Managing access for QuickSight and IAM users

Inviting users to access Amazon QuickSight

   Applies to: Enterprise Edition and Standard Edition 
   Intended audience: Amazon QuickSight administrators 

Use the following procedure to invite a user to access Amazon QuickSight.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users. On this screen, you can manage users who already exist in your account.

  3. Choose Invite users.

  4. In the Invite users to this account table, enter a new user name for a person to whom you want to grant access to Amazon QuickSight. If the user is an IAM user, enter their IAM credentials. Then press +. A user's IAM user name can be the same as their email address.

    Repeat this step until you have entered everyone who you want to invite. Then go to the next step to enter details.

  5. For Email, enter an email address for the account.

    Note

    Currently, email addresses are case-sensitive.

  6. For Role, choose the role to assign to each person you're inviting. A role determines the permission level to grant to that account.

    • ADMIN roles:

      • ADMIN – The user is able to use Amazon QuickSight both for authoring and for performing administrative tasks, such as managing users or purchasing SPICE capacity.

      • ADMIN PRO – The user is able to perform all actions of a QuickSight Admin and utilize applicable QuickSight Generative BI capabilities. For more information about Pro roles in QuickSight, see .

      There are some differences in the administrative tasks that IAM users and Amazon QuickSight administrators can perform. These differences occur because some administrative tasks require permissions in Amazon, which Amazon QuickSight–only users lack. The differences are these:

      • QuickSight administrators can manage users, SPICE capacity, and subscriptions.

      • IAM users with administrative permissions can also manage users, SPICE capacity, and subscriptions. In addition, they can manage Amazon QuickSight permissions to Amazon resources, upgrade to Enterprise edition, and unsubscribe from Amazon QuickSight.

      If you want to create a user with administrator permissions with IAM access, check with your Amazon administrator. Make sure that the IAM user has all the necessary statements in their IAM permissions policy to work with Amazon QuickSight resources. For more information about what statements are required, see IAM policy examples for Amazon QuickSight.

    • AUTHOR roles:

      • AUTHOR – The user is able to author analyses and dashboards in Amazon QuickSight but not perform any administrative tasks in QuickSight.

      • AUTHOR PRO – The user is able to perform all actions of a QuickSight Author and utilize applicable QuickSight Generative BI capabilities. For more information about Pro roles in QuickSight, see .

    • READER roles (Enterprise only):

      • READER – Users are able to interact with shared dashboards, but not author analyses or dashboards or perform any administrative tasks.

      • READER PRO – The user is able to perform all actions of a QuickSight Reader and utilize applicable QuickSight Generative BI capabilities. For more information about Pro roles in QuickSight, see .

  7. For IAM User, verify that it says Yes for accounts that are associated with IAM users, and No for those that are Amazon QuickSight-only.

  8. (Optional) To delete a user, choose the delete icon at the end of the relevant row.

  9. Choose Invite.

Resend an invitation to a user

Note

If you're using IAM Identity Center or Active Directory, you can't create and manage groups in Amazon QuickSight. Instead, you manage the assignment of your identity provider's groups to roles in QuickSight.

If your QuickSight account is integrated with IAM Identity Center (recommended), groups are not managed in the QuickSight application. Instead, groups are managed in IAM Identity Center or in the third-party identity provider that you configured in IAM Identity Center. Groups are synced automatically between QuickSight and IAM Identity Center.

For accounts that use other identity types, admins with IAM credentials who have access to the Amazon QuickSight console can organize sets of users into groups that make it easier to manage access and security. For example, you can create a group of users that you can share QuickSight assets with all at once. You can create and manage groups using the QuickSight console or the Amazon Command Line Interface (Amazon CLI). You can create up to 10,000 groups in a namespace. If you want to create more than 10,000 groups in a namespace, contact Amazon Support.

The sign-up URL in the invitation email expires after 7 days. To resend an invitation to someone, use the following procedure.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users.

  3. Find the entry for the person you want to re-invite, and choose Resend invitation for that user.

  4. Choose Confirm.

Viewing Amazon QuickSight account details

   Intended audience: Amazon QuickSight administrators 

You can view Amazon QuickSight accounts on the Manage Users page. To view a QuickSight user account, use the following procedure.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users to view details about people who are QuickSight users. The information that displays includes:

    • Username – The person's user name.

    • Email – The email associated with this user name.

    • Role – The security cohort that the person's user name belongs to: ADMIN, ADMIN PRO, AUTHOR, AUTHOR PRO, READER, or READER PRO.

    • Last active – The last date and time that this person accessed the QuickSight console. Anyone who isn't an active user has a Last active status of User has no activity.

    You can also see deleted or inactive users in this screen.

  3. To find a user name, enter part or all of a user's name or email in the search box. Search is case-insensitive and wildcards aren't supported. To clear the search results and view all user names, delete your search entry.

Deleting a QuickSight user account

   Intended audience: Amazon QuickSight administrators 

Accounts can be deleted by either an Amazon administrator or an Amazon QuickSight administrator. Deleting a QuickSight user account works the same in both the Standard and Enterprise editions of Amazon QuickSight.

Deleting a QuickSight user account removes or transfers their resources. In Enterprise edition, the network administrator can temporarily deactivate a QuickSight user account by removing it from the network group that has access to Amazon QuickSight. If a user is deleted, but not deactivated, that user can still access Amazon QuickSight as a new user. For more information about deactivating an Enterprise account, see Deactivating user accounts.

Use the following procedure to delete a QuickSight user account.

  1. Choose your user name on the application bar and then choose Manage QuickSight.

  2. Choose Manage Users.

  3. Locate the account you want to delete and then choose the delete icon at the end of that row.

  4. Choose to either delete or transfer any resources owned by the user and then choose OK.

  5. Do one of the following:

    • If you chose to transfer user resources, enter the user name of the account to transfer them to and then choose Delete and transfer resources.

    • If you chose to delete user resources, choose Delete. You can't undo this action.

Creating and managing groups in Amazon QuickSight

   Intended audience: System administrators 
   Applies to: Enterprise Edition 

Note

If you're using IAM Identity Center or Active Directory, you can't create and manage groups in Amazon QuickSight. Instead, you manage the assignment of your identity provider's groups to roles in QuickSight.

Admins with IAM credentials who have access to the Amazon QuickSight console can organize sets of users into groups that make it easier to manage access and security. For example, you can create a group of users that you can share QuickSight assets with all at once. You can create and manage groups using the QuickSight console or the Amazon Command Line Interface (Amazon CLI). You can create up to 10,000 groups in a namespace. If you want to create more than 10,000 groups in a namespace, contact Amazon Support.

Creating and managing groups using the Amazon QuickSight console

Use the following procedures to create and manage groups in the Amazon QuickSight console.

To create a user group in the QuickSight console:
  1. On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Manage groups.

  2. Choose NEW GROUP.

  3. On the Create new group page, enter the name and description of the new group in the corresponding boxes.

  4. When you're finished, choose Create to create the new group.

After you have created a new group, you can't change the group's title but you can change the group's description.

To change the description of a group:
  1. On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Manage groups.

  2. Choose the group that you want to change, and then choose the Edit link next to the group description.

  3. In the Edit description box that appears, enter the new description and choose Save.

After you create a group, you can add and remove users from the Manage groups page. You can't add a user to a group if you haven't added the user to your account. For more information on adding users to your QuickSight account, see Managing user access inside Amazon QuickSight.

To add a user to a group:
  1. On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Manage groups.

  2. Choose the group that you want to add a user to, and choose ADD USER at the page's upper right.

  3. Enter the user name or email of the user that you want to add, and choose the correct user for Search users.

To remove a user from a group:
  1. On the Amazon QuickSight start page, choose Manage QuickSight, and then choose Manage groups.

  2. Choose the group that you want to remove a user from.

  3. Find the user that you want to remove and choose Remove.

Choosing Remove automatically removes the selected user from the group.

You can also search for a group member by entering the user's full user name into the search bar on the right-hand side of the group's page.

You can't delete a group from the QuickSight console, but you can delete a group with the Amazon CLI. For more information on deleting a QuickSight group with the Amazon CLI, see Deleting groups from Amazon QuickSight.

Creating and managing groups using the Amazon CLI

Before you begin, make sure that you have the Amazon CLI installed. For more information, see Installing the Amazon CLI in the Amazon CLI User Guide.

Use the following procedure to create an Amazon QuickSight user group.

  1. Open a terminal window. If you are using Microsoft Windows, open a command prompt.

  2. Enter the following command at the prompt to create a group. Substitute the correct values for your parameters.

    aws quicksight create-group --aws-account-id=111122223333 --namespace=default --group-name="Sales-Management" --description="Sales Management - Forecasting"

    You might find it easier to create the command in a text editor before entering it at the prompt. For more information on create-group and other available commands, see the Amazon QuickSight API reference.

  3. Verify that the group exists by using a command similar to one of the following. The following command lists all groups.

    aws quicksight list-groups --aws-account-id 111122223333 --namespace default

    The following command describes a specific group.

    aws quicksight describe-group --aws-account-id 111122223333 --namespace default --group-name Sales

    The following command searches for groups in a specified QuickSight namespace.

    aws quicksight search-groups --region us-west-2 --aws-account-id 111122223333 --namespace default --filters "[{\"Operator\": \"StartsWith\", \"Name\": \"GROUP_NAME\", \"Value\": \"Mar\"}]"

  4. Add a member to the new group by using a command similar to the following.

    aws quicksight create-group-membership --aws-account-id 111122223333 --namespace default --group-name Sales --member-name Pat

    The following command determines if a user is a member of a specified group.

    aws quicksight describe-group-membership --region us-west-2 --aws-account-id 111122223333 --namespace default --group-name Marketing-East --member-name user
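
The create, verify, and add-member steps above can be combined into one script that is safe to re-run. This is an added example, not part of the original documentation. It assumes the CLI reports a missing group or membership as ResourceNotFoundException; the function names and the ACCOUNT_ID and NAMESPACE variables are illustrative.

```bash
#!/usr/bin/env bash
# Added example: idempotent group and membership setup using the commands above.
# ACCOUNT_ID and NAMESPACE default to the placeholder values used on this page.
ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"
NAMESPACE="${NAMESPACE:-default}"

# Run one QuickSight subcommand against the configured account and namespace.
qs() {
  aws quicksight "$@" --aws-account-id "$ACCOUNT_ID" --namespace "$NAMESPACE"
}

# Run a describe-* call: 0 = found, 1 = not found, 2 = any other error
# (for example access denied), which is printed rather than masked.
exists() {
  local err
  if err=$(qs "$@" 2>&1 >/dev/null); then return 0; fi
  case "$err" in
    *ResourceNotFoundException*) return 1 ;;
    *) printf '%s\n' "$err" >&2; return 2 ;;
  esac
}

# ensure_group NAME DESCRIPTION -> prints "exists" or "created"
ensure_group() {
  local rc=0
  exists describe-group --group-name "$1" || rc=$?
  case "$rc" in
    0) echo exists ;;
    1) qs create-group --group-name "$1" --description "$2" >/dev/null && echo created ;;
    *) return "$rc" ;;
  esac
}

# ensure_member GROUP USER -> prints "present" or "added"
ensure_member() {
  local rc=0
  exists describe-group-membership --group-name "$1" --member-name "$2" || rc=$?
  case "$rc" in
    0) echo present ;;
    1) qs create-group-membership --group-name "$1" --member-name "$2" >/dev/null && echo added ;;
    *) return "$rc" ;;
  esac
}

# Usage: ./qs-group.sh GROUP DESCRIPTION [USER...]
if [ "$#" -ge 2 ]; then
  group=$1; desc=$2; shift 2
  ensure_group "$group" "$desc" || exit
  for user in "$@"; do ensure_member "$group" "$user" || exit; done
fi
```

Because an access-denied response is returned as status 2 instead of being treated as "group missing", a caller with insufficient IAM permissions never falls through to create-group.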

Deleting groups from Amazon QuickSight

You can delete a group from the Amazon CLI. Use the following procedure to delete an Amazon QuickSight user group.

To delete a group in Amazon QuickSight
  1. Open a terminal window. If you are using Microsoft Windows, open a command prompt.

  2. Enter the following command at the prompt to delete a group. Substitute the correct values for your parameters.

    aws quicksight delete-group --aws-account-id 111122223333 --namespace default --group-name Marketing-East

    You might find it easier to create the command in a text editor before entering it at the prompt. For more information on delete-group and other available commands, see the Amazon QuickSight API reference.