How to limit access to specific Identity Center groups?

I have multiple groups in my default Identity Center directory. I want members of a specific group manage users of other groups except a couple of administrator-managed groups. Simple use case is to "Allow team leaders manage limited number of teams by adding/removing users" sso-directory does not support (have) any ARNs and does not have any specific Conditions. Global conditions does not allow to filter by resource ARN or, in my case, group_id. Tags cannot be added to Identity Center groups to allow for aws:ResourceTag/... filtering.

Are there any feasible way to resolve my use-case?

주제

보안, 신원 및 규정 준수 관리 및 거버넌스

태그

보안, 신원 및 규정 준수 AWS 자격 증명 및 액세스 관리 AWS 계정 관리

언어

English

Maksym

질문됨 한 달 전172회 조회

1개 답변

최신
최다 투표
가장 많은 댓글

이 답변이 도움이 되었나요?커뮤니티가 여러분의 지식을 활용할 수 있도록 정답을 찬성하세요.

수락된 답변

Hello.

As stated in the document below, there are no condition keys, so I don't think it is currently possible to manage only specific groups.
https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-ondirectory.html

전문가

Riku_Kobayashi

답변함 한 달 전

Maksym
한 달 전
Thank you @Riku_Kobayashi. I read this doc. I was hoping people may know an indirect way to make it work. For example, since the privilege is for Console sessions, I am trying to explore if there are relevant condition filters available.
Riku_Kobayashi 전문가
한 달 전
I thought that there was no key for narrowing down to a specific group in the global condition key. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#AvailableKeys

How to limit access to specific Identity Center groups?

관련 콘텐츠