

# Single sign-on access to Amazon Web Services accounts
<a name="useraccess"></a>

You can grant users in your connected directory permissions to the management account or to member accounts in your organization in Amazon Organizations, based on [common job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html). Alternatively, you can use custom permissions to meet your specific security requirements. For example, you can grant database administrators broad permissions to Amazon RDS in development accounts but limit their permissions in production accounts. IAM Identity Center configures all the necessary user permissions in your Amazon Web Services accounts automatically.

**Note**  
You might need to grant users or groups permissions to operate in the Amazon Organizations management account. Because the management account is highly privileged, additional security restrictions require you to have the [IAMFullAccess](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/IAMFullAccess) policy or equivalent permissions before you can set this up. These additional security restrictions are not required for any of the member accounts in your Amazon organization.

**Topics**
+ [Assign user or group access to Amazon Web Services accounts](assignusers.md)
+ [Remove user and group access to an Amazon Web Services account](howtoremoveaccess.md)
+ [Revoke active IAM role sessions created by permission sets](revoke-user-permissions.md)
+ [Delegate who can assign single sign-on access to users and groups in the management account](howtodelegatessoaccess.md)