Roles
A role is a collection of permissions that defines the access level of an entity over a resource. A role cannot exist without permissions. A role can be assigned:
- To a user on an account.
- To a user on an application.
- To a group on an account.
- To a device on an account or group
Who can create a role?
- Any application can create a role.
- Any user can create a role.
Tips:
- Prefer the name of the role in noun form (e.g.,
Administrator,Viewer,Editor).
Role Classification
A role in IAM is classified into two categories based on its scope:
Standard Role
- A standard role is defined by an application.
- It can be assigned across any account or within the application scope that created the role.
- Standard roles simplify the process of assigning permissions by grouping commonly required access rights for specific job functions or user types.
- Standard roles are designed to cover the most common access and permission needs for users without requiring extensive customization.
Custom Role
- A user can define custom roles in their account to support their unique authorization requirements, giving specific permissions that are not covered by the predefined standard roles.
- Custom roles are always scoped to the account of the calling user’s token.
- A custom role cannot be assigned to an entity outside of its account’s scope.