How do I troubleshoot row-level security issues in QuickSight?


I applied RLS to my dataset in Amazon QuickSight, but I'm experiencing issues with data access.

Short description

The following are common issues that you can experience when you use row-level security (RLS) on your Amazon QuickSight dataset:

  • You can't see any data in the QuickSight embedded dashboard for anonymous QuickSight users.
  • Restricted users can still see all the data.
  • Unrestricted users can't see any data.
  • You receive the error code DatasetRulesInvalidColType when you apply RLS.
  • You receive the error code DatasetRulesUserDenied when you create an analysis.

RLS has the following limitations:

  • RLS is available only for the Enterprise edition of QuickSight.
  • RLS supports only textual data, such as string, char, and varchar for fields in the dataset rule. Currently, RLS doesn't work for dates or numeric fields.
  • The full set of rule records that are applied per user can't exceed 999. Datasets with more than 999 rules might fail to apply RLS rules to the dataset.
  • You can't apply RLS to empty rows with the default null value because QuickSight treats null as an empty field value. However, spaces in a field are treated as a literal value, so the dataset rule applies to these rows.
  • Only users that are added to the dataset rule can see the data based on the rule that's defined. Other users can't see the data.
  • When multiple fields in the dataset rules are used, the rules work as an AND operator. The OR operator is currently not supported.
  • RLS tag-based rules are supported only for embedded dashboards for anonymous users with the GenerateEmbedUrlForAnonymousUser API. If you embedded dashboards for registered users with the GenerateEmbedUrlForRegisteredUser API, then use user-level rules.

Resolution

I can't see any data in the QuickSight embedded dashboard for anonymous users

If you use tag-based rules for your anonymous embedded dashboard, then you can't see or modify the data. To see the data, you must add user-based RLS rules to the dataset.

In the following example dataset rule, John Stiles can see data from only the Logistics department. Martha Rivera can see all the data from the dataset:

UserName,Department
JohnStiles,Logistics
MarthaRivera,

Note: You can apply both tag-based rules and user-based RLS rules on your dataset.

Restricted users can still see all data

If a dataset contains too many rules, then even if you successfully applied RLS, restricted users can still see all the data. To resolve this issue, make sure that your dataset contains only 999 or fewer rules. If you restrict users by UserName and have more than 999 users in your dataset rule, then create QuickSight groups. Add the users to the groups, and use GroupName instead of UserName in the dataset rule.

Unrestricted users can't see any data

The following are possible reasons why unrestricted users can't see data:

  • The user doesn't exist in the dataset rule. Check the dataset rule to verify that all the intended users are there.
  • The UserName or GroupName doesn't match the users or groups in QuickSight. Check the UserName or GroupName from the dataset rule to verify that they match the users or groups in QuickSight.

You receive the error code DatasetRulesInvalidColType when you apply RLS

The DatasetRulesInvalidColType error occurs when you use RLS for dates or numeric fields.

Check the field that's used to evaluate RLS in the dataset rule to verify that the data type is String. You can also edit the dataset to convert numeric fields to String in QuickSight.

You receive the error code DatasetRulesUserDenied when you create an analysis

The DatasetRulesUserDenied error occurs when the user isn't in the dataset rule. To resolve this error, add the user to the dataset rule, and then refresh the dataset.
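
The checks described in the preceding sections (the 999-rule limit, names that don't match QuickSight, users missing from the rule, and empty or space-only field values) can be run against a user-based rules file before you upload it. The following Python script is an added example, not AWS code. The function name, the finding codes, and the list of QuickSight names passed in are assumptions of this example, and names are compared exactly.

```python
import csv
import io

MAX_RULES = 999  # rule limit stated in this article

def audit_rules(rules_csv, known_principals, expected_principals=()):
    """Audit a user-based RLS rules file; return a list of (code, subject).
    known_principals: names that exist in QuickSight (assumption: exported
    separately and compared exactly).
    """
    reader = csv.DictReader(io.StringIO(rules_csv))
    columns = reader.fieldnames or []
    key = next((c for c in ("UserName", "GroupName") if c in columns), None)
    if key is None:
        return [("NO_PRINCIPAL_COLUMN", ",".join(columns))]
    rows = list(reader)
    findings = []
    if len(rows) > MAX_RULES:
        findings.append(("TOO_MANY_RULES", str(len(rows))))
    listed = set()
    for row in rows:
        name = row[key] or ""
        listed.add(name)
        if name not in known_principals:
            findings.append(("UNKNOWN_PRINCIPAL", name))
        for column in columns:
            value = row[column]
            if column == key or value is None:
                continue
            if value == "":
                # Empty field: this principal is not filtered on the column.
                findings.append(("SEES_ALL_VALUES", f"{name}:{column}"))
            elif value.strip() == "":
                # Spaces are a literal value, not an empty field.
                findings.append(("WHITESPACE_VALUE", f"{name}:{column}"))
    for name in expected_principals:
        if name not in listed:
            # Not in the rule: no data, or DatasetRulesUserDenied.
            findings.append(("MISSING_FROM_RULES", name))
    return findings

# Constructed sample: the article's two rules plus two faulty rows.
SAMPLE_RULES = (
    "UserName,Department\nJohnStiles,Logistics\nMarthaRivera,\n"
    "johnstiles,Sales\nJaneDoe,  \n"
)
```

Review every SEES_ALL_VALUES finding to confirm that the user is meant to be unrestricted.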

Related information

Using row-level security (RLS) with user-based rules to restrict access to a dataset

Using row-level security (RLS) with tag-based rules to restrict access to a dataset when embedding dashboards for anonymous users

Adding filter conditions (group filters) with AND and OR operators

AWS OFFICIAL - Updated 2 months ago