QuickSight Row Level Security

Written By Marc Fleurant (Collaborator)

Updated at October 2nd, 2024

FinOps Center integrates with QuickSight via the "Anonymous Embedding" pattern, which restricts each user's access to billing data to the AWS Accounts that have been aligned to their financial scope.

Within QuickSight, each Dataset needs to be configured with both Tag-based rules (for the Application users coming through the anonymous embed) and User-based rules (for the Dashboard Authors):

  1. Adding Tag-based rules for Each Dataset created by the CUDOS/CID Framework
  2. Adding a User-based rule for the QuickSight Authors so that they can view the Dashboards/Analysis from the Authoring environment.

Adding Tag-Based Rules to the Datasets.

Navigate to the Datasets and add the Tag-based rule below to each Dataset:

  • Column -> account_id
  • Tag -> account_id0
  • Delimiter -> ,
  • Match All -> *


To enable Authors to view data in the console and to edit and create dashboards, create a simple csv file with two columns and upload it as a Dataset; that Dataset is then applied to each target Dataset as the User-based rule.

Sample (UserRLS.csv):

https://cdn.document360.io/9c6c5de5-e82a-4925-8765-7cad54ea8876/Images/Documentation/UserRLS%20.csv


  • Username -> one row per Author, containing the Author's full QuickSight user name (e.g. AWSReservedSSO_AWSAdministratorAccess_a268ce32b8a1824c/name)
  • account_id -> leave blank; a blank value grants that Author access to "all" accounts
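To make the two rule types concrete, the following is an added Python example (not FinOps Center's or QuickSight's own code) that simulates how the Tag-based rule configured above and the User-based rule defined by the csv are evaluated against a billing dataset. It assumes the SessionTags shape of the GenerateEmbedUrlForAnonymousUser API call, treats a missing session tag as "no rows visible" (fail closed), and treats a comma-separated value in the csv's account_id column as a list of accounts; the account ids, user names and cost figures are constructed sample data.

```python
"""Simulation of QuickSight tag-based and user-based row-level security.

Constructed example: the dataset, users and account ids below are made up.
"""
import csv
import io

# Values configured on the Tag-based rule in the QuickSight Dataset panel
TAG_KEY = "account_id0"    # Tag
DELIMITER = ","            # Delimiter
MATCH_ALL = "*"            # Match All
RLS_COLUMN = "account_id"  # Column

# Constructed stand-in for a CUDOS/CID billing dataset (only the RLS column matters)
BILLING_ROWS = [
    {"account_id": "111111111111", "cost": 10.0},
    {"account_id": "222222222222", "cost": 20.0},
    {"account_id": "333333333333", "cost": 30.0},
]


def session_tags_for_scope(account_ids):
    """Build the SessionTags list the embedding application would pass to
    GenerateEmbedUrlForAnonymousUser for a user whose financial scope is
    `account_ids`. Passing ["*"] grants every account (the Match All value)."""
    return [{"Key": TAG_KEY, "Value": DELIMITER.join(account_ids)}]


def apply_tag_rule(rows, session_tags, column=RLS_COLUMN):
    """Filter rows the way the Tag-based rule does: the tag value is split on the
    configured delimiter, the Match All value exposes every row, and a session with
    no matching tag sees nothing (assumption: fail closed)."""
    values = [t["Value"] for t in session_tags if t["Key"] == TAG_KEY]
    if not values:
        return []
    allowed = set()
    for value in values:
        for part in value.split(DELIMITER):
            part = part.strip()
            if part == MATCH_ALL:
                return list(rows)
            if part:
                allowed.add(part)
    return [r for r in rows if r[column] in allowed]


# Constructed UserRLS.csv: blank account_id means "all", a list means those accounts
USER_RLS_CSV = """Username,account_id
AWSReservedSSO_AWSAdministratorAccess_a268ce32b8a1824c/alice,
AWSReservedSSO_AWSAdministratorAccess_a268ce32b8a1824c/bob,222222222222
"""


def load_user_rules(csv_text):
    """Parse the two-column User-based rule csv into {username: account_id_value}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Username"]: (row["account_id"] or "").strip() for row in reader}


def apply_user_rule(rows, rules, username, column=RLS_COLUMN):
    """Filter rows for an Author: unlisted users see nothing, a blank scope sees
    everything, otherwise only the listed accounts."""
    if username not in rules:
        return []
    scope = rules[username]
    if scope == "":
        return list(rows)
    allowed = {s.strip() for s in scope.split(DELIMITER) if s.strip()}
    return [r for r in rows if r[column] in allowed]


if __name__ == "__main__":
    tags = session_tags_for_scope(["111111111111", "222222222222"])
    print("embedded user sees:", [r["account_id"] for r in apply_tag_rule(BILLING_ROWS, tags)])
    rules = load_user_rules(USER_RLS_CSV)
    author = "AWSReservedSSO_AWSAdministratorAccess_a268ce32b8a1824c/alice"
    print("author sees:", [r["account_id"] for r in apply_user_rule(BILLING_ROWS, rules, author)])
```

The two useful checks this makes visible are the fail-closed cases: an embed URL generated without the account_id0 tag, and an Author whose user name is not in the csv, both return no rows, which is the behaviour you want to confirm before exposing real billing data.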

From the Dataset panel, select Create new Dataset from the top right of the screen:

  1. From the Create Dataset screen select Upload a file
  2. Upload the csv and select Next
  3. Select the Edit button
  4. On the next page select Save and Publish
  5. Apply the Dataset as the User-based rule on each target Dataset