# Granting access to a dashboard You can share dashboards and visuals with specific users or groups in your account or with everyone in your Amazon Quick account. Or you share them with anyone on the internet. You can share dashboards and visuals by using the Quick console or the Quick Sight API. Access to a shared visual depends on the sharing settings that are configured for the dashboard that the visual belongs to. To share and embed visuals to your website or application, adjust the sharing settings of the dashboard that it belongs to. For more informaton, see the following: + [Granting individual Amazon Quick Sight users and groups access to a dashboard in Amazon Quick Sight](share-a-dashboard-grant-access-users.md) + [Granting everyone in your Amazon Quick Sight account access to a dashboard](share-a-dashboard-grant-access-everyone.md) + [Granting anyone on the internet access to an Amazon Quick Sight dashboard](share-a-dashboard-grant-access-anyone.md) + [Granting everyone in your Amazon Quick account access to a dashboard with the Quick Sight API](share-a-dashboard-grant-access-everyone-api.md) + .[Granting anyone on the internet access to an Amazon Quick Sight dashboard using the Quick Sight API](share-a-dashboard-grant-access-anyone-api.md) # Granting individual Amazon Quick Sight users and groups access to a dashboard in Amazon Quick Sight With individual users and groups Use the following procedure to grant access to a dashboard. **To grant users or groups access to a dashboard** 1. Open the published dashboard and choose **Share** at upper right. Then choose **Share dashboard**. 1. In the **Share dashboard** page that opens, do the following: 1. For **Invite users and groups to dashboard** at left, enter a user email or group name in the search box. Any users or groups that match your query appear in a list below the search box. Only active users and groups appear in the list. 1. For the user or group that you want to grant access to the dashboard, choose **Add**. Then choose the level of permissions that you want them to have. You can select **Viewer** or **Co-owner**, depending on the user's Quick role. The available permissions for each role are as follows: + **Readers** – Quick readers can only be granted **Viewer** access to dashboards. They can view, export, and print the dashboard, but they can't save the dashboard as an analysis. They can view, filter, and sort the dashboard data. They can also use any controls or custom actions that are on the dashboard. Any changes that they make to the dashboard exist only while they are viewing it, and aren't saved after they close the dashboard. + **Authors** – Quick authors can be granted **Viewer** or **Co-owner** access to dashboards. + Authors with Viewer access can view, export, and print the dashboard. They can view, filter, and sort the dashboard data. They can also use any controls or custom actions that are on the dashboard. Any changes that they make to the dashboard exist only while they are viewing it, and aren't saved after they close the dashboard. However, they can save the dashboard as an analysis, unless the dashboard owner specifies otherwise. This privilege grants them read-only access to the datasets so that they can create new analyses from them. The owner has the option to provide them with the same permissions to the analysis. If the owner wants them also to edit and share the datasets, the owner can set that up inside the analysis. + Authors with Co-owner access can view, export, and print the dashboard. They can also edit, share, and delete it. They can also save the dashboard as an analysis, unless the dashboard owner specifies otherwise. This privilege grants them read-only access to the datasets so that they can create new analyses from them. The owner has the option to provide them with the same permissions to the analysis. If the owner wants them to also edit and share the datasets, the owner can set that up inside the analysis. + **Groups** – Quick groups can only be granted **Viewer** access to dashboards. They can view, export, and print the dashboard, but they can't save the dashboard as an analysis. After you add a user or group to the dashboard, you can see information about them in the **Manage permissions** section, under **Users & Groups**. You can see their user name, email, permission level, and "save as" privileges. To allow a user or group to save the dashboard as an analysis, turn on **Allow "save as"** in the **Save as Analysis** column. 1. To add more users to the dashboard, enter another user email or group name in the search box and repeat steps A and B. # Granting everyone in your Amazon Quick Sight account access to a dashboard With everyone in your account Alternatively, you can share your Amazon Quick Sight dashboard with everyone in your account. When you do this, everyone in your account can access the dashboard, even if they weren't granted access individually and assigned permissions. They can access the dashboard if they have a link to it (shared by you) or if it's embedded. Sharing the dashboard with everyone in your account doesn't affect email reports. For example, suppose that you choose to share the dashboard with everyone in your account. Suppose also that you choose **Send email report to all users with access to dashboard** when setting up an email report for the same dashboard. In this case, the email report is sent only to people who have access to the dashboard. They receive access either through someone explicitly sharing it with them, through groups, or through shared folders. **To grant everyone in your account access to a dashboard** 1. Open the published dashboard and choose **Share** at upper right. Then choose **Share dashboard**. 