Managing access for IAM Identity Center users - Amazon QuickSight

Managing access for IAM Identity Center users

Applies to: Enterprise Edition

Intended audience: System administrators and Amazon QuickSight administrators

Amazon administrators can use this topic to learn more about managing accounts that are integrated with IAM Identity Center. The information in this section also applies to QuickSight accounts that use Active Directory.

To manage QuickSight users, you must have administrative privileges in Amazon QuickSight and also the appropriate Amazon permissions. For more information about the necessary Amazon permissions, see IAM policy examples for Amazon QuickSight. If you are using directory groups, you need to be a network administrator.

Each Amazon QuickSight Enterprise edition account can have an unlimited number of users. User names that contain a semicolon ( ; ) aren't supported.

Use the following procedures to add, view, and deactivate Amazon QuickSight users.

Important

You can't remap Amazon QuickSight users or groups from one identity store to another. For example, if you are migrating from an on-premises Active Directory to Amazon Directory Service, or the other way around, you unsubscribe from Amazon QuickSight and then resubscribe. This is necessary because even if the users' aliases remain the same, the underlying identity data changes. To make the transition easier, ask your users in advance to document all their Amazon QuickSight assets and settings before the migration.

Adding users

With IAM Identity Center, add users to QuickSight by associating their IAM Identity Center group to an Admin, Admin Pro, Author, Author Pro, Reader, or Reader Pro role in QuickSight. All users in the selected groups are authorized to sign in to Amazon QuickSight.

For more information about Pro roles in QuickSight see .

To see which groups are integrated with your Amazon QuickSight account, follow the procedure in Managing user access.

Managing user access

Use the following procedure to view groups that are assigned to a role that grants access to Amazon QuickSight.

  1. Open the QuickSight console.

  2. Choose Manage QuickSight, and then choose Manage Users.

  3. Choose Manage role groups.

  4. In the Manage role groups page, use the tables to add or remove groups in IAM Identity Center or Active Directory from the Admin, User, or Reader roles in QuickSight.

Deactivating user accounts

Deactivating a QuickSight group or user account removes that group or user's access to Amazon QuickSight resources, like analyses or data sets. IAM Identity Center or Active Directory users that are removed from a group that grants them access to QuickSight lose access to QuickSight. These users appear in the Inactive users list in QuickSight until the first day of the following month. After that, the deactivated users are automatically removed from the Inactive users list. Before you deactivate a user, you can reassign their resources to another user with the asset management console.

If you later need to reactivate a QuickSight user's account, put the user into a group with access to Amazon QuickSight. Doing this restores their access to Amazon QuickSight and to any existing resources that are still associated with that user.

Note

If your QuickSight account is integrated with IAM Identity Center or uses Active Directory users, you can change a user's role type by moving them to a group that is associated with a different QuickSight role. If a user is in multiple groups that are mapped to different QuickSight role types, the user accesses QuickSight with the role that offers the broadest level of access. Accounts that use other identity types can't upgrade or downgrade a user by transferring them between groups. For more information, see Changing a user's role.

You can activate or deactivate multiple users at once by adding or removing one or more IAM Identity Center or Active Directory groups that are associated with a role in Amazon QuickSight.

Changing a user's role

If you're using IAM Identity Center or Active Directory, you can change a user's role by adding or removing them from a group that's mapped to the role that you want to assign them in QuickSight. You can also perform this task by adding a new group to a role in QuickSight. To do this, you need both administrative privileges in Amazon QuickSight and also appropriate Amazon permissions.

For users integrated through IAM Identity Center, you can change a user's role type by moving them to a group that is associated with a different QuickSight role. If a user belongs to multiple groups that are mapped to different role types, the user accesses QuickSight with the role that offers the broadest level of access.

When you make changes to users or groups in Amazon QuickSight, it can take up to five minutes for the change to take effect. Examples of such changes are the following:

  • Deleting a user

  • Changing a user from an admin to an author

  • Adding or removing group members

The five-minute time period allows changes to propagate throughout the system.
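
The broadest-access rule and the group-based bulk deactivation described above, as an added example (not AWS code): it computes each user's effective role from group-to-role mappings and previews who is downgraded or loses access when a group is unmapped. The role ordering in `ROLE_BREADTH` and all group and user names are assumptions constructed for illustration.

```python
# Added example, not AWS code. ASSUMPTION: roles ordered narrowest to broadest;
# the page names the roles but does not state their relative breadth.
ROLE_BREADTH = ["Reader", "Reader Pro", "Author", "Author Pro", "Admin", "Admin Pro"]


def effective_roles(role_groups, memberships):
    """Return {user: role}, picking the broadest role granted by any of the user's groups.

    role_groups: {role name: set of directory groups assigned to that role}
    memberships: {user name: set of directory groups the user belongs to}
    Users in no mapped group are omitted: they have no QuickSight access.
    """
    rank = {role: i for i, role in enumerate(ROLE_BREADTH)}
    result = {}
    for user, groups in memberships.items():
        granted = [role for role, mapped in role_groups.items() if mapped & groups]
        if granted:
            result[user] = max(granted, key=rank.__getitem__)
    return result


def removal_impact(group, role_groups, memberships):
    """Preview unmapping `group` from every role.

    Returns {user: (role_before, role_after)} for affected users only;
    role_after is None when the user would lose access entirely.
    """
    before = effective_roles(role_groups, memberships)
    trimmed = {role: mapped - {group} for role, mapped in role_groups.items()}
    after = effective_roles(trimmed, memberships)
    return {u: (b, after.get(u)) for u, b in before.items() if after.get(u) != b}


# Constructed sample data (hypothetical group and user names).
ROLE_GROUPS = {"Admin": {"qs-admins"}, "Author": {"bi-authors"}, "Reader": {"all-staff"}}
MEMBERSHIPS = {
    "alice": {"qs-admins", "all-staff"},   # two mappings: broadest (Admin) wins
    "bob": {"bi-authors", "all-staff"},    # Author wins over Reader
    "carol": {"all-staff"},
    "dave": {"bi-authors"},
    "erin": {"hr"},                        # no mapped group: no access
}

if __name__ == "__main__":
    print(effective_roles(ROLE_GROUPS, MEMBERSHIPS))
    print(removal_impact("bi-authors", ROLE_GROUPS, MEMBERSHIPS))
```

Running the preview before editing the Manage role groups tables shows which users fall back to a narrower role through another group and which would move to the Inactive users list.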

Deleting Enterprise accounts

If a user is deleted from IAM Identity Center or Active Directory or is removed from a group that's associated with a role in QuickSight, the user no longer exists in QuickSight. You do not need to delete the user in the QuickSight application. The deleted user will appear in the Inactive users list in QuickSight until the first day of the following month. After that date passes, the user is automatically removed from the list.