Amazon QuickSight Row Level Security (RLS) Implementation Guide

Introduction

Amazon QuickSight Row Level Security (RLS) ensures that users can only view the data they are authorized to access. This guide walks you through the step-by-step process of implementing RLS in QuickSight dashboards, allowing administrators to control data visibility effectively.

Prerequisites

Before implementing RLS, ensure the following requirements are met:

  • An Amazon QuickSight Enterprise Edition account
  • Administrator access to QuickSight
  • A configured data source in QuickSight
  • A main dataset requiring row-level security

Step 1: Prepare the Permissions Dataset

Create a CSV file with the following structure:

UserName,AccountId
user_1,42966743-f0a8-4ac1-93c4-4411c332ec87ef
user_2,2dc0f3ee-bcbb-4412-a8bd-33333333

Important Notes:

  • Column names are case-sensitive (e.g., “UserName”).
  • UserNames must match QuickSight usernames precisely.
  • Include QuickSight administrators who need access.
  • Multiple rows per user are allowed if users need access to multiple accounts.
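The notes above can be checked before upload. The following linter is an added example, not part of the original guide or of any AWS tooling. The function name, the sample rows and the "qs_admin" username are assumptions made for illustration. It also flags empty AccountId values, which QuickSight treats as "all values" in a dataset rule.

```python
import csv
import io

EXPECTED_HEADER = ["UserName", "AccountId"]  # names from Step 1; case-sensitive

# Constructed sample with deliberate mistakes (not real users or accounts).
SAMPLE = """UserName, AccountId
user_1,acct-a
user_1,acct-b
user_2 ,acct-c
user_3,
user_1,acct-a
"""

def lint_permissions(text, quicksight_users, required_admins=()):
    """Return a list of findings for a permissions CSV before upload."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    findings = []
    if rows[0] != EXPECTED_HEADER:
        findings.append(f"header {rows[0]!r} != {EXPECTED_HEADER!r} (case and whitespace matter)")
    seen, users = set(), set()
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != 2:
            findings.append(f"line {n}: expected 2 fields, got {len(row)}")
            continue
        user, account = row
        if user != user.strip() or account != account.strip():
            findings.append(f"line {n}: stray whitespace in {row!r}")
        user, account = user.strip(), account.strip()
        users.add(user)
        if user not in quicksight_users:
            findings.append(f"line {n}: {user!r} is not a known QuickSight username")
        if not account:
            # An empty (NULL) rule value matches every value of the column.
            findings.append(f"line {n}: empty AccountId gives {user!r} every account")
        if (user, account) in seen:
            findings.append(f"line {n}: duplicate rule {user!r},{account!r}")
        seen.add((user, account))
    for admin in required_admins:
        if admin not in users:
            findings.append(f"admin {admin!r} has no rule (Step 1: include admins who need access)")
    return findings

if __name__ == "__main__":
    for finding in lint_permissions(SAMPLE, {"user_1", "user_2", "user_3"}, ["qs_admin"]):
        print(finding)
```

Pass the set of real QuickSight usernames as quicksight_users; an empty result means the file passed every check.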

Step 2: Create the Permissions Dataset in QuickSight

  1. Go to the QuickSight homepage.
  2. Click Datasets in the left panel.
  3. Click New dataset.
  4. Choose Upload a file.
  5. Upload your CSV file.
  6. Click Next.
  7. Verify data types:
    • UserName: String
    • AccountId: String
  8. Click Create dataset.

Step 3: Configure Row-Level Security on the Main Dataset

  1. Navigate to Datasets.
  2. Locate your main dataset.
  3. Click the three dots (…) next to the dataset.
  4. Select Security.
  5. Click Row-level security.
  6. Enable Use a dataset.
  7. Select your permissions dataset from the dropdown.

Step 4: Map RLS Columns

  1. In the RLS configuration:
    • User column: Select “UserName”
    • Data value column: Select “AccountId”
    • Dataset column to match: Choose the matching column in your main dataset
  2. Click Apply.

Step 5: Refresh Datasets

To ensure the updated RLS settings are applied:

  1. For the Permissions Dataset:
    • Click three dots (…).
    • Select Refresh now.
  2. For the Main Dataset:
    • Click three dots (…).
    • Select Refresh now.

Step 6: Configure Analysis Filters

  1. Open your analysis in QuickSight.
  2. Go to the Filter pane.
  3. Configure the AccountId filter:
    • Enable Only values in filter dataset.
    • Enable Cascade to other filters.
    • Enable Show only values that users have permission to see.

Step 7: Test Access

  1. Share the dashboard with test users.
  2. Verify each user sees only their authorized data:
    • user_1 should see only their AccountId.
    • user_2 should see only their AccountId.
  3. Test filters:
    • Users should only see their authorized AccountIds in filter dropdowns.

Advanced Configuration Options

Implementing Multiple Column Security

  1. Add additional columns in the permissions dataset.
  2. Configure mapping for each column in the RLS settings.
  3. Ensure all conditions match for accurate data access.

Dynamic Rules with Database Tables

For larger organizations, dynamically manage RLS permissions:

  1. Store permissions in a database table.
  2. Configure QuickSight to query the table directly.
  3. Set up automatic refresh schedules.

Troubleshooting

Users Cannot See Data

  • Ensure the UserName in the permissions dataset matches the QuickSight username.
  • Refresh datasets manually if needed.
  • Clear browser cache.
  • Verify dashboard sharing settings.

Filters Show All Values

  • Confirm filter settings restrict access correctly.
  • Check RLS mapping configuration.
  • Refresh datasets.
  • Ensure the filter is using the RLS-applied column.

Performance Issues

  • Use SPICE storage instead of Direct Query for faster performance.
  • Optimize permissions dataset size.
  • Reduce data refresh frequency if unnecessary.

Best Practices for RLS in QuickSight

  1. Regularly update the permissions dataset.
  2. Use SPICE for optimized performance.
  3. Validate access controls frequently.
  4. Maintain a backup of the permissions dataset.
  5. Consider automating permissions updates using AWS Lambda.
  6. Monitor for unauthorized access attempts.

Maintenance Considerations

  • Conduct regular RLS audits.
  • Update permissions when:
    • New users are added.
    • User roles change.
    • Employees leave the organization.
  • Document RLS configurations for future administrators.

Conclusion

Implementing Row Level Security in Amazon QuickSight enhances data security by ensuring users access only authorized information. By following this step-by-step guide, you can configure and manage RLS efficiently, ensuring data governance and compliance in your dashboards.
