Quicksight public access restrictions

0

Hi, we are trying to share some of our dashboards with external users and so far it looks like GenerateEmbedUrlForAnonymousUser is the way to go to pass session tags and use RLS to restrict data for each individual user (instead of query params that can be manipulated for instance). The issue we are facing is that in order for that API to work we have to set public access for the whole quicksight account and not for individual dashboards. Namespaces do not seem to be an option, to let's say, have one public and another one private. Is this a valid approach or would something like enabling some sort of SSO integration be better? The main issue in that case being that there is no way to set session tags to filter the dataset using RLS.

Thanks in advance,

1 Antwort
0

To share QuickSight dashboards with external users while restricting data access using row-level security (RLS) based on individual users, the recommended approach is to use the GenerateEmbedUrlForAnonymousUser API with session tags. This allows setting tag values at runtime to filter the dataset based on the specific user accessing the dashboard.

However, a key limitation of this approach is that it requires enabling anonymous (public) access for the entire QuickSight account, not just individual dashboards. This means that anyone with the embed URL can access the dashboards, although data access will be restricted by the RLS rules.

An alternative is to use SSO integration, but this does not support setting session tags for RLS filtering of the dataset based on individual users. SSO integration is suitable if you don't need to filter the dataset based on individual users.

If filtering the dataset using RLS based on individual users is a requirement, the GenerateEmbedUrlForAnonymousUser API with session tags is the recommended approach, despite the limitation of enabling public access for the entire QuickSight account. You should carefully evaluate the security implications and implement appropriate access controls to mitigate the risks associated with public access.

AWS
Mihir G
beantwortet vor 3 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen