

# Delegate who can assign single sign-on access to users and groups in the management account
<a name="howtodelegatessoaccess"></a>

Assigning single sign-on access to the management account using the IAM Identity Center console is a privileged action. By default, only an Amazon Web Services account root user, or a user who has the **AWSSSOMasterAccountAdministrator** and **IAMFullAccess** Amazon managed policies attached, can assign single sign-on access to the management account. Together, these two policies grant the permissions required to manage single sign-on access to the management account within an Amazon Organizations organization.

Alternatively, you can use the Amazon CLI to create a permission set, attach policies to it, and assign it to users or groups. The following commands correspond to each step:
+ To create a permission set: [create-permission-set](https://docs.amazonaws.cn//cli/latest/reference/sso-admin/create-permission-set.html)
+ To attach an Amazon managed policy to a permission set: [attach-managed-policy-to-permission-set](https://docs.amazonaws.cn//cli/latest/reference/sso-admin/attach-managed-policy-to-permission-set.html)
+ To attach a customer managed policy to a permission set: [attach-customer-managed-policy-reference-to-permission-set](https://docs.amazonaws.cn//cli/latest/reference/sso-admin/attach-customer-managed-policy-reference-to-permission-set.html)
+ To assign a permission set to a user or group: [create-account-assignment](https://docs.amazonaws.cn//cli/latest/reference/sso-admin/create-account-assignment.html)

Use the following steps to delegate permissions to manage single sign-on access to users and groups in your directory.

**To grant permissions to manage single sign-on access to users and groups in your directory**

1. Sign in to the IAM Identity Center console as a root user of the management account or with another user who has administrator permissions to the management account.

1. Follow the steps in [Create a permission set](howtocreatepermissionset.md) to create a permission set, and then do the following:

   1. On the **Create new permission set** page, select the **Create a custom permission set** check box, and then choose **Next: Details**.

   1. On the **Create new permission set** page, specify a name for the custom permission set and, optionally, a description. If required, modify the session duration and specify a relay state URL.
      **Note**  
      For the relay state URL, you must specify a URL that is in the Amazon Web Services Management Console. For example:  
      **https://console.aws.amazon.com/ec2/**  
      For more information, see [Set relay state for quick access to the Amazon Web Services Management Console](howtopermrelaystate.md).

   1. Under **What policies do you want to include in your permission set?**, select the **Attach Amazon managed policies** check box.

   1. In the list of IAM policies, choose both the **AWSSSOMasterAccountAdministrator** and **IAMFullAccess** Amazon managed policies. These policies grant their permissions to any users and groups that are assigned to this permission set in the future.

   1. Choose **Next: Tags**.

   1. Under **Add tags (optional)**, specify values for **Key** and **Value (optional)**, and then choose **Next: Review**. For more information about tags, see [Tagging Amazon IAM Identity Center resources](tagging.md).

   1. Review the selections you made, and then choose **Create**.

1. Follow the steps in [Assign user or group access to Amazon Web Services accounts](assignusers.md) to assign the appropriate users and groups to the permission set that you just created.

1. Tell the assigned users that when they sign in to the Amazon Web Services access portal and choose the **Accounts** tab, they must choose the role name that corresponds to this permission set in order to be authenticated with the permissions that you just delegated.
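The same delegation performed with the Amazon CLI commands listed earlier, as an added example that is not part of the documentation: the instance ARN, management account ID, identity store group ID and the `DelegatedSSOAdmin` name are placeholders and assumptions, and the script only prints the commands until `AWS_CMD=aws` is set.

```shell
# Added example (not from the documentation): the console procedure above done
# with the CLI. PLACEHOLDER values are assumptions; replace them with your own.
set -eu

# Dry run by default: commands are printed, not executed. Set AWS_CMD=aws
# after checking the values below to call the API.
AWS_CMD="${AWS_CMD:-echo aws}"

PARTITION="${PARTITION:-aws}"    # aws-cn in the China Regions
INSTANCE_ARN="${INSTANCE_ARN:-arn:${PARTITION}:sso:::instance/ssoins-PLACEHOLDER}"
MGMT_ACCOUNT_ID="${MGMT_ACCOUNT_ID:-111122223333}"    # placeholder
GROUP_ID="${GROUP_ID:-PLACEHOLDER-IDENTITY-STORE-GROUP-ID}"
# The relay state must be a console URL (see the note above).
RELAY_STATE="${RELAY_STATE:-https://console.aws.amazon.com/singlesignon/}"
# The two managed policies the procedure attaches.
DELEGATE_POLICIES="AWSSSOMasterAccountAdministrator IAMFullAccess"

# ARN of an Amazon managed policy in the current partition.
managed_policy_arn() {
  printf 'arn:%s:iam::aws:policy/%s\n' "$PARTITION" "$1"
}

# Step 1: create the custom permission set; prints its ARN when run for real.
create_delegate_permission_set() {
  $AWS_CMD sso-admin create-permission-set \
    --instance-arn "$INSTANCE_ARN" \
    --name "DelegatedSSOAdmin" \
    --description "Manage single sign-on access to the management account" \
    --session-duration "PT1H" \
    --relay-state "$RELAY_STATE" \
    --query 'PermissionSet.PermissionSetArn' --output text
}

# Step 2: attach both managed policies to the permission set ($1 is its ARN).
attach_delegate_policies() {
  for policy in $DELEGATE_POLICIES; do
    $AWS_CMD sso-admin attach-managed-policy-to-permission-set \
      --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1" \
      --managed-policy-arn "$(managed_policy_arn "$policy")"
  done
}

# Step 3: assign a group (reviewable in one place) in the management account.
assign_delegate_group() {
  $AWS_CMD sso-admin create-account-assignment \
    --instance-arn "$INSTANCE_ARN" --permission-set-arn "$1" \
    --target-id "$MGMT_ACCOUNT_ID" --target-type AWS_ACCOUNT \
    --principal-type GROUP --principal-id "$GROUP_ID"
}
```

With credentials and `AWS_CMD=aws`, run `ps_arn=$(create_delegate_permission_set); attach_delegate_policies "$ps_arn"; assign_delegate_group "$ps_arn"`.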