Multitenancy

This module depends on the Users & Groups module.

QuickSight users and groups are contained in namespaces to allow for a multitenant setup on the same account. Users with the ability to share content (Authors/Admins) can only see other users and groups within their own namespace.
All other assets (data sources, datasets, themes, templates, analyses, dashboards, etc.) live in the common space of the account and hence can be shared by an admin via the API with users/groups in any namespace.
(RLS/CLS can be applied as well to such shared assets. We are not getting into RLS/CLS here as it is covered in the Author workshop.)

Federated users, IAM users and QuickSight managed users can all be created in secondary namespaces. However, only federated and IAM users in a secondary namespace will be able to access the QuickSight console directly. You can use QuickSight managed users with secondary namespaces if your use case requires only embedded access. Both dashboard and session/author embedding are possible with QuickSight managed users in secondary namespaces.

Exercise 1 - Create a new namespace

  1. In Cloud9, execute the create-namespace command to create a new namespace called Customer1. Creating a new namespace can take 20-30 seconds, so we will check its status after we finish the next exercise.
     aws quicksight create-namespace --aws-account-id $AAI --identity-store QUICKSIGHT --namespace Customer1 --region $IR
AdminWorkshop-Multitenancy-Exercise

Exercise 2a - Create two new users in IAM

  1. Launch AWS Console (https://console.aws.amazon.com) in a new browser tab, search for IAM and launch it.
  2. Click Users from left panel followed by Add user button from main panel.
  3. Enter User name as Customer1-Author1. We don’t need to have the customer/namespace as part of the user name; it is already part of the user/group ARN. We are doing it here just to make it easier to follow in a lab setting.
  4. Click + add another user option
  5. Enter Customer1-Reader1 as next user name.
  6. Under Select AWS access type, select AWS Management console access.
  7. Choose Custom password option and enter QS-DemoPass as the password. If you are doing this on your own account, be sure to set a different password.
  8. Deselect Require password reset.
  9. Click Next: Permissions button.

Exercise 2b - Create two new users in IAM

  1. Under Add user Set permissions, click Attach existing policies directly.
  2. Click Next: Tags button. Not selecting any policy from the list is intentional: we don’t want to give these users any rights through IAM.
  3. Click Next: Review button.
  4. Ignore the warning and click Create users button.

Exercise 3 - Check status of new namespace

  1. In Cloud9, execute the describe-namespace command to check the status of the Customer1 namespace.
     aws quicksight describe-namespace --aws-account-id $AAI --namespace Customer1 --region $IR
  2. Cross-check the output of the above command to make sure that CreationStatus has the value CREATED.
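Exercises 1 and 3 are split because namespace creation is asynchronous. The script below is an added example, not part of the workshop material: it polls describe-namespace until the status leaves CREATING and stops on a failure status, so a scripted setup never goes on to register users into a namespace that was not actually created. When run as a script it assumes boto3 and the $AAI / $IR environment variables used in the workshop; the polling logic takes the describe call as a parameter, so it can be exercised offline with the constructed stand-in included below.

```python
"""Poll describe-namespace until the namespace is usable.

Added example, not the workshop page's own code. boto3 is imported only
when run as a script; the polling logic takes a `describe` callable so it
can be exercised without AWS access.
"""
import time

# NamespaceStatus values that mean the namespace will never become CREATED.
TERMINAL_FAILURES = {"RETRYABLE_FAILURE", "NON_RETRYABLE_FAILURE"}


def namespace_status(response):
    """Pull CreationStatus out of a describe_namespace response."""
    return response["Namespace"]["CreationStatus"]


def wait_for_namespace(describe, account_id, namespace, attempts=12, delay=5, sleep=time.sleep):
    """Return the final status once it is no longer CREATING.

    `describe` is called as describe(AwsAccountId=..., Namespace=...) and must
    return the same shape as boto3's QuickSight.Client.describe_namespace.
    Raises RuntimeError on a failure status or if the namespace never settles.
    """
    status = None
    for _ in range(attempts):
        status = namespace_status(describe(AwsAccountId=account_id, Namespace=namespace))
        if status == "CREATED":
            return status
        if status in TERMINAL_FAILURES:
            raise RuntimeError(f"namespace {namespace} ended in {status}")
        sleep(delay)
    raise RuntimeError(f"namespace {namespace} still {status} after {attempts} checks")


def fake_describe_factory(statuses):
    """Constructed stand-in for the API: returns the given statuses in order,
    then keeps returning the last one (mirrors a namespace that has settled)."""
    queue = list(statuses)

    def describe(AwsAccountId, Namespace):
        status = queue.pop(0) if len(queue) > 1 else queue[0]
        return {"Namespace": {"Name": Namespace, "CreationStatus": status,
                              "IdentityStore": "QUICKSIGHT"}}

    return describe


if __name__ == "__main__":
    import os
    import boto3  # only needed when actually talking to AWS

    account, region = os.environ["AAI"], os.environ["IR"]
    client = boto3.client("quicksight", region_name=region)
    client.create_namespace(AwsAccountId=account, Namespace="Customer1",
                            IdentityStore="QUICKSIGHT")
    print(wait_for_namespace(client.describe_namespace, account, "Customer1"))
```

The `sleep` parameter exists only so the loop can be tested without waiting; in real use the default `time.sleep` with a 5-second delay covers the 20-30 seconds the workshop quotes with room to spare.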

Exercise 4 - Register the IAM users in QuickSight
Auto-registration on launching QuickSight from the AWS console will always register users into the primary workspace (i.e. the workspace named default, or whichever one you have made primary via the update-account-settings API). For this to happen, the user must at minimum have the quicksight:CreateReader, quicksight:CreateUser or quicksight:CreateAdmin permission. In our case, since we are going to explicitly register the user into QuickSight via the register-user command, the above permissions are not needed. Note: per QuickSight licensing terms, each and every named user has to be uniquely identified within QuickSight. Using shared users is not allowed and will result in sessions being throttled.

  1. Execute the register-user command to register Customer1-Author1 as an Author in Customer1’s namespace.
     aws quicksight register-user --aws-account-id $AAI --namespace Customer1 --identity-type IAM --iam-arn arn:aws:iam::$AAI:user/Customer1-Author1 --user-role AUTHOR --email Customer1-Author1@quicksightadminworkshop.com --region $IR
  2. Execute the register-user command to register Customer1-Reader1 as a Reader in Customer1’s namespace.
     aws quicksight register-user --aws-account-id $AAI --namespace Customer1 --identity-type IAM --iam-arn arn:aws:iam::$AAI:user/Customer1-Reader1 --user-role READER --email Customer1-Reader1@quicksightadminworkshop.com --region $IR

Exercise 5 - Login to QuickSight as Customer1-Author1

  1. Launch QuickSight (https://quicksight.aws.amazon.com ) in a private browser.
  2. Enter account name if prompted (QSWS-emailhandlewithout@ / QSWS-emailhandlewithout@-yyyymmdd depending on what you used during sign up); If account name is already populated, confirm it is the correct one.
  3. Enter Username as Customer1-Author1, password as QS-DemoPass and click the Sign in button.
  4. Click X to close the welcome message and click on Dashboards from left panel.
  5. Confirm that no dashboards are present in Customer1-Author1’s view.
  6. Don’t close this session. We will come back to it at the end of this module.

Exercise 6 - Try to share a dashboard with Customer1-Author1

  1. In the QuickSight (admin user) tab, open the Dashboards view and click on QSTCF-Dashboard to launch it.
  2. Click Share and choose Share dashboard.
  3. Try searching for Customer1. We won’t get any matches. Why? Customer1-Author1 is in a separate namespace and hence is not visible to users in the default namespace.
  4. Click X to close the share dialog and click QuickSight icon to exit the dashboard.

Exercise 7 - Share dashboard with Customer1-Author1
So, how do we share the QSTCF-Dashboard with Customer1-Author1? We can do this via the update-dashboard-permissions API.

  1. In Cloud9, execute describe-dashboard-permissions to get the current permissions applied on the dashboard. The dashboard id is the uid in the last node of the dashboard URL (as visible in your browser window when the dashboard is open). It is auto-generated when we publish a dashboard via the UI. On the other hand, when we do it via API/CloudFormation, we have the option to specify the dashboard id; it just needs to be unique per account per region. In the CloudFormation stack we ran during initial setup, the dashboard id is set the same as the dashboard name, hence QSTCF-Dashboard is used as the dashboard-id below.
     aws quicksight describe-dashboard-permissions --aws-account-id $AAI --dashboard-id QSTCF-Dashboard
  2. Execute the update-dashboard-permissions command to grant permissions to Customer1-Author1. In the output of the above command, we can see two sets of permissions: 3 actions for Default-ReaderGroup and 8 actions for the Admin user (TeamRole/MasterKey or your own admin). These are viewer and full owner rights respectively. Let’s apply full owner rights. We will use the shorthand syntax and do it completely from the command line (reserving the use of CLI skeleton files for a later segment).
     aws quicksight update-dashboard-permissions --aws-account-id $AAI --dashboard-id QSTCF-Dashboard --grant-permissions Actions=quicksight:DescribeDashboard,quicksight:ListDashboardVersions,quicksight:UpdateDashboardPermissions,quicksight:QueryDashboard,quicksight:UpdateDashboard,quicksight:DeleteDashboard,quicksight:DescribeDashboardPermissions,quicksight:UpdateDashboardPublishedVersion,Principal=arn:aws:quicksight:$IR:$AAI:user/Customer1/Customer1-Author1
  3. Optional - Cross-check the output and confirm that a section has been added for Customer1-Author1.
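As an added example (not the workshop's own code) that ties the namespace-qualified principal ARN from the register-user and update-dashboard-permissions steps to a check worth running after sharing across namespaces: the eight actions in the command above are full owner rights, and two of them, quicksight:UpdateDashboardPermissions and quicksight:DeleteDashboard, let the grantee re-share or remove the dashboard. The script builds either the viewer or the owner grant for a namespace user and then lists every principal outside the home namespace that holds those two actions, which is the review an admin would want before leaving a tenant author with owner rights. The three viewer actions are the standard QuickSight viewer set (the page mentions three actions for Default-ReaderGroup without listing them); the sample response, its account id 123456789012 and region are constructed; boto3 and the $AAI / $IR variables are only used when run as a script.

```python
"""Grant and audit dashboard permissions for namespace users.

Added example, not the workshop's own code. The principal ARN format and the
eight owner actions come from the page; the three viewer actions are the
standard QuickSight viewer set. boto3 is imported only when run as a script.
"""

VIEWER_ACTIONS = [
    "quicksight:DescribeDashboard",
    "quicksight:ListDashboardVersions",
    "quicksight:QueryDashboard",
]
OWNER_ACTIONS = VIEWER_ACTIONS + [
    "quicksight:UpdateDashboardPermissions",
    "quicksight:UpdateDashboard",
    "quicksight:DeleteDashboard",
    "quicksight:DescribeDashboardPermissions",
    "quicksight:UpdateDashboardPublishedVersion",
]
# Actions that let a principal change who else sees the dashboard, or remove it.
ESCALATING_ACTIONS = {"quicksight:UpdateDashboardPermissions", "quicksight:DeleteDashboard"}


def quicksight_user_arn(region, account_id, namespace, user_name):
    """Principal ARN of a QuickSight user registered in `namespace`."""
    return f"arn:aws:quicksight:{region}:{account_id}:user/{namespace}/{user_name}"


def principal_namespace(principal_arn):
    """Namespace segment of a QuickSight user/group ARN, or None for other ARNs
    (e.g. the IAM ARN passed to register-user has no namespace segment)."""
    resource = principal_arn.split(":", 5)[-1]   # "user/Customer1/Customer1-Author1"
    parts = resource.split("/")
    if len(parts) >= 3 and parts[0] in ("user", "group"):
        return parts[1]
    return None


def grant_params(account_id, dashboard_id, principal_arn, level):
    """Keyword arguments for QuickSight.Client.update_dashboard_permissions."""
    actions = {"viewer": VIEWER_ACTIONS, "owner": OWNER_ACTIONS}[level]
    return {
        "AwsAccountId": account_id,
        "DashboardId": dashboard_id,
        "GrantPermissions": [{"Principal": principal_arn, "Actions": list(actions)}],
    }


def classify(actions):
    """viewer / owner / custom, based on the action list of one permission entry."""
    granted = set(actions)
    if granted == set(OWNER_ACTIONS):
        return "owner"
    if granted <= set(VIEWER_ACTIONS):
        return "viewer"
    return "custom"


def cross_namespace_owners(describe_response, home_namespace="default"):
    """Principals outside `home_namespace` that can re-share or delete the dashboard.

    Input has the describe_dashboard_permissions response shape:
    {"DashboardId": ..., "Permissions": [{"Principal": ..., "Actions": [...]}]}.
    """
    flagged = []
    for entry in describe_response["Permissions"]:
        ns = principal_namespace(entry["Principal"])
        if ns is not None and ns != home_namespace and ESCALATING_ACTIONS & set(entry["Actions"]):
            flagged.append((entry["Principal"], classify(entry["Actions"])))
    return flagged


# Constructed sample resembling describe-dashboard-permissions output after Exercise 7.
SAMPLE_RESPONSE = {
    "DashboardId": "QSTCF-Dashboard",
    "Permissions": [
        {"Principal": "arn:aws:quicksight:us-east-1:123456789012:group/default/Default-ReaderGroup",
         "Actions": VIEWER_ACTIONS},
        {"Principal": "arn:aws:quicksight:us-east-1:123456789012:user/default/TeamRole/MasterKey",
         "Actions": OWNER_ACTIONS},
        {"Principal": "arn:aws:quicksight:us-east-1:123456789012:user/Customer1/Customer1-Author1",
         "Actions": OWNER_ACTIONS},
    ],
}

if __name__ == "__main__":
    import os
    import boto3

    account, region = os.environ["AAI"], os.environ["IR"]
    client = boto3.client("quicksight", region_name=region)
    author = quicksight_user_arn(region, account, "Customer1", "Customer1-Author1")
    client.update_dashboard_permissions(**grant_params(account, "QSTCF-Dashboard", author, "owner"))
    current = client.describe_dashboard_permissions(AwsAccountId=account, DashboardId="QSTCF-Dashboard")
    for principal, level in cross_namespace_owners(current):
        print(f"{principal} holds {level} rights outside the default namespace")
```

Passing `level="viewer"` to `grant_params` yields the same three-action set the workshop's Default-ReaderGroup has; that is the grant to prefer when a tenant should only consume the dashboard, since it cannot re-share it to principals in other namespaces.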

Exercise 8 - Check Dashboards view of Customer1-Author1 again

  1. Shift back to the private window where we had signed in as Customer1-Author1. If you accidentally closed it, follow Exercise 5, steps 1-4.
  2. Refresh the browser to load Dashboards view again; QSTCF-Dashboard should now be visible.
  3. Click on QSTCF-Dashboard to launch it and ensure that Customer1-Author1 is able to see content therein.
  4. Click Share and select Share dashboard.
  5. Search for Default. You won’t get any matches. Why? Default-Reader1 is in a separate namespace and hence is not visible to users in the Customer1 namespace.
  6. Search for Customer1. Select Customer1-Reader1.
  7. Click Share button.
  8. Click X to close the permissions dialog and click on QuickSight icon to exit the dashboard.