A large business intelligence (BI) project with many users and teams and sensitive information demands a multi-faceted security architecture. Such architecture should provide BI administrators and architects with the capability to minimize the amount of information accessible to users. For a straightforward solution to manage ایمیزون کوئیک سائٹ user and asset access permissions, you can use the AWS کمانڈ لائن انٹرفیس (AWS CLI) یا AWS مینجمنٹ کنسول to manually edit QuickSight user role and dashboard access. However, in specific cases, an enterprise can easily have hundreds or thousands of users and groups, and these access management methods aren’t efficient. We have received a large number of requests to provide an advanced programmable approach to deploy and manage a centralized QuickSight security architecture.
This post describes the best practices for QuickSight authentication and authorization granular access control, and provides a centralized cloud application with an AWS کلاؤڈ ڈویلپمنٹ کٹ (AWS CDK) stack to download. One of the advantages of our solution is enterprises can deploy the security framework to administer access control of their BI without leaving AWS.
All configurations are saved in the AWS سسٹمز مینیجر پیرامیٹر اسٹور. Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as user name, user permissions, passwords, and database strings as parameter values. You can reference AWS سسٹمز مینیجر parameters in your scripts and configuration and automation workflows by using the unique name that you specified when you created the parameter.
The AWS CDK application template fits into the continuous integration and continuous deployment (CI/CD) infrastructure and grants or revokes all authentications and authorizations based on a defined policy prescribed by AWS. This avoids possible human errors made by BI developers or administrators. BI developers can edit configuration parameters to release new dashboards to end-users. At the same time, BI administrators can edit another set of parameters to manage users or groups. This AWS CDK CI/CD design bridges the gaps between development and operation activities by enforcing automation in building and deploying BI applications.
سیکورٹی کے تقاضے
In enterprise BI application design, multi-tenancy is a common use case, which serves multiple sets of users with one infrastructure. Tenants could either be different customers of an independent software vendor (ISV), or different departments of an enterprise. In a multi-tenancy design, each tenant shares the dashboards, analyses, and other QuickSight assets. Each user, who can see all other users belonging to the same tenant (for example, when sharing content), remains invisible to other tenants. Within each tenant, the BI admin team has to create different user groups to control the data authorization, including asset access permissions and granular-level data access.
Let’s discuss some use cases of asset access permissions in detail. In a BI application, different assets are usually categorized according to business domains (such as an operational dashboard or executive summary dashboard) and data classification (critical, highly confidential, internal only, and public). For example, you can have two dashboards for analyzing sales results data. The look and feel of both dashboards are similar, but the security classification of the data is different. One dashboard, named Sales Critical Dashboard, contains critical columns and rows of data. The other dashboard, called Sales Highly-Confidential Dashboard, contains highly confidential columns and rows of data. Some users are granted permission to view both dashboards, and others have lower security level permission and can only access Sales Highly-Confidential Dashboard.
In the following use case, we address granular-level data access as follows:
- Row-level access (RLS) – For the users who can access Sales Critical Dashboard, some of them can only view US data. However, some global users can view the data of all countries, including the US and UK.
- Column-level access (CLS) – Some users can only view non-personally identifiable information (PII) data columns of a dataset, whereas the HR team can view all the columns of the same dataset.
Large projects might have several tenants, hundreds of groups, and thousands of users in one QuickSight account. The data leader team wants to deploy one protocol for user creation and authentication in order to reduce the maintenance cost and security risk. The architecture and workflow described in this post help the data leader achieve this goal.
Additionally, to avoid human errors in daily operation, we want these security permissions to be granted and revoked automatically, and fit into the CI/CD infrastructure. The details are explained later in this post.
فن تعمیر کا جائزہ
The following diagram shows the QuickSight account architecture of this solution.
- Authors create dashboards and update AWS Systems Manager Parameter Store to release dashboards to different groups
- Admins approve the requests from authors
- Admins update user management (roles, namespace,) by editing AWS Systems ManagerParameter Store
- DevOps deploy the updates with AWS CDK
*Groups: Object access permission groups control the owner/viewer of the objects. Data segment groups combined with RLS/CLS control data access.
