Customizing access to the Amazon QuickSight console

Applies to: Enterprise Edition
Intended audience: Administrators and Amazon QuickSight developers

In Enterprise edition, you can restrict the functionality that people can access in Amazon QuickSight. Amazon QuickSight custom permissions are applied through IAM policies. You can configure custom permissions for roles (admin, author, reader) for all identity types in QuickSight. You can also apply user level custom permissions to AWS Identity and Access Management users. User level custom permissions override a role's existing default or custom role level permissions for the specified user.

The following limitations apply to user level custom permissions.

  • You can't grant permissions that are above a user's default role. For example, if a user has reader access, you can't grant permissions for that user to edit dashboards.

  • To customize permissions, you need to be a QuickSight administrator with permissions to use "quicksight:CustomPermissions".

IAM policies and QuickSight permissions are not the same thing. A user can be granted access permissions and assigned a role with an IAM policy, but the IAM policy doesn't control what that user can do within QuickSight. QuickSight assets have their own sets of permissions that are used to customize QuickSight-specific features. These permissions are handled at the resource level outside of IAM.

You can create custom permissions profiles to restrict access to any combination of the following operations.

Customizable permissions, by asset:

  • Data sources and datasets

    • Create or update data source

    • Create or update dataset

    • Share dataset

  • Dashboards and analyses

    • Add or run anomaly detection

    • Create or update theme

    • Export to CSV or Excel

    • Share

  • Folders

    • Create shared folder

    • Rename shared folder

  • Reports

    • Create

    • Update

    • Subscribe to email report

Items that are added to shared folders are shared regardless of the asset's custom permissions. This applies to dashboards, analyses, datasets, and data sources.

Use the following procedure to create a custom permissions profile in QuickSight.

To create a custom permissions profile
  1. From any page in the QuickSight console, choose Manage QuickSight at the top right corner.

    Only QuickSight administrators have access to the Manage QuickSight menu option. If you don't have access to the Manage QuickSight menu, contact your QuickSight administrator for assistance.

  2. Choose Security & permissions.

  3. Under Manage permissions, choose Manage.

  4. Choose one of the following options.

    • To edit or view an existing custom permissions profile, choose the ellipsis (three dots) next to the profile that you want, and then choose View/Edit.

    • To create a new custom permissions profile, choose Create.

  5. If you want to create or update a custom permissions profile, make selections for the following items.

    • For Name, enter a name for the custom permissions profile.

    • For Restrictions, choose the options that you want to deny. Any option that you don't choose is allowed. For example, if you don't want users to create or update data sources, but you want them to be able to do everything else, choose only Creating or updating data sources.

  6. Choose Create or Update to confirm your choices. To go back without making any changes, choose Back.

  7. Once you are done making changes, record the name of the custom permissions profile. Provide the name of the custom permissions profile to API users so that they can apply the custom permissions profile to roles or users.
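
After step 7, one way to confirm that the profile actually reached the intended users is to read each user's profile back through the QuickSight ListUsers API and flag anyone it was not applied to. This is an added example, not code from the AWS documentation; the profile name no-export, the account ID, and the sample users are constructed placeholders, and the check covers user level assignments only.

```python
def iter_users(client, account_id, namespace="default"):
    """Yield every user record from ListUsers, following NextToken."""
    kwargs = {"AwsAccountId": account_id, "Namespace": namespace}
    while True:
        page = client.list_users(**kwargs)
        yield from page.get("UserList", [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token


def audit_profile(client, account_id, expected, roles=("AUTHOR", "READER")):
    """Sort in-scope users by whether the expected profile is applied."""
    report = {"applied": [], "missing": [], "other": []}
    for user in iter_users(client, account_id):
        if user.get("Role") not in roles:
            continue
        profile = user.get("CustomPermissionsName")
        if profile == expected:
            bucket = "applied"
        elif profile:
            bucket = "other"      # a different profile is in effect
        else:
            bucket = "missing"    # no user-level profile at all
        report[bucket].append(user["UserName"])
    return report


class FakeQuickSight:
    """Constructed stand-in for the client: two pages of sample users."""
    _pages = {
        None: {"UserList": [
            {"UserName": "ana", "Role": "AUTHOR", "CustomPermissionsName": "no-export"},
            {"UserName": "bo", "Role": "READER"},
        ], "NextToken": "p2"},
        "p2": {"UserList": [
            {"UserName": "cy", "Role": "AUTHOR", "CustomPermissionsName": "legacy"},
            {"UserName": "di", "Role": "ADMIN"},
        ]},
    }

    def list_users(self, **kwargs):
        return self._pages[kwargs.get("NextToken")]


if __name__ == "__main__":
    # With credentials: client = boto3.client("quicksight")
    print(audit_profile(FakeQuickSight(), "111122223333", "no-export"))
```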