Assign user access to applications - AWS IAM Identity Center (successor to AWS Single Sign-On)

Assign user access to applications

Use the following procedure to assign users single sign-on access to cloud applications or custom SAML 2.0 applications.

  • To simplify administration of access permissions, we recommend that you assign access to groups rather than to individual users. With groups you grant or deny permissions once for a set of users instead of applying them to each individual. If a user moves to a different organization, you simply move that user to a different group, and the user automatically receives the permissions needed for the new organization.

  • When assigning user access to applications, IAM Identity Center does not currently support users being added to nested groups. If a user is added to a nested group, they may receive a “You do not have any applications” message during sign-in. Assignments must be made against the immediate group the user is a member of.

To assign user or group access to applications
  1. Open the IAM Identity Center console.

     Make sure that the IAM Identity Center console is using the Region where your AWS Managed Microsoft AD directory is located before taking the next step.

  2. Choose Applications.

  3. In the list of applications, choose an application to which you want to assign access.

  4. On the application details page, choose the Assigned users tab. Then choose Assign users.

  5. In the Assign users dialog box, enter a user or group name. Then choose Search connected directory. You can specify multiple users or groups by selecting the applicable accounts as they appear in search results.

  6. Choose Assign users.
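The two notes above (assign to groups rather than users, and nested groups are not honoured for application assignments) are easy to violate silently: a user whose only route to an assigned group runs through a nested group sees "You do not have any applications" at sign-in, and nothing in the console flags it. The following audit is an added example, not AWS code or part of this page: it takes a constructed snapshot of group membership and application assignments (in practice you would populate these dictionaries from your identity store and application assignment listings) and reports, per application, which users an administrator would expect to have access but who will not, plus any assignments made directly to users.

```python
"""Audit IAM Identity Center application assignments for nested-group gaps.

Constructed sample data: principals are written "user:<name>" or "group:<name>".
"""

# Constructed directory snapshot: group -> immediate members (users or groups).
GROUP_MEMBERS = {
    "Engineering": {"user:alice", "group:Platform"},  # Platform is nested
    "Platform": {"user:bob"},
    "Finance": {"user:carol"},
}

# Constructed application assignments: application -> assigned principals.
ASSIGNMENTS = {
    "Payroll-SAML": {"group:Finance", "user:dave"},
    "Wiki": {"group:Engineering"},
}


def _split(principal):
    """Split "kind:name" into (kind, name)."""
    kind, name = principal.split(":", 1)
    return kind, name


def direct_user_members(group, members=GROUP_MEMBERS):
    """Users that are immediate members of `group`.

    These are the only members Identity Center honours for an application
    assignment made against the group; nested groups are ignored.
    """
    return {name for kind, name in map(_split, members.get(group, ()))
            if kind == "user"}


def transitive_user_members(group, members=GROUP_MEMBERS, _seen=None):
    """Users reachable through `group` and any groups nested under it.

    This is what an administrator usually *expects* a group assignment to cover.
    A `_seen` set guards against membership cycles.
    """
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for kind, name in map(_split, members.get(group, ())):
        if kind == "user":
            users.add(name)
        else:
            users |= transitive_user_members(name, members, seen)
    return users


def effective_users(app, assignments=ASSIGNMENTS, members=GROUP_MEMBERS):
    """Users who will actually see `app` in the portal."""
    users = set()
    for kind, name in map(_split, assignments.get(app, ())):
        if kind == "user":
            users.add(name)
        else:
            users |= direct_user_members(name, members)
    return users


def expected_users(app, assignments=ASSIGNMENTS, members=GROUP_MEMBERS):
    """Users an administrator would expect to see `app`, counting nesting."""
    users = set()
    for kind, name in map(_split, assignments.get(app, ())):
        if kind == "user":
            users.add(name)
        else:
            users |= transitive_user_members(name, members)
    return users


def find_gaps(assignments=ASSIGNMENTS, members=GROUP_MEMBERS):
    """Map app -> users who will get "You do not have any applications"."""
    gaps = {}
    for app in assignments:
        missing = expected_users(app, assignments, members) - \
            effective_users(app, assignments, members)
        if missing:
            gaps[app] = missing
    return gaps


def direct_user_assignments(assignments=ASSIGNMENTS):
    """(app, user) pairs assigned to a user rather than a group."""
    return sorted((app, name)
                  for app, principals in assignments.items()
                  for kind, name in map(_split, principals)
                  if kind == "user")


if __name__ == "__main__":
    for app, users in find_gaps().items():
        print(f"{app}: nested-only members with no access: {sorted(users)}")
    for app, user in direct_user_assignments():
        print(f"{app}: assigned directly to user {user}; prefer a group")
```

Running it on the sample data reports that bob, who belongs to Engineering only through the nested Platform group, will not see Wiki, and that Payroll-SAML has a direct user assignment for dave. The fix for the first finding is the one the note gives: assign the immediate group (Platform) to the application, or make bob a direct member of Engineering.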