Organizing assets into folders for Amazon QuickSight - Amazon QuickSight
Overview of QuickSight foldersPermissions overview for shared foldersCreate and manage permissions for shared foldersConsiderations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Organizing assets into folders for Amazon QuickSight

 Applies to: Enterprise Edition 

In Amazon QuickSight Enterprise edition, your team members can create personal and shared folders to add hierarchical structure to QuickSight asset management. Using folders, people can more easily organize, navigate through, and discover dashboards, analyses, datasets, data sources, and topics. Within a folder, you can still use your usual tools to search for assets or to add assets to your favorites list.

You can use the following types of folders with QuickSight:

  • Personal folders to organize work for yourself.

    Personal folders are visible only to the person who owns them. You can't transfer ownership of personal folders to anyone else.

  • Shared folders:

    • Shared folders organize work and simplify sharing among multiple people. To create and manage shared folders, you need to be a QuickSight administrator.

    • Shared restricted folders are a type of shared folder in QuickSight that ensure that assets remain in the shared folder. Assets that are created from assets that exist within a shared restricted folder must also stay in the restricted folder. Assets that are located in restricted folders can't be moved or shared outside of the restricted folder. For example, if you create a dataset that uses a data source that's located in a shared restricted folder, the new dataset can't be moved outside of that shared restricted folder.

      Restricted folders can only be created with the QuickSight CreateFolder API operation.

    All shared folders are visible to people who have access to them.

Topics

Overview of QuickSight folders

In Amazon QuickSight, you can create personal and shared folders. You can also favorite your personal or shared folders for quick access by choosing the favorite ( ) icon next to it.

You can do the following with personal folders:

  • Create subfolders.

  • Add assets to your folder, including analyses, dashboards, datasets, and data sources. To add assets to a personal folder, you must already have access to the assets. Multiple assets can have the same name.

Shared folders (unrestricted)

QuickSight administrators can perform the following tasks with shared folders.

  • Create or delete a shared folder and subfolders inside of it. You can move either of these around within the top-level folder.

  • Add or remove owners, contributors, and viewers. When you make a person an owner of the folder, you give them ownership of every asset in the folder. For more information, see Permissions overview for shared folders.

The following table summarizes the actions that a QuickSight user can take when working with unrestricted shared folders based on their role.

Action Owner Contributor Viewer
Share an asset in a folder with users that don't have access to the folder. Yes No No
Modify folder permissions. Yes No No
Create assets in the folder. Yes Yes No
Modify assets in the folder. Yes Yes No
Delete assets in the folder. Yes Yes No
Add an existing asset to a folder. Yes Yes No
Remove an asset from a shared folder. Yes No No
View assets in the folder. Yes Yes Yes
Create downstream assets outside of the shared folder that use assets that are located in the shared folder. Yes Yes Yes*
Create downstream assets in the folder that use assets that are located outside of the folder. Yes Yes No

*The user must be assigned an admin or author role to create assets.

Restricted shared folders

Restricted shared folders provide an additional security boundary that restricts the sharing of data outside of the folder. Administrators with the appropriate IAM permissions can perform the following tasks with restricted shared folders.

  • Restricted folders can be created using the CreateFolder API operation. For more information about the CreatFolder API operation, see CreateFolder.

  • The contributor role is assigned to users that can create and edit assets within the restricted folders. Contributors can't manage the permissions of the folder or of the assets that are in the restricted folder.

  • Administrators can assign folder contributor and viewer permissions to users with the UpdateFolderPermissions API operation. For more information about the UpdateFolderPermissions API operation, see UpdateFolderPermissions.

The following table summarizes the actions that a QuickSight user can take when working with restricted shared folders based on their role.

Action Contributor Viewer
Share an asset in a folder with users that don't have access to the folder. No No
Modify folder permissions. No No
Create assets in the folder. Yes No
Modify assets in the folder. Yes No
Delete assets in the folder. Yes No
Add an existing asset to a folder. No No
Remove an asset from a shared folder. No No
View assets in the folder. Yes Yes
Create downstream assets outside of the shared folder that use assets that are located in the shared folder. No No
Create downstream assets in the folder that use assets that are located outside of the folder. No No

The owner role is not supported for restricted shared folders.

Permissions overview for shared folders

Shared folders have three permission levels. To set folder-level permissions for a user or group, see Create and manage permissions for shared folders.