*Datasets: Contain all data, restricted by row-level security (RLS) and column-level security (CLS)
The following diagram illustrates the authentication workflow of the architecture:
*First time log in QuickSight: If the QuickSight user is not registered before first time log in, a reader is created and this reader only can view the landing page dashboard, which shares to all users of this account. The landing page provides the reports list that this user can view.
The following diagram illustrates the authorization workflow of the architecture.
Authorization diagram details:
- User information (department, team, geographic location) is stored in Amazon Redshift, Amazon Athena, or any other database. Combined with group-user mapping, RLS databases are built for control data access.
- Hourly permissions assignment:
- According to group-employee name (user) mapping (membership.csv) and group-role mapping (/qs/console/roles), an AWS Lambda function creates groups, registers, users, assigns group members, removes group memberships, promotes readers to author or admin, and deletes users if they’re demoted from author or admin to reader.
- According to group-dashboard mapping in /qs/config/access, an AWS Lambda function updates dashboard permissions to QuickSight groups.
- According to group-namespace mapping in membership.csv, an AWS Lambda function creates QuickSight groups in the specified namespace.
- Sample parameters of objects access permissions and data segments:
- Sample parameters of QuickSight user role:
- Sample data of membership.csv:
In this solution, custom namespaces are deployed to support multi-tenancy. The default
namespace is for all internal users of a company (we call it OkTank). OkTank creates the 3rd-Party
namespace for external users. If we have to support more tenants, we can create more custom namespaces. By default, we’re limited to 100 namespaces per AWS account. To increase this limit, contact the QuickSight product team. For more information about multi-tenancy, see Amazon QuickSight کے ساتھ ایپلی کیشنز میں ملٹی ٹیننٹ اینالیٹکس ایمبیڈ کریں۔.
In each namespace, we create different types of groups. For example, in the default
namespace, we create the BI-Admin
اور BI-Developer
groups for the admin
اور author
صارفین کے لیے reader
, we deploy two types of QuickSight groups to control asset access permissions and data access: object access permission groups and data segment groups.
The following table summarizes how the object access permission groups control permissions.
گروہ کا نام | نیس اسپیس | اجازت | نوٹس |
critical |
پہلے سے طے شدہ | View both dashboards (containing the critical data and highly confidential data) | |
highlyconfidential |
پہلے سے طے شدہ | Only view Sales Highly-Confidential Dashboard | |
BI-Admin |
پہلے سے طے شدہ | Account management and edit all assets | Users in the BI-Admin group are assigned the Admin QuickSight user role. |
BI-Developer |
پہلے سے طے شدہ | Edit all assets | Users in the BI-Developer group are assigned the Author QuickSight user role. |
Power-reader |
پہلے سے طے شدہ | View all assets and create ad hoc analysis to run self-service analytics reports |
Users in the However, this group can’t save or share their ad hoc reports. |
3rd-party |
Non-default namespaces (3rd-party namespace, for example) |
Can only share with readers (3rd-party-reader group, for example) in the same namespace |
In non-default namespaces, we can also create other object access permission groups, which is similar to the critical group in the default namespace. |
For more information about QuickSight groups, users, and user roles, see Managing User Access Inside Amazon QuickSight, Provisioning Users for Amazon QuickSight، اور Using administrative dashboards for a centralized view of Amazon QuickSight objects.
The second type of groups (data segment groups), combined with قطار کی سطح کی سیکورٹی ڈیٹاسیٹس اور column-level security, control data access as described in the following table.
گروہ کا نام | نیس اسپیس | اجازت | گنجائش |
USA |
پہلے سے طے شدہ | Only view US data on any dashboard | Row-level |
GBR |
پہلے سے طے شدہ | Only view UK data on any dashboard | Row-level |
All countries |
پہلے سے طے شدہ | View data of all countries on any dashboard | Row-level |
non-PII |
پہلے سے طے شدہ | Can’t view Social Security numbers, annual income, and all other columns of PII data | کالم کی سطح |
PII |
پہلے سے طے شدہ | Can view all columns including PII data | کالم کی سطح |
We can set up similar groups in non-default namespaces.
