Apply a custom permissions profile to a user with the QuickSight API
The following example applies a custom permissions profile to a user.
aws quicksight update-user-custom-permission \
    --aws-account-id AWSACCOUNTID \
    --namespace default \
    --user-name USER_NAME \
    --custom-permissions-name myCustomPermission
The following example deletes a custom permissions profile from a user.
aws quicksight delete-user-custom-permission \
    --aws-account-id AWSACCOUNTID \
    --namespace default \
    --user-name USER_NAME
The following example adds custom permissions to a new QuickSight IAM user.
aws quicksight register-user \
    --iam-arn arn:aws-cn:iam::AWSACCOUNTID:user/USER \
    --identity-type IAM \
    --user-role AUTHOR \
    --custom-permissions-name custom-permissions-profile-name \
    --email EMAIL \
    --aws-account-id AWSACCOUNTID \
    --namespace default
You can also associate an existing IAM user with a new permissions profile. The following example updates the custom permissions profile of an existing IAM user.
aws quicksight update-user \
    --user-name USERNAME \
    --role AUTHOR \
    --custom-permissions-name custom-permissions-profile-name \
    --email EMAIL \
    --aws-account-id AWSACCOUNTID \
    --namespace default
The example below removes an existing user from a permissions profile.
aws quicksight update-user \
    --user-name USERNAME \
    --role AUTHOR \
    --unapply-custom-permissions \
    --email EMAIL \
    --aws-account-id AWSACCOUNTID \
    --namespace default
To test the custom permissions that are applied to a role or user, log in to the user's account. When a user logs in to QuickSight, they are granted the highest privilege role that they have access to. The highest privileged role a user can be granted is Admin. The lowest privileged role that a user can be granted is Reader. For more information about roles in Amazon QuickSight, see Managing user access inside Amazon QuickSight.
If you assign a custom permissions profile that restricts data source sharing to the author's role, that author is no longer able to access the controls that allow data source sharing. Instead, the affected author has view-only permissions to the data source.
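Logging in as each user does not scale when you need to confirm that every author carries the intended restriction. The script below is an added example, not part of the original documentation: it reads tab-separated `list-users` output and prints, without running them, the `update-user-custom-permission` calls for users in a role whose profile is missing or different. The function names, the sample rows and the `--query` expression in the comment are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find users in a role whose custom permissions profile is
# missing or different, and print (not run) the command that would fix each.
#
# Live input would come from (assumed query over the list-users response):
#   aws quicksight list-users --aws-account-id AWSACCOUNTID --namespace default \
#     --query 'UserList[].[UserName,Role,CustomPermissionsName]' --output text
# The CLI's text output prints "None" where a user has no profile.

TAB=$(printf '\t')

# Constructed sample rows (not real users): UserName, Role, profile.
SAMPLE_USERS=$(printf '%s\t%s\t%s\n' \
    alice AUTHOR myCustomPermission \
    bob   AUTHOR None \
    carol READER None \
    dave  AUTHOR legacyProfile \
    erin  ADMIN  None)

# Single-quote a value so the printed command is safe to paste into a shell.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# $1 = role to audit, $2 = expected profile name; stdin = rows as above.
# Prints "UserName<TAB>current profile" for every user in that role whose
# profile is not the expected one.
find_profile_drift() {
    while IFS="$TAB" read -r fp_name fp_role fp_profile; do
        [ "$fp_role" = "$1" ] || continue
        [ "$fp_profile" = "$2" ] && continue
        printf '%s\t%s\n' "$fp_name" "$fp_profile"
    done
}

# $1 = account id, $2 = namespace, $3 = profile to apply;
# stdin = output of find_profile_drift. Dry run: commands are only printed.
emit_fix_commands() {
    while IFS="$TAB" read -r ef_name ef_current; do
        printf 'aws quicksight update-user-custom-permission'
        printf ' --aws-account-id %s --namespace %s' "$(sq "$1")" "$(sq "$2")"
        printf ' --user-name %s --custom-permissions-name %s\n' \
            "$(sq "$ef_name")" "$(sq "$3")"
    done
}

# Audit the AUTHOR role against the profile used earlier on this page.
printf '%s\n' "$SAMPLE_USERS" |
    find_profile_drift AUTHOR myCustomPermission |
    emit_fix_commands AWSACCOUNTID default myCustomPermission
```

Review the printed commands before running them; `dave` is reported because he already has a different profile, and applying a new one would replace it.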