
Customizing access to the Amazon QuickSight console

Applies to: Enterprise Edition
Intended audience: Administrators and Amazon QuickSight developers

In Enterprise edition, you can select the functionality that people can access in the Amazon QuickSight console. Amazon QuickSight custom permissions are applied through IAM policies. They override the permissions that are typically granted by assigning QuickSight users to one of the default security cohorts in QuickSight (admin, author, reader).

The following limitations apply:

  • For custom permissions to work, you need to be using AWS Identity and Access Management (IAM) federated users.

  • You can't grant permissions that are above someone's default security cohort. For example, you can't grant access to edit dashboards to someone who has reader access.

  • To customize permissions, you need to be a QuickSight administrator with permissions to use "quicksight:*CustomPermissions".

IAM policies and QuickSight permissions are separate from each other. A user can be granted access permissions and assigned a role with an IAM policy, but IAM policies don't control what users can do within QuickSight. QuickSight resources have their own set of permissions that are used to customize access to QuickSight-specific features. These permissions are handled at the resource level outside of IAM.
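As an added example (not from the AWS page), the following IAM identity-based policy grants an administrator only what this page says is needed to manage custom permissions profiles and to attach them to users. The `quicksight:*CustomPermissions` action pattern is the one quoted above; the user-management actions (`quicksight:RegisterUser`, `quicksight:UpdateUser`, `quicksight:DescribeUser`, `quicksight:ListUsers`) are the ones the CLI procedure on this page relies on. The account ID is the page's placeholder, and scoping the second statement to users in the `default` namespace is an assumption you should adjust to your own namespaces.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageCustomPermissionsProfiles",
      "Effect": "Allow",
      "Action": "quicksight:*CustomPermissions",
      "Resource": "*"
    },
    {
      "Sid": "AttachProfilesToUsers",
      "Effect": "Allow",
      "Action": [
        "quicksight:RegisterUser",
        "quicksight:UpdateUser",
        "quicksight:DescribeUser",
        "quicksight:ListUsers"
      ],
      "Resource": "arn:aws:quicksight:*:111122223333:user/default/*"
    }
  ]
}
```

Keep this policy on the administrator identity only: it controls who can create and apply profiles, while the profile itself (a set of denied console operations) is stored and enforced by QuickSight, outside IAM, as the paragraph above explains.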

By using custom permissions profiles, you can restrict access to any combination of the following operations.

Asset: Data sources and datasets
  Customizable permissions:
  • Create or update data source
  • Create or update dataset
  • Share dataset

Asset: Dashboards and analyses
  Customizable permissions:
  • Add or run anomaly detection
  • Create or update theme
  • Export to CSV / Export to Excel
  • Share

Asset: Folders
  Customizable permissions:
  • Create shared folder
  • Rename shared folder

Asset: Reports
  Customizable permissions:
  • Create
  • Update
  • Subscribe to email report

Note

Items added to folders are shared regardless of custom permissions. This applies to dashboards, analyses, and datasets.

To create a named profile for a set of custom permissions
  1. Open your profile menu at upper right, and choose Manage QuickSight. You need to be an Amazon QuickSight administrator to complete this process.

  2. Choose Manage users at left to open the Manage users screen.

  3. Choose Manage permissions. The Manage custom permissions screen appears.

  4. Choose one of the following options:

    • To view or edit an existing custom permissions profile, choose View/Edit from the ellipsis (...) menu at right.

    • To create a new custom permissions profile, choose Create at the lower part of the screen.

  5. Whether you are creating or updating, make selections for the following items:

    • Name – Enter a name for your custom permissions profile.

    • Restrictions – Choose the options that you want to deny.

      Any option that is not selected is allowed. For example, if you don't want users to create or update data sources, but you're okay with them doing anything else, select Creating or updating all data sources only. Leave the remaining options unselected.

  6. Choose Create or Update to confirm your choices. Choose Back at upper left to exit without making any changes. To see an example policy, see IAM identity-based policies for Amazon QuickSight.

  7. After you are satisfied with your changes, record the name of the custom permissions profile. Provide this to whoever is to use the API to add the permissions for a new or existing user.

You use the API to add or change the permissions assigned to a user.

Before you begin, you need to set up and configure the AWS CLI. For more information, see Installing the AWS CLI and Configuring the AWS CLI in AWS Command Line Interface User Guide. In addition, you need permissions to use the QuickSight API. For more information, see .

To assign or change a custom permissions profile at the command prompt:
  1. Open a terminal window (Linux, Mac) or open a command prompt (Windows).

  2. To add custom permissions to a user, choose one of the following:

    • For a new user – Add a new user with a permissions profile by using a command like the following example:

      aws quicksight register-user \
        --iam-arn arn:aws:iam::111122223333:user/JorjeSouza \
        --identity-type IAM \
        --user-role AUTHOR \
        --custom-permissions-name custom-permissions-profile-name \
        --email JorjeSouza@example.com \
        --aws-account-id 111122223333 \
        --namespace default

    • For an existing user – Associate an existing user with a permissions profile by using a command like the following example:

      aws quicksight update-user \
        --user-name JorjeSouza \
        --role AUTHOR \
        --custom-permissions-name custom-permissions-profile-name \
        --email JorjeSouza@example.com \
        --aws-account-id 111122223333 \
        --namespace default

  3. (Optional) Remove an existing user from a permissions profile by using a command like the following example:

    aws quicksight update-user \
      --user-name TestUser \
      --role AUTHOR \
      --unapply-custom-permissions \
      --email <email> \
      --aws-account-id 111122223333 \
      --namespace default
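The procedure above leaves out the step an administrator normally wants right after attaching or removing a profile: confirming with `describe-user` that the profile (and the role it restricts) is what you intended. The following Python script is an added example, not code from the AWS page; it wraps the same `register-user`, `update-user` and `describe-user` commands through the AWS CLI, which it assumes is installed and configured with credentials that carry the QuickSight user-management permissions. The account ID, namespace and user names are the page's placeholders, and the `describe-user` JSON used for the offline check is a constructed sample that follows the shape of the real response.

```python
"""Attach, remove and verify a QuickSight custom permissions profile via the AWS CLI.

Added example (not from the AWS page). Assumes the AWS CLI is installed and
configured; the account ID and names below are the page's placeholders.
"""
import json
import subprocess

ACCOUNT_ID = "111122223333"   # placeholder from the page
NAMESPACE = "default"

# Constructed sample of a describe-user response (same shape as the real one).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Status": 200,
    "User": {
        "UserName": "JorjeSouza",
        "Email": "JorjeSouza@example.com",
        "Role": "AUTHOR",
        "IdentityType": "IAM",
        "Active": True,
        "CustomPermissionsName": "custom-permissions-profile-name",
    },
})


def register_user_cmd(iam_arn, email, role, profile):
    """argv for registering a new IAM-federated user with a custom permissions profile."""
    return [
        "aws", "quicksight", "register-user",
        "--identity-type", "IAM",
        "--iam-arn", iam_arn,
        "--user-role", role,
        "--custom-permissions-name", profile,
        "--email", email,
        "--aws-account-id", ACCOUNT_ID,
        "--namespace", NAMESPACE,
    ]


def update_user_cmd(user_name, email, role, profile=None):
    """argv for attaching a profile (profile given) or removing it (profile None)."""
    cmd = [
        "aws", "quicksight", "update-user",
        "--user-name", user_name,
        "--role", role,
        "--email", email,
        "--aws-account-id", ACCOUNT_ID,
        "--namespace", NAMESPACE,
    ]
    if profile is None:
        cmd.append("--unapply-custom-permissions")
    else:
        cmd += ["--custom-permissions-name", profile]
    return cmd


def describe_user_cmd(user_name):
    """argv for reading the user back so the change can be verified."""
    return ["aws", "quicksight", "describe-user", "--user-name", user_name,
            "--aws-account-id", ACCOUNT_ID, "--namespace", NAMESPACE]


def check_user(describe_output, expected_role, expected_profile):
    """Parse describe-user JSON and compare role and profile with what was requested.

    Returns (ok, problems). The profile only restricts within the role, so a role
    that is not the one you asked for is reported as well as a missing or wrong
    profile. Pass expected_profile=None after --unapply-custom-permissions.
    """
    user = json.loads(describe_output).get("User", {})
    problems = []
    if user.get("Role") != expected_role:
        problems.append(f"role is {user.get('Role')!r}, expected {expected_role!r}")
    actual = user.get("CustomPermissionsName")
    if actual != expected_profile:
        problems.append(f"custom permissions profile is {actual!r}, "
                        f"expected {expected_profile!r}")
    return (not problems, problems)


def run(cmd):
    """Run an AWS CLI command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Offline demonstration of the verification step on the constructed sample.
    print(check_user(SAMPLE_DESCRIBE_OUTPUT, "AUTHOR", "custom-permissions-profile-name"))
    # Live use (requires the AWS CLI and credentials): attach the profile, then verify it.
    # run(update_user_cmd("JorjeSouza", "JorjeSouza@example.com", "AUTHOR",
    #                     "custom-permissions-profile-name"))
    # ok, problems = check_user(run(describe_user_cmd("JorjeSouza")), "AUTHOR",
    #                           "custom-permissions-profile-name")
    # print("profile applied" if ok else "; ".join(problems))
```

The check deliberately compares the role as well as the profile name: because a profile can only deny operations within the user's cohort, a user who ends up in a higher role than intended keeps more access than the profile name alone suggests.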