Managing user accounts in Amazon QuickSight Enterprise edition - Amazon QuickSight

Managing user accounts in Amazon QuickSight Enterprise edition

 Applies to: Enterprise Edition 
   Intended audience: System administrators and Amazon QuickSight administrators 

AWS administrators can use this topic to learn more about managing user accounts in Amazon QuickSight Enterprise edition. For information about managing user accounts in Amazon QuickSight Standard edition, see Managing user access inside Amazon QuickSight.

In Enterprise edition, you can manage users through any of the following:

  • Microsoft Active Directory. You can add and remove Active Directory directory groups to create and deactivate user accounts. You can access the directory groups directly or by using the AD Connector.

  • Federated logins.

  • Inviting users by email.

To manage users in these ways, you must have both administrative privileges in Amazon QuickSight and also appropriate AWS permissions. For more information on the necessary AWS permissions, see IAM policy examples for Amazon QuickSight. If you are using directory groups, you need to be a network administrator.

Each Amazon QuickSight Enterprise edition account can have an unlimited number of user accounts. User names that contain a semicolon ( ; ) aren't supported.

Use the following procedures to add, view, and deactivate Amazon QuickSight Enterprise edition user accounts.


You can't remap Amazon QuickSight users or groups from one identity store to another. For example, if you are migrating from an on-premises Active Directory to AWS Directory Service, or the other way around, you unsubscribe and resubscribe to Amazon QuickSight. You do this because even if the user's aliases remain the same, the underlying identity data changes. To make the transition easier, request in advance that your users document all their Amazon QuickSight assets and settings before the migration.

Adding user accounts

Whether you are using federated logins or inviting users by email or using Microsoft Active Directory, an Amazon QuickSight administrator can directly add users to Amazon QuickSight. If you are using Active Directory, you can also manage users through groups. You can create multiple user accounts at once by choosing one or more Active Directory groups to integrate with Amazon QuickSight. All users in the selected groups are authorized to sign in to Amazon QuickSight. You can also add user accounts individually by adding those users to Active Directory groups that are already integrated with Amazon QuickSight.

To see what groups are integrated with your Amazon QuickSight account, use the procedure in Viewing user account details. For more information about adding a user to an Active Directory directory group, see Add users and groups (Simple AD and Microsoft Active Directory). Or you can read more about how to connect to a directory using AD Connector.

Users who are invited by email are notified how to sign in. Other users aren't automatically notified of their access to Amazon QuickSight. You or your assigned Amazon QuickSight administrator must provide users with your Amazon QuickSight account name, the sign-in URL (, and instructions to sign in.


Although you can manage users through Active Directory groups or as AWS Identity and Access Management (IAM) users, you don't have to do it this way. You can instead choose to invite Amazon QuickSight–only users by email. Choose the Manage Users feature of the Manage QuickSight page, and enter an email address to invite someone to join your Amazon QuickSight account. Each user gets an email containing a link to Amazon QuickSight. Using the invitation link, the user can then set up a user name and password in Amazon QuickSight. Users can also request access through self-provisioning. For more information on requesting access, see Provisioning users for Amazon QuickSight.

Amazon QuickSight subscriptions based on Active Directory can only have users provisioned in Active Directory.

Viewing user account details

Use the following procedure to view the users or groups that are integrated with Amazon QuickSight.

  1. Choose Manage Users to view details about people who are QuickSight users. The information that displays includes:

    • Username – The person's user name.

    • Email – The email associated with this user name.

    • Role – The security cohort that the person's user name belongs to: ADMIN, AUTHOR, or READER.

    • Last active – The last date and time that this person accessed the QuickSight console. Anyone who isn't an active user has a Last active status of User has no activity.

    You can also see deleted or inactive users in this screen.

  2. To find a user name, enter a part or all of a user's name or email the search box. Search is case-insensitive and wildcards aren't supported. To clear the search results and view all user names, delete your search entry.

  3. (Optional) If you are using Microsoft Active Directory and you have the correct administrative permissions, you can view the directory groups integrated with Amazon QuickSight.

    Choose Manage groups.

  4. (Optional) If you are managing groups, then enter your AWS or IAM credentials on the AWS sign-in page that appears.

Deactivating Active Directory user accounts

Deactivating a group or user account removes that group or user's access to Amazon QuickSight resources, like analyses or data sets. However, it doesn't delete resources they own and it doesn't release their SPICE capacity. After deactivating a user, you can delete the user from your Amazon QuickSight account. When you delete a user, Amazon QuickSight gives you the option to either delete the user's resources or transfer their resources to another user.

To deactivate a user account individually, remove that user from all Microsoft Active Directory directory groups that are integrated with Amazon QuickSight. To view the groups integrated with your Amazon QuickSight account, use the procedure in Viewing user account details.

If you later need to reactivate a user account, put the user into a group with access to Amazon QuickSight. Doing this restores their access to Amazon QuickSight and to any existing resources that are still associated with that user account.


You can't upgrade or downgrade a user by transferring them between groups. For more information, see Updating Enterprise user accounts.

You can activate or deactivate multiple user accounts at once by adding or removing one or more Active Directory directory groups from integration with Amazon QuickSight.


Removing all groups and users doesn't remove any resources and doesn't cancel your subscription to Amazon QuickSight.

Use the following procedure to remove an Active Directory directory group from Amazon QuickSight.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users.

  3. Choose Manage groups.

  4. On the AWS sign-in page, enter your AWS or IAM credentials.

  5. Locate the group that you want to remove under either the Administrator groups or the User groups section, and then choose the x-shaped delete icon.

  6. In the Manage users screen, you can view each deactivated user in the Deleted user section. This is located beneath the Active users this month section.

    To transfer the user's resources, click on the Action "x" button beside that user's name. You are prompted to decide what to do with resources owned solely by that user.

    Choose one of the following:

    • Transfer ownership of all orphaned resources to a different user in this account.

    • Delete all orphaned resources. (This frees the user's SPICE capacity.)


      You can't undo this action.

    Whichever action you choose applies to all resources owned solely by that user. If you transfer the user's resources, Amazon QuickSight reassigns them to the user you choose. It doesn't make unnecessary duplicates of those resources.

Updating Enterprise user accounts

You can upgrade or downgrade between author and admin users in the Manage users tab of the Manage QuickSight screen. If you are using directory groups, you can instead move a user into the appropriate group. To do this, you need both administrative privileges in Amazon QuickSight and also appropriate AWS permissions. Some limitations apply on upgrading or downgrading user access in this automated way.

To downgrade authors to readers, you delete the users and then recreate them as readers. After you choose to remove a user, you are prompted to transfer or delete their assets. If you are using directory groups, also move that user into the appropriate group. Just moving them into another group doesn't change their access the way it does for transfers between admin and author.

You can change a user's name by first creating a new user and then deleting the original user. By using this approach, you can transfer their assets directly back to them. If you are using a directory service, you can temporarily transfer their assets to a different user. Then, make your changes in Active Directory. The next time the user signs in to Amazon QuickSight, they are asked to create a new account. After they create the new account, the user possessing their assets can transfer all assets back to them.

When you make changes to users or groups in Amazon QuickSight, it can take up to five minutes for the change to take effect. Examples of such changes are the following:

  • Deleting a user

  • Changing a user from an admin to an author

  • Adding or removing group members

The five-minute time period allows changes to propagate throughout the system.

Deleting Enterprise user accounts

Deleting a user account works the same way in both the Standard and Enterprise editions of Amazon QuickSight. User accounts can be deleted by an Amazon QuickSight administrator. To delete a user account, use the procedure in Deleting a user account.