
Customizing Access to the Amazon QuickSight Console

Applies to: Enterprise Edition

Intended audience: Amazon QuickSight administrators

Intended audience: Amazon QuickSight developers

In Enterprise edition, you can select the functionality that each person can access in the Amazon QuickSight console. Amazon QuickSight custom permissions are applied through IAM policies. They override the permissions typically granted by assigning QuickSight users to one of the default security cohorts in QuickSight (admin, author, reader).

By using custom permissions profiles, you can restrict access to any combination of the following operations:

  • Create and update data sources

  • Create and update datasets

  • Create and update email reports

  • Subscribe to email reports

This feature is available only to Amazon QuickSight Enterprise edition subscriptions that use SAML 2.0-Based Federation for Single Sign-On (SSO). For more information, see Single Sign-On Access to Amazon QuickSight Using SAML 2.0.

To create a named profile for a set of custom permissions

  1. Open your profile menu at upper right, and choose Manage QuickSight. You must be an Amazon QuickSight administrator to complete this process.

  2. Choose Manage users at left to open the Manage users screen.

  3. Choose Manage permissions. The Manage custom permissions screen appears.

  4. Choose one of the following options:

    • To view or edit an existing custom permission profile, choose View/Edit from the ellipsis (…) menu at right.

    • To create a new custom permission profile, choose Create at the lower part of the screen.

  5. Whether you are creating or updating, make selections for the following items:

    • Name

    • Restrictions – Choose any combination of the following options:

      • Restrict creating or updating data sources – Enabling this option prevents changing or making new data sources.

      • Restrict creating or updating data sets – Enabling this option prevents changing or making new datasets.

      • Restrict creating or updating email reports – Enabling this option prevents changing or making new email reports.

      • Restrict subscribing to email reports – Enabling this option prevents the person from subscribing to email reports.

  6. Choose Create or Update to confirm your choices. Choose Cancel at upper left to exit without making any changes.

  7. After you are satisfied with your changes, record the name of the custom permission profile. Provide this to whoever is to use the API to add the permissions for a new or existing user.

To use the API to add or change the permissions for a new or existing user, use the following procedure.

To assign or change a custom permissions profile for a QuickSight user

  1. Make sure that you have access to the QuickSight API.

  2. If you haven't already, set up the AWS CLI. For more information, see Installing the AWS CLI and Configuring the AWS CLI in AWS Command Line Interface User Guide.

  3. Do one of the following:

    • To add a custom permissions profile for a new user, open a terminal window and run the following command.

      aws quicksight register-user \
        --iam-arn arn:aws:iam::111122223333:user/JorjeSouza \
        --identity-type IAM \
        --user-role AUTHOR \
        --custom-permissions-name custom-permissions-profile-name \
        --email JorjeSouza@example.com \
        --aws-account-id 111122223333 \
        --namespace default \
        --endpoint https://quicksight.aws.amazon.com/

    • To add a custom permissions profile for an existing user, open a terminal window and run the following command.

      aws quicksight update-user \
        --user-name JorjeSouza \
        --role AUTHOR \
        --custom-permissions-name custom-permissions-profile-name \
        --email JorjeSouza@example.com \
        --aws-account-id 111122223333 \
        --namespace default \
        --endpoint https://quicksight.aws.amazon.com/

    • To remove custom permissions from an existing user, open a terminal window and run the following command.

      aws quicksight update-user \
        --user-name TestUser \
        --role AUTHOR \
        --unapply-custom-permissions \
        --email <email> \
        --aws-account-id 111122223333 \
        --namespace default \
        --endpoint https://quicksight.aws.amazon.com/
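Applying a profile is only half the job; an administrator also wants proof that the restriction is attached to the user before relying on it. The script below is an added example, not code from the AWS documentation: it wraps the update-user call from the procedure above and then reads the user back with aws quicksight describe-user, checking the CustomPermissionsName field of the response. The profile name restricted-authors, the account ID and the sample response are constructed for the example (the account ID matches the page's placeholder), and the --endpoint option is left out so the CLI resolves the regional QuickSight endpoint itself.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): assign a custom permissions
# profile with update-user, then confirm it took effect with describe-user.
# The profile name "restricted-authors" is assumed to exist in the account.

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"   # placeholder account ID from the page
NAMESPACE="${NAMESPACE:-default}"

# Pull the CustomPermissionsName value out of a describe-user JSON response.
# sed is used instead of jq so the check has no extra dependency; the function
# prints an empty string when the field is absent (no profile applied).
extract_custom_permissions() {
  printf '%s' "$1" | tr -d '\n' \
    | sed -n 's/.*"CustomPermissionsName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Exit 0 when the response in $1 carries the expected profile name $2.
check_profile() {
  [ "$(extract_custom_permissions "$1")" = "$2" ]
}

# Apply the profile to an existing user (same flags as the page's update-user
# call, minus --endpoint: the CLI resolves the regional QuickSight endpoint).
apply_profile() {  # $1 user name, $2 profile name, $3 email
  aws quicksight update-user \
    --user-name "$1" \
    --role AUTHOR \
    --custom-permissions-name "$2" \
    --email "$3" \
    --aws-account-id "$ACCOUNT_ID" \
    --namespace "$NAMESPACE"
}

# Read the user back and verify the profile is attached; a missing or different
# name means the restriction is not actually in force for that user.
verify_profile() {  # $1 user name, $2 expected profile name
  response=$(aws quicksight describe-user \
    --user-name "$1" \
    --aws-account-id "$ACCOUNT_ID" \
    --namespace "$NAMESPACE" \
    --output json) || return 1
  check_profile "$response" "$2"
}

# Constructed sample describe-user response, used to exercise the parsing
# offline; field names follow the DescribeUser output shape.
SAMPLE_DESCRIBE_USER='{
  "Status": 200,
  "User": {
    "Arn": "arn:aws:quicksight:us-east-1:111122223333:user/default/JorjeSouza",
    "UserName": "JorjeSouza",
    "Email": "JorjeSouza@example.com",
    "Role": "AUTHOR",
    "Active": true,
    "CustomPermissionsName": "restricted-authors"
  },
  "RequestId": "constructed-request-id"
}'

# Usage: ./assign_profile.sh JorjeSouza restricted-authors JorjeSouza@example.com
# The script only talks to AWS when all three arguments are given.
if [ $# -eq 3 ]; then
  apply_profile "$1" "$2" "$3" \
    && verify_profile "$1" "$2" \
    && echo "profile $2 confirmed on $1"
fi
```

Run it with the user name, profile name and email as arguments after the AWS CLI is configured; a non-zero exit means either the update failed or the user came back without the expected profile, which is the case to investigate before treating that user as restricted.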