What is Tag-Based RLS in QuickSight? How It Works

Tag-based RLS (row-level security) is used mainly for embedding dashboards in applications or web pages. It restricts user access to data by means of tags: the tags are passed as key-value pairs to the QuickSight Embed SDK, and data access in the embedded dashboard is granted according to those key-value pairs.

In contrast, user-based row-level security relies on a permission dataset to restrict data access for users; however, that restriction applies only to users who access the dashboards within the QuickSight environment.

Tag-based rules with anonymous dashboard embedding

Tag-based RLS is designed to work with anonymous dashboard embedding. It restricts data for anonymous users by means of session tags, which removes the need to register thousands of users in QuickSight just to grant them access to the data they are supposed to view.

The session tags are passed with the GenerateEmbedUrlForAnonymousUser API call so that they can be matched against the tags created for the dashboard. Once the session tags match the tags in IAM/QuickSight users, the dashboard is embedded in the application with only the data allowed for that user. An example of embed code that generates the anonymous embed URL together with the session tags is given below.


import boto3

# Initialize the QuickSight client in the region where the dashboard lives
aws_region = "YOUR_AWS_REGION"  # e.g. us-east-1
client = boto3.client('quicksight', region_name=aws_region)

# Parameters
aws_account_id = "YOUR_AWS_ACCOUNT_ID"
namespace = "default"  # Change if using a custom namespace
dashboard_id = "YOUR_DASHBOARD_ID"
# Session tags: key-value pairs derived from the logged-in user's attributes
session_tags = [
    {"Key": "region", "Value": "APAC"},
    {"Key": "department", "Value": "Sales"}
]

# Generate the anonymous embed URL
response = client.generate_embed_url_for_anonymous_user(
    AwsAccountId=aws_account_id,
    Namespace=namespace,
    SessionLifetimeInMinutes=600,  # 10-hour session
    AuthorizedResourceArns=[
        # A dashboard ARN carries the region before the account ID
        f"arn:aws:quicksight:{aws_region}:{aws_account_id}:dashboard/{dashboard_id}"
    ],
    ExperienceConfiguration={
        "Dashboard": {
            "InitialDashboardId": dashboard_id
        }
    },
    SessionTags=session_tags
)

# Output the generated URL
print(response['EmbedUrl'])

Tag-based rules row-level security: end-to-end process

Tag-based RLS is the process of assigning tags to dataset columns; these tags determine which data each user can access, so that users view only the intended data in the application.

It provides a major benefit when managing users outside the QuickSight environment. Users who access the dashboard through the application are not required to register with QuickSight. The tags control what is displayed in the application they log into to view the dashboard.

Figure: Tag-based rule RLS QuickSight process

User Login
  • The user logs into the web application.
  • The application retrieves the user’s details (e.g., email, role, region) from the database.
Application Database
  • Contains user attributes (e.g., Office = ILLINOIS, Role = Manager).
  • These attributes are used to generate session tags.
Session Tags Generation
  • The application creates session tags based on user attributes.
  • Example: Key = Office, Value = ILLINOIS.
Embed API Request
  • The application sends a request to QuickSight’s Anonymous Embed API.
  • The request includes session tags.
IAM/QuickSight User Tags
  • QuickSight matches the session tags with IAM/QuickSight user tags.
  • Example: IAM user has Key = Office, Value = ILLINOIS.
Manage Tags in QuickSight Dataset
  • The dataset has tag-based rules configured.
  • Example: Column = office_name, Tag Key = Office.
  • The tag key from IAM/QuickSight is matched here.

The following are the key parameters for managing tags in tag-based RLS in a QuickSight dataset.

Figure: Manage tags in tag-based rules RLS

  • The Column (e.g., office_name)
  • The Tag Key (e.g., Office)
  • Delimiter (optional; for example a comma, used when a single session tag carries multiple values)
  • Match All (which controls whether all tags must match or just one)
Data Filtering in QuickSight
  • QuickSight applies row-level security (RLS) based on matched tags.
  • Only data for the user’s assigned region is shown.
Embedded Dashboard Display
  • The filtered data is displayed in the embedded QuickSight dashboard.
  • Users see only the data relevant to their assigned session tags.
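The end-to-end flow above, modelled in Python as an added example (not code from the original post or from QuickSight itself): session tags are derived from the authenticated user's server-side record, and a small simulator shows which rows the dataset's Column / Tag Key / Delimiter / Match All settings would expose for those tags. TagRule, USER_DB, ROWS and the match_all flag are constructed assumptions for illustration; the real filtering happens inside QuickSight.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TagRule:
    """One 'Manage tags' entry on the dataset (hypothetical local model)."""
    column: str           # dataset column, e.g. office_name
    tag_key: str          # session tag key, e.g. Office
    delimiter: str = ","  # splits a multi-value session tag

RULES = [TagRule("office_name", "Office"), TagRule("dept", "Department")]

# Constructed application database: the attributes of the logged-in user
# are read from this server-side record, never from request parameters.
USER_DB = {
    "alice@example.com": {"Office": "ILLINOIS", "Department": "Sales"},
    "bob@example.com": {"Office": "ILLINOIS,TEXAS", "Department": "Sales"},
    "carol@example.com": {"Office": "TEXAS"},  # no Department attribute
}

# Constructed sample dataset rows.
ROWS = [
    {"office_name": "ILLINOIS", "dept": "Sales", "amount": 10},
    {"office_name": "TEXAS", "dept": "Sales", "amount": 20},
    {"office_name": "ILLINOIS", "dept": "Finance", "amount": 30},
]

def session_tags_for(email, rules=RULES):
    """Build the SessionTags list for GenerateEmbedUrlForAnonymousUser,
    one tag per configured rule key, from the stored user record."""
    user = USER_DB.get(email)
    if user is None:
        raise PermissionError("unknown user: no embed URL is issued")
    missing = [r.tag_key for r in rules if r.tag_key not in user]
    if missing:  # an absent attribute must not silently widen access
        raise PermissionError(f"user lacks attributes {missing}")
    return [{"Key": r.tag_key, "Value": user[r.tag_key]} for r in rules]

def filter_rows(rows, session_tags, rules=RULES, match_all=True):
    """Simulate the dataset filter: a row satisfies a rule when its column
    value is one of the delimited session tag values for that tag key;
    match_all decides whether every rule or just one must be satisfied."""
    values = {t["Key"]: t["Value"] for t in session_tags}
    def rule_ok(row, rule):
        raw = values.get(rule.tag_key, "")
        allowed = [v.strip() for v in raw.split(rule.delimiter)]
        return row.get(rule.column) in allowed
    combine = all if match_all else any
    return [r for r in rows if combine(rule_ok(r, rule) for rule in rules)]
```

Passing an empty tag list yields no rows, which is the safe default to verify in any application that issues embed URLs.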
