Setting up QuickSight with support for multitenancy across different AWS Regions

Hello,

I would like to set up QuickSight with support for multitenancy across different AWS Regions, and I have some questions as to how best to approach this.

What we are trying to achieve with QuickSight

  1. Provide our clients with easy access to their data in as flat a structure as possible so that they can use it to build their own analysis, reports and dashboards
  2. For ourselves, to have a holistic view across all our clients from a single QuickSight account (preferably), allowing us to:
     • Easily manage individual namespaces without having to log into each to make changes
     • Create standardised assets (e.g. default analysis or dashboards) that we can deploy to selected/all namespaces (clients)
     • Be able to build analysis of our own using datasets from across different namespaces
       1. For creating billing invoices
       2. Building KPI metrics for different regions
       3. Being able to easily visualise and compare sales between different clients across different regions

Note: Each client is set up with their own individual RDS that will be used to read data from and ingest into SPICE. These RDS currently reside in the same AWS region to which the client belongs. Data from the RDS cannot be exported to a different region due to regional legislation. It may be viewed, but must not be stored in a different region.


With the above in mind, I have come up with 2 options to this problem.

Option 1:

The first option is to have a single Enterprise QuickSight account created in eu-west-2. As the account is created in eu-west-2, a Default namespace would be created for this region.

I would then create separate custom namespaces for each client and set up a data source and datasets for each namespace. Next, I would create local Authors and Readers for each namespace so that they have access only to the data source and datasets within their own namespace.

Questions:

  1. If a custom namespace is created for a different AWS region from which the Default namespace resides, is there SPICE capacity created in the same region as the custom namespace so that when data is ingested, it stays in the same region?
  2. Would I be required to create an Admin account in each namespace so that I can manage that namespace? (e.g. for adding/removing assets). Or will the Admin from the Default namespace have access to add/update/remove Analysis/Dashboards in other custom namespaces and across regions?
  3. Similar to above, will the Admin from the Default namespace be able to view and manage all users belonging to different namespaces and in different regions from within QuickSight Admin pages > Manage Users?

Option 2:

The second option is to have multiple Enterprise QuickSight accounts. One for each AWS region in which we have clients. This second approach is to guarantee that data is not exported outwith a region.

Questions:

  1. Is it possible to create multiple QuickSight accounts within a single AWS account?
  2. If separate QuickSight accounts are created, does that mean it will not be possible to visualise and compare sales data between different clients across different regions?

Any questions or feedback you may have on any of the above, or how you think I should set up QuickSight based on my needs, is greatly appreciated.

Thanks

Diagram of Option 2:

Let me know if these help.