1. In the **Share dashboard** page that opens, for **Enable access for** at bottom left, toggle on **Everyone in this account**. Accounts that sign in with an Active Directory can't access the **Everyone in this account** switch. Accounts that use Active Directory can enable this setting with an `UpdateDashboardPermissions` API call. For more information on `UpdateDashboardPermissions`, see [UpdateDashboardPermissions](https://docs.amazonaws.cn//quicksight/latest/APIReference/API_UpdateDashboardPermissions.html) in the *Amazon Quick Sight API Reference*. 1. (Optional) Toggle on **Discoverable in Quick Sight**. When you share a dashboard with everyone in the account, owners can also choose to make the dashboard discoverable in Quick Sight. A dashboard that's discoverable appears in everyone's list of dashboards on the **Dashboards** page. When this option is turned on, everyone in the account can see and search for the dashboard. When this option is turned off, they can only access the dashboard if they have a link or if it's embedded. The dashboard doesn't appear on the **Dashboards** page, and users can't search for it. # Granting anyone on the internet access to an Amazon Quick Sight dashboard With anyone on the internet | | | --- | |  Applies to: Enterprise Edition  | You can also share your Amazon Quick Sight dashboard with anyone on the internet from the **Share** menu in the Amazon Quick console. When you do this, anyone on the internet will be able to access the dashboard, even if they aren't a registered user on your Quick account, when you share the dashboard link or embed the dashboard. Use the following sections to grant anyone on the internet access to dashboard when you share it. **Topics** + [ # Before you start ](share-a-dashboard-grant-access-anyone-prerequisites.md) + [ # Granting anyone on the internet access to a dashboard ](share-a-dashboard-grant-access-anyone-access.md) + [ # Updating a publicly shared dashboard ](share-a-dashboard-grant-access-anyone-update.md) + [ # Turning off public sharing settings ](share-a-dashboard-grant-access-anyone-no-share.md) # Before you start Before you can share a dashboard with anyone on the internet, make sure to do the following: 1. Turn on session capacity pricing on your account. If you have not turned on session capacity pricing on your account, you won't be able to update your account's public sharing settings. 1. Assign public sharing permissions to an administrative user in the IAM console. You can add these permissions with a new policy or you can add the new permissions to an existing user. The following sample policy provides permissions for use with `UpdatePublicSharingSettings`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": "quicksight:UpdatePublicSharingSettings", "Resource": "*", "Effect": "Allow" } ] } ``` ------ Accounts that don't want users with administrator access to use this feature can add an IAM policy that denies public sharing permissions. The following sample policy denies permissions for use with `UpdatePublicSharingSettings`. ------ #### [ JSON ] **** ``` { "Version":"2012-10-17", "Statement": [ { "Action": "quicksight:UpdatePublicSharingSettings", "Resource": "*", "Effect": "Deny" } ] } ``` ------ For more information on using IAM with Quick Sight, see [Using Quick with IAM](security_iam_service-with-iam.md). You can also use the "Deny" policy as a Service Control Policy (SCP) if you don't want any of the accounts in your organization to have the public sharing feature. For more information, see [Service control policies (SCPs)](https://docs.amazonaws.cn/organizations/latest/userguide/orgs_manage_policies_scps.html) in the *Amazon Organizations User Guide*. 1. Turn on public sharing on your Amazon Quick account. 1. From the Amazon Quick start page, choose your user icon at the upper right of your browser window, and then choose **Manage Quick**. 1. In the page that opens, scroll down to the **Permissions** section. 1. Choose **Public access to dashboards** at left. 1. On the page that opens, choose **Anyone on the internet**. When you turn on this setting, a pop up will appear asking you to confirm your choice. Once you've confirmed your choice, you can grant the public access to specific dashboards and share those dashboards with them with a link or by embedding the dashboard in a public application, wiki, or portal. # Granting anyone on the internet access to a dashboard **To grant anyone on the internet access to a dashboard** 1. In Quick, open the published dashboard that you want to share. You must be the owner or a co-owner of the dashboard. 1. In the published dashboard, choose the **Share** icon at upper-right, and then choose **Share dashboard**. 