Managing User Access Inside Amazon QuickSight

Intended audience: System administrators and Amazon QuickSight administrators

Amazon QuickSight administrators can use the following topics to manage user access to Amazon QuickSight and Amazon QuickSight access to AWS resources.

Inviting Users to Access Amazon QuickSight

Applies to: Enterprise Edition and Standard Edition
Intended audience: Amazon QuickSight administrators

In Standard edition, and in Enterprise edition using SSO, you can invite any person with a valid email address to use Amazon QuickSight. When they sign up, a new Amazon QuickSight-only user account is created for them. You can also invite IAM users in your AWS account to use Amazon QuickSight. In this case, they can use their IAM credentials to sign in to Amazon QuickSight. Any IAM user you invite must have a password associated with their IAM credentials, and you must also have an email address for them.

User accounts are created in two steps. First, you invite a user to join Amazon QuickSight. Doing this creates an inactive user account in Amazon QuickSight, and sends an invitation email to the user. When the user accepts the invitation and signs in for the first time, the user creates a password to activate the user account.

For information about signing in for the first time, see Signing In to Amazon QuickSight.

Use the following procedure to invite a user to access Amazon QuickSight.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users. On this screen, you can manage users who already exist in your account.

  3. Choose Invite users.

  4. In the Invite users to this account screen, enter a new user name for a person to whom you want to grant access to Amazon QuickSight. If the user is an IAM user, enter their IAM user name. Then press +. A user's IAM user name can be the same as their email address.

    Repeat this step until you have entered everyone who you want to invite. Then go to the next step to enter details.

  5. For Email, enter an email address for the user account.

    Note

    Currently, email addresses are case-sensitive.

  6. For Role, choose the role to assign to each person you're inviting. A role determines the permission level to grant to that user account.

    • Choose ADMIN if you want the user to be able to use Amazon QuickSight both for authoring and for performing administrative tasks like managing users or purchasing SPICE capacity.

      There are some differences in the administrative tasks that IAM admin users and Amazon QuickSight admin users can perform. These differences occur because some administrative tasks require permissions in AWS, which Amazon QuickSight–only users lack. The differences are these:

      • Admin users can manage users, SPICE capacity, and subscriptions.

      • Admin users who are also IAM admin users can also manage users, SPICE capacity, and subscriptions. In addition, they can manage Amazon QuickSight permissions to AWS resources, upgrade to Enterprise edition, and unsubscribe from Amazon QuickSight.

      If you want to create an admin user with IAM admin access, check with your AWS administrator. Make sure that the IAM user has all the necessary statements in their IAM permissions policy to work with Amazon QuickSight resources. For more information about what statements are required, see IAM Policy Examples for Amazon QuickSight.

    • To set the user to be able to author analyses and dashboards in Amazon QuickSight but not perform any administrative tasks, choose AUTHOR.

    • In Enterprise edition, you can set users to be able to interact with shared dashboards, but not author analyses or dashboards or perform any administrative tasks. To do this, choose READER.

  7. For IAM User, verify that it says Yes for accounts that are associated with IAM users, and No for those that are Amazon QuickSight-only.

  8. (Optional) To delete a user, choose the delete icon at the end of the relevant row.

  9. Choose Invite.

Resend an Invitation to a User

The sign-up URL in the invitation email expires after 7 days. To resend an invitation to someone, use the following procedure.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users.

  3. Find the entry for the person you want to re-invite, and choose Resend invitation for that user.

  4. Choose Confirm.

Viewing Amazon QuickSight User Account Details

Intended audience: Amazon QuickSight administrators

You can view Amazon QuickSight user accounts on the Manage Users page. To view a user account, use the following procedure.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users to view details about people who are QuickSight users. The information that displays includes:

    • Username – The person's user name.

    • Email – The email associated with this user name.

    • Role – The security cohort that the person's user name belongs to: ADMIN, AUTHOR, or READER.

    • Last active – The last date and time that this person accessed the QuickSight console. Anyone who isn't an active user has a Last active status of User has no activity.

    You can also see deleted or inactive users in this screen.

  3. To find a user name, enter part or all of a user's name or email in the search box. Search is case-insensitive and wildcards aren't supported. To clear the search results and view all user names, delete your search entry.
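
The same details can be reviewed in bulk from the output of the AWS CLI command aws quicksight list-users. The following Python sketch is an added example, not part of the original documentation: it sorts users into review buckets based on the roles, IAM versus Amazon QuickSight-only identities, inactive invited accounts, and case-sensitive email addresses described on this page. The sample data and the bucket names are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape printed by `aws quicksight list-users`.
SAMPLE = json.loads("""
{"UserList": [
 {"UserName": "pat",  "Email": "pat@example.com", "Role": "ADMIN",
  "IdentityType": "IAM", "Active": true},
 {"UserName": "lee",  "Email": "lee@example.com", "Role": "ADMIN",
  "IdentityType": "QUICKSIGHT", "Active": true},
 {"UserName": "sam",  "Email": "sam@example.com", "Role": "AUTHOR",
  "IdentityType": "QUICKSIGHT", "Active": false},
 {"UserName": "sam2", "Email": "Sam@example.com", "Role": "READER",
  "IdentityType": "QUICKSIGHT", "Active": true}
]}
""")


def review_users(response):
    """Group users into review buckets; returns {bucket name: [user names]}."""
    report = defaultdict(list)
    by_folded_email = defaultdict(set)
    for user in response.get("UserList", []):
        name = user.get("UserName", "<no user name>")
        if user.get("Role") == "ADMIN":
            # IAM-backed admins can also manage QuickSight permissions to AWS resources.
            is_iam = user.get("IdentityType") == "IAM"
            report["iam_admins" if is_iam else "quicksight_only_admins"].append(name)
        if not user.get("Active", False):
            # Invited but never signed in: the account exists but is inactive.
            report["never_activated"].append(name)
        email = user.get("Email")
        if email:
            by_folded_email[email.lower()].add((email, name))
    for entries in by_folded_email.values():
        # Email addresses are case-sensitive, so case variants are separate values.
        if len({email for email, _ in entries}) > 1:
            report["email_case_variants"].extend(sorted(n for _, n in entries))
    return dict(report)


if __name__ == "__main__":
    for bucket, names in sorted(review_users(SAMPLE).items()):
        print(f"{bucket}: {', '.join(names)}")
```

To run it against a real account, replace SAMPLE with the parsed JSON output of list-users for your account ID and namespace.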

Deleting a User Account

Intended audience: Amazon QuickSight administrators

User accounts can be deleted by either an AWS administrator or an Amazon QuickSight administrator. Deleting a user account works the same in both the Standard and Enterprise editions of Amazon QuickSight.

Deleting a user account removes or transfers their resources. In Enterprise edition, the network administrator can temporarily deactivate a user account by removing it from the network group that has access to Amazon QuickSight. If a user is deleted, but not deactivated, that user can still access Amazon QuickSight as a new user. For more information about deactivating an Enterprise user account, see Deactivating Active Directory User Accounts.

Use the following procedure to delete a user account.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users.

  3. Locate the user account you want to delete and then choose the delete icon at the end of that row.

  4. Choose to either delete or transfer any resources owned by the user and then choose OK.

  5. Do one of the following:

    • If you chose to transfer user resources, enter the user name of the account to transfer them to and then choose Delete and transfer resources.

    • If you chose to delete user resources, choose Delete. You can't undo this action.

Creating a Group in Amazon QuickSight

Intended audience: Amazon QuickSight administrators

You can create user groups inside Amazon QuickSight so you don't have to manage users individually. For example, you can create groups for specific dashboards so you can manage security.

Before you begin, you need to have the AWS CLI installed. For more information, see Installing the AWS CLI in the AWS CLI User Guide.

Use the following procedure to create an Amazon QuickSight user group.

  1. Open a terminal window. If you are using Microsoft Windows, open a command prompt.

  2. Enter the following command at the prompt to create a group. Substitute the correct values for your parameters.

    aws quicksight create-group --aws-account-id=111122223333 --namespace=default --group-name="Sales-Management" --description="Sales Management - Forecasting"

    You might find it easier to create the command in a text editor before entering it at the prompt. For more information on create-group, and other available commands, see the Amazon QuickSight API Reference.

  3. Verify that the group exists by using a command similar to one of the following. The following command lists all groups.

    aws quicksight list-groups --aws-account-id=111122223333 --namespace=default

    The following command describes a specific group.

    aws quicksight describe-group --aws-account-id=111122223333 --namespace=default --group-name="Sales-Management"

  4. Add a member to the new group by using a command similar to the following.

    aws quicksight create-group-membership --aws-account-id=111122223333 --namespace=default --group-name="Sales-Management" --member-name=Pat