Users & Groups

Exercise 1 - Create a new user
The register-user command creates new users in QuickSight.

  1. In Cloud9, execute the following register-user command from the terminal to create a READER. An identity type of QUICKSIGHT means that the user is fully managed within QuickSight. register-user can also create QuickSight users mapped to federated identities and IAM users. Replace YOUR_EMAIL_ADDRESS with the email address for this user.
aws quicksight register-user --aws-account-id $AAI --namespace default --identity-type QUICKSIGHT --user-role READER --email YOUR_EMAIL_ADDRESS --user-name Default-Reader1 --region $IR
  2. Copy the UserInvitationUrl from the output of the above command and open it in a private browser window.
  3. Enter and confirm QS-DemoPass as the password. If you are running this on your own account, be sure to set a password of your choice.
  4. Click the Continue button.
  5. Enter Default-Reader1 as the username and the password you set, then click the Sign in button. We don’t need to have the namespace as part of the user name. It is already part of the user/group ARN. We are doing it here just to make it easier to understand in a lab setting.
  6. Note that Default-Reader1 doesn’t have access to any dashboards currently. Don’t close the browser. We will come back to this in a later step.

Exercise 2 - Create a new group
QuickSight groups can be used to share objects and folders, and also to specify row-level security (RLS) and column-level security (CLS) rules.

  1. In Cloud9, execute the following create-group command to create a QuickSight group.
aws quicksight create-group --aws-account-id $AAI --namespace default --group-name Default-ReaderGroup --region $IR
  2. Optional - Execute the describe-group command to confirm that the group was created.
aws quicksight describe-group --aws-account-id $AAI --namespace default --group-name Default-ReaderGroup --region $IR
  3. Optional - Execute the list-groups command to list all groups in a namespace.
aws quicksight list-groups --aws-account-id $AAI --namespace default --region $IR

Exercise 3 - Share a dashboard with ReaderGroup

  1. From the admin user's QuickSight Dashboards view, click QSTCF-Dashboard.
  2. Click Share and select Share dashboard.
  3. Search for Default. You will see both the user Default-Reader1 and the group Default-ReaderGroup in the match list.
  4. Select Default-ReaderGroup and click the Share button.

Exercise 4 - Add Default-Reader1 to Default-ReaderGroup
We are purposefully doing this after sharing the dashboard with the group. This makes it clear that authorization is based on group membership at the time the dashboard is accessed (in the next step).

  1. In Cloud9, execute the following create-group-membership command to add Default-Reader1 to Default-ReaderGroup.
aws quicksight create-group-membership --aws-account-id $AAI --namespace default --group-name Default-ReaderGroup --member-name Default-Reader1 --region $IR
  2. Optional - Execute list-group-memberships to list the members of Default-ReaderGroup.
aws quicksight list-group-memberships --aws-account-id $AAI --namespace default --group-name Default-ReaderGroup --region $IR
  3. Optional - Execute list-user-groups to list the groups that Default-Reader1 is part of.
aws quicksight list-user-groups --aws-account-id $AAI --namespace default --user-name Default-Reader1 --region $IR

Exercise 5 - Check Default-Reader1’s Dashboard view

  1. Switch to the private window where you launched QuickSight as Default-Reader1 earlier.
  2. Refresh the browser; QSTCF-Dashboard should now appear in the Dashboard view.
  3. Click QSTCF-Dashboard and watch it load for Default-Reader1.
  4. Click Default-Reader1 at the top right of the screen and select Sign out from the drop-down.
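
The access change that Exercises 3 to 5 walk through, as an added example that is not part of the original workshop: a POSIX shell function that works out how a user reaches a dashboard from the dashboard's principal ARNs and the user's group list. The account ID, region, Example-Admin user, tenant2 namespace and DASHBOARD_ID_PLACEHOLDER are constructed, the helper name access_path is hypothetical, and only principals set on the dashboard itself are considered.

```sh
#!/bin/sh
# Added example, not workshop code. Live inputs would come from (not run here):
#   aws quicksight describe-dashboard-permissions --aws-account-id $AAI \
#     --dashboard-id DASHBOARD_ID_PLACEHOLDER --region $IR \
#     --query 'Permissions[].Principal' --output text | tr '\t' '\n'
#   aws quicksight list-user-groups --aws-account-id $AAI --namespace default \
#     --user-name Default-Reader1 --region $IR \
#     --query 'GroupList[].GroupName' --output text | tr '\t' '\n'

# Constructed sample: principals the dashboard is shared with after Exercise 3.
PRINCIPALS='arn:aws:quicksight:us-east-1:111122223333:user/default/Example-Admin
arn:aws:quicksight:us-east-1:111122223333:group/default/Default-ReaderGroup'

# access_path NAMESPACE USER PRINCIPAL_ARNS USER_GROUPS (hypothetical helper)
# Prints one line per grant path ("direct" or "group:<name>"), or "none".
access_path() (
  ns=$1 user=$2 principals=$3 user_groups=$4 found=0
  while IFS= read -r arn; do
    [ -n "$arn" ] || continue
    # Strip "arn:aws:quicksight:<region>:<account>:" to get <kind>/<ns>/<name>.
    res=${arn#arn:aws:quicksight:*:*:}
    kind=${res%%/*}; res=${res#*/}
    p_ns=${res%%/*}; name=${res#*/}   # name may itself contain "/"
    # The namespace is part of the ARN: the same name elsewhere is another principal.
    [ "$p_ns" = "$ns" ] || continue
    case $kind in
      user)
        if [ "$name" = "$user" ]; then echo direct; found=1; fi ;;
      group)
        if printf '%s\n' "$user_groups" | grep -Fxq -- "$name"; then
          echo "group:$name"; found=1
        fi ;;
    esac
  done <<EOF
$principals
EOF
  [ "$found" -eq 1 ] || echo none
)

access_path default Default-Reader1 "$PRINCIPALS" ""                     # before Exercise 4: none
access_path default Default-Reader1 "$PRINCIPALS" "Default-ReaderGroup"  # after: group:Default-ReaderGroup
access_path tenant2 Default-Reader1 "$PRINCIPALS" "Default-ReaderGroup"  # other namespace: none
```

Running the same check against live output before removing a user from a group shows which dashboards that membership alone is granting.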