  • Owners - The folder owner owns everything (folders, analyses, dashboards, datasets, data sources, topics) inside of the folder. They can create, edit, and delete the assets in the folder, modify permissions on the folder and its assets, and delete the folder entirely. The owner role is not supported for restricted shared folders.

  • Contributors - A contributor can create, edit, and delete assets in a folder just like an owner. They can't delete the folder or modify permissions on the folder or on assets where they have contributor access that they inherited from the folder.

  • Viewers - A viewer can only view the assets (folders, dashboards, datasets, data sources, topics) in the folder. A viewer can't edit or share those assets.

The following rules also apply to security for shared folders:

  • QuickSight readers' sharing status for a folder gets shared with the folder. However, a reader gets only read access to folders, and only dashboard access to visuals.

  • Amazon security is enforced on every object within a folder. The folder applies the same type of security to the assets of whoever the folder is shared with according to their access level (admin, author, or reader).

  • The top-level folder is the root folder of any subfolders. When a subfolder is shared at any level, the person whom the folder was shared with sees the root folder in the top-level folders view.

  • The folder permission is the permission on the current folder, combined with permissions of all the folders leading to the root folder.

  • A shared asset inherits its permission from the folder. A shared asset is created when an asset that belongs to the folder owner is added to a shared folder.

  • If you own an unrestricted shared folder, you can transfer ownership of the folder to another QuickSight admin.

  • The owner role is not supported for restricted folders. The contributor role is assigned to authors that create and edit assets within the restricted folders. Folder contributors can't manage the permissions of the restricted folder or its assets.

  • The correct IAM permissions are required to update the permissions of a restricted shared folder with the UpdateFolderPermissions API.

Create and manage permissions for shared folders

Shared folders (unrestricted)

To create a shared folder and to share the folder with one or more groups in the QuickSight console, you must be an Amazon QuickSight administrator. You can also create a shared folder with the CreateFolder API operation. Use the following procedure to share or modify the permissions of a shared folder.

  1. From the left navigation, choose Shared folders and find the folder that you want to share or manage permissions for.

  2. To open the actions menu for that folder's row, choose the ellipsis (three dots).

  3. Choose Share.

  4. In the Share folder modal, add the groups and users with whom you want to share the contents of the folder.

  5. For each user and group that you add, choose a permission level from the Permissions menu in that row.

  6. To update the permission type for an existing user, choose Manage folder access.

  7. When you're done setting user and group permissions for the folder, choose Share. Users are not notified that they now have access to the folder.

Restricted shared folders

Restricted shared folders can only be created with the CreateFolder API operation. The following example creates a restricted shared folder.

aws quicksight create-folder \
--aws-account-id AWSACCOUNTID \
--region us-east-1 \
--folder-id example-folder-name \
--folder-type RESTRICTED \
--name "Example Folder" \

After you create a restricted shared folder, assign folder contributor and viewer permissions with a UpdateFolderPermissions API call. The following example updates the permissions of a restricted shared folder.

aws quicksight update-folder-permissions \
--aws-account-id AWSACCOUNTID \
--region us-east-1 \
--folder-id example-folder-name \
--grant-permissions Principal=arn:aws-cn:quicksight::us-east-1::AWSACCOUNTID:user/default/:username,Actions=quicksight:CreateFolder,quicksight:DescribeFolder, \ 
quicksight:CreateFolderMembership,quicksight:DeleteFolderMembership,quicksight:DescribeFolderPermissions \

Considerations

The following limitations apply to folders in Amazon QuickSight:

  • You can't share folders in your Amazon account with people in other Amazon Web Services accounts.

  • For people who have QuickSight reader permissions, the following limitations apply:

    • Readers can't own a personal or shared folder.

    • Readers can't create or manage folders or folder content.

    • Readers can't have the contributor access level.

    • In shared folders, readers can only see dashboard assets.

In addition, these limitations apply specifically to shared folders:

  • The name of a shared folder (at the top level of the tree) must be unique in your Amazon account.

  • In a single folder, multiple assets can't have the same name. For example, in your top-level folder, you can't create two subfolders with the same name. In the same folder, you can't add two assets with the same name, even if they have different asset IDs. The path to each asset behaves like an Amazon S3 key name. It must be unique in your Amazon account.

  • Restricted shared folders can only be created with the QuickSight CLI.

  • Subfolders are not supported for restricted shared folders.

  • Data sources that are located in restricted shared folders must be created with the CreateDataSource API operation.

For Amazon QuickSight quotas, the Service Quotas console provides the most accurate and up-to-date information. You can do the following in the Service Quotas console: