Understanding Namespaces, Groups, Users and Shared Folder in Amazon QuickSight

Amazon QuickSight Enterprise edition supports multi-tenancy through namespaces. A QuickSight namespace is a logical container to organize clients, subsidiaries, teams, and so on. This means that multiple tenants, or independent organizations, can share the same QuickSight instance while still keeping their data and assets separate and secure.

By using a namespace, you can isolate the Amazon QuickSight users and groups that are registered for that namespace. Users that access the namespace can share assets only with other users or groups in the same namespace.

Terminology and Concepts

AWS Account: You can securely isolate groups and users to support diverse workloads without adding more AWS accounts. Access to data is still strictly controlled by AWS security features: users can see assets (such as data and dashboards) only if they have the correct resource permissions.

Namespace: A way to organize groups and users within a single AWS account, so that different teams or departments can work with their own data and assignments and manage access to those assets. By creating a namespace, an administrator can invite other users to join and assign them different roles and permissions. Namespaces are designed to span AWS Regions, so the containment does not change even if a user signs in to a different AWS Region. All namespace assets are managed through API/CLI calls.

Region: The initial Region chosen during QuickSight account signup is the default home Region; it is used to manage the default namespace, groups and users through the QuickSight Manage Admin Console. The default namespace, custom namespaces, groups and users are shared across Regions.

SPICE Capacity: SPICE (Super-fast, Parallel, In-memory Calculation Engine) is the in-memory engine that QuickSight uses to store data. SPICE capacity is allocated separately per AWS Region.

Assets: Data sources, datasets, analyses and dashboards, which exist outside of any namespace. They are visible only to users who have been granted permissions on them within their namespace. Assets are not available across Regions and must be recreated or ported using the API/CLI. Assets can be shared with users across several namespaces using the API/CLI; assets shared via the Console/UI can only be shared with users and groups in the same namespace.

RLS: Row-level security (RLS) uses user-based rules to restrict access to certain rows within a dataset. Row-level security works only for fields containing textual data (string, char, varchar, and so on).

Here is a visual illustration of the namespace scope:

Namespaces currently have the following limitations:

  • Namespaces are only accessible to federated single sign-on users. Use the default namespace instead of custom namespaces if you need to support the following:
      • Password-based logins
      • Active Directory SSO logins
  • Users cannot be transferred from one namespace to another. Moving a user requires creating a new user in the target namespace and replicating the asset permissions; this task can be automated using the API/CLI.
  • By default, there is a limit of 100 namespaces per AWS account. To increase your limit, create a ticket with AWS Support.

When do I use Namespaces and Shared Folders?

Namespaces become more important in an embedded multitenant deployment, specifically when embedding the console experience so that tenant authors can create and share their own custom dashboards with other users in the same tenant. The namespace prevents tenants from seeing, or accidentally sharing assets with, users from other tenants.

Since assets such as datasets can be shared to users across namespaces using the API/CLI, we can still create a single dataset which has RLS applied, and users in different namespaces can leverage this dataset (either when creating a new analysis/dashboard, or viewing an existing dashboard which uses that dataset) while still filtering the data appropriately for the user. This reduces the need to create and maintain separate datasets for each tenant. For more information, see Row Level Security (RLS) with Namespaces.
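The paragraph above relies on one RLS-protected dataset serving users from several namespaces. The following model, added here as an illustration and not QuickSight's own code, shows how a user-based RLS rules dataset narrows a dataset for one user: a rules table with UserName and/or GroupName columns, the remaining columns named after dataset fields, a blank cell meaning "all values", a comma-separated cell meaning "any of these values", rules for the user and for the user's groups combined with OR, and a user with no matching rule seeing no rows. Writing users and groups as "namespace/name" so that one rules table can serve several namespaces is an assumption made for this example, and the rules and data rows are constructed.

```python
"""Model of how a QuickSight row-level-security (RLS) rules dataset filters a
dataset for one user.  Added example, not QuickSight's own code.  The
"<namespace>/<name>" form for users and groups is an assumption for this
example; the rules and data rows are constructed."""

# Constructed rules dataset: one rule per row.
RLS_RULES = [
    {"UserName": "namespace-1/USER-D", "GroupName": "", "region": "EMEA", "segment": ""},
    {"UserName": "", "GroupName": "namespace-2/Group-6", "region": "APAC", "segment": "Retail,Wholesale"},
    {"UserName": "default/USER-A", "GroupName": "", "region": "", "segment": ""},  # all blank: sees every row
]

# Constructed business data.  "revenue" is numeric on purpose: RLS rules may
# only reference textual fields, and the model rejects a rule that tries.
DATA_ROWS = [
    {"region": "EMEA", "segment": "Retail", "revenue": 120},
    {"region": "EMEA", "segment": "Wholesale", "revenue": 80},
    {"region": "APAC", "segment": "Retail", "revenue": 95},
    {"region": "APAC", "segment": "Public", "revenue": 40},
    {"region": "AMER", "segment": "Retail", "revenue": 200},
]

PRINCIPAL_COLUMNS = ("UserName", "GroupName")


def rules_for(rules, user, groups=()):
    """Rules that apply to this user directly or through one of their groups."""
    groups = set(groups)
    return [r for r in rules
            if r.get("UserName") == user or r.get("GroupName") in groups]


def rule_matches_row(rule, row):
    """True when every non-blank field constraint in the rule is satisfied."""
    for column, cell in rule.items():
        if column in PRINCIPAL_COLUMNS or cell == "":
            continue                      # blank cell: no restriction on this field
        value = row.get(column)
        if not isinstance(value, str):
            raise TypeError(f"RLS rule on non-textual field {column!r}: {value!r}")
        allowed = {v.strip() for v in cell.split(",")}
        if value not in allowed:
            return False
    return True


def filter_rows(rules, rows, user, groups=()):
    """Rows the user may see: the union of the rows permitted by each applicable rule."""
    applicable = rules_for(rules, user, groups)
    if not applicable:
        return []                         # no rule at all: nothing is visible
    return [row for row in rows if any(rule_matches_row(r, row) for r in applicable)]


if __name__ == "__main__":
    for user, groups in [("namespace-1/USER-D", ()),
                         ("namespace-2/USER-I", ("namespace-2/Group-6",)),
                         ("default/USER-A", ()),
                         ("namespace-2/USER-Z", ())]:
        visible = filter_rows(RLS_RULES, DATA_ROWS, user, groups)
        print(f"{user:<22} sees {len(visible)} of {len(DATA_ROWS)} rows")
```

The last case (a user with no rule) is the one to keep in mind when onboarding a new tenant namespace: until a rule row exists for that tenant's users or groups, they see an empty dataset rather than everything, which is the safe default.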

Shared folders, on the other hand, allow users to share specific QuickSight assets, such as dashboards, analyses, and datasets, with other users and groups. Shared folders provide a flexible and secure way for teams to collaborate and share insights. The folder owner or an Admin controls the permissions of the users who are granted access, such as read-only or full access. For more information, see Organize and share your content with folders in Amazon QuickSight.

Namespaces and shared folders can be used separately or together. The key difference is that namespaces limit the sharing of assets to within the namespace, whereas shared folders facilitate sharing a set of assets with different users or groups. Generally, namespaces suit multitenant deployments (particularly embedded QuickSight authoring), and shared folders simplify asset permissions by applying them at the folder level rather than asset by asset.

When deciding whether to use namespaces or shared folders, it's important to consider the specific needs of your organization. If your organization has multiple teams that should never share assets with one another, namespaces are appropriate. If you need to organize assets for sharing at scale, shared folders are useful.
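Because the API/CLI can grant an asset to a principal in any namespace, the namespace boundary is only as strong as the grants that have accumulated on each asset. The following audit is an added example, not AWS or QuickSight tooling: it reads the JSON that `aws quicksight describe-dashboard-permissions` and `describe-folder-permissions` return (a "Permissions" list of {"Principal": ARN, "Actions": [...]}) and reports every principal whose namespace is not the asset's home namespace, noting whether the grant also carries write or re-share rights. The permission documents, the account id 111122223333 and the region are constructed for the example; the folder actions are those used in the test script below, and the dashboard write actions are the corresponding QuickSight dashboard actions.

```python
"""Detect QuickSight grants that cross a namespace boundary.  Added example,
not AWS or QuickSight tooling.  Account id, region and permission documents
are constructed."""
import json

# Actions that let a principal change the asset or share it onward.
WRITE_ACTIONS = {
    "quicksight:UpdateDashboard", "quicksight:DeleteDashboard",
    "quicksight:UpdateDashboardPermissions", "quicksight:UpdateDashboardPublishedVersion",
    "quicksight:UpdateFolder", "quicksight:DeleteFolder",
    "quicksight:CreateFolderMembership", "quicksight:DeleteFolderMembership",
    "quicksight:UpdateFolderPermissions",
}

# Constructed describe-folder-permissions output for a folder that belongs to
# namespace-1 but has picked up a read grant for a namespace-2 group.
FOLDER_A_PERMISSIONS = json.loads("""{
  "Status": 200,
  "FolderId": "516281-Shared-Folder-A",
  "Permissions": [
    {"Principal": "arn:aws:quicksight:us-east-1:111122223333:user/namespace-1/USER-D",
     "Actions": ["quicksight:CreateFolder", "quicksight:DescribeFolder", "quicksight:UpdateFolder",
                 "quicksight:DeleteFolder", "quicksight:CreateFolderMembership",
                 "quicksight:DeleteFolderMembership", "quicksight:DescribeFolderPermissions",
                 "quicksight:UpdateFolderPermissions"]},
    {"Principal": "arn:aws:quicksight:us-east-1:111122223333:group/namespace-1/Group-4",
     "Actions": ["quicksight:DescribeFolder"]},
    {"Principal": "arn:aws:quicksight:us-east-1:111122223333:group/namespace-2/Group-6",
     "Actions": ["quicksight:DescribeFolder"]}
  ]
}""")

# Constructed describe-dashboard-permissions output for a dashboard owned in
# the default namespace; one cross-namespace grant can re-share the dashboard.
DASHBOARD_PERMISSIONS = json.loads("""{
  "Status": 200,
  "DashboardId": "123a6402-7c8e-4e50-8142-52a5bc46f4f4",
  "Permissions": [
    {"Principal": "arn:aws:quicksight:us-east-1:111122223333:user/default/USER-A",
     "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard",
                 "quicksight:ListDashboardVersions", "quicksight:UpdateDashboard",
                 "quicksight:DeleteDashboard", "quicksight:DescribeDashboardPermissions",
                 "quicksight:UpdateDashboardPermissions", "quicksight:UpdateDashboardPublishedVersion"]},
    {"Principal": "arn:aws:quicksight:us-east-1:111122223333:user/namespace-1/USER-D",
     "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard",
                 "quicksight:ListDashboardVersions"]},
    {"Principal": "arn:aws:quicksight:us-east-1:111122223333:user/namespace-2/USER-K",
     "Actions": ["quicksight:DescribeDashboard", "quicksight:QueryDashboard",
                 "quicksight:ListDashboardVersions", "quicksight:UpdateDashboardPermissions"]}
  ]
}""")


def parse_principal(arn):
    """Split arn:aws:quicksight:<region>:<account>:<user|group>/<namespace>/<name>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "quicksight":
        raise ValueError(f"not a QuickSight principal ARN: {arn}")
    try:
        kind, namespace, name = parts[5].split("/", 2)
    except ValueError:
        raise ValueError(f"unexpected principal resource in {arn}") from None
    if kind not in ("user", "group"):
        raise ValueError(f"unsupported principal type {kind!r} in {arn}")
    return {"kind": kind, "namespace": namespace, "name": name, "account": parts[4]}


def audit_permissions(doc, home_namespace, account_id):
    """Return one finding per grant whose principal lies outside the home namespace or account."""
    findings = []
    for grant in doc.get("Permissions", []):
        p = parse_principal(grant["Principal"])
        actions = set(grant.get("Actions", []))
        reasons = []
        if p["account"] != account_id:
            reasons.append("cross-account")
        if p["namespace"] != home_namespace:
            reasons.append("cross-namespace")
        if reasons:
            findings.append({
                "principal": f"{p['kind']}/{p['namespace']}/{p['name']}",
                "reasons": reasons,
                "can_modify_or_reshare": bool(actions & WRITE_ACTIONS),
            })
    return findings


if __name__ == "__main__":
    for label, doc, home in [("Shared Folder-A", FOLDER_A_PERMISSIONS, "namespace-1"),
                             ("Dashboard-A", DASHBOARD_PERMISSIONS, "default")]:
        for f in audit_permissions(doc, home, "111122223333"):
            flag = "WRITE" if f["can_modify_or_reshare"] else "read"
            print(f"{label}: {f['principal']} ({', '.join(f['reasons'])}, {flag})")
```

A cross-namespace grant that carries only Describe/Query actions is a deliberate sharing decision to confirm with the asset owner; one that carries UpdateDashboardPermissions or UpdateFolderPermissions lets the other tenant extend the sharing further, so it deserves to be treated as a finding in its own right.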

Overall, both namespaces and shared folders are important features that can help make QuickSight more efficient and effective. By using these features to organize and share resources, QuickSight users can more easily find the data they need and create compelling visualizations that drive business insights.

Console/User Interface, Command Line Interface and Application Program Interface

| Function | Role | Console/UI | CLI | API | Authentication |
| --- | --- | --- | --- | --- | --- |
| Create User | ADMIN | Yes (IAM & QuickSight with Password only) | Yes | Yes | IAM, QuickSight SSO Login & QuickSight with Password |
| Update User | ADMIN | Yes | Yes | Yes | * |
| Create Group | ADMIN | Yes | Yes | Yes | * |
| Create Group Membership | ADMIN | Yes | Yes | Yes | * |
| Create Namespace | ADMIN | No | Yes | Yes | IAM, QuickSight SSO Login |
| Register User with Namespace | ADMIN | No | Yes | Yes | IAM, QuickSight SSO Login |
| Create Namespace Group | ADMIN | No | Yes | Yes | IAM, QuickSight SSO Login |
| Create Namespace Group Membership | ADMIN | No | Yes | Yes | IAM, QuickSight SSO Login |
| Create Shared Folder | ADMIN/AUTHOR | Yes | Yes | Yes | * |
| Create Shared Folder Membership | ADMIN/AUTHOR | Yes | Yes | Yes | * |
| Update Shared Folder Permission | ADMIN/AUTHOR | Yes | Yes | Yes | * |

Below are the test script and the scenario test cases.

Test Script

Default Namespace Users

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-A --aws-account-id ############ --namespace 'default' --email 'name@email.com' --user-role ADMIN

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-B --aws-account-id ############ --namespace 'default' --email 'name@email.com' --user-role AUTHOR

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-C --aws-account-id ############ --namespace 'default' --email 'name@email.com' --user-role READER

Default Namespace Groups

aws quicksight create-group --group-name 'Group-1' --description 'Group 1 Default' --aws-account-id ############ --namespace 'default'

aws quicksight create-group --group-name 'Group-2' --description 'Group 2 Default' --aws-account-id ############ --namespace 'default'

aws quicksight create-group --group-name 'Group-3' --description 'Group 3 Default' --aws-account-id ############ --namespace 'default'

Adding Users to Groups 1, 2 and 3 in the Default Namespace

aws quicksight create-group-membership --member-name 'USER-A' --group-name 'Group-1' --aws-account-id ############ --namespace 'default'

aws quicksight create-group-membership --member-name 'USER-B' --group-name 'Group-2' --aws-account-id ############ --namespace 'default'

aws quicksight create-group-membership --member-name 'USER-C' --group-name 'Group-3' --aws-account-id ############ --namespace 'default'

Step 1: Create Two Namespaces

aws quicksight create-namespace --aws-account-id ############ --namespace 'namespace-1' --identity-store QUICKSIGHT

aws quicksight create-namespace --aws-account-id ############ --namespace 'namespace-2' --identity-store QUICKSIGHT

Describe the Two Namespaces

aws quicksight describe-namespace --aws-account-id ############ --namespace 'namespace-1'

aws quicksight describe-namespace --aws-account-id ############ --namespace 'namespace-2'

Step 2: Create Groups in Namespace 1

aws quicksight create-group --group-name 'Group-4' --description 'Group 1 Namespace 1' --aws-account-id ############ --namespace 'namespace-1'

aws quicksight create-group --group-name 'Group-5' --description 'Group 2 Namespace 1' --aws-account-id ############ --namespace 'namespace-1'

Step 3: Register Users in Namespace 1 for Group 4

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-D --aws-account-id ############ --namespace 'namespace-1' --email 'name@email.com' --user-role ADMIN

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-E --aws-account-id ############ --namespace 'namespace-1' --email 'name@email.com' --user-role READER

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-F --aws-account-id ############ --namespace 'namespace-1' --email 'name@email.com' --user-role READER

Step 4: Register Users in Namespace 1 for Group 5

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-G --aws-account-id ############ --namespace 'namespace-1' --email 'name@email.com' --user-role AUTHOR

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-H --aws-account-id ############ --namespace 'namespace-1' --email 'name@email.com' --user-role READER

Step 5: Add Users to Group 4 in Namespace 1

aws quicksight create-group-membership --member-name 'USER-D' --group-name 'Group-4' --aws-account-id ############ --namespace 'namespace-1'

aws quicksight create-group-membership --member-name 'USER-E' --group-name 'Group-4' --aws-account-id ############ --namespace 'namespace-1'

aws quicksight create-group-membership --member-name 'USER-F' --group-name 'Group-4' --aws-account-id ############ --namespace 'namespace-1'

Step 6: Add Users to Group 5 in Namespace 1

aws quicksight create-group-membership --member-name 'USER-G' --group-name 'Group-5' --aws-account-id ############ --namespace 'namespace-1'

aws quicksight create-group-membership --member-name 'USER-H' --group-name 'Group-5' --aws-account-id ############ --namespace 'namespace-1'

Step 7: Create Groups in Namespace 2

aws quicksight create-group --group-name 'Group-6' --description 'Group 6 Namespace 2' --aws-account-id ############ --namespace 'namespace-2'

aws quicksight create-group --group-name 'Group-7' --description 'Group 7 Namespace 2' --aws-account-id ############ --namespace 'namespace-2'

Step 8: Register Users in Namespace 2

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-I --aws-account-id ############ --namespace 'namespace-2' --email 'name@email.com' --user-role READER

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-J --aws-account-id ############ --namespace 'namespace-2' --email 'name@email.com' --user-role READER

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-K --aws-account-id ############ --namespace 'namespace-2' --email 'name@email.com' --user-role ADMIN

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-L --aws-account-id ############ --namespace 'namespace-2' --email 'name@email.com' --user-role READER

aws quicksight register-user --identity-type IAM --iam-arn arn:aws:iam::############:user/USER-M --aws-account-id ############ --namespace 'namespace-2' --email 'name@email.com' --user-role READER

Step 9: Add Users to Group 6 in Namespace 2

aws quicksight create-group-membership --member-name 'USER-I' --group-name 'Group-6' --aws-account-id ############ --namespace 'namespace-2'

aws quicksight create-group-membership --member-name 'USER-J' --group-name 'Group-6' --aws-account-id ############ --namespace 'namespace-2'

aws quicksight create-group-membership --member-name 'USER-K' --group-name 'Group-6' --aws-account-id ############ --namespace 'namespace-2'

Step 10: Add Users to Group 7 in Namespace 2 (group names cannot contain spaces)

aws quicksight create-group-membership --member-name 'USER-K' --group-name 'Group-7' --aws-account-id ############ --namespace 'namespace-2'

aws quicksight create-group-membership --member-name 'USER-L' --group-name 'Group-7' --aws-account-id ############ --namespace 'namespace-2'

aws quicksight create-group-membership --member-name 'USER-M' --group-name 'Group-7' --aws-account-id ############ --namespace 'namespace-2'

Scenario Test Case

Scenario 1: In the default namespace, USER-A from Group-1 shares a dashboard with USER-D in namespace-1

aws quicksight update-dashboard-permissions --aws-account-id ############ --dashboard-id '123a6402-7c8e-4e50-8142-52a5bc46f4f4' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:user/namespace-1/USER-D',Actions='quicksight:DescribeDashboard,quicksight:QueryDashboard,quicksight:ListDashboardVersions'

Scenario 2: USER-A shares the dashboard with Group-4 in namespace-1

aws quicksight update-dashboard-permissions --aws-account-id ############ --dashboard-id '123a6402-7c8e-4e50-8142-52a5bc46f4f4' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:group/namespace-1/Group-4',Actions='quicksight:DescribeDashboard,quicksight:QueryDashboard,quicksight:ListDashboardVersions'

Scenario 3: Create Shared Folder-A

aws quicksight create-folder --aws-account-id ############ --folder-id '516281-Shared-Folder-A' --name 'Shared Folder-A'

Scenario 4: Grant full permission on Shared Folder-A to USER-D in namespace-1

aws quicksight update-folder-permissions --aws-account-id ############ --folder-id '516281-Shared-Folder-A' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:user/namespace-1/USER-D',Actions='quicksight:CreateFolder,quicksight:DescribeFolder,quicksight:UpdateFolder,quicksight:DeleteFolder,quicksight:CreateFolderMembership,quicksight:DeleteFolderMembership,quicksight:DescribeFolderPermissions,quicksight:UpdateFolderPermissions'

Scenario 5: Assign Dashboard-A to Shared Folder-A

aws quicksight create-folder-membership --aws-account-id ############ --folder-id '516281-Shared-Folder-A' --member-id '123a6402-7c8e-4e50-8142-52a5bc46f4f4' --member-type DASHBOARD

Scenario 5: Grant read-only permission on Shared Folder-A to Group-4 and Group-5 in namespace-1

aws quicksight update-folder-permissions --aws-account-id ############ --folder-id '516281-Shared-Folder-A' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:group/namespace-1/Group-4',Actions='quicksight:DescribeFolder'

aws quicksight update-folder-permissions --aws-account-id ############ --folder-id '516281-Shared-Folder-A' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:group/namespace-1/Group-5',Actions='quicksight:DescribeFolder'

Scenario 6: USER-A shares Dashboard-A with USER-K in namespace-2

aws quicksight update-dashboard-permissions --aws-account-id ############ --dashboard-id '123a6402-7c8e-4e50-8142-52a5bc46f4f4' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:user/namespace-2/USER-K',Actions='quicksight:DescribeDashboard,quicksight:QueryDashboard,quicksight:ListDashboardVersions'

Scenario 7: In namespace-1, USER-D developed Dashboard-B and shares it with USER-K in namespace-2

aws quicksight update-dashboard-permissions --aws-account-id ############ --dashboard-id 'bbfc50ef-95af-4407-a7cb-b8adc1df7802' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:user/namespace-2/USER-K',Actions='quicksight:DescribeDashboard,quicksight:QueryDashboard,quicksight:ListDashboardVersions' --region 'us-west-2'

Scenario 8: Create Shared Folder-B

aws quicksight create-folder --aws-account-id ############ --folder-id '516281-Shared-Folder-B' --name 'Shared Folder-B'

Scenario 9: Grant full permission on Shared Folder-B to USER-K in namespace-2

aws quicksight update-folder-permissions --aws-account-id ############ --folder-id '516281-Shared-Folder-B' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:user/namespace-2/USER-K',Actions='quicksight:CreateFolder,quicksight:DescribeFolder,quicksight:UpdateFolder,quicksight:DeleteFolder,quicksight:CreateFolderMembership,quicksight:DeleteFolderMembership,quicksight:DescribeFolderPermissions,quicksight:UpdateFolderPermissions'

Scenario 10: Assign Dashboard-B to Shared Folder-B

aws quicksight create-folder-membership --aws-account-id ############ --folder-id '516281-Shared-Folder-B' --member-id 'bbfc50ef-95af-4407-a7cb-b8adc1df7802' --member-type DASHBOARD

Scenario 11: Grant read-only permission on Shared Folder-B to Group-6 and Group-7 in namespace-2

aws quicksight update-folder-permissions --aws-account-id ############ --folder-id '516281-Shared-Folder-B' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:group/namespace-2/Group-6',Actions='quicksight:DescribeFolder'

aws quicksight update-folder-permissions --aws-account-id ############ --folder-id '516281-Shared-Folder-B' --grant-permissions Principal='arn:aws:quicksight:us-east-1:############:group/namespace-2/Group-7',Actions='quicksight:DescribeFolder'
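The scenarios above show that update-folder-permissions and update-dashboard-permissions will happily grant to a principal in any namespace, so the isolation a shared folder is supposed to keep has to be enforced before the command runs. The following planner is an added example, not part of the post's test script or of AWS tooling: each shared folder is assigned a home namespace, a grant to a principal from another namespace is rejected unless it is explicitly approved as a cross-namespace exception, and an approved grant becomes an argv list for the AWS CLI so that no shell parses it (the read-only and full action sets are the ones from Scenarios 4 and 5, and the group-name check reflects the note in Step 10 that group names cannot contain spaces). The account id 111122223333, the region, the folder inventory and the principals are constructed for the example.

```python
"""Plan QuickSight folder grants against a namespace-isolation policy before
running them.  Added example, not the post's test script or AWS tooling.
Account id, region, folder inventory and principals are constructed."""
import re
import shlex
import subprocess

# Action sets taken from the post's Scenario 4 and Scenario 5 commands.
FOLDER_READ_ONLY = ("quicksight:DescribeFolder",)
FOLDER_FULL = ("quicksight:CreateFolder", "quicksight:DescribeFolder", "quicksight:UpdateFolder",
               "quicksight:DeleteFolder", "quicksight:CreateFolderMembership",
               "quicksight:DeleteFolderMembership", "quicksight:DescribeFolderPermissions",
               "quicksight:UpdateFolderPermissions")

ACCOUNT_ID = "111122223333"           # constructed placeholder
REGION = "us-east-1"
NAME_RE = re.compile(r"^[^\s/]+$")    # no whitespace, no '/', so the ARN stays well-formed

# Constructed inventory: the namespace each shared folder belongs to.
FOLDER_HOME = {
    "516281-Shared-Folder-A": "namespace-1",
    "516281-Shared-Folder-B": "namespace-2",
}


def principal_arn(kind, namespace, name, account=ACCOUNT_ID, region=REGION):
    """Build arn:aws:quicksight:<region>:<account>:<user|group>/<namespace>/<name>."""
    if kind not in ("user", "group"):
        raise ValueError(f"principal kind must be user or group, got {kind!r}")
    for label, value in (("namespace", namespace), ("name", name)):
        if not NAME_RE.match(value):
            raise ValueError(f"{label} {value!r} contains whitespace or '/'")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"account id must be 12 digits, got {account!r}")
    return f"arn:aws:quicksight:{region}:{account}:{kind}/{namespace}/{name}"


def plan_folder_grant(folder_id, kind, namespace, name, actions, cross_namespace_approved=False):
    """Return the argv for update-folder-permissions, or refuse a grant that leaves the home namespace."""
    home = FOLDER_HOME[folder_id]         # unknown folder: KeyError, nothing is planned
    if namespace != home and not cross_namespace_approved:
        raise PermissionError(
            f"{kind} {namespace}/{name} is outside the home namespace {home} of {folder_id}")
    grant = f"Principal={principal_arn(kind, namespace, name)},Actions={','.join(actions)}"
    return ["aws", "quicksight", "update-folder-permissions",
            "--aws-account-id", ACCOUNT_ID,
            "--folder-id", folder_id,
            "--grant-permissions", grant]


def run(argv, execute=False):
    """Print the exact command; execute it only when explicitly asked.  Returns True if run."""
    print(shlex.join(argv))
    if execute:
        subprocess.run(argv, check=True)
        return True
    return False


if __name__ == "__main__":
    # Scenario 5 as intended: read-only for the namespace-1 groups.
    for group in ("Group-4", "Group-5"):
        run(plan_folder_grant("516281-Shared-Folder-A", "group", "namespace-1", group, FOLDER_READ_ONLY))
    # The same grant to a namespace-2 group is refused unless someone approves the exception.
    try:
        plan_folder_grant("516281-Shared-Folder-A", "group", "namespace-2", "Group-6", FOLDER_READ_ONLY)
    except PermissionError as err:
        print("refused:", err)
```

Passing execute=True is the only path that reaches the AWS CLI, and it receives the argv list directly, so quoting is never interpreted by a shell; the printed shlex.join form is safe to paste into a terminal if the command needs to be reviewed or run by hand.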

Related References:

Amazon QuickSight Learning Series: User Management, Groups and Namespaces

Namespace Operations

Supporting Multitenancy with Isolated Namespaces

Shared Folder Operations

Authors: Dr. Alexander Peter, and Douglas Bergquist
Editors: Jesse Gebhardt, Srikanth Baheti, and Arun Sathosh
Illustration: Douglas Bergquist


How would we attach an IAM role to a QS Group for federated users to be automatically mapped to once account SSO has been established, or on first log-in?

@pagekevi Hope these links help – please let me know if you need further guidance.

  • IAM policy examples for Amazon QuickSight - Amazon QuickSight - click here
  • Using identity federation and single sign-on with Amazon QuickSight - Amazon QuickSight - click here