QuickSight integration that enables sharing at scale


Hi, my organization would like to do a wider rollout of our QuickSight dashboards. We attempted to do ID Federation via Okta (following the guidelines in the Federate Amazon QuickSight access with Okta blog post). The problem we ran into was that users were successfully created, but they were not part of any group, nor did they have access to any folders automatically, so each new user must be either explicitly added to a group or explicitly have resources shared with them. This is undesirable.

After discovering this issue more research was done and this QS community post caught my eye: Manage access to insights with an account instance of AWS IAM Identity Center and Amazon QuickSight. This definitely seems like a better fit. I wanted to describe how I envision this to work, and see if I can get positive confirmation from others in the community.

The plan would be:

  1. Create the Okta groups that we intend to use for mapping into QuickSight groups. These are:
     a. Billing-Admins
     b. Billing-Authors
     c. Billing-Users
  2. Sync these Okta groups into AWS IAM Identity Center via SCIM
  3. Initialize QuickSight subscription through AWS IAM Identity Center as described in the post above. As part of this, we would make the following group mappings:
     a. Billing-Admins maps to QuickSight Admin group
     b. Billing-Authors maps to QuickSight Authors group
     c. Billing-Users maps to QuickSight Users group

With this in place, my impression is:

  1. When a user that is a member of the 'Billing-Admins' group logs into the corresponding AWS account, that user will have admin-related functionality in QuickSight, e.g. the 'Manage QuickSight' menu, etc.
  2. When a user that is a member of the 'Billing-Authors' group logs into the corresponding AWS account, that user will not see admin-related functionality, but they will see analyses + datasets, and will have the ability to create entities as well as update and publish.
  3. When a user that is a member of the 'Billing-Users' group logs into the corresponding AWS account, that user will not see admin-related functionality, nor will they see analyses + datasets, but they will have access to Dashboards.

Because the 'Billing-Admins', 'Billing-Authors', and 'Billing-Users' will be valid QuickSight groups, we can share assets with those groups, and users that belong to those groups will automatically have visibility of the assets shared with their respective group. So when a new user logs in for the first time, by virtue of them belonging to one of these groups, the assets they should have access to are already shared out to them (this is key).

An additional question that I have: my impression is that we do not need to explicitly add QuickSight IAM policies to these groups, that the notion of mapping Identity Center groups to corresponding QuickSight roles/groups means that QuickSight is providing a predefined set of policies to members of the groups that provide the expected functionality. The conclusion being that we do NOT need to define any QuickSight-specific IAM roles/policies for these groups/users. I would appreciate confirmation on this.

Secondly, we have a use case where we want our QuickSight users to also be able to access Cost Explorer "side by side" in two tabs of the same browser window, which we successfully do today for a variety of other AWS services. Thus, assuming the 'Billing-Admins', 'Billing-Authors', and 'Billing-Users' members map to roles/policies that provide corresponding levels of access to Cost Explorer functionality, these users would only need to log in to AWS once, and accessing the second service through the AWS console will not stomp on the other session, etc.

Relevant articles:

If anyone can eyeball this approach and let me know if it is sound, I would really appreciate it. If there are adjustments I need to make - please let me know what they are! Thanks, Bryan

1 Answer

Yes, you can use IAM Identity Center to federate access with Okta as Identity Provider and QuickSight as Service Provider. When using IAM Identity Center as the authentication method, QuickSight only supports single tenancy with the default namespace. So, if you have a use case for namespaces, then this approach won't work.
For Cost Explorer access, you will need to assign the appropriate IAM policies to the group that should have this access. Instructions are here: https://repost.aws/knowledge-center/organization-cost-explorer-iam

AWS
awsvig
answered 17 days ago
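As an added example (not part of the question or the answer above), here is an inline policy for an IAM Identity Center permission set that grants read-only Cost Explorer access, the kind of policy the answer says must be assigned separately for the Cost Explorer use case. Assumptions: the permission set is assigned to the Billing-Users and Billing-Authors groups for the billing account, and Billing-Admins gets its own permission set with the broader ce: actions it needs.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CostExplorerReadOnlyForDashboardViewers",
      "Effect": "Allow",
      "Action": [
        "ce:Get*",
        "ce:Describe*",
        "ce:List*"
      ],
      "Resource": "*"
    }
  ]
}
```

The wildcards deliberately leave out the ce:Create*, ce:Update* and ce:Delete* actions, so a dashboard viewer can read cost data but cannot change cost categories or anomaly monitors; check the linked re:Post article for any additional billing-console permissions your account's Cost Explorer console view requires.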
