Skip to content

Roles

A role is a collection of permissions that defines the access level of an entity over a resource. A role cannot exist without permissions. A role can be assigned:

  • To a user on an account.
  • To a user on an application.
  • To a group on an account.
  • To a device on an account or group

Who can create a role?

  • Any application can create a role.
  • Any user can create a role.

Tips:

  • Prefer the name of the role in noun form (e.g., Administrator, Viewer, Editor).

Role Classification

A role in IAM is classified into two categories based on its scope:

Standard Role

  • A standard role is defined by an application.
  • It can be assigned across any account or within the application scope that created the role.
  • Standard roles simplify the process of assigning permissions by grouping commonly required access rights for specific job functions or user types.
  • Standard roles are designed to cover the most common access and permission needs for users without requiring extensive customization.

Custom Role

  • A user can define custom roles in their account to support their unique authorization requirements, giving specific permissions that are not covered by the predefined standard roles.
  • Custom roles are always scoped to the account of the calling user’s token.
  • A custom role cannot be assigned to an entity outside of its account’s scope.