead to a security issue.
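The behaviour discussed in this thread can be reproduced and audited offline. The following is an added example, not code from the thread or from QuickSight: it runs the WHERE clause quoted above against a constructed rules table and lists the rules whose UserName and GroupName are both blank. SQLite stands in for the real database, and the sample rows and function names are assumptions.

```python
import sqlite3

# Constructed sample rules; column names follow the thread, rows are made up.
RULES = [
    (123, None, None),                # both blank: matches every user
    (456, "user@example.com", None),  # user-scoped rule
    (789, None, "SNAdmins"),          # group-scoped rule
    (321, "", ""),                    # '' is treated like NULL by the predicate
]


def load_rules(rows):
    """Create an in-memory stand-in for the "public"."rls" table."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE rls (id INTEGER, "UserName" TEXT, "GroupName" TEXT)')
    db.executemany("INSERT INTO rls VALUES (?, ?, ?)", rows)
    return db


def ids_visible_to(db, user, groups):
    """Apply the WHERE clause quoted in the thread for one user and their groups."""
    group_vals = [*groups, ""]
    marks = ", ".join("?" for _ in group_vals)
    sql = (
        "SELECT id FROM rls "
        'WHERE ("UserName" IN (?, ?) OR "UserName" IS NULL) '
        f'AND ("GroupName" IN ({marks}) OR "GroupName" IS NULL) '
        "ORDER BY id"
    )
    return [row[0] for row in db.execute(sql, [user, "", *group_vals])]


def wildcard_rules(db):
    """Audit query: rules with no user and no group, which match everyone."""
    sql = (
        "SELECT id FROM rls "
        "WHERE COALESCE(\"UserName\", '') = '' "
        "AND COALESCE(\"GroupName\", '') = '' ORDER BY id"
    )
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = load_rules(RULES)
    print("unrelated user sees:", ids_visible_to(db, "other@example.com", []))
    print("rules to review:", wildcard_rules(db))
```

Running the audit query against the rules dataset before each refresh catches a blank row before it reaches the restricted dataset.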