To share QuickSight dashboards with external users while restricting data access using row-level security (RLS) based on individual users, the recommended approach is to use the GenerateEmbedUrlForAnonymousUser API with session tags. This allows setting tag values at runtime to filter the dataset based on the specific user accessing the dashboard.
However, a key limitation of this approach is that it requires enabling anonymous (public) access for the entire QuickSight account, not just individual dashboards. This means that anyone with the embed URL can access the dashboards, although data access will be restricted by the RLS rules.
An alternative is to use SSO integration, but this does not support setting session tags for RLS filtering of the dataset based on individual users. SSO integration is suitable if you don't need to filter the dataset based on individual users.
If filtering the dataset using RLS based on individual users is a requirement, the GenerateEmbedUrlForAnonymousUser API with session tags is the recommended approach, despite the limitation of enabling public access for the entire QuickSight account. You should carefully evaluate the security implications and implement appropriate access controls to mitigate the risks associated with public access.
- [1] Using row-level security (RLS) with tag-based rules to restrict access to a dataset when embedding dashboards for anonymous users - https://docs.aws.amazon.com/quicksight/latest/user/quicksight-dev-rls-tags.html
- [2] Step 2: Generate the URL with the authentication code attached - https://docs.aws.amazon.com/quicksight/latest/user/embedded-analytics-dashboards-with-anonymous-users-step-2.html
- [3] Embedding QuickSight data dashboards for anonymous (unregistered) users - https://docs.aws.amazon.com/quicksight/latest/user/embedded-analytics-dashboards-for-everyone.html
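
The request described in the answer above, built on the server side, as an added example that is not part of the original answer or of AWS's own code. The tag key `tenant_id`, the `session` dictionary, the `default` namespace and the helper names are assumptions; the tag value comes only from the host application's authenticated session, and the request is scoped to one dashboard, one embedding origin and the shortest session lifetime.

```python
import re

TAG_KEY = "tenant_id"  # assumed key; must match the tag key in the dataset's RLS tag rule
# Strict allow-list: also keeps out characters a dataset's tag rule may treat
# specially (a multi-value delimiter or a match-all value such as "*").
_TAG_VALUE_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_embed_request(account_id, region, dashboard_id, session,
                        allowed_origin, lifetime_minutes=15):
    """Return kwargs for GenerateEmbedUrlForAnonymousUser.

    `session` is the host application's server-side session (assumed shape:
    {"authenticated": bool, "tenant_id": str}). Nothing from the browser
    request is used as the RLS tag value.
    """
    if not session.get("authenticated"):
        raise PermissionError("user is not authenticated by the host application")
    tenant = session.get("tenant_id") or ""
    if not _TAG_VALUE_RE.fullmatch(tenant):
        raise ValueError("tenant id is not a valid RLS tag value")
    if not 15 <= lifetime_minutes <= 600:  # range accepted by the API
        raise ValueError("session lifetime must be 15 to 600 minutes")
    if not allowed_origin.startswith("https://"):
        raise ValueError("embedding origin must be an https:// origin")
    dashboard_arn = (
        f"arn:aws:quicksight:{region}:{account_id}:dashboard/{dashboard_id}"
    )
    return {
        "AwsAccountId": account_id,
        "Namespace": "default",
        "SessionLifetimeInMinutes": lifetime_minutes,
        # Only this dashboard is reachable from the generated session.
        "AuthorizedResourceArns": [dashboard_arn],
        "ExperienceConfiguration": {"Dashboard": {"InitialDashboardId": dashboard_id}},
        # Runtime value that the tag-based RLS rule filters rows on.
        "SessionTags": [{"Key": TAG_KEY, "Value": tenant}],
        # The URL can only be framed by the application's own origin.
        "AllowedDomains": [allowed_origin],
    }


def generate_embed_url(params, region):
    """Call QuickSight with the prepared request (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the builder above can be checked offline
    client = boto3.client("quicksight", region_name=region)
    return client.generate_embed_url_for_anonymous_user(**params)["EmbedUrl"]
```

Call `build_embed_request` inside the authenticated request handler and return only the resulting embed URL to the browser, never the tag value or AWS credentials.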