Using deny permissions in policies associated with quicksight roles in IAM does not deny those permissions in quicksight

We have a federated identity provider for quicksight which creates three roles [QuickSight-Admin-Role, QuickSight-Author-Role, QuickSight-Reader-Role] in AWS IAM. We have been using these roles to add and remove capabilities from these three user groups. This works when we add permissions but not when we deny permissions.

Specifically, I’ve been trying to add ‘deny’ permissions to dataset creation for the QuickSight-Federated-Author role and users with that role are still able to perform the actions in the ‘deny’ permission set. However, when I add permissions to the ‘allow’ permission set in the policy associated with that role, the users with that role then are given those capabilities.

The current author policy is

    "Version": "2012-10-17",
    "Statement": [
            "Sid": "VisualEditor1",
            "Effect": "Deny",
            "Action": [
            "Resource": "*"

Is this a bug or it intended that denying access does not work?

Hey @brennan-firsthand , welcome to the Quicksight Community!

I would try the reverse, and for your user groups define the access permissions that the user groups should have.

To test this I would set a user group up with only the permissions they should have, don’t define the deny permissions, then have someone in the target user group attempt to do something outside of their allowed permissions.

Hi @duncan - just found this thread. Can you help me understand why the deny list would not work here?

Hello @Alex2 !

Here I am just suggesting a troubleshoot to see what might be happening with QS and why it wouldn’t allow the “deny” action.

@brennan-firsthand Are you still running into this issue with Denying permissions in Quicksight?

Hey @brennan-firsthand ! Are you still having trouble with this issue? We have not heard from you in a while but would still like to help find the solution. If we do not hear from you in 3 days this post will be archived.