Is there a way to limit the management of users in Identity Center group to another Identity Center Group?

Question

We have a multi-organization setup. I created Group A and Group B. Group B has permissions to perform some actions in accounts. We would like only users in Group A to be able to add or remove users from Group B. Is there a way to achieve this?

Answer

This approach is not suitable for default identity store directory or, in other words, when your identity store default one from AWS.

Answer

Create an iam policy and attach to group A.

The policy should control the action CreateGroupMembership limited to the resources
* Group (B)
* User (*)
* Identity Store (X)

All these resources need defining to allow group A to add any user to group B in identity site x.

https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsidentitystore.html

Is there a way to limit the management of users in Identity Center group to another Identity Center Group?

相关内容