Row-level security

Hi there,
I just set up row-level security for one of my datasets.
The permissions dataset used to implement RLS (row-level security) has two columns: UserName and Brand.
I have just one row in that permissions dataset, which includes gian@test.com and company_a.

The RLS works fine for that single user. They can only see company_a data.
However, ALL other users no longer have access to any data.

How can I ensure that only users included in my permissions dataset get restricted, while everyone else has full access?

Thank you.
Kind regards,
Gian Marco

Hi @gian

Welcome back! Thank you for posting your question.

When Row-Level Security (RLS) is applied to a dataset in Amazon QuickSight, it fully controls access to the data. This means that only the users included in the permissions dataset will be able to see any data—others will have no access by default.

To allow unrestricted access to certain users, you need to explicitly grant them access to all data by adding their usernames with no value in the restriction column.

Example -

| UserName | Brand |
|---|---|
| gian@test.com | company_a |
| user1@test.com | |
| user2@test.com | |

Reference - Using row-level security with user-based rules to restrict access to a dataset - Amazon QuickSight

Please let me know if that helps.

Thank you,
Shravya

Thanks for replying, @shravya :slight_smile:
So the only way is to include all users’ emails one by one?
That would be quite inconvenient for us as new users continuously get invited, which means the permissions dataset will need continuous maintenance.

Isn’t there any other workaround to only include users with restricted access while everyone else has full access? Using Groups maybe?
Thank you.

Hi @gian

You can set up the Permission dataset by User Group as well.

The following is the structure of the permission dataset. You will leave the UserName field blank, fill in the User Group name, and provide the row-level field members in the RLS Field Name (replace it with the field name that relates to your row-level security).

[Image: structure of the permission dataset]

You can refer to the documentation for more details.

Regards,
Giri

Hi @Giridhar.Prabhu Thank you for jumping in!

I am not sure I fully understood, though.

  1. What data should I fill User Group with?
  2. RLS Field Name is where I list user names that need to be restricted?

Thank you @Giridhar.Prabhu

@gian Yes, you can create QuickSight Groups to manage users with different levels of access.

If you already have groups set up in QuickSight, you can directly reference those groups in your RLS permissions dataset. This way, you don’t need to manage individual user permissions manually.

For example:
Create Groups for Access Levels:
Group: Restricted_Users → For users with limited access.
Group: Unrestricted_Users → For users who need full access.

Reference video -

Let me know if that helps.

Thank you,
Shravya
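
As an added example (not part of any post in this thread and not QuickSight's own code), here is a small Python model of how the group-based permissions dataset described above resolves access. The sample CSV, group memberships, data rows and function names are constructed, and combining several matching rows as a union is an assumption of the model.

```python
import csv
import io

# Constructed permissions dataset: GroupName rules replace per-user rows.
# A blank Brand means "no restriction" for whoever the row matches.
PERMISSIONS_CSV = """UserName,GroupName,Brand
gian@test.com,,company_a
,Restricted_Users,company_b
,Unrestricted_Users,
"""

# Constructed group membership; in QuickSight this is managed in the account.
GROUPS = {
    "user1@test.com": {"Unrestricted_Users"},
    "user2@test.com": {"Restricted_Users"},
}

# Constructed data rows standing in for the protected dataset.
DATA = [
    {"Brand": "company_a", "Sales": 10},
    {"Brand": "company_b", "Sales": 20},
    {"Brand": "company_c", "Sales": 30},
]

ALL = "*"  # sentinel: the user is granted every value of Brand


def load_rules(text=PERMISSIONS_CSV):
    return list(csv.DictReader(io.StringIO(text)))


def allowed_brands(user, rules, groups=GROUPS):
    """Return ALL, or the set of Brand values the user may see.

    An empty set means the user matched no rule and sees no rows.
    Assumption: several matching rows are combined as a union.
    """
    brands = set()
    for rule in rules:
        by_user = rule["UserName"] == user
        by_group = rule["GroupName"] in groups.get(user, set())
        if by_user or by_group:
            if not rule["Brand"].strip():
                return ALL
            brands.add(rule["Brand"].strip())
    return brands


def visible_rows(user, rules, data=DATA):
    allowed = allowed_brands(user, rules)
    return [r for r in data if allowed == ALL or r["Brand"] in allowed]
```

A user who matches no row, such as a new invite not yet in either group, gets an empty result, so with this layout each new user needs a group assignment rather than a new row in the permissions dataset.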

@Giridhar.Prabhu @shravya
How do I create groups?
This page talks about IAM credentials, which I do not have. I have Admin permissions, though.

This other page shows a “Manage groups” screenshot, which I do not see.

What would be the solution here?

Hi @gian

As per the AWS QuickSight documentation, you need to have IAM credentials to create groups. You will see the Manage Groups page only when you log in with the IAM user account.

So, you need to get an IAM user account for your QuickSight admin work as I suppose you will be managing the groups and user > group assignment.

I had the same issue, and I moved to using an IAM account with Admin privileges and stopped using my QuickSight email-based admin account.

Admins with IAM credentials who have access to the Amazon QuickSight console can organize sets of users into groups that make it easier to manage access and security.

Regards,
Giri


@Giridhar.Prabhu Makes sense. Thank you for the info!
