🔐 Spike: Investigate Row-Based and Tag-Based Security #3062

Closed
6 tasks
Tracked by #2955
Ed-Bajo opened this issue Jan 24, 2024 · 1 comment
Labels
data-platform-apps-and-tools This issue is owned by Data Platform Apps and Tools 💄 Visualisation MI/BI (Epic #2955)

Ed-Bajo commented Jan 24, 2024

User Story

As Platform Engineers, we would like to investigate the use of row-based and tag-based security to allow restricting access to data both for QS dashboard authors and viewers, so that we can achieve a similar level of permission granularity as we currently maintain in AP.

Value / Purpose

Being able to autogenerate RLS or TBS rules from users' IAM permissions would allow us to potentially reduce the number of datasets we manage in QuickSight while maintaining the same level of access security.

Useful Contacts

@julialawrence
@Ed-Bajo

Proposal

Hypothesis

Additional Information

https://docs.aws.amazon.com/quicksight/latest/user/row-level-security.html

Things we don't currently know:

  • What happens when a user tries to use a dataset that has more data in it than they have access to via their IAM permissions?
  • What happens if a user uploads a manifest file for more paths than they have access to?
  • How does this work for Athena-based data sets?

Definition of Done

  • Research and document answers to "Things we don't currently know."
  • Based on this research, investigate whether implementing row-based or tag-based security rules would be a viable way forward instead of managing multiple S3 manifest files.
  • Investigate and document whether RBS or TBS rules can be generated programmatically from a user's IAM permissions
  • Present findings to team and recommend way forward
  • Follow-on stories raised
  • Service Design further work identified
@Ed-Bajo Ed-Bajo converted this from a draft issue Jan 24, 2024
@Ed-Bajo Ed-Bajo added data-platform-apps-and-tools This issue is owned by Data Platform Apps and Tools 💄 Visualisation MI/BI (Epic #2955) labels Jan 24, 2024
@julialawrence julialawrence changed the title Spike: Row Level Access to manage object-level permissions rather than creating datasource for each Spike: Investigate Row-Based and Tag-Based Security Jan 29, 2024
@julialawrence julialawrence changed the title Spike: Investigate Row-Based and Tag-Based Security 🔐 Spike: Investigate Row-Based and Tag-Based Security Jan 29, 2024
@jacobwoffenden jacobwoffenden moved this to 👀 TODO in Analytical Platform Feb 15, 2024
@Ed-Bajo Ed-Bajo closed this as not planned Feb 27, 2024
@github-project-automation github-project-automation bot moved this from 👀 TODO to 🎉 Done in Analytical Platform Feb 27, 2024