We have been getting a lot of queries on how to customize a single QuickSight dashboard for user specific data. We can accomplish this by filtering the dashboard data with login username using AWS QuickSight’s Row-Level Security. To further explain this use-case, let’s consider the sales department in a company. Every day your team of sales agents contacts a list of potential customers. Now you need a single dashboard that is accessed by all the agents but only displays the list of prospects he or she is assigned to.
Note: This is completely different from filter/controls on QuickSight dashboards. If you have filters/controls/parameters set up with dynamic values being picked up from the dataset, then even that data is filtered with Row-Level security, as the underlying dataset itself is filtered with the login username.
Let’s get on with the show! I have created a hypothetical data set. This dataset has a column named assigned-agent which shall be used for filtering.
Using this dataset, I have created a dashboard that looks like below.
This dashboard is shared with two other IAM users (sales agents).
As we haven’t set up any rules both of them can access whole data.
As you can see ziva, could also access whole data and we don’t want that!
|Can access only his prospects
|Can access only her prospects
|Super user, can access all prospects
Creating Data Set Rules for Row-Level Security:
Create a file or a query that contains the data set rules (permissions).
It doesn’t matter what order the fields are in. However, all the fields are case-sensitive. They must exactly match the field names and values.
The structure should look similar to one of the following. You must have at least one field that identifies either users or groups. You can include both, but only one is required, and only one is used at a time. If you are specifying groups, use only Amazon QuickSight groups or Microsoft AD groups.
The following example shows a table with user names.
|Nick Howe,Ziva Medalle
/* for users*/
select User as UserName, Agent as agent_assigned
Or if you prefer to use a .csv file:
"manager","Nick Howe,Ziva Medalle"
Here agent_assigned is a column in the dataset, and UserName is the same as QuickSight login name.
What we are essentially doing is mapping UserName with the agent_assigned column. Let’s suppose ziva has logged in, only those records with condition agent_assigned = Ziva Medalle are picked up. Same is the case with nick.
But in the case of the manager, we want him to be a superuser, so we added all the agent names (all values of agent_assigned column).
Note: If you are using an Athena or an RDS or a Redshift or an S3 CSV file-based dataset, just make sure the output format/structure of those sources matches the above-mentioned formats.
Create Permissions Data Set:
Create a QuickSight dataset with the above data set rules. Go to Manage data, choose New data set, choose source and create accordingly. As mine is a CSV, I have just uploaded it. To make sure that you can easily find it, give it a meaningful name, for example in my case Permissions-prospects-list.
After finishing, Refresh the page as it might not appear in the data sources list while applying it to the dataset.
Creating Row-Level Security:
Choose Permissions, From the list choose the permissions dataset that you have created earlier.
Choose the Apply data set.
Once you have applied, you should be seeing the dataset has a new lock symbol on it saying restricted.
That’s it. Now the data is filtered/secured based on username.
You could also add Users to Groups and have permissions set at the group level. More information here.
I hope it was helpful, any queries drop them in the comments section.
Thanks for the read!
This story is authored by Koushik. Koushik is a software engineer and a keen data science and machine learning enthusiast.