User management between editions - Amazon QuickSight
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

User management between editions

User management is different between the Amazon QuickSight Standard and Enterprise editions. However, both editions support identity federation, or Federated Single Sign-On (IAM Identity Center), through Security Assertion Markup Language 2.0 (SAML 2.0).

User management for standard edition

In Standard edition, you can invite an Amazon Identity and Access Management user and allow that user to use their credentials to access Amazon QuickSight. Alternatively, you can invite any person with an email address to create an Amazon QuickSight–only account. When you create a QuickSight user account, Amazon QuickSight sends email to that user inviting them to activate their account.

When you create a QuickSight user account, you also choose to assign it either an administrative or a user role. This role assignment determines the user's permissions in Amazon QuickSight. You perform all management of users by adding, changing, and deleting accounts in Amazon QuickSight.

User management for enterprise edition

In Enterprise edition, you can select one or more IAM Identity Center or Microsoft Active Directory groups for administrative access. All users in these groups are authorized to sign in to Amazon QuickSight as administrators. You can also select one or more IAM Identity Center or Microsoft Active Directory groups in Amazon Directory Service for user access. All users in these groups are authorized to sign in to Amazon QuickSight as users.

Important

With IAM Identity Center, share the Amazon sign in portal with end users to access QuickSight. For more information, see Sign in to the Amazon access portal.

With Active Directory, Amazon QuickSight Administrators and users aren't automatically notified of their access to Amazon QuickSight. You must email users with the sign-in URL, the account name, and their credentials.

You can only add or remove Enterprise edition accounts by adding or removing a person from the IAM Identity Center or Microsoft Active Directory group that you associated with Amazon QuickSight. When you add a QuickSight user account, its permissions depend on whether the IAM Identity Center or Microsoft Active Directory group is an administrative group or a user group in Amazon QuickSight.

To remove a user's access to QuickSight, remove the user from an IAM Identity Center or Microsoft Active Directory group or remove their IAM Identity Center or Microsoft Active Directory group from an associated role in Amazon QuickSight.