# Operation Specific Service IAM User Permissions

This section lists the operation-specific administrator permissions required for the following:

- IAM APIs
- Organization APIs

## Identity and Access Management APIs
The following tables list the SailPoint operations along with the corresponding IAM API (Actions) used:
| Operation | IAM API (Action) |
|---|---|
| Test Connection | GetUser |
| Account Update | CreateAccessKey |
| Reset Password | UpdateLoginProfile<br>CreateLoginProfile |
| Group Create | CreateGroup |
| Group Update | UpdateGroup<br>AttachGroupPolicy<br>DetachGroupPolicy |
| Create Customer Managed Policy | CreatePolicy |

| Operation | IAM API (Action) |
|---|---|
| Summary/Attributes (UserName, UserId, Path, ARN, CreateDate, PasswordLastUsed)<br>ConsoleAccess<br>Groups<br>AWSManagedPolicies and CustomerManagedPolicies<br>InlinePolicies<br>Access Keys<br>AWS CodeCommit HTTPS Credentials<br>AWS CodeCommit SSH Keys<br>Signing Certificates<br>Multi-Factor Authentication (MFA) Device<br>AccessKeyLastUsed | ListUsers<br>GetLoginProfile<br>ListGroupsForUser<br>ListUserPolicies<br>ListAttachedUserPolicies<br>ListAccessKeys<br>ListServiceSpecificCredentials<br>ListSSHPublicKeys<br>ListSigningCertificates<br>ListMFADevices<br>GetAccessKeyLastUsed |

| Operation | IAM API (Action) |
|---|---|
| Summary/Attributes (GroupName, GroupId, Path, ARN, CreateDate)<br>AWSManagedPolicies and CustomerManagedPolicies<br>InlinePolicies | ListGroups<br>ListAttachedGroupPolicies<br>ListGroupPolicies |

| Operation | IAM API (Action) |
|---|---|
| Summary/Attributes (PolicyName, PolicyId, ARN, Path, CreateDate, UpdateDate, DefaultVersionId)<br>Description<br>PolicyJSON (only for CustomerManagedPolicy)<br>PolicyGroups, PolicyRoles | ListPolicies<br>GetPolicy<br>GetPolicyVersion (only for CustomerManagedPolicy)<br>ListEntitiesForPolicy |

| Operation | IAM API (Action) |
|---|---|
| Summary/Attributes (RoleName, RoleId, Path, ARN, Description, CreateDate, TrustPolicyJSON, MaxSessionDuration)<br>AWSManagedPolicies and CustomerManagedPolicies<br>InlinePolicies | ListRoles<br>ListAttachedRolePolicies<br>ListRolePolicies |

| Operation | IAM API (Action) |
|---|---|
| Id<br>Name<br>PolicyJSON | No API is called for this attribute; it is formatted as `ARN of the entity:InlinePolicy:InlinePolicyName`<br>ListUserPolicies, ListGroupPolicies, ListRolePolicies<br>GetUserPolicies, GetGroupPolicies, GetRolePolicies |

| Operation | IAM API (Action) |
|---|---|
| Summary/Attributes (UserName, UserId, Path, ARN, CreateDate)<br>Groups<br>Access Keys<br>Signing Certificates<br>Password<br>MFA Device<br>AWS CodeCommit HTTPS Credentials and AWS CodeCommit SSH Keys | GetUser<br>ListGroupsForUser<br>ListAccessKeys<br>ListSigningCertificates<br>GetLoginProfile<br>ListMFADevices<br>ListServiceSpecificCredentials |

| Operation | IAM API (Action) |
|---|---|
| Refresh Group<br>Refresh Role<br>Refresh AWSManagedPolicy and CustomerManagedPolicy<br>Refresh Inline Policy associated with User<br>Refresh Inline Policy associated with Group<br>Refresh Inline Policy associated with Role | GetGroup<br>GetRole<br>GetPolicy<br>GetUserPolicies<br>GetGroupPolicies<br>GetRolePolicies |

| Operation | IAM API (Action) |
|---|---|
| Read Accounts in the Group<br>Remove Accounts from the Group<br>Read Group Policies<br>Remove Group Policies | DeleteGroup<br>GetGroup<br>RemoveUserFromGroup<br>ListGroupPolicies<br>DeleteGroupPolicy |

| Operation | IAM API (Action) |
|---|---|
| Set Password<br>Activate Access Keys (last created one)<br>Activate AWS CodeCommit HTTPS Credentials (last created one)<br>Activate AWS CodeCommit SSH Keys (last created one) | UpdateLoginProfile<br>UpdateAccessKey<br>UpdateServiceSpecificCredential<br>UpdateSSHPublicKey |

| Operation | IAM API (Action) |
|---|---|
| Read Groups<br>Remove Groups<br>Read AWSManagedPolicy and CustomerManagedPolicy<br>Remove AWSManagedPolicy and CustomerManagedPolicy<br>Read InlinePolicy<br>Read Security Credentials<br>Remove Security Credentials | ListGroupsForUser<br>RemoveUserFromGroup<br>ListAttachedUserPolicies<br>DetachUserPolicy<br>ListUserPolicies<br>DeleteUserPolicy<br>ListAccessKeys<br>ListSigningCertificates<br>GetLoginProfile<br>ListMFADevices<br>ListServiceSpecificCredentials<br>ListSSHPublicKeys<br>DeleteAccessKey<br>DeleteSigningCertificate<br>DeleteLoginProfile<br>DeactivateMFADevice<br>DeleteServiceSpecificCredential<br>DeleteSSHPublicKey |

| Operation | IAM API (Action) |
|---|---|
| Delete Password<br>Deactivate Access Keys (all)<br>Deactivate AWS CodeCommit HTTPS Credentials (all)<br>Deactivate AWS CodeCommit SSH Keys (all) | DeleteLoginProfile<br>UpdateAccessKey<br>UpdateServiceSpecificCredential<br>UpdateSSHPublicKey |

| Operation | IAM API (Action) |
|---|---|
| Add group to user<br>Add AWSManagedPolicy and CustomerManagedPolicy to user | AddUserToGroup<br>AttachUserPolicy |

| Operation | IAM API (Action) |
|---|---|
| Remove group from user<br>Remove AWSManagedPolicy and CustomerManagedPolicy from user<br>Remove Inline Policy from user | RemoveUserFromGroup<br>DetachUserPolicy<br>DeleteUserPolicy |

| Operation | IAM API (Action) |
|---|---|
| Read from User<br>Delete from User<br>Read from Group<br>Delete from Group<br>Read Role<br>Delete from Role | GetUserPolicies<br>DeleteUserPolicy<br>GetGroupPolicies<br>DeleteGroupPolicy<br>GetRolePolicies<br>DeleteRolePolicy |

| Operation | IAM API (Action) |
|---|---|
| Attach AWSManagedPolicy and CustomerManagedPolicy<br>Remove AWSManagedPolicy and CustomerManagedPolicy | AttachRolePolicy<br>DetachRolePolicy |
## Organization APIs

The following tables list the operations along with the corresponding AWS Organizations APIs (Actions) used for managing organizational entities:

| Operations | Organizations API (Actions) |
|---|---|
| Test Connections | Role (Master Account): organizations:ListAccounts |

| Operations | Organizations API (Actions) |
|---|---|
| Summary/Attributes (OUName, OUId, ARN, Parent)<br>ServiceControlPolicies<br>AWSAccounts | ListRoots, ListOrganizationalUnitsForParent<br>ListPoliciesForTarget<br>ListAccountsForParent |

| Operations | Organizations API (Actions) |
|---|---|

| Operations | Organizations API (Actions) |
|---|---|
| Summary/Attributes (AWSAccountName, AWSAccountId, ARN, EmailId, Status, JoinedType, JoinedTimestamp)<br>OrganizationUnit | ListAccounts<br>ListRoots, ListParents, DescribeOrganizationalUnit |

| Operations | Organizations API (Actions) |
|---|---|
| SCP<br>AWS Accounts<br>Organizational Unit | DescribePolicy<br>DescribeAccount, ListRoots, ListParents, DescribeOrganizationalUnit<br>DescribeOrganizationalUnit, ListRoots, ListParents, ListPoliciesForTarget, ListAccountsForParent |
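The tables above are the raw material for a least-privilege policy on the connector's service user: grant only the actions the operations you actually enable call, and keep the read-only aggregation actions in a separate statement from the mutating ones so the grant is easy to review. The script below is an added example, not SailPoint's code or an AWS-provided policy. It transcribes a subset of the action lists from both the IAM and the Organizations tables; the operation labels used as dictionary keys are this example's own (the tables on the page carry no titles), `Resource: "*"` is an assumption (many IAM list calls require it, but mutating actions can often be scoped tighter), and where the page lists `GetUserPolicies`, `GetGroupPolicies` and `GetRolePolicies`, the example uses the IAM action names `GetUserPolicy`, `GetGroupPolicy` and `GetRolePolicy`.

```python
"""Build a least-privilege policy for the connector from the per-operation action tables.

Added example, not part of the SailPoint documentation. Operation labels (dict keys)
are this example's own; action names are transcribed from the tables on the page.
"""
import json
import re

# Operation -> actions as listed on the page (subset). The Get*Policy names are
# written as the actual IAM actions (the page spells them Get*Policies).
OPERATIONS = {
    "iam:test-connection": ["iam:GetUser"],
    "iam:reset-password": ["iam:UpdateLoginProfile", "iam:CreateLoginProfile"],
    "iam:group-update": ["iam:UpdateGroup", "iam:AttachGroupPolicy", "iam:DetachGroupPolicy"],
    "iam:read-users": [
        "iam:ListUsers", "iam:GetLoginProfile", "iam:ListGroupsForUser",
        "iam:ListUserPolicies", "iam:ListAttachedUserPolicies", "iam:ListAccessKeys",
        "iam:ListServiceSpecificCredentials", "iam:ListSSHPublicKeys",
        "iam:ListSigningCertificates", "iam:ListMFADevices", "iam:GetAccessKeyLastUsed",
    ],
    "iam:read-inline-policies": [
        "iam:ListUserPolicies", "iam:ListGroupPolicies", "iam:ListRolePolicies",
        "iam:GetUserPolicy", "iam:GetGroupPolicy", "iam:GetRolePolicy",
    ],
    "iam:enable-account": [
        "iam:UpdateLoginProfile", "iam:UpdateAccessKey",
        "iam:UpdateServiceSpecificCredential", "iam:UpdateSSHPublicKey",
    ],
    "iam:disable-account": [
        "iam:DeleteLoginProfile", "iam:UpdateAccessKey",
        "iam:UpdateServiceSpecificCredential", "iam:UpdateSSHPublicKey",
    ],
    "iam:add-entitlement": ["iam:AddUserToGroup", "iam:AttachUserPolicy"],
    "iam:remove-entitlement": ["iam:RemoveUserFromGroup", "iam:DetachUserPolicy", "iam:DeleteUserPolicy"],
    "iam:role-update": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
    "org:test-connection": ["organizations:ListAccounts"],
    "org:read-ous": [
        "organizations:ListRoots", "organizations:ListOrganizationalUnitsForParent",
        "organizations:ListPoliciesForTarget", "organizations:ListAccountsForParent",
    ],
    "org:read-accounts": [
        "organizations:ListAccounts", "organizations:ListRoots",
        "organizations:ListParents", "organizations:DescribeOrganizationalUnit",
    ],
}

# Shape check for "service:ActionName"; catches typos before they reach AWS.
ACTION_RE = re.compile(r"^(iam|organizations):[A-Z][A-Za-z0-9]+$")
# Read-only IAM/Organizations actions all start with Get, List or Describe.
READ_ONLY_RE = re.compile(r"^[a-z]+:(Get|List|Describe)")


def is_read_only(action):
    return bool(READ_ONLY_RE.match(action))


def actions_for(operations):
    """Sorted, de-duplicated union of the actions the selected operations call."""
    needed = set()
    for op in operations:
        for action in OPERATIONS[op]:
            if not ACTION_RE.match(action):
                raise ValueError(f"malformed action name: {action}")
            needed.add(action)
    return sorted(needed)


def build_policy(operations):
    """One read-only statement and one mutating statement, no action wildcards."""
    acts = actions_for(operations)
    read = [a for a in acts if is_read_only(a)]
    write = [a for a in acts if not is_read_only(a)]
    statements = []
    if read:
        statements.append({"Sid": "ConnectorReadOnly", "Effect": "Allow", "Action": read, "Resource": "*"})
    if write:
        # Assumption: Resource "*"; scope this down where the mutating action supports ARNs.
        statements.append({"Sid": "ConnectorMutating", "Effect": "Allow", "Action": write, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def grants_beyond_need(policy, operations):
    """Allowed actions the chosen operations never call; a wildcard is reported as-is."""
    needed = set(actions_for(operations))
    extra = set()
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for a in actions:
            if "*" in a:
                return {a}  # unbounded grant: nothing finer to report
            if a not in needed:
                extra.add(a)
    return extra


if __name__ == "__main__":
    chosen = ["iam:test-connection", "iam:read-users", "iam:enable-account", "org:test-connection"]
    print(json.dumps(build_policy(chosen), indent=2))
    broad = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}
    print("over-grant in iam:* policy:", grants_beyond_need(broad, chosen))
```

Running the script prints the two-statement policy for the chosen operations and reports the `iam:*` wildcard as an unbounded over-grant; swap the `chosen` list for the operations your connector actually uses and diff the output against the policy attached to the service user.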