Establishing Enterprise Architecture on AWS
AWS Whitepaper

Roles and Actors

In the business architecture domain, there are actors and roles. An actor can be a person, organization, or system that has a role that initiates or interacts with activities. Actors belong to an enterprise and, in combination with the role, perform the business function.

Understanding the actors in your organization enables you to create a definitive listing of all participants that interact with IT, including users and owners of IT systems. Understanding actor-to-role relationships is necessary to enable organizational change management and organizational transformation.

The actors and roles of your enterprise can be modelled on two levels. Typically, an organization has a corporate directory (e.g. Active Directory) that reflects its actors and roles. On a different level, you can enforce these components with AWS Identity and Access Management (IAM).

IAM implements the actor-role relationship and complements AWS Organizations. In IAM, an actor is known as a user. Within an AWS account that belongs to an organizational unit (OU), you define the users for that account and the roles those users can assume. With IAM, you can securely control access to AWS services and resources for your users. You can also create and manage IAM users and groups, and use permissions to allow or deny their access to AWS resources.

Service control policies (SCPs) put bounds around the permissions that IAM policies can grant to entities in an account, such as IAM users and roles. The AWS account inherits the SCPs defined in, or inherited by, its OU. Then, within the AWS account, you write more granular IAM policies to define how and what each user or role can access. You can apply these policies at the user or group level.

In this manner, you can create very granular permissions for the actors and roles of your organization. Key business relationships between OUs, actors (users), and roles can be reflected in IAM.
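The layering described above, as an added example that is not part of the whitepaper: a simplified, hypothetical model (no resources, conditions or permissions boundaries; the real IAM evaluation engine is more involved) in which an action must be allowed by every SCP on the path from the organization root through the OU to the account, and then by the principal's IAM policies. The policies and OU names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (hypothetical; not from the whitepaper).
# SCPs on the OU chain: organization root -> "Workloads" OU (inherited by the account).
ROOT_SCP = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
WORKLOADS_OU_SCP = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket"},
]}
# IAM identity policy attached to a user (or group) inside that account.
ANALYST_IAM_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:DeleteBucket", "ec2:RunInstances"]},
]}

def _statement_matches(stmt, action):
    """IAM action names match case-insensitively, with '*' wildcards."""
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def policy_verdict(policy, action):
    """Return 'deny' (explicit), 'allow', or 'implicit_deny' for one policy."""
    matching = [s for s in policy["Statement"] if _statement_matches(s, action)]
    if any(s["Effect"] == "Deny" for s in matching):
        return "deny"
    if any(s["Effect"] == "Allow" for s in matching):
        return "allow"
    return "implicit_deny"

def is_allowed(scp_chain, iam_policies, action):
    """SCPs bound what IAM can grant: the action must be allowed (and not
    denied) by every SCP from root -> OU -> account, and only then can the
    principal's IAM policies decide (explicit deny wins over allow)."""
    if any(policy_verdict(scp, action) != "allow" for scp in scp_chain):
        return False  # outside the OU's bounds, whatever IAM grants
    verdicts = [policy_verdict(p, action) for p in iam_policies]
    return "deny" not in verdicts and "allow" in verdicts

SCP_CHAIN = [ROOT_SCP, WORKLOADS_OU_SCP]
ANALYST = [ANALYST_IAM_POLICY]

if __name__ == "__main__":
    for action in ["s3:GetObject", "s3:DeleteBucket",
                   "ec2:RunInstances", "ec2:DescribeInstances"]:
        print(f"{action:24} -> {is_allowed(SCP_CHAIN, ANALYST, action)}")
```

Only s3:GetObject is effectively allowed: the SCP's explicit deny blocks s3:DeleteBucket, the SCP never allows ec2:RunInstances even though IAM grants it, and ec2:DescribeInstances is within the SCP bounds but never granted by the IAM policy.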