How do I troubleshoot row-level security issues in QuickSight?
Last updated: 2022-07-12
I applied RLS to my dataset in Amazon QuickSight, but I'm experiencing issues with data access.
The following are common issues that you can experience when you use row-level security (RLS) on your Amazon QuickSight dataset:
- You can't see any data in the QuickSight embedded dashboard for anonymous QuickSight users.
- Restricted users can still see all the data.
- Unrestricted users can't see any data.
- You receive the error code DatasetRulesInvalidColType when you apply RLS.
- You receive the error Code DatasetRulesUserDenied when you create an analysis.
Note: When you use RLS, consider the following:
- RLS is available only for the Enterprise edition of QuickSight.
- RLS supports only textual data, such as string, char, and varchar for fields in the dataset rule. Currently, RLS doesn't work for dates or numeric fields.
- The full set of rule records that are applied per user must not exceed 999. Datasets with more than 999 rules might fail to apply RLS rules to the dataset.
- You can't apply RLS to empty rows with the default null value because QuickSight treats null as an empty field value. However, spaces in a field are treated as a literal value, so the dataset rule applies to these rows.
- Only users that are added to the dataset rule can see the data based on the rule that's defined. Other users can't see the data.
- When using multiple fields in the dataset rules, the rules work as an AND operator. The OR operator is currently not supported.
- RLS tag-based rules are supported only for embedded dashboards for anonymous users with the GenerateEmbedUrlForAnonymousUser API. If you embedded dashboards for registered users with the GenerateEmbedUrlForRegisteredUser API, then consider using user-level rules.
I can't see any data in the QuickSight embedded dashboard for anonymous users
If you use tag-based rules for your anonymous embedded dashboard, then you can't see or modify the data. To see the data, you must add user-based RLS rules to the dataset.
In the following example dataset rule, John Stiles can see data from only the Logistics department, and Martha Rivera can see all the data from the dataset.
UserName,Department JohnStiles,Logistics MarthaRivera,
Note: You can apply both tag-based rules and user-based RLS rules on your dataset.
Restricted users can still see all data
If a dataset contains too many rules, then even if you successfully applied RLS, restricted users can still see all the data. To resolve this issue, make sure that your dataset contains only 999 or fewer rules. If you restrict users by UserName and have more than 999 users in your dataset rule, then create QuickSight groups. Add the users to the groups, and use GroupName instead of UserName in the dataset rule.
Unrestricted users can't see any data
The following are possible reasons why unrestricted users can't see data:
- The user doesn't exist in the dataset rule. Check the dataset rule to verify that all the intended users are there.
- The UserName or GroupName doesn't match the users or groups in QuickSight. Check the UserName or GroupName from the dataset rule to verify that they match the users or groups in QuickSight.
You receive the error code DatasetRulesInvalidColType when you apply RLS
The DatasetRulesInvalidColType error occurs when you use RLS for dates or numeric fields.
Check the field that's used to evaluate RLS in the dataset rule to verify that the data type is String. You can also convert numeric fields to String in QuickSight by editing the dataset.
You receive the error code DatasetRulesUserDenied when you create an analysis
This DataRulesUserDenied error occurs when the user isn't in the dataset rule. To resolve this error, add the user to the dataset rule, and then refresh the dataset.