Customizing access to Amazon QuickSight capabilities
| Applies to: Enterprise Edition |
| Intended audience: Administrators and Amazon QuickSight developers |
In Enterprise edition, you can restrict the functionality that people can access in Amazon QuickSight. You can configure custom permissions at the role (admin, author, reader) and user levels for all identity types in QuickSight. User level custom permissions override a role's existing default or custom role level permissions for the specified user.
The following limitations apply to custom permissions.
-
You can't grant permissions that are above a user's default role. For example, if a user has reader access, you can't grant permissions for that user to edit dashboards.
-
To customize permissions, you need to be a QuickSight administrator with permissions to use
"quicksight:CustomPermissions".
IAM policies and QuickSight custom permissions are not the same thing. A user can be granted access permissions and assigned a role with an IAM policy, but the IAM policy doesn't control what that user can do within QuickSight.
You can create custom permissions profiles to restrict access to any combination of the following operations.
| Asset | Customizable permissions |
|---|---|
|
Data sources and datasets |
Create or update data source |
|
Create or update dataset |
|
|
Share dataset |
|
|
Dashboards and analyses |
Add or run anomaly detection |
|
Create or update theme |
|
|
Export to CSV or Excel |
|
|
Share |
|
|
Folders |
Create shared folder |
|
Rename shared folder |
|
|
Reports |
Create |
|
Update |
|
|
Subscribe to email report |
Items that are added to shared folders are shared regardless of the asset's custom permissions. This applies to dashboards, analyses, datasets and data sources.
Use the following procedure to create a custompermissions profile in QuickSight.
To create a custom permissions profile
-
From any page in the QuickSight console, choose Manage QuickSight at the top right corner.
Only QuickSight administrators have access to the Manage QuickSight menu option. If you don't have access to the Manage QuickSight menu, contact your QuickSight administrator for assistance.
-
Choose Security & permissions.
-
Under Manage permissions, choose Manage.
-
Choose one of the following options.
-
To edit or view an existing custom permissions profile, choose the ellipsis (three dots) next to the profile that you want, and then choose View/Edit.
-
To create a new custom permissions profile, choose Create.
-
-
If you want to create or update a custom permissions profile, make selections for the following items.
-
For Name, enter a name for the custom permissions profile.
-
For Restrictions, choose the options that you want to deny. Any option that you don't choose is allowed. For example, if you don't want users to create or update data sources, but you want them t be able to do everything else, choose only Creating or updating data sources.
-
-
Choose Create or Update to confirm your choices. To go back without making any changes, choose Back.
-
Once you are done making changes, record the name of the custom permissions profile. Provide the name of the custom permissions profile to API users so that they can apply the custom permissions profile to roles or users.
