I would like to use QuickSight namespaces in a single AWS account to separate customer end users and resources so they are isolated from each other to support a multi-tenancy environment.
Today, we use AWS IAM Identity Center (SSO), integrated with QuickSight, to automatically register a QuickSight Reader account under the default namespace when creating a new user.
We would like to use IAM Identity Center to create users for different customers using a different QuickSight namespace per customer. Is there a way to pass in the namespace attribute when creating the user in IAM Identity Center so that it invokes RegisterUser with the specified namespace? If not, is there a reasonable workaround to continue managing users in IAM Identity Center and then manually changing the namespace for the QuickSight user created by IAM Identity Center?
@koxley Thanks for your question. If you don’t get a reply soon from one of our community members, we’ll reach out to our internal experts on Tuesday to see if we can get a reply for you.
At a high level, I assume the following is your workflow today:
1/ You create the user in IAM Identity Center and provide access to the QuickSight application.
2/ The user logs into the SSO link and clicks on the QuickSight application.
3/ If Email sync is not enabled, the user would have to provide the email address.
4/ This would create the QuickSight user.
With custom namespaces, at the time of creating users in IAM Identity Center who would access QuickSight, you would also have to pre-register the user in QuickSight using the RegisterUser API in the required namespace. RegisterUser - Amazon QuickSight.
The user will then view assets shared within that specific namespace when they access QuickSight when federating through the SSO link.
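The pre-registration step described in the answer above, as an added example that is not part of the original thread: it builds the RegisterUser request for a tenant's namespace and checks the returned user ARN so a user never lands in the default namespace by mistake. The tenant map, account ID and role ARN are constructed placeholders, and it assumes SSO federation through an IAM role whose session name is the user's email.

```python
# Added example: pre-register a federated QuickSight reader in a per-tenant namespace.
# Assumptions (not from the thread): users federate through one IAM role, the role
# session name equals the user's email, and each tenant namespace already exists.

# Constructed tenant -> namespace map (placeholder names).
TENANT_NAMESPACES = {"acme": "tenant-acme", "globex": "tenant-globex"}


def build_register_user_request(account_id, tenant, email, role_arn):
    """Return keyword arguments for the QuickSight RegisterUser call."""
    namespace = TENANT_NAMESPACES.get(tenant)
    # Fail closed: an unmapped tenant must never fall back to the shared namespace.
    if namespace is None or namespace == "default":
        raise ValueError(f"no dedicated namespace for tenant {tenant!r}")
    return {
        "AwsAccountId": account_id,
        "Namespace": namespace,
        "IdentityType": "IAM",      # federated through an IAM role
        "IamArn": role_arn,
        "SessionName": email,       # must match the session name set at sign-in
        "Email": email,
        "UserRole": "READER",
    }


def preregister(client, account_id, tenant, email, role_arn):
    """Call register_user on a boto3 QuickSight client and verify the namespace."""
    request = build_register_user_request(account_id, tenant, email, role_arn)
    user = client.register_user(**request)["User"]
    # User ARN format: arn:aws:quicksight:<region>:<account>:user/<namespace>/<name>
    if f":user/{request['Namespace']}/" not in user["Arn"]:
        raise RuntimeError(f"user registered outside {request['Namespace']}: {user['Arn']}")
    return user["Arn"]

# Usage with real credentials (not executed here):
#   import boto3
#   preregister(boto3.client("quicksight"), "111122223333", "acme",
#               "reader@example.com", "arn:aws:iam::111122223333:role/QuickSightReaderSSO")
```

Run this from the same automation that creates the user in IAM Identity Center, before the user's first sign-in, so the first federated login maps to the pre-registered user in the tenant namespace.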