I am trying to set up row-level security for all of the users in my org for a dataset. I tested it for one group that is already made in QuickSight, and I was able to see it in effect.
So I was trying to figure out how I do it for all the users in my org.
This is my plan, but please let me know if there is an easier way to achieve this:
make groups of users in QuickSight (which would be around 25) and then make a CSV with the rules for which group can see which row.
But this is too much manual work. Is there any other way to achieve this?
Hi @haider - Can you create the groups in QuickSight? The RLS data can be imported once if you know the groups in advance. If you are maintaining the RLS data in an Excel or CSV file, then yes, for any new addition you have to refresh it. Or, if you can maintain the RLS data in a database, it is easy to insert the data at the database level and run the query in direct query mode. You do not need to refresh every time.
Regards - Sanjeeb
Hi, yes, I can make the groups in QuickSight, but first I would need to make a QuickSight account for all the users in my organization, is that correct?
So I was thinking a better option would be to use tag-based rules, so that I don't have to make all the QuickSight accounts and groups for users and it can just be tag-based?
Hi @haider - You have to create user accounts and then assign the users to the groups. However, you can also create users programmatically using the boto3 QuickSight API. Have a look at the link: register_user - Boto3 1.26.118 documentation (note: it has some limitations), but with some custom code the automation can be done.
Regards - Sanjeeb
This may not apply to you but I wanted to share how we implement RLS for our users.
When a new user is created in our application, we programmatically create a QuickSight user for them by using the API and add them to a group (e.g. based on their company).
We also use a SQL query to create our RLS rules. This way our rules are always up-to-date and don’t have to be updated manually.
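An added example of the approach described in the posts above, not code from any poster in this thread: it registers users, places them in one group per company, and derives the RLS rules CSV from the same roster so group membership and rules cannot drift apart. The roster, the `company` dataset column and the function names are assumptions; `qs` is a QuickSight client such as `boto3.client("quicksight")`, and the users are assumed not to exist yet.

```python
import csv
import io

# Constructed sample roster: user name -> (email, company). In practice this
# would come from your application's user table or directory.
ROSTER = {
    "alice": ("alice@example.com", "acme"),
    "bob": ("bob@example.com", "acme"),
    "carol": ("carol@example.com", "globex"),
}


def group_names(roster):
    """One group per distinct company, in a stable order."""
    return sorted({company for _, company in roster.values()})


def sync_users_and_groups(qs, account_id, roster, namespace="default"):
    """Create missing groups, register each user, add them to their group."""
    # First page only; follow NextToken if the account has many groups.
    listed = qs.list_groups(AwsAccountId=account_id, Namespace=namespace)
    existing = {g["GroupName"] for g in listed.get("GroupList", [])}
    for group in group_names(roster):
        if group not in existing:
            qs.create_group(AwsAccountId=account_id, Namespace=namespace,
                            GroupName=group)
    for user, (email, company) in roster.items():
        # READER is the least-privileged role; dashboards only.
        qs.register_user(AwsAccountId=account_id, Namespace=namespace,
                         IdentityType="QUICKSIGHT", Email=email,
                         UserRole="READER", UserName=user)
        qs.create_group_membership(AwsAccountId=account_id,
                                   Namespace=namespace,
                                   GroupName=company, MemberName=user)
    return group_names(roster)


def build_rls_rules(roster, field="company"):
    """RLS rules CSV: each group may see rows where `field` equals its name."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["GroupName", field])
    for group in group_names(roster):
        writer.writerow([group, group])
    return out.getvalue()
```

Upload the output of `build_rls_rules` as the rules dataset, or generate the same rows with a query against the table the roster comes from.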
@haider first off, I agree with @Sanjeeb2022 and @David_Wong’s suggestions if you plan to manage users within QuickSight. If you are embedding QS into your application, then you have the option to use Anonymous Embedding along with the tag-based RLS you had mentioned. This route is usually preferable to our customers who embed QS into their apps as it eliminates the need to replicate/manage the users and groups within QS, but you can still apply RLS to each user. It just changes where you are managing the RLS rules (moves that login into your application layer vs managing within a dataset).