Using deny permissions in policies associated with quicksight roles in IAM does not deny those permissions in quicksight

We have a federated identity provider for quicksight which creates three roles [QuickSight-Admin-Role, QuickSight-Author-Role, QuickSight-Reader-Role] in AWS IAM. We have been using these roles to add and remove capabilities from these three user groups. This works when we add permissions but not when we deny permissions.

Specifically, I’ve been trying to add ‘deny’ permissions to dataset creation for the QuickSight-Federated-Author role and users with that role are still able to perform the actions in the ‘deny’ permission set. However, when I add permissions to the ‘allow’ permission set in the policy associated with that role, the users with that role then are given those capabilities.

The current author policy is

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": [
                "quicksight:UpdateDataSourcePermissions",
                "quicksight:PutDataSetRefreshProperties",
                "quicksight:CreateDataSet",
                "quicksight:UpdateDataSet",
                "quicksight:DeleteDataSet",
                "quicksight:DeleteDataSetRefreshProperties",
                "quicksight:DeleteDataSource",
                "quicksight:UpdateDataSource",
                "quicksight:CreateDataSource",
                "quicksight:UpdateDataSetPermissions"
            ],
            "Resource": "*"
        }
    ]
}
```

Is this a bug or is it intended that denying access does not work?
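As an added illustration (not part of the thread), the Python below is a minimal local model of IAM's documented identity-policy evaluation order, run over the Deny statement quoted above plus a constructed Allow policy (`BASE_ALLOW_POLICY`, an assumption standing in for whatever grants the role its base QuickSight access). It shows what the policy as written should produce: an explicit Deny on `quicksight:CreateDataSet` beats any Allow, so the next thing to check is which policies the federated session actually carries, which the IAM policy simulator can evaluate for the real role.

```python
import fnmatch

# Deny statement quoted in the question (Sid omitted).
AUTHOR_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "quicksight:UpdateDataSourcePermissions",
            "quicksight:PutDataSetRefreshProperties",
            "quicksight:CreateDataSet",
            "quicksight:UpdateDataSet",
            "quicksight:DeleteDataSet",
            "quicksight:DeleteDataSetRefreshProperties",
            "quicksight:DeleteDataSource",
            "quicksight:UpdateDataSource",
            "quicksight:CreateDataSource",
            "quicksight:UpdateDataSetPermissions",
        ],
        "Resource": "*",
    }],
}
# Constructed stand-in for whatever grants the role its base access (not from the thread).
BASE_ALLOW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "quicksight:*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM compares action names case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def evaluate(policies, action, resource="*"):
    """Decide one action under IAM's identity-policy evaluation order: an explicit
    Deny anywhere beats every Allow; no matching Allow means an implicit deny.
    Conditions, SCPs, permissions boundaries and resource policies are ignored."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt.get("Action", []), action)
                    and _matches(stmt.get("Resource", "*"), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # short-circuits regardless of any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```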

Hey @brennan-firsthand , welcome to the Quicksight Community!

I would try the reverse, and for your user groups define the access permissions that the user groups should have.

To test this I would set a user group up with only the permissions they should have, don’t define the deny permissions, then have someone in the target user group attempt to do something outside of their allowed permissions.

Hi @duncan - just found this thread. Can you help me understand why the deny list would not work here?

Hello @Alex2 !

Here I am just suggesting a troubleshooting step to see what might be happening with QS and why it wouldn’t allow the “deny” action.

@brennan-firsthand Are you still running into this issue with Denying permissions in Quicksight?

Hey @brennan-firsthand ! Are you still having trouble with this issue? We have not heard from you in a while but would still like to help find the solution. If we do not hear from you in 3 days this post will be archived.