Row Level Security Rules in Amazon QuickSight

Row-level security (RLS) lets you control which rows of a dataset each user can access. With Amazon QuickSight user-based rules, you create a separate dataset for your RLS rules; it lets you combine ‘AND’ and ‘OR’ conditions for fine-grained control, with up to 999 rules per user.

Using this dataset:

UserName,Region,Industry,Segment
JohnDoe,AMER,"Finance,Energy","Enterprise,Strategic"
JaneDoe,EMEA,Healthcare,
JaneDoe,EMEA,,SMB
AnnOther,,Tech,
MrCEO,,,

the following rules are true:

  • John Doe can only see Enterprise and Strategic companies in Finance and Energy, in AMER. This rule is AND, so companies must match region, industry, and segment.
  • Jane can see all Healthcare companies in EMEA. Jane can also see any SMB company in EMEA. This rule is OR. Since Jane appears twice in this dataset, she can see companies that match EITHER set of conditions.
  • Ann can see all Tech companies in any segment and any region
  • Mr CEO can see all companies

You can test row level security using this RLS dataset and the SaaS-Sales Dataset available in the QuickSight Author Workshop.

As well as the points covered in the documentation, here are a few other tips to remember when you’re using RLS:

  • You can use comma separated values to match multiple conditions
    • In a CSV file you need to put double quotes around a cell that holds more than one value, as you would for any CSV field with a comma in the string.
    • Make sure you don’t have spaces around the commas within your string of values
  • There is a limit of 999 rules per user. A rule is one row in the RLS dataset, so this limits the number of rows you have per user. In this example:
    • There is one rule for John Doe, covering two industries across two segments in one region.
    • There are two rules for Jane Doe, one for EMEA healthcare, and another for EMEA SMB.
  • If you’re reaching that 999 limit, consider whether you can apply grouping to your data in your main dataset to simplify your RLS rules.
  • You can’t include other columns (such as a notes column that describes the expected behaviour) in the published dataset, but you can include them in your csv file and move the column to excluded fields in the dataset preparation area. This can help with diagnosis if you don’t get the behaviour you expect.
  • And finally, don’t forget to add your own user/group to the RLS file when you’re testing, or you won’t be able to see the data when you’re creating your analysis!
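
Added example (not from the original post or from AWS): a small Python model for dry-running an RLS file before you upload it. It evaluates the rules dataset above as AND within a row and OR across a user's rows, treats an empty cell as no restriction, and flags spaces around commas and users over the 999-rule limit. The function names are hypothetical, and treating a space-padded value as a non-match is a modelling assumption rather than documented QuickSight behaviour.

```python
import csv
import io
from collections import defaultdict

# The rules dataset from this page, embedded so the example runs offline.
RULES_CSV = '''UserName,Region,Industry,Segment
JohnDoe,AMER,"Finance,Energy","Enterprise,Strategic"
JaneDoe,EMEA,Healthcare,
JaneDoe,EMEA,,SMB
AnnOther,,Tech,
MrCEO,,,
'''
MAX_RULES_PER_USER = 999  # limit stated on this page


def load_rules(text):
    """Return ({user: [rule, ...]}, [lint warnings]); a rule is {column: set(values)}."""
    rules, warnings = defaultdict(list), []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        user, rule = row.pop("UserName"), {}
        for column, cell in row.items():
            if not cell:
                continue  # empty cell: no restriction on this column
            values = cell.split(",")
            if any(v != v.strip() for v in values):
                warnings.append(f"line {line_no}: space around comma in {column}")
            rule[column] = set(values)  # kept verbatim (assumption: padded values do not match)
        rules[user].append(rule)
    for user, user_rules in rules.items():
        if len(user_rules) > MAX_RULES_PER_USER:
            warnings.append(f"{user}: {len(user_rules)} rules exceeds {MAX_RULES_PER_USER}")
    return dict(rules), warnings


def can_see(rules, user, record):
    """OR across the user's rows, AND across the columns within one row."""
    return any(
        all(record.get(column) in allowed for column, allowed in rule.items())
        for rule in rules.get(user, [])  # a user with no rows sees nothing
    )


def visible_rows(rules, user, records):
    """Filter data rows (dicts keyed by column name) down to what the user may see."""
    return [r for r in records if can_see(rules, user, r)]
```

Call `load_rules` on your own CSV text and pass a handful of representative data rows to `visible_rows` for each user, including one user who is absent from the file, to confirm the expected allow and deny results.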