How to create row level security on AWS Quicksight Authors

Question

In our business case we want to implement row level security for our authors. Our customers would have the author access to the Analysis page. They can create their visualization and publish the dashboards. Our parquet files are stored in S3 and those are queried through Athena tables. So the quicksight will be connected to anyone those Athena tables as dataset/datasource.

Say we have a table as follows:

| id. | department. | Names

|. 1. | Sales. | M

|. 2. | Marketing | N

|. 3. | Sales. | O

|. 4. | Developer. | P

|. 5. | Developer | Q

|. 6. | Marketing. | R

The author should have the access to the same department rows/data on the analysis page. Say author M is opening the analysis, he/she should get only row 1 and 3. Similar way author P should see the rows 4 and 5. Quicksight row level security option was looking promising. But we found that is for the readers on published dashboard. Is there a way we can do the same things for authors on the analysis page?

Answer 1

There is also another way which I have recently found from the quicksight. This looks quite straight forward. Here are the steps

1. Goto Datasets page
2. New Data Set. Select/upload the data (Say your original table name is ABC_incorporation).
3. Do the Edit/preview
4. There you can use the filter to create a subset of data from your original data source. Choose filter "department" value include "sales". Rename this data set say, ABC_incorporation_sales. Then do save and publish. It will create a new dataset with the name ABC_incorporation_sales. Now do publish and visualize. It will create an Analyses on top of ABC_incorporation_sales.
5. In that way we can create multiple datasets on Quicksight from a single datasource/table. Each of them will have only the access of those rows which have matched with the filter condition

Answer 2

What you need to do in order to control row-level security access is enable Lake Formation on your account to control your data lake.

To enable Lake formation, follow this official documentation: https://docs.aws.amazon.com/lake-formation/latest/dg/getting-started-setup.html

When granting access to your authors, you first have to create data filters in lake formation. Here's the documentation for that: https://docs.aws.amazon.com/lake-formation/latest/dg/data-filters-about.html

To create the data filter you have to:

1. Open the Lake Formation Console.
2. In the left panel got to Data Filters.
3. Click on Create new filter.
4. Choose a name for the filter.
5. Select the database.
6. Select the table.
7. In the row-filter expression you have to write a conditions expression similar to the WHERE clause in SQL. This expression syntax is precisely PartiQL query engine, which is highly compatible with standard SQL.
8. Click on Create filter.

After creating the data filter. You have to grant permissions to users:

1. Select SAML users and groups.
2. Write the arn of the quicksight group.
3. Choose Named data catalog resources.
4. Select the database.
5. Select the table.
6. Select the data filter. In this case you will select the data filter you created previous steps.
7. For table permissions, Select and Describe would be enough.
8. Click Grant.

That's it. You'll basically by now have granted to specific users (or group of users), specific permissions to rows in your table or tables.

NOTE: If you haven't used lake formation yet, it has a learning curve. But it is essential for your current use case and I'm sure it will help you with future uses cases on your data lake.