Comments (4)
i do see high value for the implementation of the proposals especially for an enterprise environment. The current 'one-fits-all' approach with managing access to data via quicksight management control is not workable on a larger scale.
from aws-dataall.
Hi @enr0c thanks for the response! We will try to prioritize this feature. Can you describe more in depth how do you currently use Quicksight?
- What type of Quicksight users do you used? How are they created/mapped to IdP?
- How many AWS accounts do they use?
- How do you manage data access control to the teams?
from aws-dataall.
We are not using data.all currently, but we are assessing if we will use it in the future. One challenge we do currently see is the usage of quicksight and the fact that user that belong to an environment do have access to all dashboards, regardless if the underlying data is not accessible to them. Furthermore one needs to manually select Athena sources for users per environment.
We foresee many thousand QS users from 20-40 AWS account. Identify will be delivered by an external IdP, leveraging SAML or OIDC.
Data Access Control shall be implemented with Lakeformation
Thank you for asking :)
from aws-dataall.
One further clarification - The ticket says:
That means that when users start a Quicksight session they should start a session with a team and in this session they see only the data owned or shared with that data.all team.
This is already an improvement, however for our case not sufficient.
Our requirement
We foresee a multi-Account setup. In this ecosystem, multiple roles (delivered via external IdP via SAML) can be assigned to a user. Permissions are "additive", the union of the permission shall be applied.
I can be in a team, but that should not determine if I have now access to data or not. And the data permission should not be related to any team I belong toβ¦
For important components (e.g. Quicksight or Sagemaker Studios) it is currently not working in data.all.
Example with Sagemaker Studio, can be applied 1:1 to Quicksight
- User A creates a ML Studio, leveraging role
$\color{blue}{\textsf{playersRW}}$ The ML studio is only accessible by users that has the role$\color{blue}{\textsf{playersRW}}$
Than there are two tables (in glue for example sitting in two different accounts:
- goalkeepers, which is readable by users that have
$\color{blue}{\textsf{playersRW}}$ - fouls that is readable for users with
$\color{green}{\textsf{sanctionsRW}}$ - Sagemaker studio execution role is:
$\color{blue}{\textsf{playersRW}}$
Current behavior
- User A, having
$\color{blue}{\textsf{playersRW}}$ and$\color{green}{\textsf{sanctionsRW}}$ is not able to access fouls table from within sagemaker
Expected behavior for the two users:
User | Role | ML Studio Access | Read goalkeepers table (Quicksight, sagemaker, athena, ...) | Read fouls table (Quicksight, sagemaker, athena, ...) |
---|---|---|---|---|
User A |
|
yes | yes | yes |
User B | yes | yes | no | |
User C | no | no | yes |
from aws-dataall.
Related Issues (20)
- datasets fail when Glue catalog is encrypted with KMS CMK HOT 2
- Wrong Tag in SageMaker permissions
- Unable to access Glue tables with data.all dataset role due to KMS:decrypt permission not found HOT 4
- Data.all UPDATE/DELETE team in environment referencing the environment and not the Team HOT 2
- Allow DA admins to view share logs
- Profiling jobs failing with ImportError: cannot import name 'ColumnProfilerRunner' from 'awsglue.transforms' (/opt/amazon/lib/python3.6/site-packages/awsglue/transforms/__init__.py)
- Error banner does not throw error after X number of times that we retry an error action
- Integration tests executed on a real deployment as part of the CICD HOT 1
- Make visibility of auto-approval toggle configurable based on confidentiality HOT 3
- Unrestricted S3 permissions for shares with consumer role HOT 2
- Integration tests executed on a real deployment as part of the CICD - Environments
- Data Quality rules using AWS Glue Data Quality
- Add Permissions boundary to the Roles HOT 1
- Manage Team in Environment permissions to invite/update/remove other teams
- Unable to view all environments in the environment list view HOT 2
- enforce in CDK that infra and deployment regions should be the same
- Dataset import does not work HOT 2
- Better handling of "out of sync" Tables
- Allow cross region shares with a feature flag
- Introduce Persistent Email Reminders for Producers of Datasets HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from aws-dataall.