In this chapter, we will learn how to manage Amazon QuickSight operations and permissions. We will focus on the QuickSight permissions model and learn how to configure fine-grained permissions. We will also learn how to manage and organize QuickSight assets into folders, and how to set up threshold-based alerts and email reports.
We will cover the following topics in this chapter:
For this chapter, you will need access to the following:
In this section, we will learn how to configure user permissions against QuickSight resources. First, let's introduce the fundamental topics we need to understand when setting up permissions:
When granting AWS permissions, including QuickSight permissions, make sure you follow the least privilege security best practice. According to the principle of least privilege, you should only allow users to have access to the specific actions and resources they require.
As the number of users increases and their access patterns become more and more sophisticated, the complexity of configuring their permissions to resources also rises exponentially. In these circumstances, we can use user groups. User groups allow you to group users together and then apply permissions at the group level, rather than the individual level, which saves you time and effort. When a user joins a group, they automatically inherit the group permissions. Likewise, when a user leaves the group, then they lose access to the group's resources.
To better understand how to manage groups in Amazon QuickSight, we will use a simple hands-on example:
$ aws quicksight create-group --group-name "Marketing" --description "Group for the Marketing Department" --aws-account-id <account-id> --namespace default --region us-east-1
$ aws quicksight create-group-membership --member-name reader --group-name Marketing --aws-account-id <account-id> --namespace default --region us-east-1
Note that we didn't need to give access directly to the Reader user for this dashboard. Instead, we added the Reader user into the Marketing group, and then we allowed all users from that group to have access to our published dashboard. In the future, if we had more users joining the Marketing group, they would automatically assume access to resources shared with that particular group, eliminating the need to define specific permissions at the individual user level.
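The group-based sharing described above, carried through on the CLI as an added example (not the book's own code): the dashboard is shared once with the group's ARN using the read-only dashboard actions, and onboarding or offboarding a user is then only a group-membership change. The account ID, dashboard ID and group name are placeholders.

```shell
#!/bin/sh
# Added example: share a dashboard with a QuickSight group rather than with users.
ACCOUNT_ID="123456789012"   # placeholder AWS account id
REGION="us-east-1"
NAMESPACE="default"

# ARN of a QuickSight group: arn:aws:quicksight:<region>:<account>:group/<namespace>/<name>
group_arn() {
  printf 'arn:aws:quicksight:%s:%s:group/%s/%s' "$REGION" "$ACCOUNT_ID" "$NAMESPACE" "$1"
}

# Grant document for update-dashboard-permissions: the three actions a Reader
# needs to open a published dashboard, and nothing else (least privilege).
reader_grant() {
  printf '[{"Principal":"%s","Actions":["quicksight:DescribeDashboard","quicksight:ListDashboardVersions","quicksight:QueryDashboard"]}]' \
    "$(group_arn "$1")"
}

# Share a dashboard with a group (done once per dashboard, not per user).
# Usage: share_dashboard_with_group <dashboard-id> <group-name>
share_dashboard_with_group() {
  aws quicksight update-dashboard-permissions --aws-account-id "$ACCOUNT_ID" \
    --dashboard-id "$1" --grant-permissions "$(reader_grant "$2")" --region "$REGION"
}

# Onboarding and offboarding touch only the group, never the dashboard.
add_member() {
  aws quicksight create-group-membership --aws-account-id "$ACCOUNT_ID" \
    --namespace "$NAMESPACE" --group-name "$1" --member-name "$2" --region "$REGION"
}
remove_member() {
  aws quicksight delete-group-membership --aws-account-id "$ACCOUNT_ID" \
    --namespace "$NAMESPACE" --group-name "$1" --member-name "$2" --region "$REGION"
}

# Periodic check: list who can currently reach a dashboard through its grants.
audit_dashboard() {
  aws quicksight describe-dashboard-permissions --aws-account-id "$ACCOUNT_ID" \
    --dashboard-id "$1" --region "$REGION" --query 'Permissions[].Principal' --output text
}
```

Run `share_dashboard_with_group <dashboard-id> Marketing` once, then `remove_member Marketing reader` is enough to revoke that user's access.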
Now that we have learned about user groups and how to use them to simplify our permissions, in the next section, we will talk about custom permissions.
In Chapter 2, Introduction to Amazon QuickSight, we learned the different user cohorts: Admin, Author, and Reader. The user cohort determines the level of access to features in the QuickSight console. Custom profiles allow you to override the default permissions with custom security profiles and define permissions that fit your organization's requirements.
Note
For custom permissions to work, you will need to be using IAM federated users.
To better understand custom permissions, we will use a simple hands-on example. By default, an Author user is able to configure a new data source. For our example, let's assume that to protect our Amazon SPICE space, we want to prevent authors from creating new data sources:
Note
When defining custom permissions using the QuickSight Console, you choose which actions you want to restrict access to. The rest of the actions will be permitted based on which cohort the user belongs to.
$ aws quicksight update-user --user-name author-iam --role AUTHOR --custom-permissions-name custom-author --email <your-email> --aws-account-id <account-id> --namespace default --region us-east-1
By applying custom permissions, we were able to override the default Author behavior and prevent our newly registered Author user from creating new data sources. You can configure multiple custom permissions profiles in your QuickSight account and allocate them to your users. A user cannot have more than one custom permissions profile.
$ aws quicksight delete-user --user-name author-iam --aws-account-id <account-id> --namespace default --region us-east-1
Now that we have learned how to configure custom permissions, in the next section, we will learn how to integrate QuickSight with Amazon Lake Formation.
In this section, we will learn about the QuickSight integration with Amazon Lake Formation. Amazon Lake Formation provides an additional permission layer above the AWS Glue Data Catalog, allowing you to set up fine-grained permissions on top of your data lake on AWS. The integration with Lake Formation is useful for Amazon Athena datasets. Combined with QuickSight, Lake Formation allows you to manage your data permissions from a single place, enforcing them at the data lake layer and complementing the existing QuickSight fine-grained permissions. To understand the value added by Lake Formation, we will first need to understand how to apply permissions for Athena datasets without Lake Formation.
To better understand the value of Lake Formation, it is important to understand how to configure permissions for Athena datasets. We will use the demo data we configured in Chapter 1, Introducing the AWS Analytics Ecosystem. Specifically, we have configured the following AWS Glue database:
In order to be able to create the Athena dataset, you will need QuickSight to do the following:
In Chapter 2, Introduction to Amazon QuickSight, we learned how to give QuickSight access to Amazon S3 buckets. You can follow a similar process to give access to the Athena service.
To enable Athena access, we can use the following steps:
While this is straightforward to set up, it gives all users the same level of access to Athena and S3. It is very common for organizations to have different permission requirements for different users and groups. For that reason, QuickSight offers you the ability to define fine-grained access controls. This feature can be accessed via the Resource access for individual users and groups menu under the Security and Permissions settings. It allows you to assign specific IAM policies to specific QuickSight users or groups, so you can define more detailed permissions for your QuickSight environment.
Now that we have learned how to create Athena datasets without Lake Formation, in the next section, we will understand how to configure datasets that are managed by Lake Formation.
Lake Formation provides an additional permission layer over your Athena datasets. Instead of granting permissions using IAM, you register your S3 storage in Lake Formation, and then you can use the Lake Formation Console or the Lake Formation API to grant or revoke permissions to the tables in your data catalog. Lake Formation supports column-based access policies, row-based filtering, and tag-based access controls, which allow you to define advanced and fine-grained access controls for your dataset.
Instead of defining IAM policies and assigning them to your users or groups, you can use Lake Formation to manage your permissions centrally. In Lake Formation, you manage permissions with a grant/revoke syntax (which will be familiar to business intelligence (BI) developers), rather than defining JSON documents for IAM. When working with QuickSight principals, you will need to use the QuickSight user or group ARN as the Lake Formation principal, as shown in the following figure:
Defining permissions in Lake Formation allows you to define complex, fine-grained permissions, without writing code or IAM policies. These data permissions are managed centrally within the AWS Console, and this allows you to easily change and verify the level of access each user has for specific datasets.
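The grant/revoke flow with a QuickSight principal, as an added example (not the book's own code): a column-level SELECT grant on a catalog table to a QuickSight user or group ARN, and the matching revoke. The account ID, Glue database name, table name and column names are placeholders.

```shell
#!/bin/sh
# Added example: Lake Formation column-level grant to a QuickSight user or group.
ACCOUNT_ID="123456789012"   # placeholder AWS account id
REGION="us-east-1"
DATABASE="taxi_db"          # placeholder Glue database name
TABLE="trips"               # placeholder Glue table name

# QuickSight principal ARN: $1 is "user" or "group", $2 is the user/group name.
quicksight_principal() {
  printf 'arn:aws:quicksight:%s:%s:%s/default/%s' "$REGION" "$ACCOUNT_ID" "$1" "$2"
}

# TableWithColumns resource: only the listed columns ($1, comma-separated)
# become visible; every other column stays hidden from the principal.
column_resource() {
  cols=$(printf '%s' "$1" | sed 's/,/","/g')
  printf '{"TableWithColumns":{"DatabaseName":"%s","Name":"%s","ColumnNames":["%s"]}}' \
    "$DATABASE" "$TABLE" "$cols"
}

# Usage: grant_select group Marketing pickup_datetime,fare_amount
grant_select() {
  aws lakeformation grant-permissions --region "$REGION" \
    --principal "DataLakePrincipalIdentifier=$(quicksight_principal "$1" "$2")" \
    --permissions SELECT --resource "$(column_resource "$3")"
}

# Same arguments as grant_select; removes exactly that grant.
revoke_select() {
  aws lakeformation revoke-permissions --region "$REGION" \
    --principal "DataLakePrincipalIdentifier=$(quicksight_principal "$1" "$2")" \
    --permissions SELECT --resource "$(column_resource "$3")"
}

# Verify what a principal can currently see before and after a change.
list_grants() {
  aws lakeformation list-permissions --region "$REGION" \
    --principal "DataLakePrincipalIdentifier=$(quicksight_principal "$1" "$2")"
}
```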
Now that we have learned how to configure custom permissions and talked briefly about the Lake Formation integration, in the next section, we will learn how to organize QuickSight assets using folders and set up alarms and email reports.
In this section, we will focus on managing QuickSight assets. We will learn how to organize QuickSight assets using folders and how to set up alarms and reports.
You can use folders to easily organize, navigate, and discover QuickSight assets. QuickSight assets include the following:
Folders can be either of the following:
Note
Only a QuickSight Admin user can create shared folders. Ownership of shared folders can be transferred to another user who belongs to the Author user cohort. Personal folder ownership always belongs to the user who created it.
To create folders, you can use either the QuickSight Console or QuickSight API. To better understand how to use folders, we will use a hands-on example using the New York Taxi sample dataset, analysis, and dashboard configured in Chapter 4, Developing Visuals and Dashboards.
In this section, we will work with personal folders and use them to group different assets together. For our example, let's assume that the Author user needs to organize all assets (datasets, analyses, and dashboards) of a specific project together. This will allow them to organize the QuickSight assets as they develop different projects.
To organize these assets, you can use QuickSight folders:
Note that now we have grouped together different assets relevant to a specific project, which saves you time when searching for relevant assets. The benefits of managing and organizing assets using folders are greater when you have a large number of projects and assets to work with.
Now that we have learned how to use personal folders, in the next section, we will look at shared folders.
Shared folders can be used to share assets between users or groups. Shared folders can be particularly useful when there are many BI developers working on a project. You can create shared folders for your users so they can easily find assets in a consistent way. As you onboard new users into your QuickSight environment, you can share folders with the new users, and your users will inherit the access to the underlying assets.
Note
Sharing a folder will give the underlying assets the same permissions as the shared folders. This will allow you to share multiple dashboards that belong to a folder with multiple users or groups, without having to configure specific rules for each asset.
To create a shared folder, we will use the following steps:
Note the message informing you that your asset will have the same sharing permissions as your shared folder:
Managing folders effectively can help you organize and efficiently share QuickSight assets with your users or group of users. With effective folder management, your users will be able to easily navigate and find the assets they need to view or work with. Access management can also be simplified by grouping assets together in shared folders, and then providing access to the container folder, rather than on an individual asset level.
Note
You can transfer ownership of a shared folder to other QuickSight users who are in the Author or Admin user cohort. Readers cannot own shared folders and can only view them. Reader users can create personal folders only.
Now that we have learned how to work with shared folders, in the next section, we will learn how to create reports and alerts.
In this section, we will learn how to configure email reports and alerts. QuickSight allows you to configure email reports to update your business users on the latest state of the business.
Email reports are configured against a QuickSight dashboard. To better understand how to set up email reports, we will use the dashboard we created in Chapter 4, Developing Visuals and Dashboards. To set up an email report, follow these steps:
Now that we have configured the email report as the Author user, we will focus on the Reader user and learn how to manage the report subscription:
These report preferences can be seen in the following screenshot:
Now that we have learned how to set up email reports as Authors and how to manage subscriptions as Readers, in the next section, we will learn how to work with QuickSight alerts.
QuickSight allows you to set up threshold-based alerts when certain changes occur in your data. Using threshold-based alerts, you can receive notifications when a specific metric changes above or below a certain threshold. For example, when a key performance indicator (KPI) falls below a target, you get notified so that action can be taken to get the KPI back on target.
Note
You can have multiple alerts based on different conditions for a specific KPI. Creating different types of alerts for the same metric allows you to implement a complex KPI-monitoring alert system.
In the next section, we will learn how to add threshold-based alerts.
To better understand how to configure threshold-based alerts, we will use the New York Taxi dashboard we developed in Chapter 4, Developing Visuals and Dashboards. We will use the gauge visual of this dashboard. At the time of writing, there are two visual types that can be configured with alerts:
To configure threshold-based alerts, complete the following steps:
Note
Threshold-based alerts can only be configured at a QuickSight dashboard, and not on a QuickSight analysis.
Alerts for SPICE datasets are evaluated every time the dataset is refreshed. According to the AWS documentation, for direct query datasets, alert rules are evaluated at a random time between 6:00 PM and 8:00 AM in the AWS Region that holds the dataset:
https://docs.aws.amazon.com/quicksight/latest/user/threshold-alerts.html
Now that we have configured two alerts, in the next section, we will learn how to manage alerts.
In this section, we will learn how to manage threshold-based alerts:
By using email reports and threshold-based alerts, you ensure your business users are up to date with your latest dashboards. Your business users will receive email notifications either when new data is available or when certain thresholds are met.
Congratulations on completing this chapter.
In this chapter, we learned how to configure permissions for our Amazon QuickSight users and groups. We also learned how to define fine-grained permissions, and we discussed the benefits of integrating QuickSight with Amazon Lake Formation. Then, we focused on how best to organize QuickSight assets such as analyses, datasets, and dashboards by using folders, and how to share assets using shared folders. Finally, we learned how to configure automated email reports and how to configure threshold-based alerts.
Using the things you learned in this chapter, you will be able to define your permissions and make sure you manage them effectively, making use of groups and folders where possible.
In the next (and final) chapter, we will learn how to configure and architect multi-tenant QuickSight environments.