These different groups can overlap each other. For example, if a user belongs to the groups USA
, Critical
، اور PII
, they can view US data on both dashboards, with all columns. The following Venn diagram illustrates the relationships between these groups.
In summary, we can define a multi-faceted security architecture by combining QuickSight features, including namespace, group, user, RLS, and CLS. All related configurations are saved in the Parameter Store. The QuickSight users list and group-user mapping information are in an ایمیزون سادہ اسٹوریج سروس (Amazon S3) bucket as a CSV file (named membership.csv
). This CSV file could be output results of LDAP queries. Several او ڈبلیو ایس لامبڈا۔ functions are scheduled to run hourly (you can also invoke these functions on demand, such as daily, weekly, or any time granularity that fits your requirements) to read the parameters and the membership.csv
. According to the configuration defined, the Lambda functions create, update, or delete groups, users, and asset access permissions.
When the necessary security configurations are complete, a Lambda function calls the QuickSight APIs to get the updated information and record the results in an S3 bucket as CSV files. The BI admin team can build datasets with these files and visualize the results with dashboards. For more information, see Using administrative dashboards for a centralized view of Amazon QuickSight objects اور Building an administrative console in Amazon QuickSight to analyze usage metrics.
In addition, the errors of Lambda functions and the user deletion events are stored in this S3 bucket for the admin team to review.
میشن
The following diagram illustrates the overall workflow of the Lambda functions.
We use a programmable method to create and configure the groups and users automatically. For any ad hoc user registration request (such as the user isn’t recorded in membership.csv
yet due to latency), as long as the user can be authenticated, they can assume the AWS شناخت اور رسائی کا انتظام (IAM) کا کردار quicksight-fed-user
to self-provision as a QuickSight reader. This self-provisioned reader can only view a landing page dashboard, which provides the list of dashboards and corresponding groups. According to the dashboard-group mapping, this new reader can apply for membership of a given group to access the dashboards. If the group owner approves the application, the hourly Lambda functions add the new user into the group the next time they run.
The CI/CD pipeline starts from AWS CDK. The BI administrator and author can update the Systems Manager parameters to release new dashboards or other QuickSight assets in the AWS CDK stack granular_access_stack.py
. The BI administrator can update the Systems Manager parameters in the same stack to create, update, or delete namespaces, groups, or users. Then the DevOps team can deploy the updated AWS CDK stack to apply these changes to the Systems Manager parameters or other AWS resources. The Lambda functions are triggered hourly to call APIs to apply changes to the related QuickSight account.
پیمانے
The Lambda functions are restricted by the maximum runtime of 15 minutes. To overcome this limitation, we can convert the Lambda functions to AWS گلو Python shell scripts with the following high-level steps:
- لوڈ بوٹو 3 wheel files from pypi.org.
- Upload the wheel file into an S3 bucket.
- ڈاؤن لوڈ، اتارنا لیمبڈا کے افعال and merge them into one Python script and create an AWS Glue Python shell script.
- Add the S3 path of the Boto3 wheel file into the Python library path. If you have multiple files to add, separate them with a comma.
- Schedule this AWS Glue job to run daily.
مزید معلومات کے لئے، دیکھیں Program AWS Glue ETL Scripts in Python اور Using Python Libraries with AWS Glue.
شرائط
You must have the following prerequisites to implement this solution:
- A QuickSight Enterprise account
- ازگر کا بنیادی علم۔
- ایس کیو ایل کا بنیادی علم
- Basic knowledge of BI
Create the resources
Create your resources by downloading the AWS CDK stack from the GitHub repo.
میں granular_access
folder, run the command cdk deploy granular-access
to deploy the resources. For more information, see AWS CDK Intro Workshop: Python Workshop.
حل تعینات کریں۔
When you deploy the AWS CDK stack, it creates five Lambda functions, as shown in the following screenshot.
The stack also creates additional supportive resources in your account.
