Use of QuickSight namespaces for multi-tenancy with IAM Identity Center

I would like to use QuickSight namespaces in a single AWS account to separate customer end users and resources so they are isolated from each other to support a multi-tenancy environment.

Today, we use AWS IAM Identity Center (SSO), integrated with QuickSight, to automatically register a QuickSight Reader account under the default namespace when creating a new user.

We would like to use IAM Identity Center to create users for different customers using a different QuickSight namespace per customer. Is there a way to pass in the namespace attribute when creating the user in IAM Identity Center so that it invokes RegisterUser with the specified namespace? If not, is there a reasonable workaround to continue managing users in IAM Identity Center and then manually changing the namespace for the QuickSight user created by IAM Identity Center?

@koxley Thanks for your question. If you don’t get a reply soon from one of our community members, we’ll reach out to our internal experts on Tuesday to see if we can get a reply for you.

Hope you had a great weekend!

Hi @koxley,

At a high level, I assume the following is your workflow today:

1. You create the user in IAM Identity Center and provide access to the QuickSight application.
2. The user logs into the SSO link and clicks on the QuickSight application.
3. If email sync is not enabled, the user has to provide their email address.
4. This creates the QuickSight user.

QuickSight just-in-time user provisioning (Provisioning users for Amazon QuickSight - Amazon QuickSight) works only for the default namespace.

With custom namespaces, at the time of creating users in IAM Identity Center who will access QuickSight, you also have to pre-register the user in QuickSight using the RegisterUser API (RegisterUser - Amazon QuickSight) in the required namespace.

The user will then see the assets shared within that specific namespace when they access QuickSight by federating through the SSO link.

Kind regards,
Koushik

Hi @koxley,

In addition to what Koushik replied, IAM Identity Center generates a SCIM event when the user is created. You can probably use an event trigger to register the user in the underlying namespace in QuickSight. I am attaching the blog related to it.

Kind regards,
Wakana

Thanks for all of the responses.
Today, we use AWS IAM Identity Center (SSO), integrated with QuickSight, to automatically register a QuickSight Reader account under the default QuickSight namespace when creating a new user through the IAM Identity Center console. This happens implicitly when creating an IAM Identity Center user.

Based on your suggestion, I believe what I want to happen now is to use the CreateUser SCIM event referenced in the blog to invoke RegisterUser using the appropriate namespace. I'd like to derive the namespace from the IAM Identity Center group name selected when creating the Identity Center user through the IAM Identity Center console (for my requirements, the group name could be equal to the namespace).

A follow-up question: how do I logically replace the implicit RegisterUser (using the default namespace) done through the IAM Identity Center and QuickSight integration with a new RegisterUser invoked with a non-default namespace via the CreateUser SCIM event?

Thanks,
Kevin
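
One way to wire up the plan described in the post above, as an added example that is not code from this thread, from AWS, or from the referenced blog: a handler for the Identity Center CreateUser event that derives the tenant namespace from a `tenant-<namespace>` group (an assumed naming convention), refuses anything other than exactly one already-provisioned namespace so a mis-grouped user can never be dropped into the default namespace or another tenant's, and builds the RegisterUser parameters. The CloudTrail field names in the constructed event, the group convention and the `IdentityType` value are assumptions to check against your own events and the RegisterUser documentation.

```python
import re

# Assumed convention: one Identity Center group per tenant, named "tenant-<namespace>".
TENANT_GROUP_PREFIX = "tenant-"
# Conservative namespace syntax check; tighten it to your own naming scheme.
NAMESPACE_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def derive_namespace(group_names, known_namespaces):
    """Map a user's group names to exactly one existing tenant namespace.

    Raise on zero or several tenant groups, or on a namespace that is not
    provisioned: never fall back to 'default', or the user ends up able to
    see assets shared outside their tenant.
    """
    candidates = {g[len(TENANT_GROUP_PREFIX):] for g in group_names
                  if g.startswith(TENANT_GROUP_PREFIX)}
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one tenant group, got {sorted(candidates)}")
    ns = candidates.pop()
    if not NAMESPACE_RE.match(ns) or ns not in known_namespaces:
        raise ValueError(f"namespace {ns!r} is not a provisioned tenant namespace")
    return ns


def build_register_user_params(account_id, user_name, email, namespace):
    """Keyword arguments for quicksight.register_user (the IdentityType used
    for Identity Center users is assumed; confirm it against the RegisterUser docs)."""
    return {"AwsAccountId": account_id, "Namespace": namespace,
            "IdentityType": "IAM_IDENTITY_CENTER", "UserName": user_name,
            "Email": email, "UserRole": "READER"}


def handle_create_user_event(event, account_id, known_namespaces, list_groups, register_user):
    """Handler body for the SCIM CreateUser event. The event layout approximates the
    CloudTrail record (field names assumed). list_groups(user_name) and
    register_user(**params) are injected so the logic runs without AWS access."""
    detail = event.get("detail", {})
    if (detail.get("eventSource") != "sso-directory.amazonaws.com"
            or detail.get("eventName") != "CreateUser"):
        return None  # not the event this handler is responsible for
    user = detail["responseElements"]["user"]  # assumed location of the new user
    namespace = derive_namespace(list_groups(user["userName"]), known_namespaces)
    params = build_register_user_params(account_id, user["userName"], user["email"], namespace)
    register_user(**params)
    return params


if __name__ == "__main__":
    # Constructed sample; in Lambda, list_groups would query identitystore and
    # register_user would be boto3.client("quicksight").register_user.
    sample = {"detail": {"eventSource": "sso-directory.amazonaws.com", "eventName": "CreateUser",
                         "responseElements": {"user": {"userName": "alice", "email": "alice@example.com"}}}}
    print(handle_create_user_event(sample, "123456789012", {"acme", "globex"},
                                   lambda u: ["tenant-acme", "Everyone"], lambda **p: None))
```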

Hi @koxley,

I suggest not using the just-in-time user provisioning feature in QuickSight if you create the user manually via the SCIM event, so that you don't have to bother replacing/deleting the user created by it.

Just-in-time user provisioning is triggered by the IAM role attached to the user, which includes an IAM policy with the CreateUser action allowed. If you don't specify the action to be allowed, QuickSight will not provision the user.

Hope this helps.

Kind regards,
Wakana

Thank you for the additional detail.

Kevin