AWS Service Catalog
Administrator Guide

Example Access Policies for Provisioned Product Management

You can customize your own policies to help meet the security requirements of your organization. The following sections describe some examples of how to customize the access level for each action, with support for user, role, and account levels. This allows a user to be granted access to view, update, terminate, and manage only the provisioned products that were created by that user, by others under the same role, or by anyone in the account to which the user is logged in. The access is hierarchical: granting account level access also grants role level and user level access, while granting role level access also grants user level access but not account level access. These levels are specified in the policy JSON within a Condition block as accountLevel, roleLevel, or userLevel, as shown in the examples.

These examples also apply to access levels for the AWS Service Catalog API write operations UpdateProvisionedProduct and TerminateProvisionedProduct, and the read operations DescribeRecord, ScanProvisionedProducts, and ListRecordHistory. The ScanProvisionedProducts and ListRecordHistory API operations take an input called AccessLevelFilterKey, and that key's values correspond to the Condition block levels discussed here (accountLevel is equivalent to an AccessLevelFilterKey value of "Account", roleLevel to "Role", and userLevel to "User"). For more information, see the AWS Service Catalog Developer Guide.
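The following is an added example, not code from the Administrator Guide, that ties the two preceding paragraphs together: it builds an IAM policy document whose Condition block scopes the write and read operations named above to one access level, produces the equivalent AccessLevelFilter input for ScanProvisionedProducts and ListRecordHistory, and encodes the account > role > user hierarchy so a policy can be checked against a requested filter level. It assumes the condition keys are written as `servicecatalog:accountLevel`, `servicecatalog:roleLevel` and `servicecatalog:userLevel` with the value `self`, and that the filter's `Value` is likewise `self`; the helper names (`build_policy`, `access_level_filter`, `policy_permits`) are this example's own.

```python
"""Added example (not from the AWS Service Catalog Administrator Guide):
scope provisioned-product management to one access level.

Assumptions: condition keys "servicecatalog:<level>" with value "self";
AccessLevelFilter keys "Account" / "Role" / "User" with value "self".
"""
import json

# Write and read operations the guide says these access levels apply to.
WRITE_ACTIONS = (
    "servicecatalog:UpdateProvisionedProduct",
    "servicecatalog:TerminateProvisionedProduct",
)
READ_ACTIONS = (
    "servicecatalog:DescribeRecord",
    "servicecatalog:ScanProvisionedProducts",
    "servicecatalog:ListRecordHistory",
)

# Condition-block level -> AccessLevelFilterKey value for the read APIs.
FILTER_KEY_FOR_LEVEL = {
    "accountLevel": "Account",
    "roleLevel": "Role",
    "userLevel": "User",
}
LEVEL_FOR_FILTER_KEY = {v: k for k, v in FILTER_KEY_FOR_LEVEL.items()}

# Hierarchy, broadest first: granting a level also grants every narrower one.
LEVEL_ORDER = ("accountLevel", "roleLevel", "userLevel")


def implied_levels(level):
    """Set of levels effectively granted when `level` is granted."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown access level: {level}")
    return set(LEVEL_ORDER[LEVEL_ORDER.index(level):])


def build_policy(level, actions=WRITE_ACTIONS + READ_ACTIONS):
    """IAM policy (as a dict) allowing `actions` only on provisioned
    products visible at `level`; the Condition block does the scoping."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown access level: {level}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": "*",
            # Assumed key format: servicecatalog:<level> = "self".
            "Condition": {"StringEquals": {f"servicecatalog:{level}": "self"}},
        }],
    }


def access_level_filter(level):
    """AccessLevelFilter input for ScanProvisionedProducts /
    ListRecordHistory that matches the policy condition for `level`."""
    return {"Key": FILTER_KEY_FOR_LEVEL[level], "Value": "self"}


def policy_condition_level(policy):
    """Access level asserted by the policy's first statement, or None."""
    cond = policy["Statement"][0].get("Condition", {}).get("StringEquals", {})
    for key in cond:
        prefix, _, level = key.partition(":")
        if prefix == "servicecatalog" and level in LEVEL_ORDER:
            return level
    return None


def policy_permits(policy, filter_key):
    """True if a caller holding `policy` may call a read API with
    AccessLevelFilterKey=`filter_key` (broader levels imply narrower ones)."""
    granted = policy_condition_level(policy)
    if granted is None:
        return False  # no scoping condition: not one of these policies
    requested = LEVEL_FOR_FILTER_KEY[filter_key]
    return requested in implied_levels(granted)


if __name__ == "__main__":
    for level in LEVEL_ORDER:
        print(f"--- {level} ---")
        print(json.dumps(build_policy(level), indent=2))
        print("AccessLevelFilter:", access_level_filter(level))
```

Running the module prints the three policy variants; a role-level policy permits a `Role` or `User` filter on the read APIs but not an `Account` filter, which is the hierarchy the guide describes.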