۔ granular_user_governance
function is triggered by the ایمیزون کلاؤڈ واچ واقعہ کا اصول qs-gc-everyhour
. The information of groups and users is defined in the file membership.csv
. The S3 bucket name is stored in the parameter store /qs/config/groups
. The following diagram shows the flowchart of this function.
- Set the destination of
granular_user_governance
to another Lambda function,downgrade_user
، کے ساتھsource=Asynchronous invocation
اورcondition=On Success
.
The following diagram is a flowchart of this function.
To avoid breaking critical access to QuickSight assets governed by Admin or Author, we demote an admin or author by deleting the admin or author user and creating a new reader user with the Lambda function downgrade_user
. granular_user_governance
function handles downgrading admin to author, or upgrading author to admin.
- Set the destination of
downgrade_user
to the Lambda functiongranular_access_assets_govenance
ساتھsource=Asynchronous invocation
اورcondition=On Success
.
The following diagram shows a flowchart of this function.
- Set the destination of
downgrade_user
to the Lambda functioncheck_team_members
ساتھsource=Asynchronous invocation
اورcondition=On Failure
.
۔ check_team_members
function simply calls QuickSight APIs to get the namespaces, groups, users, and assets information, and saves the results in the S3 bucket. The S3 key is monitoring/quicksight/group_membership/group_membership.csv
اور monitoring/quicksight/object_access/object_access.csv
.
Besides the two output files of the previous step, the error logs and user deletion logs (logs of downgrade_user
) are also saved in the monitoring/quicksight
فولڈر.
- Set the destination of
granular_access_assets_govenance
to the Lambda functioncheck_team_members
ساتھsource=Asynchronous invocation
اورcondition=On Success
orcondition=On Failure
.
Create row-level security datasets
As a final step, we create RLS datasets. This allows you to change the dashboard records based on the users that view the dashboards.
QuickSight supports RLS by applying a system-managed dataset that sub-selects records from the dashboard dataset. The mechanism allows the administrator to provide a filtering dataset (the RLS dataset) with username
or groupname
columns, which are automatically filtered to the user that is logged in. For example, a user named YingWang
belongs to QuickSight group BI
, so all the rows of the RLS dataset that correspond to the username YingWang
or group name BI
are filtered. The rows that remain in the RLS after applying the username and the group name filters are then used to filter the dashboard datasets further by matching columns with the same names. For more information about row-level security, see ڈیٹا سیٹ تک رسائی کو محدود کرنے کے لیے رو لیول سیکیورٹی (RLS) کا استعمال.
In this solution, we export the sample user information into the file membership.csv
, which is stored in an S3 bucket. In this file, we provide some sample groups for RLS dataset definition. These groups are the data segment groups, as described in the overall architecture design. The following screenshot shows some of the groups and the users in those groups.
۔ granular_user_governance
function creates these groups and adds the related users to be members of these groups.
How do we create the RLS dataset? Let’s say we have a table called employee_information
in our organization’s HR database. The following screenshot shows some sample data.
کی بنیاد پر employee_information
table, we create a view called rls
for an RLS dataset. See the following SQL code:
The following screenshot shows our sample data.
Now we have the table ready, we can create the RLS dataset with the following custom SQL:
The following screenshot shows our sample data.
For the group quicksight-fed-all-countries
, we set the username
, country
، اور city
as null, which means that all the users in this group can view the data of all countries.
For country level, only the security rules defined in the groupname
اور ملک columns
are used for filtering. The username
اور city
columns are set as null. The users in the quicksight-fed-usa
group can view the data of USA, and the users in the quicksight-fed-gbr
group can view the data of GBR.
For each user with groupname
set as null, they can only view the specific country and city assigned to their username. For example, TerryRigaud
can only view data of Austin, in the US.
In QuickSight, multiple rules in an RLS dataset are combined together with OR.
With these multi-faceted RLS rules, we can define a comprehensive data access pattern.
صاف کرو
To avoid incurring future charges, delete the resources you created by running the following command:
نتیجہ
This post discussed how BI administrators can design and automate QuickSight authentication and authorization granular access control. We combined QuickSight security features like row-level and column-level security, groups, and namespaces to provide a comprehensive solution. Managing these changes through “BIOps” ensures a robust, scalable mechanism for managing QuickSight security. To learn more, sign up for a QuickSight demo.
