Send "hidden" parameters for URL to open Panel in a browser

Scenario Description
We are trying to launch a QuickSight panel by using a URL call. To do this we are sending the parameters that the panel needs, following the AWS documentation for this purpose.
So far we have been successful at properly opening the QuickSight panel in a new browser with URL parameters, following the indications in the AWS documentation (Using parameters in a URL - Amazon QuickSight).

However, the problem we see is that the URL parameters are shown in the browser URL and an advanced user can change the parameter values, making the panel show different sets of data that do not match the intended set of data that should be shown.

Question
Is there a way that we can send parameters to the QuickSight panel but not as fragments after the hash sign in the URL?
Maybe using a POST method?
Maybe doing some kind of encryption or URL rewriting?
Maybe using some other mechanism provided by AWS that prevents the user from identifying the parameters and altering their original values?
If so, could you direct us to some code snippet or AWS documentation that illustrates how to use such an alternative method to send parameters to open a QuickSight panel in a browser?

Snippet of the code that we are using to successfully generate a URL with parameters to display the QuickSight panel:

import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.List;

import software.amazon.awssdk.services.quicksight.QuickSightClient;
import software.amazon.awssdk.services.quicksight.model.GenerateEmbedUrlForRegisteredUserRequest;
import software.amazon.awssdk.services.quicksight.model.GenerateEmbedUrlForRegisteredUserResponse;
import software.amazon.awssdk.services.quicksight.model.RegisteredUserDashboardEmbeddingConfiguration;
import software.amazon.awssdk.services.quicksight.model.RegisteredUserEmbeddingExperienceConfiguration;

// quickSightClient is a QuickSightClient field of the enclosing class;
// TenantContext is the application's own holder for the current tenant, entity and language.
// The "panel" is a QuickSight dashboard, so the AWS SDK v2 dashboard embedding types are used.
public String getQuicksightEmbedUrl(
        final String accountId,
        final String panelId,
        final List<String> allowedDomains,
        final String userArn,
        final String year
) throws Exception {
    // Experience to embed: the dashboard ("panel") identified by panelId.
    RegisteredUserDashboardEmbeddingConfiguration panelEmbeddingConfiguration =
            RegisteredUserDashboardEmbeddingConfiguration.builder()
                    .initialDashboardId(panelId)
                    .build();

    RegisteredUserEmbeddingExperienceConfiguration experienceConfiguration =
            RegisteredUserEmbeddingExperienceConfiguration.builder()
                    .dashboard(panelEmbeddingConfiguration)
                    .build();

    GenerateEmbedUrlForRegisteredUserRequest generateEmbedUrlForRegisteredUserRequest =
            GenerateEmbedUrlForRegisteredUserRequest.builder()
                    .awsAccountId(accountId)
                    .userArn(userArn)
                    .allowedDomains(allowedDomains)
                    .experienceConfiguration(experienceConfiguration)
                    .sessionLifetimeInMinutes(600L)
                    .build();

    GenerateEmbedUrlForRegisteredUserResponse generateEmbedUrlForRegisteredUserResult =
            quickSightClient.generateEmbedUrlForRegisteredUser(generateEmbedUrlForRegisteredUserRequest);

    String embedUrl = generateEmbedUrlForRegisteredUserResult.embedUrl();

    // Dashboard parameters are appended in the URL fragment ("#p.<name>=<value>").
    // The fragment stays in the browser and can be edited by whoever opens the URL.
    String langIsoCode = URLEncoder.encode(TenantContext.getCurrentLangKey(), StandardCharsets.UTF_8);
    String entityId = URLEncoder.encode(String.valueOf(TenantContext.getCurrentEntity()), StandardCharsets.UTF_8);
    String tenantUuid = URLEncoder.encode(TenantContext.getCurrentTenant().toString(), StandardCharsets.UTF_8);

    embedUrl += String.format(
            "#p.langIsoCode=%s&p.entityId=%s&p.tenantUuid=%s",
            langIsoCode, entityId, tenantUuid
    );

    return embedUrl;
}

Hi @Jlabuelo,

Are you trying to embed QuickSight into an application or open the non-embedded QuickSight console (UI) by opening a new browser tab?

If you want to embed the QuickSight, which your code seems to indicate, you can use the Amazon QuickSight Embedding SDK (JavaScript) to embed the console session URL that you’d generated in your website or application page. Check out the documentation to see step-by-step instructions.

The embedding SDK allows you to set parameters right from the beginning through the contentOptions, or to update parameters at any time by using the setParameters function.

Example for using the contentOptions (full example can be found in the SDK documentation):

const contentOptions = {
    parameters: [
        {
            Name: 'country',
            Values: ['United States'],
        },
        {
            Name: 'states',
            Values: ['California', 'Washington'],
        },
    ],
};

Example for using the setParameters function (more examples can be found in the SDK documentation):

embeddedExperience.setParameters([
    {
        Name: 'country',
        Values: ['United States'],
    },
    {
        Name: 'states',
        Values: ['California', 'Washington'],
    },
]);

If your concern about altering parameter values has to do with the fact that you want to restrict a user’s access to the dataset to a certain subset, you should be having a look at the row-level-security capability that QuickSight offers.

Did this answer your question? If so, please help the community out by marking this answer as "Solution"!

Hi, Thomas,

thank you for your reply.

Regarding your key first question, we are trying to open the non-embedded QuickSight console (UI) by opening a new browser tab (as a matter of fact we open a new browser instead of a tab in the same browser, so the user can easily check our application and the QuickSight console at the same time).

We provide a button in our application with the functionality of "Go to Quicksight". When the user clicks that button we successfully manage to build a URL that is opened in a new browser and shows the QuickSight dashboard filtered by the parameters we send with the URL. The generation of the URL was shown in the code that we included in our initial post.

Since the set of data that the Quicksight dashboard should display depends on the parameters passed in the URL, we don’t want the user to be able to change them in the URL. That’s why we have asked if there is a method to pass parameters to the dashboard different than as URL parameters.

Bear in mind that it is our backend that builds the embed URL with the proper parameters to open the QuickSight console with the dashboard filtered. The full workflow would be as follows:

  1. User clicks on a button "Go to Quicksight" so Analysis Data can be shown in a different browser
  2. When the user clicks the button, our application Frontend calls our application backend to generate the proper URL (parameters will be set depending on the area of our application where the user clicks the "Go to Quicksight" button and other business rules)
  3. Our backend generates the required URL and passes it to our application Frontend
  4. Our application Frontend opens a new browser with the QuickSight Dashboard, which contains data filtered according to the parameters passed on the URL.

Since we generate the URL in the backend we cannot use the Amazon QuickSight Embedding SDK. Are there other options for passing parameters in the AWS SDK that we use in the backend to generate the URL?

Thanks a lot!!!

Thanks for sharing the additional context.
For opening a non-embedded QuickSight console, you don't have to generate any embed URL. You can simply direct them to QuickSight using a URL pointing to the desired asset, like a dashboard, e.g. https://eu-west-1.quicksight.aws.amazon.com/sn/dashboards/<DASHBOARD-ID>. While you can append parameters to that URL, users could change them as they wish.

Parameters are not a mechanism to restrict access to the data that a user can see. To achieve that, you should have a look at the row-level-security (RLS) capability that QuickSight offers.

You mentioned that you are opening QuickSight in a new browser so that users can check your application and QuickSight at the same time. What most customers do instead in such cases is to embed QuickSight into their application, so that they have the insights from QuickSight right next to the content from their own application. Additionally, the embedding SDK allows you to build an advanced integration between the two, by adding callback functions, listening to events, or triggering certain actions or filtering from within your parent application. In such a case, your parameters or filters would also not be directly visible to the end user (but again, if it is all around security and restricting access to the dataset, please look at RLS).

Hi @Jlabuelo,
It's been a while since we last heard from you, did you have any additional questions regarding your initial post?

If we do not hear back within the next 3 business days, I’ll go ahead and close out this topic.

Thank you!

Hi @Jlabuelo,
Since we haven’t heard back, I’ll close out this topic. However, if you have any additional questions, feel free to create a new post in the community and link this discussion for relevant information if needed.

Thank you!

Hello again Thomas. Here we are back trying to find a right solution for our scenario.
Let me explain to you where we are so far. We have hired 6 QuickSight reader users. Also we have a DataSet that contains different information from 4 areas (North, South, East and West). Also we have designed a panel where this information is shown. So far we built a way to call a QuickSight URL using the login and password of each of these reader users from our CRM system.

First Problem → All users can access the panel but they also can see all data, so this is not the desired scenario, as we want users from North to see only data from “North area”…etc.

To try to solve this we included the parameters and variables in the URL, and we got a way to limit the data shown in the panel to the parameter included in the URL.

Second Problem → We have seen that as parameters are passed in the URL using the GET method this is not secure, as a user can simply change the value in the URL from Zone=North to Zone=South and get access to data not related to his area.

To try to solve this you suggested that we try to configure our panel and dataset with the "row-level-security" capability that QuickSight offers. We have configured the dataset and panel following the row-level-security documentation, but now we realize that to use this solution we need to hire Capacity, and the starting price is 250$/month for 500 sessions per month. The problem is that we have passed from a model where for 6 users we have an 18$/month bill with (in our understanding) no limit to the time you can use QuickSight, to a model limited in the number of times the panel can be accessed and where we need to take care of the time they use the panel so costs don't go up exaggeratedly.

We are reading in the AWS QuickSight documentation that Capacity plans are intended for a tool that would like to show information to thousands of non-registered users, and that can make sense for us. But we don't see that this should be the right approach for a case like this.

We are an organization with different levels of data access (workers, team leaders, managers...); as I said we are 6 users. What we would like to achieve is an easy way to share a panel where the data is shown but, depending on the user that accesses this panel, we must find a way so users can see only the data they must have access to. I think it must be a common situation for other customers.

Could you please share with us what your recommendation would be to build this scenario with 6 users and QuickSight?

Thanks a lot

Hi @jlabuelo,

Thanks for getting back to us regarding the issues that you are facing. I think my suggestion was slightly misunderstood, so let me clarify.

QuickSight offers row-level-security support for

Please have a look at the RLS approach that leverages user-based rules for your use case. This way you don’t have to switch to capacity pricing and can continue to leverage the user-based pricing option.

I hope this helps, but please let me know if the above opens up more/new questions.
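As an added illustration of the user-based RLS rules Thomas points to (this is not code from the thread or from QuickSight): a permissions dataset in the shape QuickSight expects for user-based rules, plus a small Python model that applies the rule semantics to constructed data so the permissions file can be sanity-checked before it is uploaded. The CSV contents, the user and group names, and the Zone/Revenue columns are all made up to match the North/South/East/West scenario from the thread. The semantics the model encodes (a blank cell means no restriction on that field, a comma-separated cell matches any of the listed values, a user with no applicable rule sees no rows, and a user covered by several rules sees the union) are an assumption based on my reading of the AWS RLS documentation and should be verified against the current docs. The point is the one the thread makes: the restriction is keyed to the authenticated QuickSight user, not to anything the browser can edit.

```python
"""Local model of QuickSight row-level security (RLS) with user-based rules.

Added example, not code from the thread or from QuickSight. The CSV data
is constructed; the rule semantics are an assumption based on the AWS RLS
documentation and are modelled here only so that a permissions file can be
sanity-checked before it is uploaded.
"""
import csv
import io

# Constructed permissions dataset. QuickSight expects UserName and/or
# GroupName columns plus one column per restricted field. A blank cell is
# "no restriction on this field"; a comma-separated cell matches any of
# the listed values (assumption: as documented by AWS).
PERMISSIONS_CSV = """UserName,GroupName,Zone
north.reader,,North
south.reader,,South
east.reader,,"East,West"
,managers,
"""

# Constructed rows standing in for the dashboard's dataset.
DATA_CSV = """Zone,Revenue
North,100
South,200
East,300
West,400
"""

RESERVED = {"UserName", "GroupName"}


def load_csv(text):
    """Parse an inline CSV string into a list of row dicts (values as str)."""
    return list(csv.DictReader(io.StringIO(text)))


def rule_applies(rule, user, groups):
    """A rule applies if its UserName is this user or its GroupName is one of the user's groups."""
    u = (rule.get("UserName") or "").strip()
    g = (rule.get("GroupName") or "").strip()
    return (u != "" and u == user) or (g != "" and g in groups)


def rule_matches_row(rule, row):
    """Every restricted field in the rule must match (AND); a blank field matches all rows."""
    for field, allowed in rule.items():
        if field in RESERVED:
            continue
        allowed = (allowed or "").strip()
        if allowed == "":
            continue
        if row.get(field) not in {v.strip() for v in allowed.split(",")}:
            return False
    return True


def visible_rows(user, groups, rules, rows):
    """Rows the user sees: union (OR) over applicable rules; no applicable rule means no rows."""
    applicable = [r for r in rules if rule_applies(r, user, groups)]
    if not applicable:
        return []  # user not listed in the permissions dataset: nothing is visible
    return [row for row in rows if any(rule_matches_row(r, row) for r in applicable)]


def visible_zones(user, groups=()):
    """Convenience: the Zone values the given user (and group memberships) can see."""
    rows = visible_rows(user, set(groups), load_csv(PERMISSIONS_CSV), load_csv(DATA_CSV))
    return sorted({r["Zone"] for r in rows})


def check_rules(rules, rows):
    """Lint a permissions dataset against the data it will guard.

    A misspelled field or value silently hides rows, and a rule with neither
    UserName nor GroupName applies to nobody, so both are reported here rather
    than discovered in the dashboard. Blank cells are intentional (all values).
    """
    problems = []
    fields = set(rows[0].keys()) if rows else set()
    for lineno, rule in enumerate(rules, start=2):  # line 1 of the CSV is the header
        if not (rule.get("UserName") or "").strip() and not (rule.get("GroupName") or "").strip():
            problems.append(f"line {lineno}: neither UserName nor GroupName set")
        for field, allowed in rule.items():
            if field in RESERVED:
                continue
            if field not in fields:
                problems.append(f"line {lineno}: field {field!r} is not in the data")
                continue
            allowed = (allowed or "").strip()
            if allowed == "":
                continue
            known = {row[field] for row in rows}
            for value in allowed.split(","):
                value = value.strip()
                if value not in known:
                    problems.append(f"line {lineno}: {field}={value!r} matches no row")
    return problems


if __name__ == "__main__":
    print("lint:", check_rules(load_csv(PERMISSIONS_CSV), load_csv(DATA_CSV)))
    for who, grp in [("north.reader", ()), ("east.reader", ()), ("nobody", ()), ("nobody", ("managers",))]:
        print(who, grp, "->", visible_zones(who, grp))
```

Run check_rules against the real data before uploading a permissions file: a typo such as "Nort" does not fail loudly in QuickSight, it just hides every row for that user, and a row with no UserName or GroupName applies to nobody. Whatever the model says, confirm the behaviour by logging in as each reader user once the dataset is attached, since the QuickSight engine, not this script, is what enforces the rules.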

Thanks a lot for the info Thomas. Will give it a try now with the user-based rules for registered users. Could you confirm whether or not we can use tag-based rules even for registered users?

Also one question please: where can we see some code examples of how to call the QuickSight panel from our system and open it in a new browser window now that we have applied user-based rules?

Thanks

Yes, as of now tag-based rules are only supported within the GenerateEmbedUrlForAnonymousUser API, but not within the GenerateEmbedUrlForRegisteredUser API. Hence, session tags can currently not be used for registered users.

Can you please elaborate a bit on how the second question differs from your question from earlier in this thread, which I tried to answer here? If I understood you right, you would not need any QuickSight-specific embedding code for that and simply use regular HTML or JavaScript code to have the provided link to the QuickSight console/dashboard opening in a new browser window.

Hello Thomas.
Thanks a lot once more for your answer. We have been able to configure a test scenario using RLS with user-based rules, and I have to say that it works fine for the tests we performed so far :-).

Now we are going to give it a try using the API GenerateEmbedUrlForRegisteredUser to see if we can get it to work and if it can help us to match our business need.

However I am getting a little bit confused with the QuickSight Editions and the user limitations. Please let me explain.

My understanding is that we need to stay in the QuickSight Enterprise edition to be able to use RLS user-based rules (please correct me if I am wrong).
After reading AWS docs and also some posts in this forum I am not able to get clear if:

  1. Can we use "Reader" users to use RLS user-based rules or do we need to use "Author" users?
  2. If we can use "Reader" users to get access to the panels having RLS user-based rules applied, is there any limitation in the number of sessions per month that each "Reader" user can access the panel? (I have seen in some posts in this forum that there is a total limitation of 500 sessions per month for all Reader users in a QuickSight account, however I don't know if that is official.)
  3. If such a limitation is true, does this limitation also apply to Author users?

I mean our idea is to use Reader users to get access to the panel, but if there is a limitation on the number of times per month they can access this panel, I don't know if that fits our business scenario.

Thanks a lot once more Thomas.