Granting QuickSight access through IAM Identity Center integration - AWS Prescriptive Guidance

Granting QuickSight access through IAM Identity Center integration

Note

This access approach is available only for the Enterprise edition of Amazon QuickSight. For more information, see User management for Enterprise edition in the QuickSight documentation.

Architecture diagram of an IAM Identity Center user accessing QuickSight

The following are the characteristics of this architecture and access approach:

  • Users and groups are managed in AWS IAM Identity Center through one of its supported identity sources: the built-in Identity Center directory, AWS Managed Microsoft AD or a self-managed Active Directory, or an external SAML 2.0 identity provider.

  • Depending on your requirements, you can use either an organization instance or an account instance of IAM Identity Center. For example, if external users need access to QuickSight but cannot be (or are not allowed to be) provisioned in the organization instance, you can use an account instance whose identity source supports both internal and external users.

  • You assign QuickSight admin, author, or reader access to IAM Identity Center groups.

  • QuickSight access is provisioned based on the mapped IAM Identity Center group memberships.

  • You cannot combine this QuickSight access approach with other approaches.

Considerations and use cases

It is recommended that you use IAM Identity Center to manage access to QuickSight. There are two approaches you can use with IAM Identity Center. QuickSight is an IAM Identity Center enabled application and supports native integration, which is the recommended approach. It is also possible to use SAML 2.0 federation, as described in Configuring federated user access to QuickSight through IAM Identity Center in this guide, but this approach is not recommended for most use cases.

Native service integration between QuickSight and IAM Identity Center does not require setting up SAML federation between the two services. Native integration uses IAM Identity Center group memberships to manage access to QuickSight.

IAM Identity Center user groups are automatically synchronized with QuickSight. In the QuickSight console, administrators can map the IAM Identity Center groups to the QuickSight roles. Groups can be assigned the Admin, Author, Reader, Admin Pro, Author Pro, or Reader Pro roles.

This approach is useful because it does not require you to maintain a SAML federation configuration or any IAM Identity Center permission sets. However, after this approach is implemented, you cannot switch to a different approach, such as federation, without ending your QuickSight subscription. You also cannot combine this approach with other approaches.

For other limitations related to the use of QuickSight native integration with IAM Identity Center, see the QuickSight documentation. For example, the use of the namespaces feature in QuickSight is not supported if you use IAM Identity Center integration.

Prerequisites

  • An active AWS account

  • The following permissions:

    • Administrative access to the AWS account where QuickSight is subscribed

    • Access to the IAM Identity Center console to assign users to groups

Configuring IAM Identity Center integration and user access

Note the following when configuring this type of access:

  1. Before subscribing to QuickSight, make sure you have already set up and configured IAM Identity Center. For instructions, see Enabling AWS IAM Identity Center and Getting started tutorials in the IAM Identity Center documentation.

  2. Follow the instructions in Signing up for a QuickSight subscription in the QuickSight documentation. Choose Enterprise, and then choose Use IAM Identity Center enabled application. Depending on which IAM Identity Center instances already exist in your AWS account, you can select either an organization instance or an account instance.

  3. To assign QuickSight roles to IAM Identity Center groups, follow the instructions in Managing access for IAM Identity Center users in the QuickSight documentation.
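Before entering the group-to-role assignments from step 3 in the console, it is worth checking the planned mapping offline: every group should exist in the identity store, each group should carry exactly one role so the effective permission is explicit, and the subscription should actually be using IAM Identity Center authentication. The following script is an added example, not code from AWS or from this guide. The sample responses are constructed and only shaped like the output of `aws identitystore list-groups` and `aws quicksight describe-account-subscription`; the group names and IDs are invented, and treating any Edition beginning with ENTERPRISE as eligible is an assumption.

```python
"""Offline sanity checks for a planned QuickSight / IAM Identity Center role mapping.

Added example (not AWS code). Response dicts are constructed to mirror the shape of
`aws identitystore list-groups` and `aws quicksight describe-account-subscription`.
"""
from collections import defaultdict

# The roles QuickSight lets you assign to IAM Identity Center groups.
QUICKSIGHT_ROLES = ("Admin", "Author", "Reader", "Admin Pro", "Author Pro", "Reader Pro")

# Constructed sample: shape of `aws identitystore list-groups` (IDs and names are invented).
SAMPLE_IDENTITY_STORE_GROUPS = {
    "Groups": [
        {"GroupId": "11111111-2222-3333-4444-555555555555", "DisplayName": "quicksight-admins"},
        {"GroupId": "66666666-7777-8888-9999-000000000000", "DisplayName": "bi-developers"},
        {"GroupId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "DisplayName": "all-employees"},
    ]
}

# Constructed sample: shape of `aws quicksight describe-account-subscription`.
SAMPLE_SUBSCRIPTION = {
    "AccountInfo": {
        "AccountName": "example-qs-account",
        "Edition": "ENTERPRISE",
        "AuthenticationType": "IAM_IDENTITY_CENTER",
        "AccountSubscriptionStatus": "ACCOUNT_CREATED",
    }
}

# Planned assignment to be entered in the QuickSight console (hypothetical).
PLANNED_MAPPING = {
    "Admin": ["quicksight-admins"],
    "Author": ["bi-developers"],
    "Reader": ["all-employees", "bi-developers"],   # bi-developers appears twice: review
    "Reader Pro": ["finance-analysts"],              # not provisioned in the identity store
}


def subscription_uses_identity_center(describe_response):
    """True when the subscription is an Enterprise edition authenticating via IAM Identity Center.

    Assumption: any Edition value starting with 'ENTERPRISE' is eligible.
    """
    info = describe_response.get("AccountInfo", {})
    return (info.get("Edition", "").startswith("ENTERPRISE")
            and info.get("AuthenticationType") == "IAM_IDENTITY_CENTER")


def validate_role_mapping(mapping, groups_response):
    """Return a list of human-readable findings; an empty list means the mapping is clean."""
    known = {g["DisplayName"] for g in groups_response.get("Groups", [])}
    findings = []
    roles_by_group = defaultdict(list)

    for role, groups in mapping.items():
        if role not in QUICKSIGHT_ROLES:
            findings.append(f"unknown QuickSight role '{role}'")
            continue
        for group in groups:
            roles_by_group[group].append(role)
            if group not in known:
                findings.append(f"group '{group}' ({role}) does not exist in the identity store")

    # One role per group keeps the granted permission explicit (least privilege review).
    for group, roles in roles_by_group.items():
        if len(roles) > 1:
            findings.append(
                f"group '{group}' is mapped to multiple roles {roles}; "
                "assign a single role per group so the effective permission is explicit")
    return findings


if __name__ == "__main__":
    print("Identity Center auth:", subscription_uses_identity_center(SAMPLE_SUBSCRIPTION))
    for finding in validate_role_mapping(PLANNED_MAPPING, SAMPLE_IDENTITY_STORE_GROUPS):
        print("FINDING:", finding)
```

Run it against the real CLI output by replacing the two constructed samples with `json.load` of the saved command results; the checks themselves need no AWS credentials.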