Customizing access to the Amazon QuickSight console - Amazon QuickSight

Important: We've redesigned the Amazon QuickSight analysis workspace. You might encounter screenshots or procedural text that doesn't reflect the new look in the QuickSight console. We're in the process of updating screenshots and procedural text.

To find a feature or item, use the Quick search bar.

For more information on QuickSight's new look, see Introducing new analysis experience on Amazon QuickSight.

Customizing access to the Amazon QuickSight console

Applies to: Enterprise Edition
Intended audience: Administrators and Amazon QuickSight developers

In Enterprise edition, you can restrict the functionality that people can access in Amazon QuickSight. Amazon QuickSight custom permissions are applied through IAM policies. You can configure custom permissions for roles (admin, author, reader) for all identity types in QuickSight. You can also apply user-level custom permissions to AWS Identity and Access Management (IAM) users. User-level custom permissions override the role's existing default or custom role-level permissions for the specified user.

The following limitations apply to user level custom permissions.

  • You can't grant permissions that are above a user's default role. For example, if a user has reader access, you can't grant permissions for that user to edit dashboards.

  • To customize permissions, you need to be a QuickSight administrator with permissions to use "quicksight:CustomPermissions".

IAM policies and QuickSight permissions are not the same thing. A user can be granted access permissions and assigned a role with an IAM policy, but the IAM policy doesn't control what that user can do within QuickSight. QuickSight assets have their own sets of permissions that are used to customize QuickSight-specific features. These permissions are handled at the resource level, outside of IAM.

You can create custom permissions profiles to restrict access to any combination of the following operations.

Asset: Data sources and datasets
  • Create or update data source
  • Create or update dataset
  • Share dataset

Asset: Dashboards and analyses
  • Add or run anomaly detection
  • Create or update theme
  • Export to CSV or Excel
  • Share

Asset: Folders
  • Create shared folder
  • Rename shared folder

Asset: Reports
  • Create
  • Update
  • Subscribe to email report

Items that are added to shared folders are shared regardless of the asset's custom permissions. This applies to dashboards, analyses, datasets, and data sources.

Use the following procedure to create a custom permissions profile in QuickSight.

To create a custom permissions profile
  1. From any page in the QuickSight console, choose Manage QuickSight at the top right corner.

    Only QuickSight administrators have access to the Manage QuickSight menu option. If you don't have access to the Manage QuickSight menu, contact your QuickSight administrator for assistance.

  2. Choose Security & permissions.

  3. Under Manage permissions, choose Manage.

  4. Choose one of the following options.

    • To edit or view an existing custom permissions profile, choose the ellipsis (three dots) next to the profile that you want, and then choose View/Edit.

    • To create a new custom permissions profile, choose Create.

  5. If you want to create or update a custom permissions profile, make selections for the following items.

    • For Name, enter a name for the custom permissions profile.

    • For Restrictions, choose the options that you want to deny. Any option that you don't choose is allowed. For example, if you don't want users to create or update data sources, but you want them to be able to do everything else, choose only Creating or updating data sources.

  6. Choose Create or Update to confirm your choices. To go back without making any changes, choose Back.

  7. Once you are done making changes, record the name of the custom permissions profile. Provide the name of the custom permissions profile to API users so that they can apply the custom permissions profile to roles or users.

Apply a custom permissions profile to a QuickSight role with the QuickSight API

After you create a custom permissions profile, use the QuickSight API to add or change the custom permissions profile that is assigned to a role.

Before you begin, you need to set up and configure the AWS CLI. For more information about installing the AWS CLI, see Install or update the latest version of the AWS CLI and Configure the AWS CLI in the AWS Command Line Interface User Guide. You also need permissions to use the QuickSight API.

The following example calls the UpdateRoleCustomPermission API to update the custom permissions that are assigned to a role.

aws quicksight update-role-custom-permission \
    --role ROLE \
    --aws-account-id AWSACCOUNTID \
    --namespace default \
    --custom-permissions-name PERMISSIONNAME \
    --region REGION

The following example returns the custom permissions profile that is assigned to a role.

aws quicksight describe-role-custom-permission \
    --role ROLE \
    --aws-account-id AWSACCOUNTID \
    --namespace default \
    --region REGION

The following example deletes a custom permissions profile from a role.

aws quicksight delete-role-custom-permission \
    --role ROLE \
    --aws-account-id AWSACCOUNTID \
    --namespace default \
    --region REGION
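The following script is an added example; it is not part of the QuickSight documentation or of the AWS CLI. It wraps the three role-level commands above in shell functions that validate the account ID and role before anything is sent, read the assignment back with describe-role-custom-permission after an update and fail if the returned name does not match, and print an audit of which profile each built-in role currently carries. The account ID, region and profile name in the demo lines are constructed placeholders. The QS_DRY_RUN switch is this script's own convention, not a CLI feature: with QS_DRY_RUN=1 each command line is printed instead of executed and the read-back check is skipped.

```shell
#!/bin/sh
# Added example, not from the QuickSight documentation: wrappers for the
# role-level custom-permissions commands shown above.
# Assumptions (not from the page): the AWS CLI is installed and configured with
# credentials that allow the QuickSight role-custom-permission actions; the
# QS_DRY_RUN switch is this script's own convention (QS_DRY_RUN=1 prints each
# command instead of running it and skips the read-back verification).

QS_ROLES="ADMIN AUTHOR READER"   # built-in roles accepted by --role

# Run the AWS CLI, or print the command line when QS_DRY_RUN=1.
qs_aws() {
  if [ "${QS_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "aws $*"
  else
    aws "$@"
  fi
}

# An AWS account ID is exactly 12 digits; anything else is a typo or a paste error.
qs_valid_account() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -eq 12 ]
}

# Only the built-in roles listed in QS_ROLES are accepted (names are case-sensitive).
qs_valid_role() {
  for r in $QS_ROLES; do
    [ "$1" = "$r" ] && return 0
  done
  return 1
}

# Attach PROFILE to ROLE, then read the assignment back and confirm the name.
# Usage: qs_apply_role_profile ROLE ACCOUNT_ID REGION PROFILE
qs_apply_role_profile() {
  role=$1; acct=$2; region=$3; profile=$4
  qs_valid_role "$role"    || { echo "invalid role: $role" >&2; return 2; }
  qs_valid_account "$acct" || { echo "invalid account id: $acct" >&2; return 2; }
  [ -n "$region" ] && [ -n "$profile" ] || { echo "region and profile are required" >&2; return 2; }

  qs_aws quicksight update-role-custom-permission \
    --role "$role" --aws-account-id "$acct" --namespace default \
    --custom-permissions-name "$profile" --region "$region" || return 1

  if [ "${QS_DRY_RUN:-0}" = "1" ]; then
    return 0                       # nothing was applied, so nothing to verify
  fi
  applied=$(aws quicksight describe-role-custom-permission \
    --role "$role" --aws-account-id "$acct" --namespace default \
    --region "$region" --query CustomPermissionsName --output text) || return 1
  if [ "$applied" != "$profile" ]; then
    echo "verification failed: $role carries '$applied', expected '$profile'" >&2
    return 1
  fi
}

# Print "ROLE<TAB>PROFILE" for every built-in role. An error or an empty result from
# describe-role-custom-permission is reported as "(default)", i.e. no profile attached.
# Usage: qs_audit_role_profiles ACCOUNT_ID REGION
qs_audit_role_profiles() {
  acct=$1; region=$2
  qs_valid_account "$acct" || { echo "invalid account id: $acct" >&2; return 2; }
  for role in $QS_ROLES; do
    name=$(qs_aws quicksight describe-role-custom-permission \
      --role "$role" --aws-account-id "$acct" --namespace default \
      --region "$region" --query CustomPermissionsName --output text 2>/dev/null) || name=""
    case "$name" in None) name="" ;; esac   # --output text prints None for a null field
    printf '%s\t%s\n' "$role" "${name:-(default)}"
  done
}

# Stand-alone demo with constructed placeholders (account ID, region and profile
# are made up). Dry run: nothing is sent to AWS. Unset QS_DRY_RUN to run for real.
QS_DRY_RUN=1
qs_apply_role_profile AUTHOR 123456789012 us-east-1 no-export
qs_audit_role_profiles 123456789012 us-east-1
```

Run qs_audit_role_profiles before and after a change so that the applied state is on record; the read-back in qs_apply_role_profile catches the case where the update call succeeds but a different profile name (for example, one with a typo that happens to exist) ends up on the role.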

Apply a custom permissions profile to an IAM user with the QuickSight API

The following example adds custom permissions to a new IAM user.

aws quicksight register-user \
    --iam-arn arn:aws:iam::AWSACCOUNTID:user/USER \
    --identity-type IAM \
    --user-role AUTHOR \
    --custom-permissions-name custom-permissions-profile-name \
    --email EMAIL \
    --aws-account-id AWSACCOUNTID \
    --namespace default

You can also associate an existing IAM user with a new permissions profile. The following example updates the custom permissions profile of an existing IAM user.

aws quicksight update-user \
    --user-name USERNAME \
    --role AUTHOR \
    --custom-permissions-name custom-permissions-profile-name \
    --email EMAIL \
    --aws-account-id AWSACCOUNTID \
    --namespace default

The example below removes an existing user from a permissions profile.

aws quicksight update-user \
    --user-name USERNAME \
    --role AUTHOR \
    --unapply-custom-permissions \
    --email EMAIL \
    --aws-account-id AWSACCOUNTID \
    --namespace default
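The following script is an added example; it is not part of the QuickSight documentation or of the AWS CLI. It turns the three user-level commands above into one idempotent operation: describe-user is used as the existence check, an already registered user gets update-user, and an unregistered one gets register-user with the profile attached in the same call; passing "-" as the profile name unapplies it. The account ID, user name, email and profile name in the demo lines are constructed placeholders. Two assumptions are this script's own and not from the page: the QuickSight user name of an IAM user is taken to be the IAM user name, and the QS_DRY_RUN / QS_DRY_RUN_EXISTS switches (print the commands instead of running them; pretend the user is new) are conveniences of this example, not CLI features.

```shell
#!/bin/sh
# Added example, not from the QuickSight documentation: apply or remove a custom
# permissions profile for an IAM-backed QuickSight user without knowing in advance
# whether the user is already registered. describe-user is the existence check:
# an existing user gets update-user, a new one gets register-user.
# Assumptions (not from the page): the AWS CLI is configured with credentials that
# allow the QuickSight user actions; the QuickSight user name of an IAM user is the
# IAM user name; QS_DRY_RUN and QS_DRY_RUN_EXISTS are this script's own switches
# (QS_DRY_RUN=1 prints the commands, QS_DRY_RUN_EXISTS=0 pretends the user is new).

# Run the AWS CLI, or print the command line when QS_DRY_RUN=1.
qs_aws() {
  if [ "${QS_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "aws $*"; else aws "$@"; fi
}

# Returns 0 if USER is already registered in the default namespace.
# Usage: qs_user_exists USER ACCOUNT_ID REGION
qs_user_exists() {
  aws quicksight describe-user --user-name "$1" --aws-account-id "$2" \
    --namespace default --region "$3" >/dev/null 2>&1
}

# Usage: qs_set_user_profile ACCOUNT_ID REGION IAM_USER EMAIL ROLE PROFILE
# PROFILE "-" means "unapply": the user falls back to the role's permissions.
qs_set_user_profile() {
  acct=$1; region=$2; user=$3; email=$4; role=$5; profile=$6
  case "$role" in ADMIN|AUTHOR|READER) ;; *) echo "invalid role: $role" >&2; return 2 ;; esac
  case "$acct" in ""|*[!0-9]*) echo "invalid account id: $acct" >&2; return 2 ;; esac
  [ "${#acct}" -eq 12 ] || { echo "invalid account id: $acct" >&2; return 2; }
  [ -n "$user" ] && [ -n "$email" ] && [ -n "$profile" ] || { echo "user, email and profile are required" >&2; return 2; }

  # The profile arguments are the only thing that differs between apply and unapply.
  if [ "$profile" = "-" ]; then
    set -- --unapply-custom-permissions
  else
    set -- --custom-permissions-name "$profile"
  fi

  if [ "${QS_DRY_RUN:-0}" = "1" ]; then
    exists=${QS_DRY_RUN_EXISTS:-1}
  elif qs_user_exists "$user" "$acct" "$region"; then
    exists=1
  else
    exists=0
  fi

  if [ "$exists" = "1" ]; then
    # Already registered: update-user addresses the user by QuickSight user name
    # and takes the role as --role.
    qs_aws quicksight update-user --user-name "$user" --role "$role" "$@" \
      --email "$email" --aws-account-id "$acct" --namespace default --region "$region"
  else
    if [ "$profile" = "-" ]; then
      echo "cannot unapply: $user is not registered in QuickSight" >&2
      return 1
    fi
    # Not registered yet: register-user takes the IAM ARN and the role as --user-role,
    # and can attach the profile in the same call.
    qs_aws quicksight register-user --identity-type IAM \
      --iam-arn "arn:aws:iam::$acct:user/$user" --user-role "$role" "$@" \
      --email "$email" --aws-account-id "$acct" --namespace default --region "$region"
  fi
}

# Stand-alone demo with constructed placeholders (account ID, user, email and
# profile are made up). Dry run: nothing is sent to AWS. Unset QS_DRY_RUN to run for real.
QS_DRY_RUN=1
qs_set_user_profile 123456789012 us-east-1 alice alice@example.com AUTHOR no-export
qs_set_user_profile 123456789012 us-east-1 alice alice@example.com AUTHOR -
```

Because register-user and update-user name the role with different flags (--user-role versus --role) and the profile flags are identical, building the profile arguments once and reusing them in both branches keeps the two calls from drifting apart; the script refuses to "unapply" from a user that does not exist rather than silently registering one.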

To test the custom permissions that are applied to a role or user, log in to QuickSight as that user. When a user logs in to QuickSight, they are granted the highest-privilege role that they have access to. The highest-privilege role a user can be granted is admin; the lowest is reader. For more information about roles in Amazon QuickSight, see Managing user access inside Amazon QuickSight.

If you assign a custom permissions profile that restricts data source sharing to the author's role, that author is no longer able to access the controls that allow data source sharing. Instead, the affected author has view-only permissions to the data source.