AWS quicksight documentation change
Summary
Added section about Rules Dataset tagging for row-level security, including requirements for creating rules datasets and strict SPICE ingestion rules
Security assessment
The change documents security-related features (row-level security controls and data integrity enforcement) but does not indicate a specific security vulnerability being addressed. It enhances documentation about existing security mechanisms.
Diff
diff --git a/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md b/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md index 656237d34..420315f4e 100644 --- a/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md +++ b/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.md @@ -5 +5 @@ -Creating dataset rules for row-level securityCreating row-level security +Creating dataset rules for row-level securityCreating row-level securityRules Dataset tagging for row-level security @@ -203,0 +204,8 @@ To fix this, specify new dataset rules. Creating a dataset with the same name is +## Rules Dataset tagging for row-level security + +Rules Dataset is a flag that distinguishes permission datasets used for row-level security from regular datasets. If a permissions dataset has already been applied to a regular dataset, it will have a Rules Dataset flag in the **Dataset** landing page. If a permissions dataset has not yet been applied to any dataset, it will be categorized as a regular dataset. To use it as a rules dataset, duplicate the permissions dataset and flag it as a rules dataset in the console when creating the dataset. To successfully duplicate it as a rules dataset, ensure the original dataset has: 1. Required user metadata or group metadata column(s) and 2. Only string type columns. + +When creating a rules dataset programmatically, add the following parameter: **UseAs: RLS_RULES**. This is an optional parameter that is only used to create a rules dataset. Once a dataset has been created, either through the console or programmatically, and flagged as either a rules dataset or a regular dataset, it cannot be changed. + +Once datasets are flagged as rules datasets, Amazon QuickSight will apply strict SPICE ingestion rules on them. To ensure data integrity, SPICE ingestions for rules datasets will fail if there are invalid rows or cells exceeding length limits. You must fix the ingestion issues in order to re-initiate a successful ingestion. Strict ingestion rules are only applicable to rules datasets. Regular datasets will not have dataset ingestion failures when there are skipped rows or string truncations. +