Users, groups, and provisioning - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Users, groups, and provisioning

Keep the following considerations in mind when you work with users and groups in IAM Identity Center.

User name and email address uniqueness

Users in IAM Identity Center must be uniquely identifiable. IAM Identity Center implements a user name that is the primary identifier for your users. Although most people set the user name equal to a user’s email address, IAM Identity Center and the SAML 2.0 standard do not require this . However, many SAML 2.0-based applications use an email address as the unique identifier for users. These applications obtain this information from assertions that a SAML 2.0 identity provider sends during authentication. Such applications depend on the uniqueness of email addresses for each user. For this reason, IAM Identity Center allows you to specify something other than an email address for user sign-in. IAM Identity Center requires that all user names and email addresses for your users are non-NULL and unique.


Groups are a logical combination of users that you define. You can create groups and add users to the groups. IAM Identity Center does not support adding a group to a group (nested groups). Groups are useful when assigning access to Amazon Web Services accounts and applications. Rather than assign each user individually, you give permissions to a group. Later, as you add or remove users from a group, the user dynamically gets or loses access to accounts and applications that you assigned to the group.

User and group provisioning

Provisioning is the process of making user and group information available for use by IAM Identity Center and Amazon managed applications or customer managed applications. You can create users and groups directly in IAM Identity Center, or work with users and groups you have in Active Directory or an external identity provider. Before you can use IAM Identity Center to assign users and groups access permissions in an Amazon Web Services account, IAM Identity Center must be aware of the users and groups. Similarly, Amazon managed applications and customer managed applications can work with users and groups of which IAM Identity Center is aware.

Provisioning in IAM Identity Center varies based on the identity source that you use. For more information, see Manage your identity source.