

# Managing user access inside Amazon Quick


**Intended audience:** System administrators and Amazon Quick administrators

Amazon Quick administrators manage user access in Quick. How you manage user access depends on your Quick account's identity configuration. For accounts that use IAM Identity Center or Active Directory, groups are assigned to Quick roles. Groups can be assigned the Admin, Author, Reader, Admin Pro, Author Pro, or Reader Pro roles. For more information about Pro roles in Quick, see [Get started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html). Note that Reader Pro maps to the Amazon Quick Professional subscription and Author Pro maps to the Amazon Quick Enterprise subscription. For more information about integrating your Amazon Quick account with IAM Identity Center, see [Managing access for IAM Identity Center users](https://docs.aws.amazon.com/quicksight/latest/user/managing-user-access-idc.html).

To understand how subscription names relate to user roles and their capabilities, see [Understanding Amazon Quick subscriptions and roles](https://docs.aws.amazon.com/quicksuite/latest/userguide/user-types.html).

Amazon Quick accounts that use Quick and IAM users create users directly in Quick. These users and their roles are managed at the user level. For more details, see [Managing access for Quick and IAM users](https://docs.aws.amazon.com/quicksight/latest/user/managing-user-access-qs-iam.html).

**Topics**
+ [Managing access for IAM Identity Center users](managing-user-access-idc.md)
+ [Managing access for Amazon Quick and IAM users](managing-user-access-qs-iam.md)

# Managing access for IAM Identity Center users



**Applies to:** Enterprise Edition

**Intended audience:** System administrators and Amazon Quick administrators

AWS administrators can use this topic to learn more about managing accounts that are integrated with IAM Identity Center. The information in this section also applies to Quick accounts that use Active Directory.

To manage Quick users, you must have administrative privileges in Quick and also the appropriate AWS permissions. For more information about the necessary AWS permissions, see [IAM policy examples for Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html). If you are using directory groups, you need to be a network administrator.

Each Quick Enterprise edition account can have an unlimited number of users. User names that contain a semicolon (`;`) aren't supported.

Use the following topics to add, view, and deactivate Quick users.

**Important**  
You can't remap Amazon Quick users or groups from one identity store to another. For example, if you are migrating from an on-premises Active Directory to Directory Service, or the other way around, you unsubscribe and resubscribe to Amazon Quick. You do this because even if the user's aliases remain the same, the underlying identity data changes. To make the transition easier, request in advance that your users document all their Amazon Quick assets and settings before the migration. 

**Topics**
+ [Adding users](#add-user-accounts-enterprise)
+ [Managing user access](#view-user-accounts-enterprise)
+ [Deactivating user accounts](#deactivate-user-groups-enterprise)
+ [Changing a user's role](#updating-user-accounts-enterprise)
+ [Deleting Enterprise accounts](#delete-a-user-account-enterprise)

## Adding users

With IAM Identity Center, add users to Amazon Quick by associating their IAM Identity Center group to an Admin, Admin Pro, Author, Author Pro, Reader, or Reader Pro role in Quick. All users in the selected groups are authorized to sign in to Quick.

For more information about Pro roles in Quick, see [Get started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html).

To see which groups are integrated with your Quick account, follow the procedure in [Managing user access](https://docs.aws.amazon.com/quicksight/latest/user/view-user-accounts-enterprise.html).

## Managing user access

Use the following procedure to view groups that are assigned to a role that grants access to Quick. 

1. Open the [Quick console](https://quicksight.aws.amazon.com/).

1. Choose **Manage Quick**, and then choose **Manage Users**.

1. Choose **Manage role groups**.

1. On the **Manage role groups** page, use the tables to add or remove groups in IAM Identity Center or Active Directory from the Admin, User, or Reader roles in Quick.

## Deactivating user accounts

Deactivating an Amazon Quick group or user account removes that group's or user's access to Quick resources, like analyses or data sets. IAM Identity Center or Active Directory users that are removed from a group that grants them access to Quick lose access to Quick. These users appear in the **Inactive users** list in Quick until the first day of the following month. After that, the deactivated users are automatically removed from the **Inactive users** list. Before you deactivate a user, you can reassign their resources to another user with the asset management console.

If you later need to reactivate a Quick user's account, put the user into a group with access to Quick. Doing this restores their access to Quick and to any existing resources that are still associated with that user. 

**Note**  
With IAM Identity Center integrated into your Amazon Quick account or Active Directory users, you can change a user's role type by moving them to a group that is associated with a different Amazon Quick role. If a user is in multiple groups that are mapped to different Amazon Quick role types, the user is able to access Amazon Quick with the role that offers the broadest level of access. Accounts that use other identity types can't upgrade or downgrade a user by transferring them between groups. For more information, see [Changing a user's role](https://docs.aws.amazon.com/quicksight/latest/user/updating-user-accounts-enterprise.html).

You can activate or deactivate multiple users at once by adding or removing one or more IAM Identity Center or Active Directory groups that are associated with a role in Amazon Quick. 

## Changing a user's role

If you're using IAM Identity Center or Active Directory, you can change a user's role by adding or removing them from a group that's mapped to the role that you want to assign them in Quick. You can also perform this task by adding a new group to a role in Quick. To do this, you need both administrative privileges in Quick and also appropriate AWS permissions.

With IAM Identity Center integrated users, you can change role types for a user by moving them to a group that is associated with a different Quick role. If a user belongs to multiple groups that are mapped to different role types, the user is able to access Quick with the role that offers the broadest level of access.

When you make changes to users or groups in Quick, it can take up to five minutes for the change to take effect. Examples of such changes are the following:
+ Deleting a user
+ Changing a user from an admin to an author
+ Adding or removing group members

The five-minute time period allows changes to propagate throughout the system.
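An offline audit of the multiple-group rule described above, as an added example that is not part of the original documentation: given a group-to-role mapping and group membership, it reports each user's effective role, flags users whose groups map to different roles, and lists user names containing a semicolon. The breadth ranking in `ROLE_BREADTH`, the group names, and the user names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed breadth order, narrowest to broadest. The page states only that the
# broadest role wins; this exact ranking is an assumption for illustration.
ROLE_BREADTH = ["READER", "READER PRO", "AUTHOR", "AUTHOR PRO", "ADMIN", "ADMIN PRO"]

# Constructed sample data: group -> Quick role, and group -> members.
GROUP_ROLES = {
    "bi-readers": "READER",
    "bi-authors": "AUTHOR",
    "bi-admins": "ADMIN",
    "genbi-pilot": "READER PRO",
}
GROUP_MEMBERS = {
    "bi-readers": ["alice", "bob", "carol"],
    "bi-authors": ["bob"],
    "bi-admins": ["carol", "dave"],
    "genbi-pilot": ["alice", "erin;ops"],
}


def audit_role_overlap(group_roles, group_members):
    """Return (effective_roles, overlaps, bad_names).

    effective_roles: user -> broadest role across all of the user's groups
    overlaps: user -> sorted (group, role) pairs when the roles differ
    bad_names: user names containing ';', which the page says are unsupported
    """
    grants = defaultdict(list)
    for group, role in group_roles.items():
        if role not in ROLE_BREADTH:
            raise ValueError(f"unknown role {role!r} for group {group!r}")
        for user in group_members.get(group, []):
            grants[user].append((group, role))

    effective, overlaps = {}, {}
    for user, pairs in grants.items():
        effective[user] = max((r for _, r in pairs), key=ROLE_BREADTH.index)
        if len({r for _, r in pairs}) > 1:
            overlaps[user] = sorted(pairs)
    bad_names = sorted(u for u in grants if ";" in u)
    return effective, overlaps, bad_names


if __name__ == "__main__":
    effective, overlaps, bad_names = audit_role_overlap(GROUP_ROLES, GROUP_MEMBERS)
    for user, pairs in sorted(overlaps.items()):
        print(f"{user}: effective {effective[user]} via {pairs}")
    print("unsupported user names:", bad_names)
```

Users in the overlap report are the ones to review: removing them from the narrower group changes nothing, while removing them from the broader group silently downgrades them to the remaining role.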

## Deleting Enterprise accounts

If a user is deleted from IAM Identity Center or Active Directory or is removed from a group that's associated with a role in Quick, the user no longer exists in Quick. You do not need to delete the user in the Quick application. The deleted user will appear in the **Inactive users** list in Quick until the first day of the following month. After that date passes, the user is automatically removed from the list.

# Managing access for Amazon Quick and IAM users


Amazon Quick account administrators can use this topic to learn more about managing accounts that use IAM or Quick for identity federation.

To manage Quick users, you must have administrative privileges in Quick and also the appropriate AWS permissions. For more information about the necessary AWS permissions, see [IAM policy examples for Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html).

Each Quick Enterprise edition account can have an unlimited number of users. User names that contain a semicolon (`;`) aren't supported.

Use the topics below to learn more about managing access for Quick and IAM users.

**Topics**
+ [Inviting users to access Amazon Quick](#inviting-users)
+ [Viewing Amazon Quick account details](#view-user-accounts)
+ [Deleting an Amazon Quick user account](#delete-a-user-account)

## Inviting users to access Amazon Quick



**Applies to:** Enterprise Edition and Standard Edition

**Intended audience:** Amazon Quick administrators

Use the following procedure to invite a user to access Quick.

1. Choose your user name on the application bar and then choose **Manage Quick**.

1. Choose **Manage Users**. On this screen, you can manage users who already exist in your account.

1. Choose **Invite users**.

1. In the **Invite users to this account** table, enter a new user name for a person to whom you want to grant access to Quick. If the user is an IAM user, enter their IAM username. Then press **\$1**. A user's IAM username can be the same as their email address.

   Repeat this step until you have entered everyone who you want to invite. Then go to the next step to enter details.

1. For **Email**, enter an email address for the account.

   **Note**  
   Currently, email addresses are case-sensitive.

1. For **Role**, choose the role to assign to each person you're inviting. A *role* determines the permission level to grant to that account.
   + **ADMIN roles**:
     + **ADMIN** – The user is able to both use Amazon Quick for authoring and for performing administrative tasks like managing users or purchasing [SPICE](https://docs.aws.amazon.com/quicksight/latest/user/spice.html) capacity.
     + **ADMIN PRO** – The user is able to perform all actions of an Amazon Quick Admin and utilize applicable Amazon Quick Generative BI capabilities. For more information about Pro roles in Amazon Quick, see [Get started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html).

     There are some differences in the administrative tasks that IAM users and Amazon Quick administrators can perform. These differences occur because some administrative tasks require permissions in AWS, which Amazon Quick–only users lack. The differences are these:
     + Amazon Quick administrators can manage users, SPICE capacity, and subscriptions. 
     + IAM users with administrative permissions can also manage users, SPICE capacity, and subscriptions. In addition, they can manage Amazon Quick permissions to AWS resources, upgrade to Enterprise edition, and unsubscribe from Amazon Quick.

     If you want to create a user with administrator permissions with IAM access, check with your AWS administrator. Make sure that the IAM user has all the necessary statements in their IAM permissions policy to work with Amazon Quick resources. For more information about what statements are required, see [IAM policy examples for Amazon Quick](https://docs.aws.amazon.com/quicksight/latest/user/iam-policy-examples.html).
   + **AUTHOR roles**:
     + **AUTHOR** – The user is able to author analyses and dashboards in Amazon Quick but not perform any administrative tasks in Amazon Quick.
     + **AUTHOR PRO** – The user is able to perform all actions of an Amazon Quick Author and utilize applicable Amazon Quick Generative BI capabilities. For more information about Pro roles in Amazon Quick, see [Get started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html).
   + **READER roles (Enterprise only)**:
     + **READER** – Users are able to interact with shared dashboards, but not author analyses or dashboards or perform any administrative tasks.
     + **READER PRO** – The user is able to perform all actions of an Amazon Quick Reader and utilize applicable Amazon Quick Generative BI capabilities. For more information about Pro roles in Amazon Quick, see [Get started with Generative BI](https://docs.aws.amazon.com/quicksight/latest/user/generative-bi-get-started.html).

1. For **IAM User**, verify that it says **Yes** for accounts that are associated with IAM users, and **No** for those that are Amazon Quick-only.

1. (Optional) To delete a user, choose the delete icon at the end of the relevant row.

1. Choose **Invite**.

## Viewing Amazon Quick account details


**Intended audience:** Amazon Quick administrators

You can view Amazon Quick accounts on the **Manage Users** page. To view an Amazon Quick user account, use the following procedure.

1. Choose your user name on the application bar and then choose **Manage Quick**.

1. Choose **Manage Users** to view details about people who are Amazon Quick users. The information that displays includes:
   + Username – The person's user name.
   + Email – The email associated with this user name.
   + Role – The security cohort that the person's user name belongs to: **ADMIN**, **ADMIN PRO**, **AUTHOR**, **AUTHOR PRO**, **READER**, or **READER PRO**.
   + Last active – The last date and time that this person accessed the Amazon Quick console. Anyone who isn't an active user has a **Last active** status of `User has no activity`.

   You can also see deleted or inactive users in this screen.

1. To find a user name, enter part or all of a user's name or email in the search box. Search is case-insensitive and wildcards aren't supported. To clear the search results and view all user names, delete your search entry.

## Deleting an Amazon Quick user account



**Intended audience:** Amazon Quick administrators

**Warning**  
**Deleting user accounts has permanent, organization-wide consequences.** When you delete a user account:

+ All user-owned resources are permanently removed unless explicitly transferred to another user before deletion
+ Shared dashboards and analyses become inaccessible to other users if the deleted user was the owner
+ Data sources and datasets owned by the user are deleted, potentially breaking dependent analyses across your organization
+ **This action cannot be undone - deleted resources cannot be recovered**

Always transfer critical resources to another user before deleting an account. Review all user-owned assets using the asset management console before proceeding with any account deletion.

Accounts can be deleted by either an AWS administrator or an Amazon Quick administrator. Deleting an Amazon Quick user account works the same in both the Standard and Enterprise editions of Amazon Quick.

Deleting an Amazon Quick user account removes or transfers their resources. In Enterprise edition, the network administrator can temporarily deactivate an Amazon Quick user account by removing it from the network group that has access to Amazon Quick. If a user is deleted, but not deactivated, that user can still access Amazon Quick as a new user. For more information about deactivating an Enterprise account, see [Deactivating user accounts](https://docs.aws.amazon.com/quicksight/latest/user/deactivate-user-groups-enterprise.html).

Use the following procedure to delete an Amazon Quick user account.

1. Choose your user name on the application bar and then choose **Manage Quick**.

1. Choose **Manage Users**.

1. Locate the account you want to delete and then choose the delete icon at the end of that row.

1. Choose to either delete or transfer any resources owned by the user and then choose **OK**.

1. Do one of the following:
   + If you chose to transfer user resources, enter the user name of the account to transfer them to and then choose **Delete and transfer resources**.
   + If you chose to delete user resources, choose **Delete**. You can't undo this action.