Delegate permission set administration - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Delegate permission set administration

IAM Identity Center enables you to delegate management of permission sets and assignments in accounts by creating IAM policies that reference the Amazon Resource Names (ARNs) of IAM Identity Center resources. For example, you can create policies that enable different administrators to manage assignments in specified accounts for permission sets with specific tags.

You can use either of the following methods to create these types of policies.

  • (Recommended) Create permission sets in IAM Identity Center, each with a different policy, and assign the permission sets to different users or groups. This enables you to manage administrative permissions for users who sign in using your chosen IAM Identity Center identity source.

  • Create custom policies in IAM, and then attach them to IAM roles that your administrators assume to get their assigned IAM Identity Center administrative permissions. For information about roles, see IAM roles.


IAM Identity Center resource ARNs are case sensitive.

The following shows the proper case for referencing the IAM Identity Center permission set and account resource types.

Resource type    ARN                                                                      Context keys
PermissionSet    arn:${Partition}:sso:::permissionSet/${InstanceId}/${PermissionSetId}    aws:ResourceTag/${TagKey}
Account          arn:${Partition}:sso:::account/${AccountId}                              Not applicable
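The following is an added example, not code from this page or from AWS: it writes out a delegated-administration policy of the kind described at the top of this page (assignments allowed only in one account, and only for permission sets carrying a specific tag), then runs it through a small, deliberately simplified local matcher so you can see how the ARN formats and the case-sensitivity rule from the table above play out. Every instance, account and permission-set identifier is a made-up placeholder. The matcher models only Allow statements, the `*` wildcard and `StringEquals` on `aws:ResourceTag/<key>`; it is not IAM's evaluator. Two modelling choices are assumptions stated here rather than facts taken from this page: that an account-assignment call is authorized against the instance, account and permission-set resources it names, and that each of those resources is checked on its own, which is why the tag condition is placed only on the permission-set statement (an untagged account or instance resource would never satisfy `aws:ResourceTag`).

```python
"""Delegated IAM Identity Center assignment policy plus a simplified local matcher.

Added example; not the AWS documentation's own code. Identifiers are placeholders.
"""
import copy
import re

# Constructed placeholders (not real IAM Identity Center identifiers).
INSTANCE_ARN = "arn:aws:sso:::instance/ssoins-1234567890abcdef"
ACCOUNT_ARNS = ["arn:aws:sso:::account/111122223333", "arn:aws:sso:::account/222233334444"]
PS_ENGINEERING = "arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-eng000000000001"
PS_FINANCE = "arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/ps-fin000000000002"

# Constructed tag inventory, standing in for what IAM looks up for aws:ResourceTag.
# Only permission sets carry tags; account and instance resources have none.
RESOURCE_TAGS = {
    PS_ENGINEERING: {"Team": "Engineering"},
    PS_FINANCE: {"Team": "Finance"},
}

ASSIGNMENT_ACTIONS = ["sso:CreateAccountAssignment", "sso:DeleteAccountAssignment"]

DELEGATED_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Untagged resource types: no tag condition here, or nothing would ever match.
            "Sid": "AssignmentsInSpecifiedAccount",
            "Effect": "Allow",
            "Action": ASSIGNMENT_ACTIONS,
            "Resource": [INSTANCE_ARN, ACCOUNT_ARNS[0]],
        },
        {
            # Tagged resource type: the condition limits which permission sets may be assigned.
            "Sid": "AssignmentsForTeamPermissionSets",
            "Effect": "Allow",
            "Action": ASSIGNMENT_ACTIONS,
            "Resource": "arn:aws:sso:::permissionSet/ssoins-1234567890abcdef/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Team": "Engineering"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value):
    """Case-sensitive '*' wildcard match; '*' also spans '/' as it does in a Resource ARN."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _condition_holds(condition, resource_arn, tags):
    """Only StringEquals on aws:ResourceTag/<key> is modelled; a missing tag never matches."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("aws:ResourceTag/"):
            raise NotImplementedError(f"condition key {key} is not modelled")
        tag_key = key[len("aws:ResourceTag/"):]
        if tags.get(resource_arn, {}).get(tag_key) != expected:
            return False
    return True


def resource_allowed(policy, action, resource_arn, tags=RESOURCE_TAGS):
    """True if some Allow statement names the action, matches the ARN and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        if not any(_glob_match(p, resource_arn) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_arn, tags):
            continue
        return True
    return False


def assignment_allowed(policy, action, account_arn, permission_set_arn,
                       instance_arn=INSTANCE_ARN, tags=RESOURCE_TAGS):
    """Assumption: an assignment call is checked against instance, account and permission set,
    one resource at a time, and all three must be allowed."""
    return all(resource_allowed(policy, action, arn, tags)
               for arn in (instance_arn, account_arn, permission_set_arn))


def miscased_policy(policy):
    """The same policy with 'permissionSet' typed as 'PermissionSet' in its Resource ARNs,
    the mistake the case-sensitivity note on this page warns about."""
    bad = copy.deepcopy(policy)
    for stmt in bad["Statement"]:
        stmt["Resource"] = [r.replace("permissionSet", "PermissionSet")
                            for r in _as_list(stmt["Resource"])]
    return bad


if __name__ == "__main__":
    create = "sso:CreateAccountAssignment"
    print("tagged PS, allowed account  :", assignment_allowed(DELEGATED_ADMIN_POLICY, create, ACCOUNT_ARNS[0], PS_ENGINEERING))
    print("Finance PS, allowed account :", assignment_allowed(DELEGATED_ADMIN_POLICY, create, ACCOUNT_ARNS[0], PS_FINANCE))
    print("tagged PS, other account    :", assignment_allowed(DELEGATED_ADMIN_POLICY, create, ACCOUNT_ARNS[1], PS_ENGINEERING))
    print("miscased Resource ARN       :", assignment_allowed(miscased_policy(DELEGATED_ADMIN_POLICY), create, ACCOUNT_ARNS[0], PS_ENGINEERING))
```

The miscased variant is the practical check to take away: a policy that spells the resource type `PermissionSet` is syntactically valid and attaches without complaint, but it never matches a real `arn:aws:sso:::permissionSet/...` ARN, so the delegated administrator is simply denied. The real evaluator also applies explicit Deny statements, policy boundaries and other condition operators that this matcher leaves out, so use it to reason about a draft policy, not as a substitute for testing the policy against IAM itself.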