مصنفین کے بارے میں
ینگ وانگ is a Senior Data Visualization Engineer with the Data & Analytics Global Specialty Practice in AWS Professional Services.
Amir Bar Or is a Principal Data Architect at AWS Professional Services. After 20 years leading software organizations and developing data analytics platforms and products, he is now sharing his experience with large enterprise customers and helping them scale their data analytics in the cloud.
- "
- &
- 100
- تک رسائی حاصل
- رسائی کا انتظام
- اکاؤنٹ
- سرگرمیوں
- Ad
- ایڈیشنل
- منتظم
- تمام
- ایمیزون
- تجزیہ
- تجزیاتی
- APIs
- درخواست
- ایپلی کیشنز
- فن تعمیر
- اثاثے
- اثاثے
- آسٹن، ٹیکساس
- کی توثیق
- اجازت
- میشن
- AWS
- او ڈبلیو ایس لامبڈا۔
- BEST
- بہترین طریقوں
- سرحد
- تعمیر
- عمارت
- کاروبار
- کاروبار کی ذہانت
- فون
- مقدمات
- تبدیل
- بوجھ
- شہر
- درجہ بندی
- بادل
- کوڈ
- کامن
- کمپنی کے
- مواد
- ممالک
- تخلیق
- گاہکوں
- ڈیش بورڈ
- اعداد و شمار
- ڈیٹا تک رسائی
- ڈیٹا تجزیات
- ڈیٹا مینجمنٹ
- اعداد و شمار کی تصور
- ڈیٹا بیس
- ڈیٹا بیس
- ڈیمانڈ
- ڈیزائن
- تباہ
- تفصیل
- ڈویلپرز
- ترقی
- DevOps
- ڈومینز
- انجینئر
- انٹرپرائز
- انٹرپرائز گاہکوں
- واقعہ
- واقعات
- ایگزیکٹو
- برآمد
- خصوصیات
- فلٹر
- پہلا
- پہلی بار
- فٹ
- فریم ورک
- تقریب
- مستقبل
- گلوبل
- گرانٹ
- گروپ
- کس طرح
- hr
- HTTPS
- سینکڑوں
- IAM
- شناختی
- سمیت
- انکم
- اضافہ
- معلومات
- انفراسٹرکچر
- انضمام
- انٹیلی جنس
- IT
- ایوب
- میں شامل
- کلیدی
- علم
- لینڈنگ پیج
- بڑے
- ایل ڈی اے پی
- معروف
- جانیں
- سطح
- لائبریری
- لمیٹڈ
- لائن
- لسٹ
- محل وقوع
- لانگ
- انتظام
- اراکین
- نام
- تعداد
- حکم
- دیگر
- دیگر
- مالک
- پاس ورڈز
- پاٹرن
- PII
- پلیٹ فارم
- پالیسی
- پرنسپل
- مصنوعات
- حاصل
- منصوبے
- منصوبوں
- عوامی
- ازگر
- ریڈر
- قارئین
- ریکارڈ
- کو کم
- رجسٹریشن
- تعلقات
- رپورٹیں
- ضروریات
- وسائل
- نتائج کی نمائش
- کا جائزہ لینے کے
- رسک
- قوانین
- رن
- چل رہا ہے
- فروخت
- پیمانے
- سیکورٹی
- خود خدمت
- سروسز
- مقرر
- سیکنڈ اور
- حصص
- شیل
- سادہ
- So
- سماجی
- سافٹ ویئر کی
- SQL
- ذخیرہ
- ذخیرہ
- حمایت
- کی حمایت کرتا ہے
- سسٹمز
- وقت
- Uk
- یونین
- اپ ڈیٹ کریں
- تازہ ترین معلومات
- us
- امریکا
- صارفین
- لنک
- تصور
- ہفتہ وار
- وہیل
- ڈبلیو
- کے اندر
- کام کا بہاؤ
- سال