Create management groups to map users to AWS accounts and roles
You need to create another set of external-directory groups to establish a link between sets of users and the specific AWS accounts and roles that they want to access. Management groups are the primary method for managing user access to AWS entitlements.
If you're using Okta groups, you don't need to complete this procedure. See Enable group-based role mapping in Okta.
If you do not have existing groups to manage AWS user entitlements, complete these tasks:
Create an organizational unit (OU) in your directory for AWS management groups. It does not matter where these groups are located in the directory.
Create groups for each user population that requires a different set of AWS roles and accounts. Give meaningful names to the groups. For example: Tier 1 AWS Support, Database Admins, AWS Super Admins
Assign each management group to the AWS role group or groups that it needs to access. This establishes a link between the management groups and the entitlements in all AWS accounts to which group users need to access.
- For each management group, on the Members Of tab of the DevOps Sys Admins Properties dialog box add, remove, modify, or audit AWS entitlements.
- On the Members tab of the DevOps Sys Admins Properties dialog box, assign individual users to the management groups to make them members of the AWS role group.