Custom Permissions

QuickSight has three standard user profiles - Admin, Author and Reader Custom permissions allows you to further customize these profiles by taking away capabilities as needed to suit your use case. For example, you might have a core data curation team who is in charge of setting up datasets for BI analysts to use. In this scenario, you might want to allow only the data curators to create datasets and prevent BI analysts from doing so. Using custom permissions, you can create a restricted author permission wherein creation of datasources and datasets is not allowed and can apply this custom permission to BI analysts.

Exercise 1 - Create custom permission

  1. In QuickSight (admin user) tab, Click Username from top right and choose Manage QuickSight.
  2. In Management console, click Manage permissions button.
  3. In Manage custom permissions screen, click Create button.
  4. Enter name as QSWS-CustomPermission - For purposes of this lab, it is important that you use this exact same name as this is referenced in subsequent section. When setting up for real in your own environment, you can use any name that makes sense to you.
  5. Check the boxes for Creating or updating all data sources and Creating or updating all datasets.
  6. Click Create button.
  7. Click QuickSight icon to return to console.
AdminWorkshop-CustomPermission-Exercise

Exercise 2 - Check current access

  1. Click Datasets from left panel and note that you still see (don’t click) the New dataset button.
  2. Click on QSTCF-Dataset and note that you see (don’t click) options to edit and duplicate the dataset.
  3. Click X to close the dataset menu.
  4. Click Username ** from top right and choose Manage QuickSight.
  5. Note that Permissions column is blank against admin user. ie - We created a custom permission but haven’t attached it to admin user yet. Don’t exit the management panel view. We will come back to this in next step.
AdminWorkshop-CustomPermission-Exercise

Exercise 3 - Apply custom permission to admin user

  1. In Cloud9, execute following update-user command to apply custom permission to our admin user. We are picking admin user here for ease of demonstration.
aws quicksight update-user --aws-account-id $AAI --namespace default --user-name $UN --role ADMIN --email $EML --custom-permissions-name QSWS-CustomPermission --region $IR
  1. Shift back to QuickSight tab and refresh your browser. Permissions column against admin user should now show QSWS-CustomPermission
  2. Click QuickSight icon to exit management panel.
  3. Open Datasets view and note that the New dataset button is no longer present.
  4. Click on QSTCF-Dataset and note that options to edit and duplicate the dataset are no longer active.
  5. Click X to the dataset menu.
AdminWorkshop-CustomPermission-Exercise

Exercise 4 - Remove custom permission from admin user

  1. In Cloud9, execute following update-user command to remove custom permissions from admin user.
aws quicksight update-user --aws-account-id $AAI --namespace default --user-name $UN --role ADMIN --email $EML --unapply-custom-permissions --region $IR
  1. Shift back to QuickSight tab and refresh the browser.
  2. Note that the Datasets view now has the New dataset button again.
AdminWorkshop-CustomPermission-Exercise

Exercise 5 - Optional - Delete custom permission
If you are running this lab in your own environment, delete the custom permission from admin panel to keep things clean.

  1. Click Username from top right and choose Manage QuickSight.
  2. In Management panel, click Manage permissions button.
  3. Open QSWS-CustomPermission’s menu and click Delete.
  4. Click Delete button in confirmation dialog.
  5. Click QuickSight icon to exit management console.
AdminWorkshop-CustomPermission-Exercise