User groups, roles, and permission sets - AWS Control Tower

User groups, roles, and permission sets

User groups manage specialized roles that are defined within your shared accounts. Roles establish sets of permissions that belong together. All members of a group inherit the permission sets, or roles, associated with the group. You can create new groups for the end users of your member accounts, so that you can custom-assign only the roles that are needed for the specific tasks a group performs.

The permission sets available cover a broad range of distinct user permission requirements, such as read-only access, AWS Control Tower administrative access, and Service Catalog access. These permission sets enable your end users to provision their own AWS accounts in your landing zone quickly, and in compliance with your enterprise's guidelines.

For tips on planning your allocations of users, groups, and permissions, refer to Recommendations for setting up groups, roles, and policies.

For more information on how to use this service in the context of AWS Control Tower, see the following topics in the AWS IAM Identity Center User Guide.

Warning

AWS Control Tower sets up your IAM Identity Center directory in your home Region. If you set up your landing zone in another Region and then navigate to the IAM Identity Center console, you must switch the console to your home Region to see that directory. Do not delete your IAM Identity Center configuration in your home Region.