User Provisioning in QuickSight

What are some of the best practices for user provisioning within QuickSight?
1. QuickSight access for the development team?
2. QuickSight access for end users to consume reports?

I’ve gone through the below video link; best practices are not mentioned in it.
Thanks in advance for any reference !

Hi @Abhishek11 - Thanks for the question. To answer this, it depends upon the requirement. From my experience,

  1. It is better to have author for the development team, so that they can develop analyses and dashboards freely, and it's very cost effective as the price is on a per-user basis with unlimited access.
  2. For end users, depending upon the use case and user base, a decision can be made. If the dashboard is going to be embedded in any application, better to go with anonymous embedding access, which is session-based pricing. If the user base is internal and they just need to access the dashboard directly from QS, then reader is best.

You can get all pricing details from QS page.

Having said this, let's hear from other experts as well, tagging @ErikG @duncan @David_Wong @sagmukhe @Biswajit_1993

Regards - Sanjeeb

@Abhishek11 - There are multiple methodologies to manage users. One good way is to leverage Shared Folders and Groups to control the access of the users to relevant QuickSight Content.

  • Ideally you can create a Shared Folder per subject area to logically isolate different departments.
  • Create dedicated folders within that Shared Folder for each type of asset, i.e. Datasources, Datasets, Analyses and Dashboards.
  • Create dedicated QuickSight Groups for Authors (developers) and Readers (Viewers).
  • Give access for the Main Folder (Subject Area Folder) to the Author group as they would need to access all the assets for development purposes
  • Give access for the Dashboards folder only within the Main Folder (Subject Area Folder) to the Reader group as they would only need access to the dashboard for viewing purposes
  • Further custom permissions can be leveraged to limit access at the user level.

Hope this helps!

Did my suggestion help you in resolving your query? If yes, I would request you to mark the post as “Solution”. This will help the community find guidance and answers to similar questions. Thank you!

2 Likes
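The folder and group layout described in the post above, sketched as an added example that is not part of the original thread: it builds the ordered boto3 QuickSight calls (`create_group`, `create_folder`) so the grants can be reviewed before anything is applied. The account id, region, group and folder names, and the two action sets are assumptions made for illustration; check the action sets against the QuickSight folder permission documentation before use.

```python
# Added example: plan the QuickSight API calls for a per-subject folder layout.
# Account id, region, names and the action sets below are illustrative assumptions.
ASSET_FOLDERS = ("Datasources", "Datasets", "Analyses", "Dashboards")
AUTHOR_ACTIONS = [  # assumed contributor-style set: no delete, no permission changes
    "quicksight:CreateFolder", "quicksight:DescribeFolder",
    "quicksight:CreateFolderMembership", "quicksight:DeleteFolderMembership",
    "quicksight:DescribeFolderPermissions",
]
READER_ACTIONS = ["quicksight:DescribeFolder"]  # assumed view-only set


def arn(region, account, kind, name):
    return f"arn:aws:quicksight:{region}:{account}:{kind}/{name}"


def build_plan(account, region, subject, namespace="default"):
    """Return an ordered list of (boto3 quicksight method, kwargs) pairs."""
    slug = subject.lower().replace(" ", "-")
    groups = {role: f"{slug}-{role}" for role in ("authors", "readers")}

    def grant(role, actions):
        principal = arn(region, account, "group", f"{namespace}/{groups[role]}")
        return {"Principal": principal, "Actions": actions}

    plan = [("create_group", {"AwsAccountId": account, "Namespace": namespace,
                              "GroupName": name}) for name in groups.values()]
    # Subject-area folder: only the author group is granted access here.
    plan.append(("create_folder", {
        "AwsAccountId": account, "FolderId": slug, "Name": subject,
        "FolderType": "SHARED",
        "Permissions": [grant("authors", AUTHOR_ACTIONS)]}))
    for asset in ASSET_FOLDERS:
        # Grants are set explicitly per subfolder instead of relying on inheritance.
        perms = [grant("authors", AUTHOR_ACTIONS)]
        if asset == "Dashboards":  # the only folder the reader group can see
            perms.append(grant("readers", READER_ACTIONS))
        plan.append(("create_folder", {
            "AwsAccountId": account, "FolderId": f"{slug}-{asset.lower()}",
            "Name": asset, "FolderType": "SHARED",
            "ParentFolderArn": arn(region, account, "folder", slug),
            "Permissions": perms}))
    return plan


def apply_plan(client, plan):
    """Run the plan against a boto3 QuickSight client (or a test double)."""
    return [getattr(client, method)(**kwargs) for method, kwargs in plan]


if __name__ == "__main__":
    for method, kwargs in build_plan("111122223333", "us-east-1", "Sales"):
        print(method, kwargs)
```

To apply the plan, pass `boto3.client("quicksight")` to `apply_plan`; reviewing the printed plan first makes it easy to confirm the reader group appears on the Dashboards folder only.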

Good responses in here already. We do a combination of the things mentioned. For user provisioning we have SSO enabled on Google Workspace. All users get reader access by default. Essentially when a user accesses QS for the first time from Google the user is created in QS. Then we manually add them to relevant groups (by role/function) that give them access to necessary dashboards and apply row-level access security. My next project is to create a Lambda function to automatically add users to groups when they get created via SSO.

1 Like