QuickSight row-level security allows you to restrict data access for specific users and groups. A permission dataset is created, containing the rules for users or groups, along with a mapping column that defines the data they are allowed to access in the main dataset.
There are two types of rules that can be configured in QuickSight row-level security: User-based rules and Tag-based rules. Here, in this article, we dive into user-based rules row-level security in detail.
User-based rules Row-Level Security
In User-based rules Row-Level Security, the rules or permissions dataset can be created in two ways: one is by uploading a file (e.g., CSV, XLSX, JSON, TSV), and the other is by creating it through a query.
Field names and the values used in the permissions dataset are case-sensitive and must match exactly as they appear in the target dataset to restrict data for the respective usernames and group names.
Moreover, the permissions dataset must have at least one column that identifies either the username or the group name. Both username and group name can be used simultaneously in a permissions dataset, but at least one of them is mandatory to set rules for the target dataset.
Username permission dataset format:
| UserName | Region | Segment |
|---|---|---|
| lal | US-East | Consumer |
| lal | US-West | Business |
| john | US-East | Consumer |
Groupname permission dataset format:
| GroupName | Region | Segment |
|---|---|---|
| lalgroup | US-East | Consumer |
| prasanthgroup | US-West | Business |
| nawingroup | NULL | Consumer |
| santhgroup | US-East | NULL |
| dhivygroup | NULL | NULL |
The following explanation describes how users in the groups will have restricted access to the data in the dashboard.
- lalgroup → Can only access data where
Region = 'US-East'andSegment = 'Consumer'. - prasanthgroup → Can only access data where
Region = 'US-West'andSegment = 'Business'. - nawingroup → Can access all regions (
NULLin Region) but onlyConsumersegment. - santhgroup → Can access all segments (
NULLin Segment) but onlyRegion = 'US-East'. - dhivygroup →
NULLin both columns means full access (no restriction).
UserARN permission dataset
The main purpose of using UserARN or GroupARN is that each user and group has a unique ARN, which is assigned when they are first created. If there are users with the same username or groups with the same group name across multiple AWS accounts or namespaces, their ARNs will still be unique and different.
| UserARN | Region | Segment |
|---|---|---|
| arn:aws:quicksight:us-east-1:123456789012:user/default/lal | US-East | Consumer |
| arn:aws:quicksight:us-east-1:123456789012:user/default/prasanth | US-West | Business |
| arn:aws:quicksight:us-east-1:123456789012:user/default/nawin | NULL | Consumer |
| arn:aws:quicksight:us-east-1:123456789012:user/default/santh | US-East | NULL |
| arn:aws:quicksight:us-east-1:123456789012:user/default/dhivy | NULL | NULL |
SQL query as Permission dataset
Permission datasets can also be built using an SQL query. The following query uses UNION ALL since we do not need to remove duplicates and simply merge all records as they are.
SELECT 'lal' AS UserName, 'US-East' AS Region, 'Consumer' AS Segment UNION ALL SELECT 'lal', 'US-West', 'Business' UNION ALL SELECT 'john', 'US-East', 'Consumer' UNION ALL SELECT 'sales-team', 'US-West', 'Marketing';
The following table is the result of the above query.
| UserName | Region | Segment |
|---|---|---|
| lal | US-East | Consumer |
| lal | US-West | Business |
| john | US-East | Consumer |
| sales-team | US-West | Marketing |
The following explanation describes how users in the groups will have restricted access to the data in the dashboard.
lalcan access both US-East (Consumer) and US-West (Business) data.johncan access only US-East (Consumer) data.sales-teamcan access only US-West (Marketing) data.