Updated on 2024-03-18 GMT+08:00

What Are the Differences in Access Control Between IAM and Organizations?

They grant permissions to different entities. IAM policies define permissions for IAM users, IAM user groups, and IAM agencies in an account. Organizations SCPs limit permissions for the root OU, other OUs, and member accounts.

They have different control scopes but are related to each other. If the organization administrator has attached an SCP to an OU or member account, both the SCP and the granted IAM policies apply to the IAM users, IAM user groups, and IAM agencies in the account. Permissions granted by IAM policies take effect only if the SCPs allow them. Users cannot perform any action that an SCP denies, even if an IAM policy grants that action.

They also have different effects on permissions. SCPs specify the maximum available permissions for member accounts in an organization and limit their operations. SCPs never grant permissions. In contrast, IAM policies directly grant permissions to IAM users, IAM user groups, and IAM agencies.
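
The interaction described above can be modeled in a few lines. This is an added example, not code from the service or its documentation: the statement layout is a simplified stand-in for real policy JSON, the service and action names are constructed placeholders, and the rule that every level carrying an SCP must allow the action is an assumption of this model.

```python
from fnmatch import fnmatchcase

def matches(statements, action, effect):
    """True if any statement with the given effect covers the action."""
    return any(
        s["Effect"] == effect and any(fnmatchcase(action, p) for p in s["Action"])
        for s in statements
    )

def evaluate(action, iam_statements, scp_levels):
    """Return (allowed, reason) for one action in a member account.

    scp_levels maps each level (root OU, OU, account) to its SCP statements.
    Model assumption: every level must allow the action, and any Deny wins.
    """
    # SCPs only set the boundary; they are checked first and never grant.
    for level, stmts in scp_levels.items():
        if matches(stmts, action, "Deny"):
            return False, f"denied by SCP at {level}"
        if not matches(stmts, action, "Allow"):
            return False, f"not allowed by SCP at {level}"
    # Inside the boundary, only an IAM policy can actually grant the action.
    if matches(iam_statements, action, "Deny"):
        return False, "denied by IAM policy"
    if not matches(iam_statements, action, "Allow"):
        return False, "not granted by IAM policy"
    return True, "granted by IAM policy and within SCP boundary"

# Constructed sample data; service and action names are placeholders.
SCP_LEVELS = {
    "root OU": [{"Effect": "Allow", "Action": ["*"]}],
    "OU prod": [{"Effect": "Allow", "Action": ["*"]},
                {"Effect": "Deny", "Action": ["svc-audit:trail:delete"]}],
    "account": [{"Effect": "Allow", "Action": ["svc-compute:*", "svc-audit:*"]}],
}
IAM_ADMIN = [{"Effect": "Allow", "Action": ["*"]}]  # broad IAM grant
IAM_NONE = []                                       # user with no IAM policy

if __name__ == "__main__":
    for who, iam in (("admin", IAM_ADMIN), ("no-policy", IAM_NONE)):
        for action in ("svc-compute:server:create", "svc-audit:trail:delete",
                       "svc-storage:bucket:create"):
            print(who, action, evaluate(action, iam, SCP_LEVELS))
```

The last case in the output is the one auditors most often miss: a user with no IAM policy gets nothing, however permissive the SCPs are.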