Multiple Group Object Source Policies
Example policy documents for each of the policy names referenced by this source:
For AWS Service IAM User:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::*:role/SPServiceUserAccountAccess"
    }
  ]
}
Note
The role name above is an example. Replace SPServiceUserAccountAccess with the name of the role you created in the managed AWS account(s).
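The service IAM user policy above grants only the caller's side of sts:AssumeRole: for a cross-account AssumeRole the role in each managed account must also carry a trust policy that names the service user as a principal, and this page does not show that trust policy. The following script is an added example, not the connector's own code or configuration; the account ID and user name in SERVICE_USER_ARN are placeholders. It builds the trust policy the managed-account role needs and checks that the service user's AssumeRole statement is scoped to a single named role rather than "*".

```python
"""Added example (not from the connector documentation): build the trust
policy for the managed-account role and check it against the service user's
AssumeRole policy. Account IDs and names below are placeholders."""
import json
import re

# Assumed placeholder for the service IAM user in the hub account.
SERVICE_USER_ARN = "arn:aws:iam::111122223333:user/sp-aws-service-user"
ROLE_NAME = "SPServiceUserAccountAccess"  # example role name from the page

# The service user's policy, copied from the page.
SERVICE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["sts:AssumeRole"],
        "Resource": "arn:aws:iam::*:role/SPServiceUserAccountAccess",
    }],
}

# A role ARN: 12-digit account ID (or "*" for any account) and a role name.
_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}|\*):role/([\w+=,.@-]+)$")


def build_trust_policy(service_user_arn: str) -> dict:
    """Trust policy for the role created in each managed account. Only the
    named service user may assume the role; a wildcard principal here would
    let any AWS identity do so."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": service_user_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def check_assume_role_policy(policy: dict, expected_role: str) -> list[str]:
    """Return findings for Allow statements granting sts:AssumeRole on
    anything other than the expected role. Empty list means scoped."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for res in resources:
            m = _ROLE_ARN.match(res)
            if not m:
                findings.append(f"{stmt.get('Sid', '?')}: AssumeRole resource {res!r} is not a role ARN")
            elif m.group(2) != expected_role:
                findings.append(f"{stmt.get('Sid', '?')}: role name {m.group(2)!r} != {expected_role!r}")
    return findings


def trust_policy_allows(trust_policy: dict, caller_arn: str) -> bool:
    """True if an Allow statement names the caller explicitly (no "*" principal)."""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        aws = principal.get("AWS")
        if caller_arn in (aws if isinstance(aws, list) else [aws]):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(SERVICE_USER_ARN), indent=2))
    print("findings:", check_assume_role_policy(SERVICE_USER_POLICY, ROLE_NAME))
```

The account wildcard in the page's Resource ARN is acceptable because the trust policy on each role, not the user policy, decides which accounts the user can actually enter; the check therefore only insists on a specific role name.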
For Role:
AWS Organizations read permissions. Required for Multiple Group Object Source; attach to the role in each AWS account that is to be managed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "organizations:ListPoliciesForTarget",
        "organizations:ListAccountsForParent",
        "organizations:ListRoots",
        "organizations:ListAccounts",
        "organizations:ListTargetsForPolicy",
        "organizations:DescribeOrganization",
        "organizations:DescribeOrganizationalUnit",
        "organizations:DescribeAccount",
        "organizations:ListParents",
        "organizations:ListOrganizationalUnitsForParent",
        "organizations:DescribePolicy",
        "organizations:ListPolicies",
        "organizations:ListTagsForResource"
      ],
      "Resource": "*"
    }
  ]
}
IAM read permissions. Required for Multiple Group Object Source; attach to the role in each AWS account that is to be managed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicyVersion",
        "iam:ListServiceSpecificCredentials",
        "iam:ListMFADevices",
        "iam:ListSigningCertificates",
        "iam:GetGroup",
        "iam:ListSSHPublicKeys",
        "iam:ListAttachedRolePolicies",
        "iam:ListAttachedUserPolicies",
        "iam:ListAttachedGroupPolicies",
        "iam:ListRolePolicies",
        "iam:ListAccessKeys",
        "iam:ListPolicies",
        "iam:GetRole",
        "iam:GetPolicy",
        "iam:ListGroupPolicies",
        "iam:ListRoles",
        "iam:ListUserPolicies",
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAccountAliases",
        "iam:ListUsers",
        "iam:ListGroups",
        "iam:GetGroupPolicy",
        "iam:GetUser",
        "iam:GetRolePolicy",
        "iam:GetLoginProfile",
        "iam:ListEntitiesForPolicy",
        "iam:GetAccessKeyLastUsed",
        "iam:ListUserTags",
        "iam:ListRoleTags",
        "iam:ListPolicyTags"
      ],
      "Resource": "*"
    }
  ]
}
IAM write permissions used for provisioning. Required for Multiple Group Object Source; attach to the role in each AWS account that is to be managed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:UpdateLoginProfile",
        "iam:CreateGroup",
        "iam:DeleteAccessKey",
        "iam:DeleteGroup",
        "iam:AttachUserPolicy",
        "iam:DeleteUserPolicy",
        "iam:UpdateAccessKey",
        "iam:AttachRolePolicy",
        "iam:DeleteUser",
        "iam:CreateUser",
        "iam:CreateAccessKey",
        "iam:CreatePolicy",
        "iam:CreateLoginProfile",
        "iam:RemoveUserFromGroup",
        "iam:AddUserToGroup",
        "iam:DetachRolePolicy",
        "iam:DeleteSigningCertificate",
        "iam:AttachGroupPolicy",
        "iam:DeleteRolePolicy",
        "iam:DetachGroupPolicy",
        "iam:DetachUserPolicy",
        "iam:DeleteGroupPolicy",
        "iam:DeleteLoginProfile"
      ],
      "Resource": "*"
    }
  ]
}
Note
- For all provisioning operations, the permissions for Refresh Operations are required in addition to the provisioning permissions listed for SPProvisioningPolicy.
- For more information on the operation-specific administrator permissions required for the IAM and Organizations APIs, see Operation Specific Service IAM User permissions.
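The Note means the role attached for provisioning must carry the read permissions as well as the write ones, so the effective action set is the union of the three policies above. The script below is an added example, not code from the connector documentation: the action lists are copied from this page, while the operation names ("refresh", "provisioning") and the list of escalation-capable actions are the reviewer's own assumptions. It computes the effective action set per operation, splits it into read and write statements, and flags the write actions that, when allowed on Resource "*", let the role grant further access or mint credentials for any principal in the account.

```python
"""Added example, not part of the connector documentation: effective action
set per operation and a least-privilege check on the write policy. Action
lists are copied from the page; operation names and ESCALATION_CAPABLE are
this script's own assumptions."""
from collections import defaultdict

# Actions copied from the three role policies on this page.
ORG_READ = """organizations:ListPoliciesForTarget organizations:ListAccountsForParent
organizations:ListRoots organizations:ListAccounts organizations:ListTargetsForPolicy
organizations:DescribeOrganization organizations:DescribeOrganizationalUnit
organizations:DescribeAccount organizations:ListParents
organizations:ListOrganizationalUnitsForParent organizations:DescribePolicy
organizations:ListPolicies organizations:ListTagsForResource""".split()

IAM_READ = """iam:GetPolicyVersion iam:ListServiceSpecificCredentials iam:ListMFADevices
iam:ListSigningCertificates iam:GetGroup iam:ListSSHPublicKeys iam:ListAttachedRolePolicies
iam:ListAttachedUserPolicies iam:ListAttachedGroupPolicies iam:ListRolePolicies
iam:ListAccessKeys iam:ListPolicies iam:GetRole iam:GetPolicy iam:ListGroupPolicies
iam:ListRoles iam:ListUserPolicies iam:GetUserPolicy iam:ListGroupsForUser
iam:ListAccountAliases iam:ListUsers iam:ListGroups iam:GetGroupPolicy iam:GetUser
iam:GetRolePolicy iam:GetLoginProfile iam:ListEntitiesForPolicy iam:GetAccessKeyLastUsed
iam:ListUserTags iam:ListRoleTags iam:ListPolicyTags""".split()

IAM_WRITE = """iam:UpdateLoginProfile iam:CreateGroup iam:DeleteAccessKey iam:DeleteGroup
iam:AttachUserPolicy iam:DeleteUserPolicy iam:UpdateAccessKey iam:AttachRolePolicy
iam:DeleteUser iam:CreateUser iam:CreateAccessKey iam:CreatePolicy iam:CreateLoginProfile
iam:RemoveUserFromGroup iam:AddUserToGroup iam:DetachRolePolicy iam:DeleteSigningCertificate
iam:AttachGroupPolicy iam:DeleteRolePolicy iam:DetachGroupPolicy iam:DetachUserPolicy
iam:DeleteGroupPolicy iam:DeleteLoginProfile""".split()

# IAM actions that grant access or create credentials for other principals
# (assumption: the reviewer's list, not the connector's).
ESCALATION_CAPABLE = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:CreatePolicy", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:UpdateLoginProfile", "iam:AddUserToGroup",
}


def is_read_only(action: str) -> bool:
    """Get/List/Describe verbs read state; every other verb mutates it."""
    verb = action.split(":", 1)[1]
    return verb.startswith(("Get", "List", "Describe"))


def required_actions(operation: str) -> frozenset[str]:
    """Effective action set per operation: provisioning needs the refresh
    (read) permissions as well, as the Note above requires."""
    refresh = frozenset(ORG_READ) | frozenset(IAM_READ)
    if operation == "refresh":
        return refresh
    if operation == "provisioning":
        return refresh | frozenset(IAM_WRITE)
    raise ValueError(f"unknown operation {operation!r}")


def effective_policy(operation: str) -> dict:
    """Single policy document for the operation, with read and write actions
    in separate statements so the write statement can be scoped on its own."""
    by_kind = defaultdict(list)
    for action in sorted(required_actions(operation)):
        by_kind["Read" if is_read_only(action) else "Write"].append(action)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": f"SP{kind}", "Effect": "Allow", "Action": actions, "Resource": "*"}
            for kind, actions in by_kind.items()
        ],
    }


def escalation_findings(policy: dict) -> list[str]:
    """Escalation-capable actions allowed on "*" with no Condition attached."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if "*" not in resources:
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        findings.extend(a for a in actions if a in ESCALATION_CAPABLE)
    return sorted(set(findings))


if __name__ == "__main__":
    for op in ("refresh", "provisioning"):
        acts = required_actions(op)
        print(f"{op}: {len(acts)} actions, {sum(not is_read_only(a) for a in acts)} mutating")
    print("escalation-capable on '*':", escalation_findings(effective_policy("provisioning")))
```

The write policy on this page is what the connector needs to manage users and groups, so these actions cannot simply be removed; what a practitioner can do (a recommendation of this example, not of the page) is attach a Condition to the SPWrite statement, for instance requiring iam:PermissionsBoundary on the Attach*Policy and CreateUser actions, so that the role can manage accounts without being able to grant more than the boundary allows.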