QuickSight users and groups are contained in namespaces to allow a multitenant setup on the same account.
Users with the ability to share content (Authors/Admins) will only be able to see other users and groups within their own namespace.
All other assets (data sources, datasets, themes, templates, analyses, dashboards, etc.) live in the common space of the account and hence can be shared with users/groups in any namespace by an admin via the API.
(RLS/CLS can be applied to such shared assets as well. We are not getting into RLS/CLS here as it is covered in the Author workshop.)
Federated users, IAM users and QuickSight managed users can all be created in secondary namespaces.
However, only federated and IAM users in a secondary namespace will be able to access the QuickSight console directly.
You can use QuickSight managed users with secondary namespaces if your use case requires only embedded access. Both dashboard and session/author embedding are possible with QuickSight managed users in secondary namespaces.
Exercise 1 - Create a new namespace
In Cloud9, execute the create-namespace command to create a new namespace called Customer1. Creating a new namespace can take 20-30 seconds, so we will check its status after we finish the next exercise.
Click Users from left panel followed by Add user button from main panel.
Enter User name as Customer1-Author1. We don’t need to have the customer/namespace as part of the user name; it is already part of the user/group ARN. We are doing it here just to make it easier to understand in a lab setting.
Click + add another user option
Enter Customer1-Reader1 as next user name.
Under Select AWS access type, select AWS Management console access.
Choose Custom password option and enter QS-DemoPass as the password. If you are doing this on your own account, be sure to set a different password.
Deselect Require password reset.
Click Next: Permissions button.
Exercise 2b - Create two new users in IAM
Under Add user - Set permissions, click Attach existing policies directly.
Click Next: Tags button. Not selecting any policy from the list is intentional; we don’t want to give these users any rights from IAM.
Click Next: Review button.
Ignore the warning and click Create users button.
Exercise 3 - Check status of new namespace
In Cloud9, execute the describe-namespace command to check the status of the Customer1 namespace.
Cross-check the output of the above command to make sure that CreationStatus has the value CREATED.
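The two CLI steps above (create-namespace in Exercise 1 and the describe-namespace check in Exercise 3) put together as one script. This is an added example, not the workshop's own code; it assumes the AWS CLI in Cloud9 is configured with rights to call quicksight:CreateNamespace and quicksight:DescribeNamespace, and it only reaches out to AWS when invoked with --run, so the helper functions can be read and exercised offline.

```shell
#!/bin/sh
# Added example: create the Customer1 namespace, then poll describe-namespace until
# CreationStatus is CREATED instead of eyeballing the JSON output.
set -eu

NAMESPACE="${NAMESPACE:-Customer1}"     # name used in the exercise
POLL_INTERVAL="${POLL_INTERVAL:-5}"     # seconds between describe-namespace calls
MAX_POLLS="${MAX_POLLS:-12}"            # 12 x 5s = 60s, comfortably over the stated 20-30s

# Resolve the account id lazily so the helpers below stay usable without credentials.
account_id() {
  aws sts get-caller-identity --query Account --output text
}

# QUICKSIGHT is the only identity store create-namespace accepts.
create_namespace() {
  aws quicksight create-namespace \
    --aws-account-id "$1" \
    --namespace "$2" \
    --identity-store QUICKSIGHT
}

# Return just the CreationStatus string for the namespace.
namespace_status() {
  aws quicksight describe-namespace \
    --aws-account-id "$1" \
    --namespace "$2" \
    --query 'Namespace.CreationStatus' \
    --output text
}

# Map a NamespaceStatus value to what the poller should do.
# CREATED -> ready, CREATING -> wait; DELETING, RETRYABLE_FAILURE and
# NON_RETRYABLE_FAILURE -> failed (the API's remaining NamespaceStatus values).
classify_status() {
  case "$1" in
    CREATED)  echo ready ;;
    CREATING) echo wait ;;
    *)        echo failed ;;
  esac
}

wait_for_namespace() {
  polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    status="$(namespace_status "$1" "$2")"
    case "$(classify_status "$status")" in
      ready)  echo "namespace $2 is $status"; return 0 ;;
      failed) echo "namespace $2 ended in $status; check NamespaceError in describe-namespace" >&2; return 1 ;;
    esac
    polls=$((polls + 1))
    sleep "$POLL_INTERVAL"
  done
  echo "namespace $2 still not CREATED after $((MAX_POLLS * POLL_INTERVAL))s" >&2
  return 1
}

main() {
  acct="$(account_id)"
  create_namespace "$acct" "$NAMESPACE"
  wait_for_namespace "$acct" "$NAMESPACE"
}

# Only touch AWS when asked explicitly:  sh namespace.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The failure branch matters in practice: a namespace stuck in RETRYABLE_FAILURE or NON_RETRYABLE_FAILURE never becomes CREATED, so a loop that only waits for CREATED would run until its timeout without telling you why.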
Exercise 4 - Register the IAM users in QuickSight
Auto registration on launching QuickSight from the AWS console will always register users into the primary workspace
(i.e. the workspace named default, or any that you might have updated to be the primary workspace via the update-account-settings API).
For this to happen, the user should at minimum have the quicksight:CreateReader, quicksight:CreateUser or quicksight:CreateAdmin permission. In our case, since we are going to explicitly register the user into QuickSight via the register-user command, the above permissions are not needed.
Note - Per QuickSight licensing terms, each and every named user has to be uniquely identified within QuickSight.
Using shared users is not allowed and will result in sessions being throttled.
Execute the register-user command to register Customer1-Author1 as an Author in Customer1’s namespace.
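The register-user step as a script, followed by a describe-user read-back so you can see the namespace-qualified ARN the user receives. This is an added example, not the workshop's own code; it assumes an admin CLI profile in Cloud9, and the e-mail address is a placeholder you must replace (register-user requires one).

```shell
#!/bin/sh
# Added example: register the IAM user Customer1-Author1 as an AUTHOR in the Customer1
# namespace and confirm the registration with describe-user.
set -eu

NAMESPACE="${NAMESPACE:-Customer1}"
IAM_USER="${IAM_USER:-Customer1-Author1}"
USER_EMAIL="${USER_EMAIL:-author1@example.com}"   # placeholder, not from the workshop

account_id() {
  aws sts get-caller-identity --query Account --output text
}

# IAM user ARNs carry no region: arn:aws:iam::<account>:user/<name>
iam_user_arn() {
  printf 'arn:aws:iam::%s:user/%s\n' "$1" "$2"
}

# The exercise only uses these three roles; anything else is rejected here before the API call.
validate_user_role() {
  case "$1" in
    ADMIN|AUTHOR|READER) return 0 ;;
    *) echo "unsupported user role: $1" >&2; return 1 ;;
  esac
}

# --identity-type IAM ties the QuickSight identity to the IAM principal. For an IAM user
# the QuickSight user name becomes the IAM user name, so no --user-name is passed, and the
# IAM user needs no quicksight:* permissions of its own because an admin does the registering.
register_iam_user() {
  validate_user_role "$4"
  aws quicksight register-user \
    --aws-account-id "$1" \
    --namespace "$2" \
    --identity-type IAM \
    --iam-arn "$(iam_user_arn "$1" "$3")" \
    --user-role "$4" \
    --email "$USER_EMAIL"
}

# describe-user is namespace-scoped: the same user name in another namespace is a different user.
describe_user() {
  aws quicksight describe-user \
    --aws-account-id "$1" \
    --namespace "$2" \
    --user-name "$3" \
    --query 'User.[Arn,Role,Active]' \
    --output text
}

main() {
  acct="$(account_id)"
  register_iam_user "$acct" "$NAMESPACE" "$IAM_USER" AUTHOR
  describe_user "$acct" "$NAMESPACE" "$IAM_USER"
}

# Only touch AWS when asked explicitly:  sh register.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The ARN printed by describe-user has the form arn:aws:quicksight:<region>:<account>:user/Customer1/Customer1-Author1; the namespace sitting inside the ARN is what keeps this user invisible to the sharing dialog in the default namespace, and it is the value you will need when granting permissions through the API.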
Enter account name if prompted (QSWS-emailhandlewithout@ / QSWS-emailhandlewithout@-yyyymmdd depending on what you used during sign up); If account name is already populated, confirm it is the correct one.
Enter Username as Customer1-Author1, password as QS-DemoPass and click Sign in button.
Click X to close the welcome message and click on Dashboards from left panel.
Confirm that no dashboards are present in Customer1-Author1’s view.
Don’t close this session. We will come back to it at the end of this module.
Exercise 6 - Try to share a dashboard with Customer1-Author1
In the QuickSight (admin user) tab, open the Dashboards view and click QSTCF-Dashboard to launch it.
Click Share and choose Share dashboard.
Try searching for Customer1. We won’t get any matches. Why? Customer1-Author1 is in a separate namespace and hence is not visible to users in the default namespace.
Click X to close the share dialog and click QuickSight icon to exit the dashboard.
Exercise 7 - Share dashboard with Customer1-Author1
So, how do we share QSTCF-Dashboard with Customer1-Author1? We can do this via the update-dashboard-permissions API.
In Cloud9, execute describe-dashboard-permissions to get the current permissions applied to the dashboard. The dashboard id is the UID in the last node of the dashboard URL (as visible in your browser window when the dashboard is open). It is auto-generated when we publish a dashboard via the UI. On the other hand, when we do it via the API or CloudFormation, we have the option to specify the dashboard id; it just needs to be unique per account per region. In the CloudFormation stack we ran during the initial setup, the dashboard id is set to the same value as the dashboard name, hence QSTCF-Dashboard is used as the dashboard-id below.
Execute the update-dashboard-permissions command to grant permissions to Customer1-Author1. From the output of the describe-dashboard-permissions command above, we can see two sets of permissions: 3 actions for Default-ReaderGroup and 8 actions for the Admin user (TeamRole/MasterKey or your own admin). These are viewer and full owner rights respectively. Let’s apply full owner rights. We will use shorthand syntax and do it completely from the command line (reserving the use of CLI skeleton files for a later segment).
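The describe and update calls of Exercise 7 as one script, with the 3-action viewer set and the 8-action owner set written out so you can pick either for a principal. This is an added example, not the workshop's own code; it assumes an admin CLI profile, that the dashboard id is QSTCF-Dashboard as the stack set it, and that the QuickSight identity region is us-east-1 (the region in a QuickSight user ARN is the identity region, not necessarily the dashboard's region; describe-user shows the exact ARN).

```shell
#!/bin/sh
# Added example: show who holds which permissions on QSTCF-Dashboard, grant Customer1-Author1
# the full owner action set via update-dashboard-permissions shorthand syntax, and show the
# result. Nothing is sent to AWS unless the script is invoked with --run.
set -eu

DASHBOARD_ID="${DASHBOARD_ID:-QSTCF-Dashboard}"   # id equals name in the workshop stack
NAMESPACE="${NAMESPACE:-Customer1}"
QS_USER="${QS_USER:-Customer1-Author1}"
IDENTITY_REGION="${IDENTITY_REGION:-us-east-1}"   # assumption; confirm with describe-user

account_id() {
  aws sts get-caller-identity --query Account --output text
}

# arn:aws:quicksight:<identity-region>:<account>:user/<namespace>/<user-name>
# The namespace inside the ARN is why the share dialog in the default namespace cannot
# find this user, while the API can still address it.
quicksight_user_arn() {
  printf 'arn:aws:quicksight:%s:%s:user/%s/%s\n' "$1" "$2" "$3" "$4"
}

# The two sets describe-dashboard-permissions reports: 3 viewer actions, 8 owner actions.
dashboard_actions() {
  case "$1" in
    viewer)
      echo "quicksight:DescribeDashboard,quicksight:ListDashboardVersions,quicksight:QueryDashboard" ;;
    owner)
      echo "quicksight:DescribeDashboard,quicksight:ListDashboardVersions,quicksight:UpdateDashboardPermissions,quicksight:QueryDashboard,quicksight:UpdateDashboard,quicksight:DeleteDashboard,quicksight:DescribeDashboardPermissions,quicksight:UpdateDashboardPublishedVersion" ;;
    *) echo "unknown permission set: $1" >&2; return 1 ;;
  esac
}

# Count the actions in a comma-separated list; handy for checking before/after.
count_actions() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -c 'quicksight:'
}

# One line per principal: its ARN and how many actions it holds (3 = viewer, 8 = owner).
describe_permissions() {
  aws quicksight describe-dashboard-permissions \
    --aws-account-id "$1" --dashboard-id "$2" \
    --query 'Permissions[].[Principal,length(Actions)]' --output text
}

# Shorthand form: Principal=<arn>,Actions=<a>,<b>,...  (no skeleton file needed).
grant_permissions() {
  aws quicksight update-dashboard-permissions \
    --aws-account-id "$1" --dashboard-id "$2" \
    --grant-permissions "Principal=$3,Actions=$(dashboard_actions "$4")"
}

main() {
  acct="$(account_id)"
  echo "before:"; describe_permissions "$acct" "$DASHBOARD_ID"
  principal="$(quicksight_user_arn "$IDENTITY_REGION" "$acct" "$NAMESPACE" "$QS_USER")"
  grant_permissions "$acct" "$DASHBOARD_ID" "$principal" owner >/dev/null
  echo "after:"; describe_permissions "$acct" "$DASHBOARD_ID"
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Passing viewer instead of owner to grant_permissions gives a reader-style grant (the same 3 actions Default-ReaderGroup holds); owner includes UpdateDashboardPermissions, so a principal granted it can in turn share the dashboard onward, which is worth knowing before handing it to a tenant author.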