Help Center/
Organizations/
FAQs/
What Are the Differences in Access Control Between IAM and Organizations?
Updated on 2024-09-27 GMT+08:00
What Are the Differences in Access Control Between IAM and Organizations?
- They grant permissions to different entities. IAM policies define permissions for IAM users, IAM user groups, and IAM agencies in an account. Organizations SCPs limit permissions for the root OU, other OUs, and member accounts.
- They have different control scopes but are relevant to each other. If the organization administrator has attached an SCP to an OU or member account, both the SCP and the granted IAM policies apply to the IAM users, IAM user groups, and IAM agencies in the account. The granted permissions can be applied only if they are allowed by the SCPs. Users cannot perform any actions that are denied by SCPs even if the actions are granted to the users by IAM policies.
- They also have different effects on permissions. SCPs specify the maximum available permissions for member accounts in an organization and limit their operations. SCPs never grant permissions. In contrast, IAM policies directly grant permissions to IAM users, IAM user groups, and IAM agencies.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
The system is busy. Please try again later.
For any further questions, feel free to contact us through the chatbot.
Chatbot