1. In the **Share dashboard** page that opens, choose **Anyone on the internet (public)** in the **Enable access for** section at bottom-left. This setting allows you to share the dashboard with anyone on the internet with the share link or when embedded. Turning on this switch also automatically turns on the **Everyone in this account** option, which means that the dashboard will be shared with anyone in your Quick account. If you do not want this, turn off this option. 1. In the **Allow public access** pop-up that appears, enter `confirm` in the box to confirm your choice, and then choose **Confirm**. After you confirm your dashboard's access settings, an orange **PUBLIC** tag appears at upper right of your dashboard in the Amazon Quick console. Additionally, an eye icon appears on the dashboard on the Quick Sight Dashboards page, both in tile and list view. Note that when public access is turned on, the dashboard can only be accessed using the link or when embedded using the embed code. For more information about sharing a link to the dashboard, see [Sharing a link a shared dashboard](share-a-dashboard-share-link.md). For more information about embedding dashboards for anyone on the internet, see [Embedding Amazon Quick Sight visuals and dashboards for anonymous users with a 1-click embed code](embedded-analytics-1-click-public.md). # Updating a publicly shared dashboard Use the following procedure to update a shared dashboard that can be accessed by anyone on the internet. **To update a public dashboard:** 1. From the Amazon Quick start page, choose the analysis that is tied to the dashboard that you want to update and make your desired changes. You must be the owner or a co-owner of the analysis. 1. In the analysis, choose **Publish**. 1. In the pop-up that appears, choose **Replace an existing dashboard** and select the public dashboard that you want to update. 1. To confirm your choice, enter `confirm` and then choose **Publish dashboard**. Once you choose **Publish dashboard**, your public dashboard is updated to reflect the new changes. # Turning off public sharing settings You can turn off public sharing settings for dashboards at anytime. You can turn off public sharing for an individual dashboard, or for all dashboards in your account. Visual sharing settings are determined at the dashboard level. If you turn off public sharing settings to a dashboard that holds a visual that you are embedding, users won't be able to access the visual. The following table describes the different scenarios for when a dashboard is publicly available. | Account-level public setting | Dashboard-level public setting | Public access | Visual indicators | | --- | --- | --- | --- | | Off | Off | Off | None | | On | Off | Off | None | | On | On | Yes | An orange badge appears on the dashboard and an eye icon appears on the dashboard in the **Dashboards** page. | | Off | On | No | A grey badge appears on the dashboard and an eye icon with a slash appears on the dashboard in the **Dashboards** page. It can take up to two minutes for a dashboard's public access to be revoked. | **To turn off public sharing for a single dashboard** 1. In Amazon Quick, open the published dashboard that you no longer want to share. You must be the owner or a co-owner of the dashboard. 1. In the published dashboard, choose the **Share** icon at upper-right, and then choose **Share dashboard**. 1. In the **Share dashboard** page that opens, toggle off the **Anyone on the internet (public)** switch in the **Enable access for** section at bottom-left. This action will remove public access to the dashboard. It will now only be accessible to users that it has been shared with. **To turn off public sharing settings for all dashboards in a Quick user account** 1. From the Amazon Quick start page, choose your user icon at upper right of your browser window, and then choose **Manage Quick**. 1. In the page that opens, scroll down to the **Permissions** section. 1. Choose **Public access to dashboards** at left. 1. On the page that opens, toggle off the **Anyone on the internet** switch. When you disable public sharing settings from the **Public sharing** menu, a pop-up will appear asking you to confirm your choice. Select **I have read and acknowledge this change** and then choose **Confirm** to confirm your choice. This action will remove public access to every dashboard on your account. Dashboards that were visible to anyone on the internet will now only be accessible to users that each dashboard has been shared with. Individual dashboards that have their public settings turned on will have a gray badge and the eye icon that appears on the **Dashboards** page will have a strike through it to indicate that the account level public settings are disabled and that the dashboard can't be viewed. It can take up to two minutes for a dashboard's public access to be revoked. If your session capacity pricing subscription has expired, public sharing settings will be automatically removed across your account. Renew your subscription to restore access to public sharing settings. # Granting everyone in your Amazon Quick account access to a dashboard with the Quick Sight API With everyone in your account with the API | | | --- | |    Intended audience: Amazon Quick developers  | Alternatively, you can grant everyone in your account access to the dashboard with the Quick Sight API using the `UpdateDashboardPermissions` operation. The following example API request illustrates how to do so using an Amazon CLI command. It grants link permissions on the dashboard in your account, and allows the following operations: `DescribeDashboard`, `QueryDashboard` and `ListDashboard`. ``` aws quicksight update-dashboard-permissions \ --aws-account-id account-id \ --region aws-directory-region \ --dashboard-id dashboard-id \ --grant-link-permissions Principal="arn:aws-cn:quicksight:aws-directory-region:account-id:namespace/default", Actions="quicksight:DescribeDashboard, quicksight:QueryDashboard, quicksight:ListDashboardVersions" ``` The response for the preceding request looks similar to the following. ``` { "Status": 200, "DashboardArn": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID:dashboard/ DASHBOARDID", "DashboardId": "DASHBOARDID", "LinkSharingConfiguration": { "Permissions": [ { "Actions": [ "quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:QueryDashboard" ], "Principal": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID:namespace/default" } ] }, "Permissions": [ // other dashboard permissions here ], "RequestId": "REQUESTID" } ``` You can also prevent all users in your account from accessing the dashboard using the same API operation. The following example request illustrates how by using a CLI command. ``` aws quicksight update-dashboard-permissions \ --aws-account-id account-id \ --region aws-directory-region \ --dashboard-id dashboard-id \ --revoke-link-permissions Principal="arn:aws-cn:quicksight:aws-directory-region:account-id:namespace/default", Actions="quicksight:DescribeDashboard, quicksight:QueryDashboard, quicksight:ListDashboardVersions" ``` For more information, see [UpdateDashboardPermissions](https://docs.amazonaws.cn/quicksight/latest/APIReference/API_UpdateDashboardPermissions.html) in the *Amazon Quick API Reference*. When all users in a Quick user account are granted access to the dashboard, the following snippet is added to Amazon CloudTrail log as part of the `eventName` `UpdateDashboardAccess`, and the `eventCategory` `Management`. ``` "linkPermissionPolicies": [ { "principal": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID: namespace/default", "actions": [ "quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:QueryDashboard" ] } ] ``` # Granting anyone on the internet access to an Amazon Quick Sight dashboard using the Quick Sight API With anyone on the internet using the API Alternatively, you can grant anyone on the internet access to the dashboard with the Amazon Quick Sight API using the `UpdateDashboardPermissions` operation. Before you begin, make sure to grant everyone in your account access to the dashboard. For more information, see [Granting everyone in your Amazon Quick account access to a dashboard with the Quick Sight API](share-a-dashboard-grant-access-everyone-api.md). The following example API request illustrates how to grant anyone on the internet access to a dashboard using an Amazon CLI command. It grants link permissions on the dashboard in your account, and allows the following operations: `DescribeDashboard`, `QueryDashboard` and `ListDashboardVersions`. ``` aws quicksight update-dashboard-permissions --aws-account-id account-id --region aws-directory-region --dashboard-id dashboard-id --grant-link-permissions Principal="arn:aws-cn:quicksight:::publicAnonymousUser/*", Actions="quicksight:DescribeDashboard, quicksight:QueryDashboard, quicksight:ListDashboardVersions" ``` The response for the preceding request looks similar to the following. ``` { "Status": 200, "DashboardArn": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID:dashboard/ DASHBOARDID", "DashboardId": "DASHBOARDID", "LinkSharingConfiguration": { "Permissions": [ { "Actions": [ "quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:QueryDashboard" ], "Principal": "arn:aws-cn:quicksight:AWSDIRECTORYREGION:ACCOUNTID:namespace/default" }, "Principal": "arn:aws-cn:quicksight:::publicAnonymousUser/*", "Actions": [ "quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:QueryDashboard" ] } ] }, "Permissions": [ // other dashboard permissions here ], "RequestId": "REQUESTID" } ``` You can also prevent anyone on the internet from accessing the dashboard using the same API operation. The following example request illustrates how by using a CLI command. ``` aws quicksight update-dashboard-permissions \ --aws-account-id account-id \ --region aws-directory-region \ --dashboard-id dashboard-id \ --revoke-link-permissions Principal="arn:aws-cn:quicksight:::publicAnonymousUser/*", Actions="quicksight:DescribeDashboard, quicksight:QueryDashboard, quicksight:ListDashboardVersions" ``` For more information, see [UpdateDashboardPermissions](https://docs.amazonaws.cn/quicksight/latest/APIReference/API_UpdateDashboardPermissions.html) in the *Amazon Quick API Reference*. When anyone on the internet is granted access to the dashboard, the following snippet is added to Amazon CloudTrail log as part of the `eventName` `UpdateDashboardAccess`, and the `eventCategory` `Management`. ``` "linkPermissionPolicies": [ { "principal": "arn:aws-cn:quicksight:::publicAnonymousUser/*", "actions": [ "quicksight:DescribeDashboard", "quicksight:ListDashboardVersions", "quicksight:QueryDashboard" ] } ] ```